Sector Under Siege
The Target data breach of 2013, in which hackers accessed 40 million credit and debit card accounts and the personal data of up to 70 million people, will likely go down as the event that piqued public awareness of just how vulnerable their personal information is in the hands of retail organizations.
Legislation addressing how companies handle personal data goes back decades — the Song-Beverly Credit Card Act of 1971 (a California statute), for example, was amended in 1990 specifically to address the misuse of personal information by retailers for marketing purposes. Since then, the world has changed. Cyber risk touches every business sector to varying degrees, and with cyber crime an increasingly lucrative activity, data breaches are — according to media column inches at least — bigger and more common than ever.
Since the Target breach, Verizon has identified two more U.S. retailers who it said have been hacked; and in the ensuing media storm, lawmakers are scrambling to protect consumers. In March, Congress rallied retailers to support a nationwide standard for retail companies to quickly notify customers in the event of data theft in order to increase accountability in the sector.
The push for tighter laws is being played out not just in the United States but across many global economies. In this country, however, the state system means that retailers must navigate a rapidly and constantly evolving patchwork of privacy rules and regulations. Last year, the California Supreme Court ruled that the Song-Beverly Act’s privacy protections do not apply to online transactions. But in late January 2014, S.B. 383 was passed to amend the Act to fill the perceived gap in consumer identity protection.
Many retailer clients of insurance recovery lawyer Linda Kornfeld, a partner at Kasowitz Benson Torres & Friedman, would argue that traditional general liability coverages do not cut it when it comes to data privacy law violations. In 2011, many of those that operated in California faced litigation for collecting ZIP codes from credit card transactions. The state Supreme Court ruled that — despite several California court decisions to the contrary — ZIP codes counted as personally identifiable information (PII), therefore the retailers had violated the Song-Beverly Act.
Around 150 class action lawsuits were filed, and retailers got burned by their general liability insurers, who refused to pay out on the grounds that they had triggered exclusions by violating a privacy statute in the state. “This then prompted coverage litigation,” Kornfeld said.
Other Courts Follow Suit
Kornfeld said some retailers are still relying on general liability coverage rather than specialist privacy and data breach products, and may be exposed in a similar way — particularly as the California situation was mirrored in Massachusetts in March 2013. More recently, similar court rulings have been handed down in Wisconsin and Washington, D.C.
“Since the ruling last year, there has been a flurry of class action litigation being filed in Massachusetts,” she said, noting that Apple was sued there as recently as January.
“Retailers must be in strict compliance with these statutes, because the courts don’t seem to be interpreting them very favorably for the retailers.”
Kornfeld added: “Retailers that don’t have privacy and data breach cover in their insurance portfolio already should seriously consider buying it. They need to look at whether the coverage matches their risks and if the premiums match their concerns about exposure.”
If they take the decision not to buy specialist cover, she said, retailers should study the language of their traditional liability coverages to ensure it is flexible enough to cover them against privacy violation issues — both under existing law and in the instance that new legislation creates an exposure during the policy period. She also recommended working with counsel who is up to date on the various legislative changes taking place across the United States.
“If a retailer is sued with respect to the ZIP code issue, then they need to be aggressive in pursuing coverage, because insurers are taking very strong positions against coverage and I don’t agree that those positions are meritorious,” she said.
Paul Bantick, underwriter for technology, media and business at Beazley, which has insured six of the 10 largest data breaches in the world, said most retailers are up-to-speed on ZIP code collection laws and are also well protected against fines and penalties stemming from privacy violations.
“I haven’t seen any significant cases related to this for a while,” he said. “Most companies have changed their business practices — once you stop collecting the ZIP codes the exposure goes away. If a retailer is violating privacy laws and collecting ZIP codes when they shouldn’t be, that is covered by the cyber policy, which covers cyber liability and third-party claims arising from privacy violations.”
However, Kornfeld argued that while retailers adapted their business practices in California after the class action lawsuits of 2011, they may not necessarily have done the same in other states.
