Legal Mandates Fuel Cybersecurity Insurance Growth


By Stephen Joyce

Jan. 6 — The rise of state data breach notification laws, as well as federal breach notice and data security obligations affecting some businesses, largely created the demand for cybersecurity insurance, analysts told Bloomberg BNA.


Sales of cybersecurity insurance policies have skyrocketed. The policies essentially offer protection for companies from network security risks associated with data breaches and other cybersecurity and privacy liabilities.

The boom in cybersecurity insurance will likely continue as small- and medium-sized companies seek initial coverage and larger companies seek enhancements to existing coverage, the analysts said.

State Breach Notice Laws

Many companies' first brush with cybersecurity insurance was a coverage extension added to another professional liability or commercial policy; such riders evolved into some of the first stand-alone cybersecurity insurance products in the late 1990s.

The market picked up in the U.S. when state data breach notice laws began entering into force in the early 2000s. Then in 2012, high-profile breaches involving millions of retail consumers and bank customers pushed the issue into the offices of senior managers and corporate board rooms.

California enacted the first-in-the-nation statute in 2002. The law, which took effect in 2003, requires companies possessing or controlling personally identifiable information to notify individuals of a security breach if the personal information was or was presumed to be accessed by an unauthorized person. Companies started to seek insurance coverage for costs associated with breach notice obligations under California law. As other states followed California and enacted breach notice laws—47 states and the District of Columbia have breach notice laws—the desire for cybersecurity insurance coverage also grew.

Federal Obligations

In addition to the state laws, federal breach notice and security requirements, such as those from the Health Insurance Portability and Accountability Act, obligate covered entities to meet certain requirements regarding the use and disclosure of individuals' health information. Noncompliance can result in civil money penalties.

And financial institutions must comply with Gramm-Leach-Bliley Act rules, which in part aim to protect nonpublic personal information of consumers and their customers and former customers by requiring the institutions to describe accurately how they collect, disclose and protect the information. The Federal Trade Commission, other federal regulatory authorities and state insurance authorities enforce the GLB Act.

The Securities and Exchange Commission has also become more invested in the data security efforts of publicly traded companies.

Additionally, merchants and other entities that store or transmit payment card data face obligations under the self-regulatory Payment Card Industry Data Security Standard (PCI DSS) intended to ensure individuals' data are protected at all times during a transaction.

Reputational Harm

An overarching theme regarding cybersecurity insurance buying decisions is the real threat of a catastrophic impairment that could pose an existential threat to even large businesses, analysts said. To a lesser extent, companies are worried about harm to their reputation—especially if they are victimized by a breach event but their competitors aren't, they said.

Another theme, the analysts said, is enhancing resilience and having a cybersecurity insurance provider help design a comprehensive regime of strategic, tactical and everyday practices to harden defenses, engage employees, employ technical attack-prevention tools and be fully prepared if a cybersecurity incident does occur.

Companies also must realize cybersecurity threats aren't going away and they need to confront the threat sooner rather than later.

There is also a push by some companies, particularly retailers, to require that their third-party vendors carry cybersecurity insurance, which in part could in itself boost the cybersecurity insurance market.

And there's this: insurers, because they hold sensitive client information, may themselves be targets of hackers looking to monetize stolen data.

Core, Ancillary Coverage

Generally, carriers now offer core coverage and then a suite of additional products to complement that core, for an additional cost. The core of many carrier products aims to protect against liability losses due to unauthorized privacy disclosures and data breaches.

First-party costs can be covered, including paying for forensics to determine the origins of an intrusion, required customer notifications, legal fees and costs associated with crisis management: public relations, investor relations, call centers to handle customer queries and credit monitoring for affected individuals.

Other services offered include items such as social media liability coverage, defense against lawsuits because of misused data and costs associated with regulatory fines or penalties. Additional coverage may be purchased to cover business interruption expenses, costs to restore or recover data, deal with any attempted extortion of corporate data or data systems and attempt to resolve the compromise of trade secrets or other intellectual property.

Insurance companies beginning to operate more comfortably in the market are now rolling out a more robust suite of ancillary services aimed in part at helping insured companies construct resilient defenses to combat cyber-attacks. Some firms, for instance, might advise customers on how to harden their defenses.

Growth Potential

Future growth in the cybersecurity insurance market will be twofold: large companies already possessing cybersecurity insurance will enhance their coverage with additional complementary services and increase exposure limits while small- and medium-sized firms that don't currently have cybersecurity insurance will buy it.

Indeed, many specialists said they expect small business to play a central role in maintaining the rapid growth of cybersecurity insurance sales in the coming years.

Small businesses read about large company breaches, Robert Hartwig, Insurance Information Institute president, said. “The reality is that they are increasingly going to become targets of opportunity as other larger businesses harden their defenses and smaller businesses become targets,” he said.

“You're seeing a lot of innovation in this area. The insurers are developing products that are suitable for smaller- and medium-sized businesses across the country,” Hartwig said. “The reality is that irrespective of size, irrespective of your corporate structure, you're likely to be vulnerable—well, you are vulnerable,” he said.

According to a recent Standard & Poor's report, “high-profile attacks on household names might give the impression that cybersecurity attacks are mainly a problem for large companies, but small and midsize businesses are also in the firing line. And these companies are often the least secure and most vulnerable, and may not report many attacks. We expect this awareness to lead to increased cybersecurity insurance take-up rates for these smaller companies.”

To contact the reporter on this story: Stephen Joyce in New York at

To contact the editor responsible for this story: Donald G. Aplin at
