Login Register Subscribe
Current Issue

Equifax data breach could lead to stricter underwriting

Reprints

The Equifax Inc. data breach revealed in September may have long-term consequences for policyholders and the insurance industry.

Equifax said hackers had accessed personal information on up to 145.5 million of the firm’s customers.

Equifax carried cyber liability coverage, which market sources say was led by London-based Beazley P.L.C., and the breach will likely result in a limit loss for insurers and reinsurers, observers say.

As a result of the Equifax breach, “we will see heightened underwriting scrutiny on accounts, especially accounts that have large amounts of personal data,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C. “Specifically, they will focus on patching protocols, because that seems to have been an issue in this case,” he said.

In addition, he said, “We may see some slight lessening of capacity for some carriers.” Some of the insurers that provided $10 million of capacity on the risk may have to pay that entire amount and could decide to pull back from the marketplace, he said.

The incident may ultimately prove to be a directors and officers liability issue, some observers say.

For instance, Hampden Kuhns v. Equifax Inc. et al., a putative class action complaint, was filed against the company and its directors and officers in U.S. District Court in Atlanta on Sept. 8. The lawsuit charges the company failed to maintain adequate security measures, that its share price dropped after the breach’s disclosure, and that company officers had sold stock before the firm revealed the breach.

Prior D&O lawsuits filed in response to data breaches “haven’t been particularly successful,” according to Kevin LaCroix, executive vice president of RT ProExec, a division of R-T Specialty L.L.C., in Beachwood, Ohio. The prospect of Equifax D&O litigation “does seem more favorable than some of the other lawsuits that have been filed,” because it involves an element of alleged insider trading, a stock drop and a delay between the breach’s discovery and its disclosure, he said.

“If a publicly traded company came into my office tomorrow and said, ‘We just had a cyber event, can you help us evaluate managing this risk and what we should do?’ I’m going to ask for both the D&O and cyber policy immediately. I’m going to want to tear into both of them,” said policyholder attorney Duke F. Wahlquist, a partner with Rutan & Tucker L.L.P. in Costa Mesa, California.