Beware the data breach bear trap
Over the course of 2018, we have seen numerous pieces of data breach legislation come into force. However, while all this legislation is undoubtedly important in its own right, brokers and their clients shouldn’t see cyber insurance exclusively through this lens.
Back in February, the Australian government enacted the Notifiable Data Breaches Act. In May, we saw the introduction of the EU’s General Data Protection Regulation (GDPR). In June, Alabama’s Data Breach Notification Act of 2018 came into force, meaning that all 50 states in the US now have data breach notification laws in place. And November will see the Canadian government bring in notification and record-keeping requirements as part of the Digital Privacy Act.
With all of these laws coming in to force, it’s understandable that brokers have given a lot of attention to their clients’ data breach and privacy exposures. However, while all this legislation is undoubtedly important in its own right, brokers and their clients shouldn’t see cyber insurance exclusively through this lens.
There are a couple of reasons for this. For a start, many businesses do not collect or deal with consumer data, so the argument that this legislation affects them and that they should buy cyber insurance to mitigate this risk is not one that will resonate. It’s important to stress that cyber insurance is not just about covering the losses associated with a data breach. It’s much broader than that and provides cover for a whole host of cyber related risks, ranging from theft of funds and cyber extortion to system damage and business interruption. In fact, almost a third of CFC’s cyber claims are a result of the theft of funds, which is a significant risk for almost any business, regardless of how much data they hold.
Secondly, for those organisations that do collect or deal with consumer data and are purchasing cyber insurance as part of their risk management strategy, there is a danger of focusing on data breaches to the exclusion of everything else. Unfortunately, we’ve seen a number of organisations purchase their policy limits based on the estimated cost of a data breach to their business (going off the number of records that they hold), and this can leave them woefully underinsured when other, non-privacy related events occur. For example, we recently dealt with a claim where a hospital fell victim to a destructive malware attack on their systems and incurred $7.1 million in system damage and business interruption costs, but they had only purchased a $5 million limit because they had primarily focused on the impact of a data breach on their business. You can read more about this case here.
The key message, then, is that brokers should look at the whole range of cyber risks that their clients may face when they are considering or purchasing cyber insurance, rather than focusing narrowly on data breaches.