According to Bob Parisi, leader of the network security and privacy practice at Marsh, ZIP code collection is “the least of retailers’ worries.” He said a more relevant concern is keeping up with state and federal privacy regulations including mandatory incident response plans that first emerged on the East Coast and are now working their way west across the country. “Now if retailers hold personally identifiable information and are operating in various states, they have to have an incident response plan in place that meets a certain minimum level of efficacy,” he said.
“Retailers are also subject to nongovernmental regulations in the form of payment card industry (PCI) regulations set by card companies that require companies holding credit card information to comply with their standards,” Parisi said.
Data Breach Protection
Concerns over data privacy are intrinsically linked to the risk of data breach — after all, it is highly unlikely consumers would be aware of any violations of privacy law by a retailer or pursue litigation against them unless they were made aware that their personal information had been lost or stolen. The response required by Target to deal with the fallout from its data breach cost the company $61 million — half of its quarterly profits — in Q4 alone. And there is no indication yet of the value of class action suits the company may face when it comes to cyber liability.
Retailers are right on the front line of this evolving threat. According to Cisco Systems, the retail sector had 60 percent more malware encounters than the cross-industry median in 2013, but it was by no means the most attacked sector. By comparison, the agriculture and mining, electronics and pharmaceutical/chemical sectors all registered more than 600 percent above the median, while energy, oil and gas was 430 percent higher.
Yet, there is no denying that when it comes to personal data, retail companies offer some of the most attractive targets due to the huge number of records they possess. “The retail sector is just as exposed as banks, health care, airlines or hotels. All these companies hold the same type of information. However, retailers have a severity to them right now,” said Bantick.
“Are retailers becoming a greater risk, or is it just that some hackers have found a way to get through security and have been able to replicate that on several retailers? I don’t know yet if there is some kind of ‘worst class’ developing,” he said. “Clearly, it’s a bad patch for retailers. Maybe it’s another industry’s turn soon.”
Notwithstanding the coverage litigation controversies seen in California, Parisi said, the insurance market has done a decent job keeping up with the threats retailers face and continuing to provide appropriate coverage. “The market has been behaving fairly well in terms of responding to losses, and offering broad, flexible coverage,” he said.
However, he added, recent high-profile losses have put some carriers off the class. “In the last couple of months, we have seen some carriers search their souls as to whether they want to continue to insure retailers, but that’s hardly surprising,” Parisi said.
“Some carriers are aggressively pursuing the risk and asking tough questions, but when they get their answers they are more than willing to put up their capital to insure the companies. Others want nothing to do with retailers whatsoever.”
Meanwhile, Bantick said, it is naïve to think any company can completely eliminate the threat of data breach, warning retailers that it is a case of when, not if, they will be attacked. However, with retailers accounting for about 25 percent of its cyber portfolio, it is little surprise Beazley is one of the carriers happy to provide coverage against the risk. “It’s what we do,” he said.
The Gap in the Clouds
Cloud computing is integral to modern business. According to market research firm Gartner, the global cloud service industry will be worth $180 billion by 2015, while cloudhypermarket.com estimated a third of all IT expenditures in 2013 would be on cloud computing.
The cloud network is maintained by nearly 35,000 data centers (cloud service facilities containing physical servers), about 25,000 of which are located in the United States. These facilities are typically well protected, employing strong physical and cyber security controls, and are usually sited in undisclosed locations away from obvious natural perils.
However, these facilities still require traditional property coverage to insure against risks including flood, fire, storm, earthquake, sabotage, civil commotion and terrorism. If one or more major cloud service facilities were damaged, service could be disrupted and data lost, with far-reaching economic implications for businesses that rely on the service.
Last year, Superstorm Sandy shut down data centers in Manhattan, while Amazon suffered two separate power outages at its Northern Virginia cloud facility, forcing many popular websites, including Netflix, Instagram and Pinterest, offline. But it’s not just media outlets that suffer: thousands of businesses are now actively using the cloud for business purposes, with basic data storage accounting for only 13 percent of cloud usage, according to research firm IDC.
