The number of ransomware attacks declined substantially in 2022, leading to a 40% decrease in the payments from victims. Whether a short-term trend or indicative of a permanent change in cybercrime activity, fewer attacks and better-prepared organizations have shifted the focus in cyber insurance.
While ransomware claims may be in a lull, cyber insurers are finding themselves busy with a new wave of cyber claims stemming from class action lawsuits and enforcement actions due to data privacy violations. Data privacy was once seen as a low-risk cyber coverage grant; cyber underwriters and claims teams are now scrambling to revise their policy language (and rates) to address the growing data privacy risks in their books.
Over the past six months, there has been a wave of data privacy lawsuits and enforcement actions on several fronts hitting cyber insurers’ policies:
Hospitals inadvertently share patient data with Facebook via the “Meta Pixel.” Examples include Dignity Health and UCSF in California and Advocate Aurora Health in Illinois.
Retailers collect and share consumer data via online session replay tools. Examples include Zillow, Lowe’s and Expedia, sued in September.
Financial services providers are sharing data with the Meta Pixel on tax preparation websites.
Online news, sports and quick-serve restaurants share customers’ online video-watching behavior with social media networks. Examples include the recent Chick-Fil-A lawsuit (January 2023), as well as CNN and NBA lawsuits in 2022.
Why Are Cyber Underwriters On Alert?
Beyond the significant legal expenses related to the allegations and regulatory fines levied by state AGs, in some instances the privacy violations have escalated to reportable HIPAA breaches, which bring additional notification and remediation costs. For example, BayCare Clinic in Wisconsin recently informed the U.S. Department of Health and Human Services about a breach involving 134,000 of its patients who had been affected by online tracking technology. BayCare said the trackers potentially sent patient information to third parties, including the dates, times and locations of scheduled appointments; the type of appointment or procedure; patients' proximity to a practice location; and their insurance information.
Similarly, in 2022, the Advocate Aurora Health online privacy violation led to a reported breach of 3 million patients’ personal data. The health system of over 500 healthcare facilities in Illinois and Wisconsin reported itself to the Department of Health and Human Services on Oct. 14, saying the breach involved unauthorized access or disclosure.
Beyond healthcare, insurers are also seeing claims activity among media networks, retailers and financial institutions, as allegations of violations of the Video Privacy Protection Act and state wiretapping laws are growing nationwide.
In light of these growing claims, some cyber underwriters are adding exclusions for coverage. Others, eager to build their customer relationships, are looking for opportunities to underwrite with greater intelligence about these privacy risks.
As With Ransomware Response in 2015, a Privacy Economy Is Growing Today
Insurers, attorneys, regulators, tech service providers, forensic firms, PR agencies and consultants rallied as the cybercrime wave grew over the past 10 years. Insurtech innovation was also fueled by the growing cyber threats.
Today, we see similar activity in the data privacy ecosystem. Federal regulators and state legislatures are implementing new laws, stimulating the plaintiffs' bar to pursue class action lawsuits. This, in turn, drives insurers to create coverage for these new risks that their policyholders will face. Subsequently, tech innovators are creating tools to help provide intelligence to insurers during underwriting, while also creating better software for companies to not only comply with the new laws but also mitigate the risk on their end. All the while, everyone in the "privacy economy" is seeking to learn more about the risks and how to protect themselves.
Building Greater Privacy Risk Intelligence
With each new data privacy lawsuit and regulatory enforcement, cyber insurance underwriters are going to develop new language for their cyber policies to help protect their policyholders (and their loss ratios). Insurers, having learned from the ransomware and cybercrime waves of the past, are building intelligent underwriting tools that can help them assess privacy risk prior to issuing coverage and, likely, will be adding new tools to help their clients mitigate risks, as well.
Cyber threats and cyber insurance are in constant evolution. What started as "data protection" for a business's network security issues evolved to cover HIPAA regulatory risk, then quickly evolved to cover broader customer data breaches, and then evolved to cover cybercrime and business interruption. Behind the rapid growth of cyber insurance has also been a wave of federal and state government regulations pushing companies to take responsibility for cybersecurity and pushing insurers to provide a backstop. Today, the new wave is focused on driving corporate responsibility for online privacy.
The Online Privacy Revolution
In 2023, the regulatory environment is heating up again with new laws (GDPR, CCPA, FTC enforcement actions, OCR guidance and four other newly enacted state laws) around protecting customer data and online privacy. This is driving insurers to consider how to best provide cover for insureds while also mitigating risks. Perhaps this year will be seen as the start of an online privacy regulatory revolution. Not only is the regulatory environment ripe, but consumers are also more aware due to constant spam, scams, tax fraud, cyberbullying and identity theft.
Already in five states (California, Colorado, Connecticut, Utah and Virginia), new data privacy legislation has been enacted. Huge fines have been levied against Google and Facebook in Europe for privacy violations. And you can’t watch a major sporting event on TV without at least a few ads promoting data privacy as a key reason to buy a phone, insurance, credit card or broadband subscription.
The insurance industry has been instrumental in shaping how companies around the world adopt new technologies and practices to fight ransomware and cybercrime. It’s time now for the industry to take up the cause for online privacy and help companies evolve how they safeguard their customers’ personal data.