Despite these concerns, professionals in the cyberinsurance space said that there are still plenty of things to be grateful for.
Increased Capacity and New Carriers
While 2021 was marked by large rate increases, more restrictive coverage and reduced capacity in the cyberinsurance market, policyholders this year have started to see pricing trends turn slightly in their favor, Kristen Peed, director of corporate risk management and insurance at professional services company CBIZ Inc., said. Peed said one of the developments in the market she is most thankful for is the entrance of new capacity by carriers "that have never been in the cyberinsurance space."
As an example, Peed, who also serves on the board of directors for the Risk and Insurance Management Society Inc., said that RT Specialty, a wholesaler that works with CBIZ, recently set up a $15 million cyberinsurance program with all brand-new carriers.
"These are carriers that are excited to get into the space," Peed said. Additionally, the new capacity in the market is connected with underwriters that have a good understanding of how to write cyberinsurance and correctly price it, which "gives opportunities to companies out there who are doing the right things around security measures and mitigation efforts to really take advantage of some of this new capacity," Peed said.
Increased Understanding of Cyber Risk
Increased policyholder awareness of cyber risk and cyberinsurance was another development cyberinsurance professionals told Law360 they were thankful for. Policyholders had to react to the rapidly evolving requirements of 2021's hard market, but the experience led to a much more mature understanding of cyber risk on the part of policyholders, Aon's Harbison said.
"I am very thankful that, as a general client base, our clients are much more prepared for incidents," Harbison said. Policyholders, with the help of new scanning and quantification tools, now have a much fuller understanding of their "true risk" outside of an insurance application, Harbison said, which allows them to more effectively manage that cyber risk.
"If you're just looking at a paper application, you could be ticking a box saying that you have a certain control in place … but that really doesn't fully show or articulate what the risk could be," Harbison said.
Policyholders' increased awareness of their own risk also opens up alternative cyber risk management strategies. Peed told Law360 that risk managers at large companies are increasingly looking at alternative options like captives as a long-term risk management strategy.
"After discussions with your IT department … you may choose to take that risk and put it into your captive insurance company, because you know your risk better, and you're willing to take a bet that you can do better than what the marketplace is pricing you at," Peed said.
Increased Information on Cyber Risk
Going hand in hand with increased policyholder awareness of cyber risk is the increase in information regarding cyberinsurance, professionals told Law360. From law firms to cybersecurity vendors, more entities are putting out information on how organizations and businesses can protect themselves from cyber risks, Eric Stern, co-chair of Kaufman Dolowich Voluck's data privacy and cybersecurity practice, told Law360.
"One of the things that you're noticing is a greater amount of information that's out there, greater amount of information that's being disseminated to everybody, all the stakeholders … that allow them to better understand the risks that are out there," Stern said.
The increase in information surrounding cyberinsurance has helped to shift companies' views on cybersecurity and cyberinsurance, Annmarie Giblin, partner in Hinshaw & Culbertson LLP's data management, privacy and cybersecurity practice, told Law360.
"There really was a lot of questioning in years past of, is this a necessary product? Can we just get by on our other policies? And this past year that was answered affirmatively, you need cyberinsurance, and you might need more than you think you need," Giblin said. "That's been a really positive development, especially from my view when I help companies get their cybersecurity programs in place, because it helps to inform the risks and how you can help mitigate it."
Increased Government Attention
Another development that cyberinsurance industry professionals told Law360 they were thankful for was increased government attention to the issue of cybersecurity. Government entities have both helped spread information on cybersecurity and begun developing cybersecurity regulatory schemes, which reflect a recognition of the importance of cybersecurity, Hinshaw's Giblin said.
Giblin raised as an example the Federal Insurance Office's recent call for input on a possible federal cyberinsurance backstop and, more broadly, potential federal insurance response to catastrophic cyberattacks.
"Having the government step up and say, we recognize this as an issue and we're prepared to put something in place just like we did for terrorism coverage, that's a really great development," Giblin said. "It'll help increase capacity and coverage and keep this market for those coverages live."
The federal government is also developing two "major" cybersecurity regulatory schemes, which David Cummings, partner at Reed Smith LLP who represents policyholders, told Law360 he might be thankful for. The first, the Cyber Incident Reporting for Critical Infrastructure Act, would authorize the Cybersecurity and Infrastructure Security Agency to develop a regulatory framework for critical infrastructure companies to report cyberattacks. The second scheme was proposed by the Securities and Exchange Commission; the proposed rules would require public companies to report cyberattacks and other information on their cybersecurity controls to the commission.
Cummings noted that he only "might" be thankful for these regulatory schemes as they have not yet been fully implemented, and therefore their impact in practice remains uncertain.
"As with any new regulatory scheme, there is the potential for onerous — or inadvertent — impacts on the regulated entities," Cummings said.
Regardless, the proposed schemes could potentially increase transparency around cyberattacks, unlock resources for cyberattack victims and create a database "to better arm network defenders and educate potential victims," Cummings said.
Increased transparency and standardized incident reporting that might result from new regulatory schemes could potentially allow insurance companies to more accurately evaluate risks, which might result in more cost-effective and predictable cyberinsurance premiums, Cummings said.
At the state level, Kaufman's Stern highlighted a new requirement by New York state that all attorneys must complete one continuing education credit on data privacy and cybersecurity. The new requirement means that every attorney in the state will have a "baseline" understanding of data privacy and cybersecurity, Stern said.
"New York has really been a leader in terms of getting information out there," Stern said, adding that he hoped other states would follow suit.
Developments on War Exclusions
Cyberinsurance attorneys also told Law360 that they were thankful for developments regarding war exclusions, although opinions diverged among insurer-side and policyholder-side attorneys.
Reed Smith's Cummings told Law360 he was thankful for the decision in January in Merck Co. Inc. et al. v. ACE American Insurance Co. et al. that ACE could not rely on a war exclusion to avoid coverage of over $1.4 billion in losses from a 2017 cyberattack. The decision reaffirmed that coverage for cyberattacks should be read broadly and inclusively, Cummings told Law360.
"It's bedrock insurance law that a policy exclusion must be construed narrowly, according to the insured's reasonable expectations," Cummings said. "Insurers should not be permitted to benefit from a backward-looking expansion of what is necessarily a narrow exclusion."
On the insurer side, Scott Seaman, partner at Hinshaw & Culbertson who represents insurers, told Law360 he was thankful for the war exclusions implemented by Lloyd's of London as well as for exclusions addressing state-sponsored cyberattacks. Lloyd's in August required its insurer groups to exclude coverage of state-backed cyberattacks from all stand-alone cyberinsurance policies by end-March 2023.
"So-called standard war exclusions have not been uniformly applied by courts to bar coverage in the cyber context as the New Jersey trial court opinion in Merck illustrates," Seaman said, adding that he is looking forward to court decisions addressing attribution of attacks to state actors.
--Editing by Bruce Goldman.
Correction: A previous version of this article misstated a characteristic of policy exclusions. The error has been corrected.