Despite growing reliance on the cloud, Florence Levy, senior vice president and head of Lockton’s Global Technology and Privacy Practice, believes there is a gap in the insurance market that could leave cloud users uninsured for lost data or business interruption in the event of a physical event damaging a cloud facility.
“Traditionally, property policies address physical triggers and harm, while cyber and even errors and omissions policies are intended to address non-physical triggers and economic damage,” she said. “In the event of a physical trigger causing non-physical harm, property underwriters and cyber underwriters will be left pointing fingers at each other.”
According to Jim Charron, Technology Practice leader for Zurich, it is possible to insure data under a property policy, although coverage language often doesn’t capture the entire exposure. “Some [policies] are very clear that they cover computing resources and will specifically state that the coverage includes voice, data and even video, while others are not,” he said. “There are requests for this exposure to be covered and underwriters are responding, but the wording isn’t always reflective of the exposures.”
Charron added that underwriting becomes even more complicated when data is being held by a third-party on behalf of potentially millions of clients.
“Traditional property and business interruption risks already existed for insureds who maintained their computing resources within their own buildings, but with the use of the cloud those risks are subject to equipment not owned by the insured. Once the risk has been transferred to another party the insurance needs to change along with that,” he said. “I think there is an opportunity for insurers to refresh their approach.”
“People are starting to realize this may be a bigger issue than we had previously allotted for in the last couple of years. Savvy clients are asking a lot of questions,” said Levy, adding that brokers are trying to encourage insurers to develop enhanced coverage to ensure cloud users’ data is properly insured.
“The market is trying to figure out a way to address this, whether it is some sort of ‘difference in conditions’ policy that sits above the property and cyber policies, or more collaboration between the property and cyber underwriters and brokers to come up with a more effective solution,” she said.
Levy admitted, however, that creating some kind of hybrid product would be very challenging for insurers. “Cyber and property are two very different coverages with different profitability standards and historical data sets. The most likely solution is an umbrella or difference in conditions policy rather than stretching either set of underwriters beyond their comfort zone,” she said.
Another major challenge is aggregation of risk, with tens of thousands of businesses potentially facing disruption if any of the leading cloud providers went down.
“What is the aggregated business interruption and property damage exposure of one or several of these facilities if they were attacked all at once or there was a large weather event?” asked Charron. “If a major facility is taken down it could have a dramatic impact on the insurance industry.”
When in Doubt, Sue
Cloud users may have another form of protection. Robert Parisi, Network Security and Privacy Practice leader at Marsh, who places E&O and professional liability (PL) risks for cloud service providers, believes providers are vulnerable to PL claims, even if interruption or loss of data was caused by a physical risk rather than negligence.
“I don’t think there are gaps in coverage. If a cloud provider is unable to provide their service, it is going to come back at them as a PL claim. The end user is not going to care one whit why the cloud provider wasn’t there when they needed them — they just know they have a contract and the provider didn’t honor it,” he said.
Accordingly, cloud providers have to ensure their E&O and PL policy wordings are airtight in their response to ‘act of God’ type risks or even deliberate physical sabotage and terrorism risks.
“From an end user’s perspective, the principal recovery vehicle is going to be that PL policy, so the cloud providers and their brokers need to look under the hood of their policies,” said Parisi. “The market has evolved and is getting better at providing solutions, and the coverage is fairly broad. It is up to the broker to be aware those solutions exist and stitch them together for [the cloud provider].”
Parisi said PL claims against cloud providers are common, particularly in the litigious United States where cloud users also have very high expectations — anything less than 24-hour service at optimal speed could result in a PL claim, particularly from users whose businesses rely on real-time data feeds, he said.
