Advisen Conference Highlights Emerging Cyber Risks and Growth of Cyber Insurance Market


On October 24, 2012, Advisen, a provider of market research, analytics, and news services for the insurance industry, hosted the Cyber Liability Insights Conference in New York City. This full-day conference, which was held at the Bridgewaters facility at the South Street Seaport in Manhattan, boasted more than 30 different speakers and was attended by nearly 500 commercial insurance professionals, including corporate risk managers, insurers (underwriters, claims professionals, etc.), brokers, consultants, and attorneys.

The morning keynote speaker, Jeff Bardin, Chief Intelligence Officer of Treadstone 71 (a cyber security and intelligence company), kicked off the conference by discussing the importance of data security risk assessments and how a company's failure to maintain adequate security measures can lead to financial and reputational losses. He stressed that data breaches and cybercrime happen every day, noting that cyber criminals are finding their way into organizations through social engineering (manipulating/exploiting individuals to gain access to systems/data) and cyber espionage (using hacking techniques and malicious software to spy on others).

In response to these emerging risks, the cyber liability insurance market is growing quickly. In fact, David Bradford, President of the Research & Editorial Group of Advisen, explained that annual written premiums for cyber insurance are currently estimated to be $875 million annually, with an ultimate future market potential of $4 billion. Other reports have estimated the annual gross written premium to be in the $1 billion range.

In a panel discussing the risk manager's perspective on cyber risk management and insurance, David Conca, Director of Risk Management and Insurance of Time Warner Inc., explained that every business is at risk of a data breach and that, while information technology departments often want to guard data security systems, cyber security needs to be a C-suite issue. He also emphasized the importance of education about this growing liability, and the importance of maintaining adequate insurance coverage. As a telling example of the these risks, the panel added that a massive data breach affecting 63 Barnes & Noble stores across the country was widely reported in the news the morning of the conference.

A panel of experts addressing how to handle data breaches noted that U.S. Secretary of Defense Leon Panetta recently warned that the U.S. is in danger of experiencing a "cyber Pearl Harbor," a cyber attack that could cause physical destruction and the loss of life. Craig Hoffman, a Partner in Baker Hostetler's Cincinnati office, stressed the importance of involving legal counsel soon after a data breach to ensure that deadlines under state breach notification laws are met. Companies failing to do so often make mistakes, including notifying too many individuals, notifying too few individuals, or notifying too quickly before the breach has been properly remediated, he suggested. Robert Jones, Global Head of Financial Lines at Chartis, added that the Massachusetts data privacy regulations are among the most difficult and challenging regulations to comply with in the country.

In a panel discussing the insurance broker's perspective on cyber insurance, Chris Keegan, Senior Vice President at Willis, explained that the cyber insurance market has been growing consistently over the past few years and that insurance agents have recently seen a dramatic spike in demand. Meredith Schnur, President of the Professional Risk Group at Wells Fargo, added that third-party liability coverage (e.g., class action coverage, notification coverage) has been the primary driver in the cyber insurance market. Chandra Metzler, President of U.S. & Canada Financial Lines of Chartis, also emphasized the rapid growth in the cyber liability insurance market during the midday keynote, noting that the market has reached an "important tipping point." As an indication of where the market is headed, she pointed out that attendance at the conference itself nearly doubled from the previous year.

During a panel discussing data security regulatory risks, Richard Bortnick, a Partner at Cozen O'Connor, explained that Congress is currently "gridlocked" on cyber security legislation, with most Democrats in favor of such legislation and most Republicans against it. He noted, however, there may be a presidential Executive Order on cyber security in the near future. This order would create a voluntary program in which companies operating key infrastructure would elect to meet a set of security standards. He also added that the Federal Trade Commission has been very active in the enforcement of privacy violations and that this will continue in the future.

Oliver Brew, Vice President of Technology & Privacy Liability at Liberty International Underwriters, discussed recent developments in data privacy and breach notification laws, including recent amendments to the data privacy laws of Connecticut, Texas, and Vermont. He also noted the broadened scope of the HIPAA Privacy Rules under the HITECH Act, which has been actively enforced by the Civil Rights Division of the U.S. Department of Health and Human Services. He emphasized that it is challenging for businesses to navigate these waters, given the complex state, federal, and international laws with which they must comply.

Ben Beeson, Partner and Head of Global Technology and Privacy Practice at Lockton, discussed the proposed European Data Protection Regulation, which is intended to strengthen privacy rights in the European Union. Some of the more important aspects of the proposed regulation include a penalty of up to 2% of a company's global turnover for violations, "the right to be forgotten" (i.e., the right to have one's personal information permanently removed), a requirement to establish a privacy officer for companies with more than 250 employees, and notification to data protection authorities of breaches as soon as possible (if feasible, within 24 hours). Mark Schreiber, a Partner at Edwards Wildman Palmer, added that dealing with an international data breach is very difficult, and involving foreign data protection lawyers is recommended, since understanding the foreign laws can be challenging.

For more information on compliance with data privacy laws, protecting your business from the threat of a data breach, or cyber liability insurance, please contact David Governo ([email protected]) or Corey Dennis ([email protected]).