Recently, there has been a lot of buzz about the rise in demand for Cyber Liability insurance as heightened awareness has brought the issue into the forefront in the last few years. Not only do we have large data breaches continually making headlines, but we also have our government looking into how to deal with these risks. Furthermore, smaller companies are finally realizing that they are not immune to cyber-related losses. In fact, cyber criminals are increasingly targeting smaller firms across many industries, capitalizing on vulnerabilities and seeking new opportunities to wreak havoc with people's data.We first spoke with Mike Palotay, Senior Vice President of NAS Insurance Services, Inc., in 2011
about the extent of cyber attacks and the impact of these exposures across all industries, in addition to the implementation of key risk management protocols to help mitigate data breach losses. Mike manages the underwriting department for cyber and technology insurance for NAS, an Encino, California-based firm that provides a full spectrum of specialty products on an open-market program and reinsurance basis. We turned to Mike again to discuss how NAS has expanded its own Cyber program to address a critical exposure when a data breach occurs and to discuss changes in the digital landscape.
NAS' cyber product, NetGuardTM Plus, provides coverage for network security and privacy insurance, privacy breach responses costs, network asset protection (including accidental data loss), regulatory defense and penalties, multimedia insurance, cyber extortion and cyber terrorism. Breach response services available under the policy include: legal counsel service, IT security and forensic experts, public relations/advertising support, breach notification to customers and partners, call center and website support, and credit monitoring and identity theft restoration services. In September 2012, BrandGuardTM was added to NetGuardTM Plus, broadening coverage by providing relief for lost profits as a result of a data breach.
Annie George (AG): First tell us about BrandGuardTM and the importance of this coverage when it comes to data breaches.
Mike Palotay (MP): "Like other cyber policies on the market, when we first launched NetGuardTM Plus, we provided a program to address the direct costs associated with data breaches along with the key services needed, but this doesn't tell the complete story. As with any of our products, we continually evaluate emerging risks and exposures and see how we can enhance our offering. What we see is that when a data breach incident occurs, there is a key component that needs to be addressed: loss of profits.
"According to the Ponemon Institute, data breach incidents are estimated to cost U.S. companies $204 per compromised customer record. Of that amount, only one-third involves direct costs that are covered under most cyber policies, with two-thirds, or about $130-$140.00 (depending on the size of the company), related to loss of revenue as a result of reputational damage. With BrandGuardTM, our cyber product now addresses the majority of the exposure associated with a data breach. BrandGuardTM resembles the Business Interruption insurance component found in a Property policy and covers the difference in revenue after a breach occurs for a specific amount of time, up until the business is operating at a normal pace again. Typically, this period is between six to eighteen months.
"After a data breach many customers lose faith in an organization and stop doing business with them; it takes a while to restore goodwill even with PR and crisis management services that serve to repair a company's image. Getting back to normal operations takes time and during that critical time revenues can take a hit. We have filled this gap in coverage with BrandGuardTM. We work with a third-party, experienced adjuster that specializes in Business Interruption. They will look over the insured's operation and determine how much income they lost as a result of the breach, and will pay the benefit. They look at past results and estimates and evaluate the change in revenue. It's essential that the organization keep proper documentation and records to show that diminished revenues were as a direct result of the breach."
AG: Since we last spoke, what changes have you seen when it comes to the cyber environment?
MP: "There have been changes in several areas, including increased awareness due to large publicized breaches, broader regulation along with tighter enforcement, and a more litigious environment. Over the last five years, we have consistently seen large data breaches that have been played out in the press across all industries, including in healthcare, education, entertainment, and banking. What's more, President Obama and his administration are talking about taking measures to improve the privacy of Americans including introducing national data breach response legislation. This is all serving to highlight the issue among individuals and businesses. As a result, we've seen an increase in our submission flow. Before there was a great deal of interest in obtaining a policy quote to see how much cyber insurance would cost without a real awareness of the exposure and the extent of the costs that can result from a breach. In the last two years, more businesses are actually purchasing the policy, as they better understand the financial impact from a cyber attack. The increased attention and resulting awareness has had a positive impact in the demand for this protection.
"Furthermore, we've also seen changes in the regulatory environment that have had an impact on claims. For example, the expanded HIPAA rule has significant consequences for cloud providers, hosts and other types of vendors serving the data needs of the healthcare industry. The onus for data protection is not only on the healthcare provider but also for those companies storing information on behalf of the provider. If a hospital, for instance, uses a storage facility for its medical records, the company storing the files has an increased obligation in protecting that information. Additionally, we are seeing greater enforcement of regulations. Regulatory agencies are taking a more proactive approach to not only go after companies with large breaches, but also to investigate and penalize firms with relatively small breaches. The agencies are asking for a lot of information, especially if it appears as though the provider hadn't properly protected the individual's data. For example, if private healthcare information stored on a laptop was stolen, the Department of Health & Human Services will look at whether there were active steps undertaken (such as encryption) to protect the data. If not, substantial fines will be levied, even in cases involving relatively small breaches.
"Moreover, in looking at our claims experience, we're also seeing shift in the legal environment and case law. From an insurance company perspective, many of the losses and monies paid in the past were focused on direct costs associated with a breach response: that is, customer notification, credit monitoring and related ancillary expenses - basically first-party losses. When a breach occurs, it doesn't necessarily result in a third-party lawsuit for damages by the affected individuals. Lately, however, we've been seeing an interesting and somewhat disconcerting trend involving a rise in lawsuits and class action suits for damages involving loss of time. These types of lawsuits were not prevalent in the past, as an individual would have a hard time proving damages. If your information were stolen, for example, and someone ran fraudulent credit card transactions, the issuing credit card company would take responsibility for this. You may lose time in calling the credit bureaus and proving your identity if it had been compromised, but going after compensation for your lost time was atypical. Now, on large breaches, there have been a number of successful class-action suits asking companies for compensation for loss of time. This may not be significant on a smaller breach, but when talking about a large breach with millions of identities, the cost can be substantial.
What's more, in the healthcare area, we have seen individuals sue for damages due to mental anguish and emotional distress as a result of a breach in their medical records. This type of claim at one time would have had a difficult time going through the courts and resulting in settlements. Now it's happening more."
Mike illustrated the changing legal landscape with an example of the type of claims they are seeing in the medical field. NAS insures between 300,000-400,000 physicians throughout the country through its medical malpractice programs. Recently, there are pending claims against several plastic surgeons that have posted before and after photos of their "work" on their websites. For example, a successful breast augmentation may be featured on the practice's website. The patient's name is not disclosed and her face is not shown, but when the photo is posted on-line, the file name on the photo is tagged with the patient's name. As result, when Google crawls the site, it picks up the file name in its search. When a patient searches for her name, the website where her photo appears will come up in the search - even though her name is not displayed publicly on the site. This type of privacy breach has resulted in emotional distress and mental anguish claims against a number of doctors.
"Here's a case where there is not only a breach, but the physician's reputation also takes a substantial hit for not being discreet, for not protecting the patient's identity," explained Mike. A Cyber policy will pay to defend the claim or pay a settlement and for public relations and crisis management. But the biggest impact may be loss of income due to the doctor's reputational damage. With BrandGuardTM, the loss of revenue will be covered."
To find out more about NAS Cyber products, feel free to contact Mike at (818) 808-4476, or via email at MPalotay@NASInsurance.com. Also, please visit the NAS website.