“Tech companies are regularly sued for failing to provide service or failing to render the service non-negligently. Tech is not perfect, and when it goes wrong, usually the first thing a client of a tech company is going to do is assume the tech provider must have done something wrong,” he said.
“Not only is the cloud provider going to be held to rendering the service and having the service functioning as intended, there is also an element of latency risk; clients want their service working now, on demand, and without any delays.”
In order for the cloud providers to ensure they get adequate coverage against such claims, they must demonstrate high levels of risk management including building redundancies into their systems so that if one facility is damaged, the data can be switched rapidly to another network or facility without being lost.
“One of the large tech companies runs an entirely parallel network right next to their production network so if anything happens they can switch their customers from the day-to-day network to the parallel redundant network in the blink of an eye,” said Parisi.
“That’s an extreme example – most providers don’t have a parallel network. But if they are going to guarantee 100 percent up-time they need to make sure they have the facilities that can do that — and if that means geographically separating their data centers then that is what must be done.”
When it comes to liability for data loss or service downtime, much hinges on the service level agreement between the two parties.
“This agreement defines what level of liability the provider assumes. In that contracting process the provider can say they will deliver their service but there are things outside of their control, and if those things prevent the service the user will have to live with that,” said Parisi. “That won’t always necessarily fly in the negotiation process — in which case the provider may put liquidated damages or limitations of liability clauses with pre-agreed settlements or caps on liability into the contract.”
Parisi added that one of the best things a cloud provider can do to limit their liability is to manage the expectations of the cloud user.
“The quickest way for someone to think the provider did something wrong is for the provider to overpromise,” he said, noting that startup cloud providers are most susceptible to this as they aggressively compete for business.
Ultimately, though, cloud users must take responsibility for their own data — particularly if it is critical to their business. “Cloud users should take it as incumbent upon them as part of their risk management policy to ensure they have their data backed up, and most of them probably do,” said Zurich’s Charron. “The rub is if they are creating new data all the time and there is value in the creation of this new data being generated. Identifying whether data is confidential or mission-critical can help the user understand how often they should back up their data.”
Parisi said cloud use should be treated with the same common sense as any other enterprise risk.
“If you’re relying solely on a third party for the sanctity and security of your data, you are probably making a lot of other mistakes in your business,” he said.
More Time for TRIA?
It’s that time again. More than 12 years after 9/11, terrorism remains the most emotive of topics and it will soon take center stage once more, as the third Terrorism Risk Insurance Act (TRIA) is set to expire on Dec. 31, 2014.
Opinion is divided over the future of this federal backstop that protects the U.S. insurance market against a major terrorism loss.
Most believe the Act should be renewed, albeit with amendments. Yet, there remains a valid argument that TRIA has served its purpose and is no longer necessary. Terrorism risk, some say, is no different than any other catastrophe peril and should be insured entirely by the private market.
Under the existing TRIA program, a federal payout would be triggered by a terrorism loss of $100 million or more — a scenario fortunately yet to be tested since the Act was first implemented in 2002 and subsequently extended in 2005 and 2007.
Corporate insurance buyers and their brokers are certainly in favor of a federal backstop remaining in place in some form or other — after all, without TRIA, there is no way terrorism property cover would be as accessible and affordable as it is today.
“Since 2002, there has been a dramatic increase in terrorism property capacity in the marketplace and rates have decreased year on year,” said Rob Cruz, senior vice president of Hiscox USA, noting that the enactment of TRIA successfully brought an end to the price hikes and withdrawal of carriers from the market that occurred in the immediate aftermath of 9/11.
“If the backstop and the requirement of carriers to make this cover available were removed, we believe a substantial number of P&C carriers would simply decline to underwrite the risk,” he told Risk & Insurance®.
Impact on Workers’ Comp
“We have already begun to see the uncertainty over TRIA prompt some workers’ compensation carriers to pull back from certain parts of the market where they feel they have aggregated risk — large urban areas with high concentrations of buildings and employees,” he added.
