Small amount of cyber carriers ‘truly appreciate what they are getting into’

Richard Bortnick

Advisen: What do you see as the greatest cyber risks today?

Richard Bortnick: Today’s risks come in various shapes and sizes. The simple answer is that it depends on the constituency. The executive and legislative branches focus on the critical infrastructure and the threat of cyber warfare. Commercial entities fear black hat hackers and hacktivists as well as rogue employees and simple negligence such as lost laptops and mobile devices. Individuals are concerned about the protection of their personal and health information while balancing civil liberties. And, of course, supply chain affects everyone in virtually all respects. Indeed, the risks in that space are ubiquitous. At the same time, reputational risks, digital slander and cyberbullying have become far more pronounced and better appreciated across the board.

One of the most underappreciated risks arises from the sharing of data with professionals such as lawyers, accountants and others who may not be properly protected (or insured) against data loss.  Lawyers are among the worst offenders based on my experience. Perhaps most troublesome, I have found that a majority of law firms still have no cyber insurance (and do not appreciate the risks and exposures). This omission is particularly curious given the scope and breadth of the data they hold.

On the other hand, none of these concerns differ materially from those that existed five -even ten – years ago. The seminal difference is that the privacy- and technology- related issues are on an increasing number of peoples’ radars as they have become more sophisticated and as breaches become more pervasive and highly publicized. Who knew about political risks before Stuxnet?  What was the level of concern among financial institutions, retailers, healthcare professionals and others? How many people were concerned that the theft and misuse of their personal and healthcare information? Who even knew this data was stored electronically and that it was at great risk? Did the term “cloud” mean any meaning beyond those things in the sky? In other words, the traditional threats associated with the use of computers and the storage of data remains alive and well and pervasive in our virtual and e- commerce platforms.

Advisen: What will the greatest threats be in 5 years’ time?

Richard Bortnick: The convergence of new technologies (the proliferation of Internet based communications and storage (i.e., clouds), software as a service, the sophistication of cyber armies and hackers) with an even wider-spread access to connectivity and mobility will greatly expand the scope of cyber-risk.  The ability to access (without authorization) things like medical devices, wearable applications, smart cars and mobile networks create a far greater risk of inadvertent disclosure of protected information and other damages than previously existed and, indeed, exists even today.

Advisen: Is the insurance industry doing enough to adequately address these risks?

Richard Bortnick: The industry is maturing in an organic manner, albeit the scope of coverage is expanding while premiums remain relatively static. While a growing number of direct insurers underwriting cyber and technology risks have become better educated, many insurers are providing coverage without a full understanding of what they are doing or the implications of a poorly written policy form. There are close to 50 policies and insuring agreements currently available. But only a modest, albeit increasing percentage, of these markets truly appreciate what they are getting into. Notwithstanding that there are a significant number of coverage choices, a large number of retail brokers either fail to appreciate or detest learning the scope and breadth of the coverages available. Until they become more comfortable with the product, the industry will continue to grow, but far less rapidly than it should if retailers and the public was better educated and their interests better represented by their insurance professionals. Also, many reinsurers, including the Bermuda market, continue to be deathly afraid of privacy and technology risks and exposures and have been reluctant to dip their toes into the space other than on a facultative basis.

Completely different dynamics pervade technology insurance coverage for tangible property damage. In my view (as well of those of people whose opinions I value), the development and growth of this product is the next frontier. At least two forward-looking underwriters already have embraced the opportunities. I’m very bullish.

Advisen: What keeps you awake at night?

Richard Bortnick: Small children and caffeine. That and the ability of a malicious hacker to access someone’s pacemaker and cause a heart attack or access someone’s smart car and slam on the breaks while it is driving 75 MPH on the New Jersey Turnpike. And, of course, the theft of my personal and healthcare information (other than my bills, which hackers are welcome to pay).

Advisen: In your opinion, what is the single most important cyber risk development in the past 12 months?

Richard Bortnick: As an illustration of the maturity and evolution of cyber-risk, courts seem to be more amenable to enabling data-breach victims to overcome motions to dismiss and allow discovery and, in some cases, motions for class certification, driving up the cost (and the inevitable risk) of privacy litigation. At the same time, California and, likely other states, are or will be considering legislation to overcome the fatal defect of claimants’ inabilities to prove actual damages as opposed to ethereal concepts such as lost opportunity costs and waste of time. A good example of the effect of courts’ willingness to allow litigation to proceed has been the growing number of multi-million dollar settlements, irrespective of the defendants’ motivation. Indeed, just last month, Sony agreed to pay $15 million dollars to PS3 users whose personal information was stolen by hacktivists troubled by Sony’s policies on intellectual property and the use of allegedly proprietary hardware and software.  Eventually, litigation-related costs and expenses will drive up the price of cyber insurance.

***

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.