Spring 2020 Gavel 268650 SBAND Gavel Magazine_web | Page 33

Quantifying Cyber Risk-Related Damages

As demonstrated by its broad definition, the complexity of cyber risk makes for complicated policies and customer expectations. One consideration involves external threats resulting in data breaches. Compromised data may or may not entail subsequent damages or malicious activity against the victim(s). While a firm or organization is always hurt reputationally and financially by a breach, it’s harder to determine how individual victims should be handled and how their damages should be incorporated into a proactive response. In comparison to other kinds of operational losses, the losses associated with cyber risk are both financial and reputational. The damages stemming from cyber risk are fairly nebulous, and incorporating the full scope of the public’s loss and response to a breach is even trickier. If it’s difficult for cyber experts to encapsulate it accurately without leaving anything out, it’s even harder for an insurance company that’s trying to put a price tag on it or an insured who wants the best coverage at the lowest possible price.

In the growing realm of data breaches, how does one pinpoint which breach led to which attack or subsequent set of damages for individuals? In the wake of the Equifax breach, for example, millions of U.S. citizens panicked over having their personal information stolen. Many of them appeared to believe this was the first and only time their information had ever been breached, and that if they did end up becoming victims, this breach would be responsible. The fact is, the majority of individuals affected by the Equifax breach probably had already had their information compromised at least once by a previous breach of some kind. If you become a victim of identity theft, it is impossible to say with any certainty which data breach, if any, led to it. (Maybe it wasn’t a data breach at all, but an error on your part that led to information being compromised.)
While Equifax’s response to its breach was lacking and many of the affected individuals were unwilling participants in having Equifax store their information to begin with, it is still true that assigning blame to any one data breach is not feasible. If someone had their identity compromised as a result of a data breach that occurred in 2015, but only suffered identity theft in 2018, and blamed the Equifax breach, how could it be determined with any certainty or fairness who was responsible and which insurance policy should cover the loss? Identity theft is not a joke; millions of families suffer it every year. But when it comes to assigning blame, it’s truly anyone’s guess.

Factoring in victim damages as a result of an organizational breach is another source of ambiguity and confusion when it comes to cyber liability insurance. In addition to the accountability problem, it’s also very difficult to assess potential future damages. When client data is personally identifying and permanent, such as a Social Security number, the potential for damages is lifelong. But what about data that doesn’t fall under this umbrella? For a law firm, a breached email account can cause significant financial and reputational damages. But how significant? How does a law firm measure the potential client damages in the wake of a breach, and how should a cyber liability policy be applied when the value of data differs and the greatest loss is arguably reputational? When data breaches cause reputational and financial damage, can a cyber liability insurance policy adequately account for ongoing remediation efforts and possible compensation?

Potential future losses, many of them unknown until they occur, pose another serious problem when it comes to the value of cyber liability insurance and its part in counteracting cyber risk. As the management of cyber risk becomes more regulated at a national level and technology continues to adapt and expand, insurers are also placed at a great disadvantage. The attention brought to cybersecurity issues in the media, paired with the very public fallout of large-scale data breaches and events, makes for a tempestuous legal environment, especially when current laws and regulations are fairly minimal.

Given all the variables in play — the cost of insurance policies, the associated application requirements, the pressures of growing regulations and requirements — small businesses and firms especially will be faced with an ever-increasing set of hurdles. Insurers likewise will have to quickly adapt and adjust policies to reflect changing policy and cybersecurity requirements. For the remainder of this article, I will discuss the security assessment aspects of obtaining coverage, insurance as part of a proactive approach, and the incentivizing of cybersecurity investments.

The Role of the Security Assessment

In my experience, it is a requirement of all insurance companies offering cyber liability coverage that prospective insureds either provide recent security assessment results or pay up front for onsite security risk assessments and consulting. Depending on the company, security assessments can be strenuous or relatively broad, but either way this requirement poses costs that need to be factored into the