Indeed, while the U.S. insurance industry now boasts a healthy surplus of P&C capacity, there is less confidence in the ability of the industry to foot potentially enormous workers’ compensation losses. Workers’ comp cover is mandatory, and most states, including New York, do not exclude terrorism. As such, capacity is stretched in dense urban areas containing many employees.
Will Farmer, terrorism underwriter for reinsurer Catlin, said that while property terrorism risk for a large office building is usually syndicated, the workers’ compensation policy covering the staff in the same building is often written by a single carrier.
“It’s hard to see small carriers continuing to write very large lines of workers’ compensation without TRIA,” he said.
Lloyd’s — the reinsurance market which carries more than half of the world’s stand-alone terrorism risk — was unavailable for comment, but stated in 2010 that it did not believe the private market would have the capacity or risk appetite to fill the void that would be created if TRIA was to expire in 2014.
“A significant loss event could act as a market turning event, causing the price of terrorism risk insurance to rise, or capacity to withdraw,” Lloyd’s said, noting that a number of underwriters had indicated they would exclude terrorism altogether if TRIA was allowed to expire.
David Frediani, president of Ironshore International, which offers a stand-alone terrorism policy with a limit of $300 million, said TRIA serves a purpose as a last line of defense against catastrophic losses that could arise from unprecedented events such as biological or nuclear attacks.
“This is something the insurance market simply cannot model or reserve for,” he said.
Meanwhile, Cruz said it may be time to analyze whether TRIA is needed on a line-by-line basis.
“I think the market is in a great position to handle property terrorism — theoretically, there is around $3 billion stand-alone terrorism capacity in the market. As far as workers’ compensation and liability are concerned — I’m not sure if we’re ready yet to be without TRIA,” he said.
An Industry Bailout?
But there are vocal quarters of the insurance and academic communities that say TRIA has run its course, and should be removed altogether.
David C. John, senior research fellow at the Heritage Foundation think tank, last year called on the House of Representatives for a “firm and short phase-out” of the Act, which he described as a “pre-approved bailout” for insurance companies.
He argued that, by allowing insurers to collect premiums without facing the true value of losses, terrorism risk is being underpriced and insurance buyers have no incentive to reduce their risk.
“There was a good reason to establish TRIA, but those days are gone,” he said.
In September 2013, Professor Robert Rhee reinforced that argument on behalf of the Cato Institute think tank, which released a detailed policy analysis of TRIA.
“If there was some ambiguity about the program’s need before, there is none now. Terrorism risk is not more severe than other insurable risks such as natural catastrophes. The private market is capable of underwriting this risk,” he said.
Natural catastrophes cost the U.S. insurance market $45.7 billion in losses between 2003 and 2012. Terrorism cost just $433 million.
Of the 20 most costly worldwide insurance losses between 1970 and 2012, 9/11 ranks fifth at $24 billion (according to Swiss Re) and the rest are natural disasters. Ten of the 20 costliest catastrophes were weather events occurring post-2000, yet these natural perils remain insured by the private market with no federal backstop, Rhee pointed out.
“It does seem strange that terrorism is the one peril that people feel needs to be fully insured,” said Catlin’s Farmer, who believes the private market is well equipped to handle a major terrorism loss.
“If insurers just want to write predictable risk, that’s not always helpful to the clients; the insurance market needs to step up and deal with unpredictable and difficult risks too,” he said.
Difficult to Model
TRIA advocates argue that although U.S. terrorism losses have been negligible since 9/11, it is impossible to know when, how and to what extent the next major attack will affect the United States, making the risk very difficult to model.
Even Rhee said that “without good data and reliable modelling, premiums must incorporate a substantial mark-up to ensure proper reserving for losses.” However, he argued, conclusions can be drawn from existing data to help insurers price the risk — such as the fact that high value economic targets tend to be concentrated in certain geographic areas.
