Cyber risk is one of those rare exposures that affects every company and potentially impacts every insurer. The insurance industry is affected by this ubiquitous risk both as entities with their own cyber risk exposures, and as insurers and reinsurers of the exposures of others.
Accompanying rapid and pervasive developments in technology has been a concomitant increase in exposure to a growing range of risks and liabilities. Insurance, using the developing array of products focused on cyber risks, can be part of the solution, but insurers in all lines need to be aware of the range of exposures that cyber risks present. Insurers in all lines are increasingly faced with requests for coverage under policies, some intended and some not intended, to address these risks.
Every company, regardless of size or industry, is now dependent upon the collection and usage of information in electronic form. Similarly, the rapid proliferation of products and business functions that are operated or interconnected through the Internet, from smart cards to smart cars, and from vendor operated air-conditioning to entire operating systems, is nearly unavoidable for any business. The increasing dependency of businesses and their products and services upon connections to the Internet often seems to be as much a vulnerability, permitting unauthorized access to information and operations, as it is an opportunity for business efficiency and innovation. The resulting risks range from: the proliferation of hacking attacks directed at theft of personal information of individuals or confidential business information for financial gain that are often aided by disgruntled employees; to accidental loss of information by employees who seem to regularly lose laptops and other mobile devices on which company information is stored or accessible; to denial of service attacks or disruption of operations from government-sponsored entities or competitors; to the costs of mitigating risks and implementing compliance measures to address the expanding array of legal requirements for privacy, data security, and breach response worldwide. Businesses subjected to this continually changing and evolving threat landscape include: global financial institutions, local retailers, regional utilities, airlines, telecommunication companies, professional advisors, small vendors, healthcare providers, major manufacturers, government agencies, educational institutions, insurers and their agents — any business of any size, from small local enterprises to those whose operations are part of the critical infrastructure of countries.
The growth in cyber risks and liabilities also arises from the developing body of government regulation that establishes parameters around the permissible collection, usage, storage, and transmission of information about individuals both in the U.S. and globally and often also imposes cyber security obligations on regulated businesses. New cyber exposures continue to develop as regulation expands to business practices involving the collection and usage of information in electronic form and the disclosure of such business practices, and as regulators at both federal and state levels become increasingly concerned about the cyber security of the vast array of companies considered to be part of critical infrastructure. Companies are now often faced with regulation of their cyber security, incident response, and business practices of collection and usage of consumer information by state and federal agencies with regulatory oversight of their industry, and an expanding network of state and federal legislation, with U.S. national uniform legislation continuing to be proposed in various forms, but not yet adopted. Regulators and litigators are increasingly examining not only what a company does with regard to cyber security and response to cyber attacks, but also what it says that it does, with recent litigation often focusing on issues of alleged misrepresentations by companies as to their business practices in collecting and sharing information about customers and in their cyber security. Moreover, the increasingly multi-national operations and customer bases of even relatively small revenue companies often raise issues of compliance with other countries’ regulatory requirements for security, notice, and cross-border transmission of personal information.
For the full article, refer to page 6 in the Fall 2015 issue. https://www.airroc.org/assets/docs/matters/airroc%20matters%20fall%202015%20vol%2011%20no.%203.pdf