Underwriters address cyber issues
DALLAS — Companies are dealing with a patchwork of different state cyber privacy regulations, while prospects remain dim for national cyber legislation.
Meanwhile, the insurance industry is only starting to consider how traditional property/casualty and cyber coverages might interact.
At the same time, small and midsize companies' lack of knowledge and resources can not only threaten their own existence, but also pose significant risks to the larger companies with which they deal.
These were among the issues discussed at the Professional Liability Underwriting Society's 2015 annual conference in Dallas earlier this month during several sessions on cyber risk.
Charles J. Clark, a partner with Schulte Roth & Zabel L.L.P. in Washington, said during a session on the changing regulatory environment that he believes the 2016 presidential election makes it unlikely that major cyber legislation will be approved by Congress in the next year.
“Nothing is going to happen because of the political battles, because of the presidential election, particularly when you look at the challenges facing” Rep. Paul Ryan, R-Wis., the recently elected speaker of the House of Representatives, Mr. Clark said. Looking at what regulators are doing is “much more important,” he said.
Rob Yellen, New York-based executive vice president of FINEX North America, a unit of Willis Group Holdings P.L.C., pointed to the various privacy and security regulations that exist both nationally and globally. Each jurisdiction and each geographical region is going to have to make decisions that are right for itself, Mr. Yellen said.
“If you're a cross-border business and trying to comply, it's massively difficult. How do you solve for that? I think insurance is one of the solutions,” Mr. Yellen said.
A cyber event can affect a variety of insurance coverages, said speakers at another session. For instance, an “all risk” property policy is likely to cover a cyber event so long as there is no cyber exclusion in the policy, said Scott N. Kannry, CEO of Axio Global L.L.C., a cyber security consulting firm.
On the other side of the spectrum, especially in the terrorism market, there are very broadly worded cyber exclusions that can be put on property policies, he said.
But cyber events can cause property damage, said Mr. Kannry. “It's a realistic concern.” And the underwriting community is starting to embrace cyber as a peril, he said.
However, “it really raises bigger issues about long-term insurance industry treatment” of risks, he said, asking whether it would be better to exclude them from traditional policies and set up cyber-related policies. That “would be favorable to the insurance industry” because it can track the risk, he said.
But, if a large facility has an incident that results in a “hole in the ground” and there is enough suspicion it was triggered by a cyber incident, the property coverage tower would refuse to cover it, while cyber insurers would demand proof it was caused by a cyber incident. “We've only scratched the surface as an industry as to where (this issue) has to go,” he said.
“This is an intersection without any traffic lights,” said Darin J. McMullen, a shareholder with law firm Anderson Kill P.C. in Philadelphia, when asked to comment on casualty coverage in a theoretical scenario where people become ill because of a cyber hack.
Meanwhile, when dealing with the cyber risks faced by small and medium-sized businesses, “one of the big challenges we have to think about” is that these firms direct their limited resources toward making money, and information risk “in a lot of cases is what gets put on the back burner,” said Sarah Stephens, a London-based partner with JLT Specialty Ltd.'s financial lines group.
Ways to deal with cyber attacks, which were discussed during a session on responding to cross-border data breaches, include having an incident response plan.
“We all know” cyber attacks are likely to happen late on Friday when “it's not that easy” to pull people together and coordinate, said Max Perkins, London-based senior vice president of global professional risk solutions for Lockton Cos. L.L.P. “One can't preach enough about practicing a response plan in real-life situations,” he said.
Incident response plans should not be too prescriptive, though, said Theodore J. Kobus III, a partner with Baker & Hostetler L.L.P. in New York. Having a script to read from “is a huge mistake,” he said. “You need flexibility during a response, and painting yourself into a corner is really the worst thing you can do.”
More than 1,800 people attended this year's PLUS conference. Next year's conference is scheduled for Nov. 9-11 in Chicago.