Few would disagree that the current $100 million trigger for TRIA appears disproportionately low given the market’s ability to absorb multibillion dollar natural catastrophes each year with few problems. “There is no reason why the private market can’t cope with events that are much larger than $100 million — all that’s doing is giving corporate welfare to smaller insurers,” said Farmer.
Each amendment to TRIA to date has seen increased private market participation and the consensus is that the $100 million trigger point will be scrutinized if TRIA is renewed.
While Farmer speculated a new trigger loss would be around $500 million or $1 billion, Rhee suggested raising the private market deductible to as much as $50 billion, effectively reserving TRIA for a truly industry-shaking event. However, raising the trigger would be bad news for small carriers and particularly captive insurers, many of which could not afford to take higher deductibles and rely heavily on TRIA.
Cruz also pointed out that, for major insurance carriers, the point at which the government participates in a loss would actually most likely be far higher than $100 million, because each insurer must first absorb a deductible equal to 20 percent of its prior-year direct earned premium across all TRIA-eligible lines.
“Losses have to be huge before some insurers would see money back from the government. A higher retention would equate to no TRIA at all for some companies,” he said.
One element of TRIA most parties would agree on is that if it is to be renewed, more clarity is needed on the definition of coverage as the nature and scope of terrorist methods continue to evolve.
At present, any terrorist event over $5 million must be certified as such by the government, and the fact that the Boston bombing in April 2013 has yet to be certified is a cause for concern in the industry.
“Boston was the defining moment — we know the perpetrator went overseas, trained and made friends there; I doubt there’s a citizen in the U.S. who would argue that was not an act of terrorism,” said Joe Boren, chairman, Environmental, at Ironshore.
“If you’re a small or mid-sized business, you can’t afford to wait around for seven months or more while bureaucrats in Washington, D.C. make a decision — you will go out of business,” he said.
In his testimony to the House of Representatives on Sept. 19, Peter Beshar, general counsel of Marsh & McLennan, called for a 90-day time period in which to determine whether an attack is covered by TRIA; clarification that TRIA will backstop nuclear, biological, chemical and radiological events if coverage is provided in the underlying policy; and modernization of TRIA to reflect new terrorist threats including cyber terrorism.
“If there were a future attack, we would want as much clarity as possible so we know what would be supported by the federal government and what would be supported by the private market,” he said.
“The certification of an event as terrorism is still very political,” added Cruz. “I feel this judgment should be made by an independent body, not bodies employed by the president.”
Indeed, it is ultimately politicians who will decide TRIA’s fate, and all three scenarios — renewal, amendment and expiration — are still very much on the table.
Cruz said he has spoken to Washington D.C. insiders who suggest the next renewal debate will see a “clean slate look at the Act.” Yet, according to Farmer, “even some of the most ardent TRIA supporters say you can’t rule out inertia in the government and polarization of Congress leading to the program lapsing.”
Although TRIA’s expiration date is still more than a year away, insurers need an indication of the Act’s fate sooner rather than later. After all, policies that renew in early 2014 will start their term with TRIA in place but could end up without any TRIA as of Jan. 1, 2015.
“Insurers writing terrorism lines could be caught in an awkward situation and put their balance sheets at risk if they continue writing this coverage without terrorism reinsurance or TRIA,” warned Cruz.
While there are no clear biases along party lines that could lead to TRIA being held hostage in Congress, Cruz said the geographical make-up of the decision-making panel could have an influence.
Beshar, however, said: “TRIA is not just a Northeast phenomenon; terrorism insurance is growing faster in the West than anywhere else in the country. This is a cross-sector issue that affects the whole country, and lawmakers realize the significance of TRIA to their constituents.”
Despite some compelling economic arguments for the removal or scaling down of the Act, the very nature of terrorism breeds extreme caution — fear of the scale and nature of the next attack; fear among politicians of appearing complacent; fear among insurance buyers over how the insurance market will respond to life without the TRIA safety blanket.
Indeed, psychology — perhaps even more so than economic risk itself — will be crucial in determining whether, and in what form, TRIA endures.