An increase in data breach litigation and skyrocketing costs from ransomware attacks and other cybercrimes are making it harder and more expensive for businesses to purchase insurance policies that help them cover financial losses.
The changing insurance market and disagreements over policy exclusions are also causing legal uncertainty, leaving companies and policy providers fighting in court over who is responsible for paying what, lawyers say.
“Too often there is a disconnect between what companies think a policy can cover and what is actually covered,” said Michael Phillips, claims director at Resilience, which provides cyber insurance policies and integrated cybersecurity solutions.
Many businesses turn to insurance to protect against losses. But smaller entities might not even know such coverage exists or face difficulty acquiring it, said Iliana Peters, attorney at Polsinelli PC in Washington, DC.
“Cover isn’t as easy to get as it used to be,” Peters said. “Before offering or renewing a policy, insurers demand a lot more from companies.”
An April report from Fitch Ratings found that “online statutory direct written premiums” increased 74% in 2021 to nearly $5 billion. According to the report, the P&C insurance industry as a whole grew by 9% over the same period.
This increase is due to “increased policyholder risk” and greater demand for coverage, the report notes.
Rising “loss costs” and litigation from cyberattacks are among the reasons prices are rising, said Gerry Glombicki, senior director of insurance at Fitch Ratings.
“Cyber insurance represents less than one percent of the overall market,” Glombicki said. “But it’s growing at a much faster rate than other types of insurance.”
Renewal premium rates in the space have been increasing every quarter since 2019, he added.
In addition to raising prices, policy providers also require companies to meet certain security standards.
“Insurers can now require companies to broadly apply multi-factor authentication, endpoint detection, multiple backups and disaster recovery plans,” said David Derigiotis, senior vice president at Burns & Wilcox, wholesale insurance broker and head of underwriting.
Disagreements over insurance coverage have led some companies to sue their policy providers, asking the courts to force them to cover the costs of repairing a hack or defending a related lawsuit. Similarly, insurers have taken legal action to exonerate themselves from liability.
Court decisions have focused on policy types and policy language, as well as exclusions.
In one case, the United States Court of Appeals for the Ninth Circuit ruled against the Pennsylvania state insurance company, which argued that it did not have to defend Landry Inc., a restaurant and casino conglomerate, in data breach litigation.
The Ninth Circuit found that the insurer had a duty to defend Landry because the payment processor that sued it was seeking damages arising from the “oral or written publication” of material that invaded someone’s privacy.
This overturned the district court’s decision that the data breach was not “personal and publicity harm,” as defined in the insurance policy, and that the damages in question were not “damages to privacy.”
There’s often a misunderstanding among buyers, who may think a general liability insurance policy covers something like a biometric privacy dispute, Phillips said.
Even some cyber insurance policies only cover costs arising from a cyberattack or data breach, Phillips said. An Illinois Biometric Information Privacy Act lawsuit focused on a company’s failure to obtain consent before collecting fingerprints, for example, would not be included in this definition because it is unrelated to an attack or breach of security.
The erroneous collection of biometrics or their incorrect storage can result in costly litigation, but such lawsuits are generally not covered by general liability insurance policies and cyber policies focused on cybersecurity, Phillips said.
Courts in Illinois have grappled with this type of issue in recent months, siding with policy providers and companies based on the specific terms of their insurance contracts.
Securing a good broker who knows your business priorities and needs is key to getting in touch with the right insurer, Peters said.
But companies also need to recognize that securing coverage isn’t a one-size-fits-all approach, said Kamran Salour, partner at Troutman Pepper Hamilton Sanders LLP in Irvine, California.
“Some cyber policies, based on premiums and coverage, might not make the most sense for a business,” Salour said. “From a franchise perspective, you want something that works, and you want to make sure you’re working with a carrier that you know and trust and have a good relationship with.”
In some cases, the deductibles are low, but so is the coverage. Finding that “sweet spot” is critical for companies looking to maximize coverage and minimize expense, Salour said.
Companies need to watch policy language closely because insurers will often put exclusions for BIPA in employment practices insurance policies, Derigiotis said.
“At this point, given the number of lawsuits, companies need to take a closer look at potential biometric privacy risks and insurance policies that could protect them from associated costs,” Derigiotis said.