Tag Archives: cloud

‘Innovation in Action’ Award Winners

SMA has announced the winners of the 2015 SMA Innovation in Action Awards, recognizing three insurers for truly ground-breaking projects and initiatives with demonstrable real-world impact. In conjunction with the announcement of the winners, SMA published a collection of case studies on all the insurer award submissions this year, showcasing the remarkable innovation taking place in the industry today.

The submissions for the SMA Innovation in Action Award ranged from the introduction of business models to the invention of creative distribution models, along with an array of technology projects that focus on the adoption of maturing and emerging technologies that position insurers to differentiate and win in the industry.

Last year, a chief characteristic of the winners was that they were using maturing technologies like telematics and cloud in unexpected ways to really differentiate their projects and solutions. That pattern shifted among the 2015 winners, who focused on initiatives using several emerging technologies in combination with each other or in combination with maturing technologies. Not long ago, the rate of adoption of emerging technologies that we saw this year would have been unthinkable. Now, insurers are clearly realizing the advantage of implementing emerging technologies in tandem with maturing technologies, as seen in this year’s insurer winners:

Haven Life Insurance Agency

Offers the first solution for purchasing medically underwritten term life insurance online. Haven Life users can calculate their needs, then apply for and start coverage on the Haven Term policy in about 20 minutes. Its sophisticated underwriting algorithms leverage external data sources to render an instant decision on applications. By reinventing the traditional, four- to six-week process of buying life insurance into an entirely online, 20-minute process, Haven Life has successfully streamlined how life insurance policies are sold, underwritten and administered.

The John Hancock Vitality Program

Offers a new approach to life insurance that rewards policyholders for the steps they take to promote their health and wellbeing. The program fosters a revolutionary bond between policyholder and life insurer using interactive emerging technologies like wearables and “gamification.” Activities, including exercise and annual health screenings, can be tracked via a mobile app, a dedicated website or a free Fitbit to earn Vitality Points that determine a member’s status for a broad range of rewards and premium savings.

USAA

Is a pioneer in the use of drones in the insurance industry, particularly in P&C claims following natural disasters. In collaboration with the nonprofit Roboticists Without Borders, USAA deployed drones after the Oso, WA, mudslides in 2014 to provide data and imagery to county officials to assist in rebuilding. USAA was also the first insurer to file a request with the FAA for permission to utilize fixed-wing drones for research and development.

These insurers are springboarding into the future with forward-thinking applications that use a wide range of different technologies to differentiate their offerings, the customer experience and company capabilities. Their winning initiatives demonstrate commendable examples of innovation in action.

How Not to Innovate (and How to): IBM v. Facebook, Amazon

You don’t often see a CEO squash a great quarter with an analyst call script designed to batter his company’s stock price. Yet, that’s what Mark Zuckerberg recently did—to his great credit.

One of the biggest challenges for public companies is to make investors prioritize long-term value over short-term profits. So, rather than running a victory lap after beating Wall Street’s expectations for the third quarter, Zuckerberg laid out a long-term strategy that drove loads of investors away.

To understand why this was a smart move, look at Amazon.com and IBM.

Few CEOs have been more audacious than Amazon CEO Jeff Bezos in managing Wall Street. Bezos told investors 17 years ago, “It’s all about the long term. . . . Our goal is to move quickly to solidify and extend our current position while we begin to pursue the online commerce opportunities in other areas…. We will continue to make investment decisions in light of long-term market leadership considerations rather than short-term profitability considerations or short-term Wall Street reactions.”

Bezos has, ever since, eschewed profitability to invest in—and deliver—innovation and growth in ever-expanding retail categories and adjacent markets, including tablets, phones, original content and cloud services.

In return, Amazon attracted investors who believed in his long-term time horizon, as evidenced by Amazon’s astronomical price-to-earnings-ratio and a market cap that stands at nearly $140 billion. Amazon’s costs have risen to eat up all revenues — but the stock price has rocketed.

At some point, Bezos will have to deliver profits commensurate with Amazon’s scale, but, for now, investors continue to give him wide latitude to invest for the long term.

Contrast Bezos’ approach with that of his counterparts at IBM. In 2006, IBM CEO Sam Palmisano told investors that IBM would focus on earnings per share, ahead of growing IBM’s business. Palmisano’s rationale, as he recently told Harvard Business Review, was that IBM was a “mature business” that needed to respond to the demands of shareholders who “wanted more margin expansion and cash generation than top-line growth.” Palmisano dubbed his plan Roadmap 2010 and committed to increase earnings per share from $6 to $10 by 2010. In return, IBM amassed like-minded investors who drove up IBM’s share price in lockstep with earnings growth. Roadmap 2010 was so successful with investors that Palmisano and his successor, Ginni Rometty, doubled down on it with Roadmap 2015—which called for IBM to deliver $20 per share by 2015.

While investors loved them, Roadmaps 2010 and 2015 took IBM far off course in meeting the needs of its customers and employees. The problem is that while IBM might well be a mature company, it competes in an industry that was far from mature in 2006, and is even less mature today. Rather than accepting old age, IBM needs to be as agile as startups and growth-minded goliaths—like Amazon. But Palmisano and Rometty locked IBM into a set of investors and expectations that left less and less room for agility.

Rather than staying on top of the rapid advances in information technology products and services redefining its industry—and every one of its target markets—IBM management had to focus on financial and business reengineering to increase earnings for its investors, as promised.

One industry insider summed up IBM’s predicament this way: “They are paying the price for moving to services—which was smart—but not investing in the fundamentals to support services, e.g., recruiting, training, staffing, etc. They kept their earnings afloat by financial engineering, such as loading up on debt to fund buybacks.”

IBM paid a high price for not innovating. It suffered declining revenues for the last 10 quarters—to the point where Rometty had to abandon Roadmap 2015.

The superiority of Amazon’s long-term market leadership approach over IBM’s short-term profitability considerations is evident in the two giants’ battle over cloud services.

Who could have imagined in 1997 that one of the next big things in IT services would be cloud services, and that Amazon would be the dominant player in that space? If anyone should have foreseen and owned the cloud, it should have been IBM—given its deep client relationships and long history of running data and networking centers for corporate clients.

Yet, BusinessWeek estimates that Amazon Web Services is one of the fastest-growing software businesses in history:

The growth of Amazon’s cloud business is unprecedented, at least when compared to other business software ventures. It’s grown faster after hitting the $1 billion revenue mark than Microsoft, Oracle, and Salesforce.com. You would need to turn to Google—which had the advantage of the vast consumer market—to find a business that grew faster.

Amazon has also vanquished IBM in head-to-head competition, including for a high-profile 10-year, $600 million contract for cloud services to the CIA.

What’s more, Amazon’s initial success has drawn other deep-pocketed competitors like Google and Microsoft. The resulting price war might have more dire consequences for IBM, which does not have Amazon’s long-term investment flexibility.

So, when Zuckerberg prepared for his recent earnings call, he could have easily crafted a story that short-term investors would have loved. Facebook beat expectations for both top-line revenue and bottom-line profits. It also made great strides in showing that it would dominate in the mobile space—a transition about which many observers (including me) had been skeptical. Facebook’s share price would surely go for a nice ride if Zuckerberg simply focused on monetizing his social network.

Instead, Zuckerberg took a page from Bezos’ playbook and laid out five and 10-year visions with aspirations far beyond the core Facebook network. He told investors that he would build a series of other billion-user products—before starting to monetize them. What’s more, he said that Facebook would build the next major computing platform, which he believes will revolve around augmented reality. And he made it clear that this vision required significant investment and that, like Bezos, he would prioritize long-term market leadership over short-term profitability: “We’re going to prepare for the future by investing aggressively.”

The subsequent drop in share price meant that a lot of investors got the message, and left.

Zuckerberg still needs to deliver on his long-term strategy. But he left little doubt about his intentions and made sure that his investors were working on the same assumptions. That’s smart.

3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language theoretically sounds imposing but essentially does nothing to protect sensitive data from any nefarious actors who view it (though they may get a good chuckle before reading the email).

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, it goes through a powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. The email passes through any number of servers along the way, like a flat stone skipping across a pond. If that email isn’t encrypted, anyone with access to any one of those servers can read it.

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetric encryption) or a different key (asymmetric encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now, there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Snowden’s revelations came to light, federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist but was overwhelmed in federal court. As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act. Moreover, emails remaining on a third-party server for more than 180 days are considered abandoned. Any American law enforcement agency can gain access to them with a simple subpoena.

Accordingly, if you choose to use a service based in the U.S. or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communication and files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask: DropBox and Google Drive would not be suitable options. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party would have a link back to the secure Web portal’s log-in page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.
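To make the technology basics above concrete (a symmetric key versus an asymmetric key pair, and end-to-end encryption that stays unreadable at every server the message skips across), here is an added example in Go. It is not code from the original post or from any of the services the post mentions. It assumes a hybrid design: a random AES-256-GCM key (the symmetric step) encrypts the message body, and the recipient’s RSA-OAEP public key (the asymmetric step) wraps only that small key, so nothing on the path can recover either. The function names (Seal, Open, RelayCanRead, TamperInTransit) and the relay model are the example’s own; the sample message used with it is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// Envelope is all a relaying mail server ever sees: ciphertext plus a public nonce.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, encrypted to the recipient's RSA public key (asymmetric)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // message body under the AES key (symmetric), GCM tag appended
}

// GenerateRecipientKey makes the recipient's key pair. Senders get the public
// half; the private half stays on the recipient's own device (who controls the key).
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device. The body is encrypted with a random symmetric
// key (fast, any size); the asymmetric key protects only that small key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs only on the recipient's device: unwrap the symmetric key with the private
// key, then decrypt and authenticate the body. Any change in transit fails here.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message failed authentication: altered in transit")
	}
	return plaintext, nil
}

// RelayCanRead models one server on the path (the stone skipping across the pond):
// it holds the envelope but no private key, and reports whether the plaintext is visible.
func RelayCanRead(env *Envelope, plaintext []byte) bool {
	for _, field := range [][]byte{env.WrappedKey, env.Nonce, env.Ciphertext} {
		if bytes.Contains(field, plaintext) {
			return true
		}
	}
	return false
}

// TamperInTransit models a relay that flips one bit of the body; the original is untouched.
func TamperInTransit(env *Envelope) *Envelope {
	altered := *env
	altered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	altered.Ciphertext[0] ^= 0x01
	return &altered
}
```

Run as a round trip: generate the recipient’s key, Seal a message to its public half, hand the envelope to a relay, and Open it with the private half. The relay finds no plaintext in anything it stores, a bit flipped in transit is rejected rather than decrypted into a subtly different message, and a different private key cannot unwrap the key at all. That last point is the one the post makes about providers that hold the keys: whoever holds priv can read the mail, so the private key has to live only on the recipient’s device.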

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect yourself? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible. Devices should be protected against possible data loss if they are lost or stolen. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.

The Need for Speed: It Just Keeps Intensifying

At the recent meeting of the Insurance Accounting & Systems Association, President Bill Clinton said in his keynote speech, “Share the future or fight over it.”

As an industry, we have a history of collaborating, which has benefited all of us, but we need to raise the bar to succeed in this fast-changing world. Other industries and businesses are changing all around us and seeking to encroach on and challenge insurance. So we must embrace open innovation, collaboration, crowdsourcing and ideation with new standards and at higher levels within companies, within the industry and even between industries.

The topics of innovation, change, and emerging technologies were the focus of this year’s IASA “Around the Horn” industry analyst panel. I had the pleasure of representing SMA, and as I prepared for the panel session I found myself taking a step back. I realized that when leveraging the vast base of SMA research and insights and blending that with the broader strategic business implications for the industry, a powerful story emerged. A wave of disruption and innovation has hit our industry with an intensity that we didn’t quite expect.

In the spirit of sharing, for those who did not attend, here is a summary of my rapid-fire responses to the panel questions to help inspire you, challenge you and get you to embrace collaboration as an industry to help you quickly define your future:

–Innovation is happening all around us. We are at the forefront of what is probably the greatest disruption in history: the digital revolution. And it is affecting every industry. This revolution is fueled by the breadth and depth of the new technologies that are changing customer engagement, transforming products and services, redefining business and revenue models, breaking down barriers to new entrants and more – look at the Apple iPhone, introduced 7 years ago, and the resulting destruction and construction of industries and businesses. Today, the bar is set at a new high. Operational excellence is an absolute. Innovation is necessary for future success. And the Next-Gen Insurer is being defined and shaped.

–Insurers must have a strong culture that combines the power of open innovation with an ecosystem that empowers collaboration. If we don’t define our own future as an industry, other industries may try to step in and define it for us.

–We must focus on the constantly connected customer. We all must recognize that, in this digital revolution, the customer is in control and is defining the channels that he or she wants to use – from purchasing through service. As insurers seek to become digital insurers, they must have unified digital strategies that create seamless, consistent and connected customer experiences in an omni-channel environment. Think like Google, Zappos, Apple, Nike, AT&T and others that are the new digital leaders.

–Product development and configuration are key differentiation levers. These capabilities are shaping today’s competitive landscape, with speed to market of paramount importance. The pressure to stay current, deliver new offerings and price accurately is driving many insurers to seek innovative solutions. The average new product implementation timeline is nearly 7.5 months. Less than 2% of insurers can implement in less than 30 days. But some innovative companies have found a way to implement in less than 5 days! Another emerging capability of even greater importance is the enabling of product co-creation – customers can help to configure their own products according to their wants and needs.

–Usage based insurance (UBI) is not just about product; it’s a whole new business model. UBI moves the focus from risk assessment to risk prevention. And its application is much larger than auto insurance. It is about the connected car, the connected home and the connected life. UBI is the precursor of a broader impact of sensors and the Internet of Things that will allow us to connect the dots between data for new customer products, services, outcomes and experiences – providing a real-time view of risk.

–Data is the new currency in the digital world. Data has always been seen as the lifeblood of the industry, but its strategic value is now at the forefront. And big data, business intelligence and analytics continue to take the insurance industry by storm. What is holding insurers back is the lack of a data management strategy and a deficient level of data mastery. Both strategy and mastery will be needed to unlock the full business value of data, whether transactional, unstructured, internal or external.

–Social media is a subset of digital data. Customers are sharing information about all aspects of their lives – social, pictures, online discussions, GPS, sensors, mobile technologies and more – and all this data is in the cloud. People are able to search their recorded memories and use new tools that can influence and shape their lives like never before. New companies are creating digital lockers for data that can be stored and managed by customers to be used in innovative ways. When new solutions like these form around customer logging activities, the question from customers will be: “Is the value of what I’m revealing worth the services I’m receiving in return?” The key issue will be the customers’ control of their data.

–Digitalization is happening and is dramatically destructive. A foundational change is taking place in the way all businesses are approaching value creation. In today’s hyper-connected world, companies are moving from managing value chains to managing ecosystems to power their businesses. The ubiquitous connectivity of people via the Internet and emerging technologies is disrupting traditional business assumptions about how to engage customers, the products and services offered and, ultimately, business and revenue models. Just look at these transformations: from the Yellow Pages to Yelp, from hailing a cab to Uber or Lyft, from booking a hotel to Airbnb, and from police officers directing traffic to traffic managed with crowdsourced data from Waze. All of these represent the disruption happening all around insurance and point to the imminent disruption that will transpire within insurance.

–Mobile is much broader than the phone and tablet. It includes smartphones, MP3 players, e-readers, in-dash car electronics, cameras, portable consoles, home entertainment, appliances and any device or sensor that connects to the internet to share data. And there is now a continuing evolution of mobile apps from multi-purpose websites or portals to single-purpose apps. This will compel companies to design apps as a service layer within an enterprise technical architecture that will enable seamless integration and connectivity between apps – critically important with the Internet of Things.

–Cloud is increasingly mainstream because that is where the data is moving. Two years ago, it was an option in core system RFPs, whereas today it is increasingly a preferred choice. The future will be the Cloud of Things, a world of distributed data, devices, technology, intelligence, computing, etc. that is highly connected and will enable the creation of products and services.

–The issue is “customer empowerment,” not “customer-centricity.” Customer-centricity is a 1990s/early 2000s term and is only a subset of customer empowerment. We used to shape the customer experience; now it is shaped for us by the rest of the world. Customer empowerment defines new engagement models. As customers gain market power, they are increasingly comfortable with technology, have a stronger voice and use it to demand collaboration. Insurers must view all technology as touching customers, because it influences the customer experience, both directly and indirectly, ultimately shaping and defining the customer relationship.

–As an industry, we are seeing challenges to our long-held assumptions and business models coming at us every day. Technology is now super-connected, creating new experiences, new products and services, new outcomes and new business and revenue models that were not possible a few years ago. Just as the iPhone provided a platform of possibilities, core systems – integrated with an array of new technologies like mobile, social, Internet of Things, cloud, big data, analytics, driverless vehicles, biotechnology and much more – have the potential to transform our industry … and to do it on our own terms.

So be inspired. Be creative. Be collaborative. Be bold. Let’s create and share the future together!

How to Purchase Cyber Insurance

Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy and other risks. But selecting and negotiating the right insurance product can present a significant challenge, given, among other things, the lack of standardized policy language and the fact that many “off the shelf” policies do not adequately match the organization’s risk profile. The following five tips will help to facilitate a successful cyber policy placement.

#1. Get a Grasp on Risk Profile and Tolerance

A successful cyber placement is facilitated by having a thorough understanding of an organization’s risk profile, including the scope and type of personally identifiable information and confidential corporate data maintained by the company and the manner in which (and by whom) such data is used, transmitted and stored. A complete understanding of the risk profile also entails evaluation of the organization’s IT infrastructure and practices and assessment of potential threats to the organization’s (and its vendors’) network security. An organization should also consider the pervasiveness and manner of use of unencrypted mobile and other portable devices. There are many other factors that may warrant consideration. An organization should also assess its potential exposure in the event of a data breach or network security incident. When an organization has a grasp on its risk profile, potential exposure and risk tolerance, it is well-positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

#2. Look at Existing Coverage

The California federal district court’s recent decision in Hartford Casualty Insurance Company v. Corcino & Associates et al. 1 — upholding coverage under a commercial general liability (CGL) policy for a data breach that compromised the confidential medical records of nearly 20,000 patients — underscores that there may be valuable privacy and data breach coverage under “traditional” insurance policies, including under the “Personal And Advertising Injury Liability” (Coverage B) of a typical CGL policy. There may also be valuable coverage for data breach and network security liability and network security failures under an organization’s commercial property, D&O, E&O, professional liability, fiduciary, crime and other coverages.

#3. Purchase Cyber Insurance As Needed

As recently described in Law360, 2 in response to decisions upholding coverage for data breach, privacy, network security and other cyber risks, the insurance industry has added various limitations and exclusions purporting to cut off the “traditional” lines of coverage. By way of example, Insurance Services Office, Inc. (ISO) 3 recently filed a number of data breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information. 4

Although the full reach of the new exclusions ultimately will be determined by judicial review, and it may take some time for the new (or similar) exclusions to make their way into CGL policies, the exclusions provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of privacy coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises confidential personally identifiable information. By way of example, the AIG Specialty Risk Protector® specimen policy 5 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” 6 “Privacy Event” includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.7

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

A policy offering privacy coverage will often also cover civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation” coverage (sometimes termed “crisis management” or “notification” coverage) for the costs that follow a security breach, including:

  • costs associated with post-data breach notification
  • credit monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem. 

The sublimits typically associated with remediation coverage warrant careful attention. Cyber insurance policies often offer other types of coverages, including:

  • network security coverage (often in the same coverage grant as the “privacy” coverage discussed above), which generally covers liability arising out of security threats to networks, including, for example, transmission of malicious code and DDoS attacks;
  • media liability coverage, which generally covers liability arising out of, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content;
  • information asset coverage, which generally covers an insured for the cost of recreating, restoring or repairing the insured’s own data or computer systems;
  • network interruption coverage, which generally covers an insured for its lost revenue due to network interruption or disruptions resulting from a DDoS attack, malicious code or other security threats to networks; and
  • extortion coverage, which generally covers an insured for the costs of responding to “e-extortion” threats to prevent a threatened cyber attack.

In addition to the main coverages, insurers increasingly offer complimentary pre- and post-loss risk management services, which can be valuable in preventing as well as mitigating attacks.

#4. Spotlight the “Cloud”

Cyber risk is intensified by the trend of outsourcing data handling, processing and storage to third-party vendors, including “cloud” providers. The Ponemon Institute’s 2011 Cost of Data Breach Study, published in March 2012, found that more than 41% of U.S. data breaches are caused by third-party errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” 8 Many “off the shelf” cyber policies, however, purport to limit the scope of coverage to the insured’s own acts and omissions (not the acts and omissions of third parties) and to network security threats to the insured’s own network or computer system, not the networks or computer systems of third parties. For an organization whose data and infrastructure largely sit with vendors, this may result in illusory coverage. As recently described in Law360, 9 the high-profile attack on the New York Times homepage, during which users who tried to access www.nytimes.com were redirected to a website apparently maintained by a group called the Syrian Electronic Army, may not be covered under many “off the shelf” policies: the attackers altered the Times’ DNS records at a third-party domain name registrar, so the attack was on the registrar’s system rather than on the New York Times “system” as defined in many policies.

#5. Remember the Cyber Misnomer

Keep in mind that many data breaches are not electronic at all. Data privacy laws do not distinguish between a breach resulting from a network security failure and a breach resulting from paper records stolen from a closet, and neither should a cyber insurance policy. A solid policy will cover non-electronic data, such as paper records. 10 Likewise, a policy should also cover breaches of electronic data that result from physical loss, for example the theft of a laptop or the loss of a USB drive. Note that many breach notification statutes, including the California provision cited in the policy definition quoted in note 7 (Cal. Civ. Code §1798.82), reach unencrypted personal information; whether a lost device was encrypted can therefore determine whether a notice obligation arises at all, and should be documented as part of the incident record.

There are many other considerations and points to focus on. There is a dizzying array of cyber products on the market, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer and even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel, IT and compliance personnel, and experienced insurance coverage counsel.

This article first appeared in FC&S Legal, The National Underwriter Company on October 17, 2013.

1 No. CV 13-3728 GAF (JCx), Minutes (In Chambers) Order Re: Motion To Dismiss (Oct. 7, 2013). The two underlying class action lawsuits alleged that Stanford Hospital and Clinics and the insured, medical consulting firm Corcino & Associates, violated the privacy rights of numerous patients by providing confidential personally identifiable medical information to an individual who posted the information on a public website. In particular, the claimants alleged that “the private, confidential, and sensitive medical and/or psychiatric information of almost 20,000 patients of Stanford’s Emergency Department appeared on a public website and remained publicly available online for almost one full year.” Id. at 2 (quoting the Second Amended Class Action Complaint in Springer, et al. v. Stanford Hosp. and Clinics, et al., No. BC470S22 (Cal. Super. Ct., filed May 12, 2012)). The underlying complaints contained causes of action for violations of the claimants’ constitutional right of privacy, common law privacy rights, the California Confidentiality of Medical Information Act (CMIA) and the California Lanterman Petris Short (LPS) Act. The suits sought, among other things, statutory damages of $1000 per person under CMIA and statutory damages of up to $10,000 per person under LPS.

2 See Roberta D. Anderson, ISO's Newly-Filed Data Breach Exclusions Provide Yet Another Reason To Consider “Cyber” Insurance, Law360 (Sept. 23, 2013).

3 ISO is an insurance industry organization whose role is to develop standard insurance policy forms and to have those forms approved by state insurance commissioners.

4 CG 21 07 05 14 (2013). “Electronic data” is defined as “information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.” Id.

5 See AIG Specialty Risk Protector® Specimen Policy Form 101014 (11/09), Security and Privacy Coverage Section.

6 Id. Section 1.

7 Id. Section 2.(d). “Security Breach Notice Law” includes “any statute or regulation that requires an entity storing Confidential Information on its Computer System, or any entity that has provided Confidential Information to an Information Holder, to provide notice of any actual or potential unauthorized access by others to Confidential Information stored on such Computer System, including but not limited to, the statute known as California SB 1386 (§1798.82, et. al. of the California Civil Code).” Id. Section 2.(m).

8 2011 Global Cost Of Data Breach Study, Ponemon Institute LLC, at 6 (Mar. 2012).

9 See Lon Berk, Takeaways From Recent Cyberattack On New York Times, Law360 (Sept. 17, 2013).

10 See Richard S. Betterley, The Betterley Report, Cyber/Privacy Insurance Market Survey, at 18 (June 2013).