Cyberattack losses raise issues with responsibility for claims

Major cyberattacks in the past year or so have raised awareness of issues with insurance coverage of losses caused by cyber breaches. In February, Change Healthcare suffered an attack that halted its ability to process health insurance claims. In May 2023, a breach of Progress Software's MOVEit file transfer platform allowed cyberattacks on its users, affecting about 1,000 organizations and 60 million people.

The cybersecurity insurance issues getting more attention as a result include subrogation (determining whether the user's insurer or the program provider's insurer is responsible for losses), the lack of a developed cyber insurance market, and a lack of rules, guidance or laws about the issue.

Subrogation is difficult in cyber breach claims because of insufficient coverage or limits on liability, according to Rich Gatz, vice president of cyber claims at Arch Insurance. "When you're dealing with marketplace-wide reaches, very often there's not enough coverage, or the company doesn't have enough money to make everyone whole," he said. "That doesn't even really discuss the type of contractual agreements in place that typically have a limitation of liability."

Unless a claim is successfully subrogated, the insurer for the party injured in a cyber breach – which could be a class action group – remains liable even if another party is at fault, Gatz explained.

The cybersecurity insurance market is not yet as mature as other coverage areas, according to Edward Shahnasarian, managing director in the financial technology and services vertical at the THL Partners consultancy. 

"As markets mature, you eventually find and maintain market equilibrium, unless there's a dislocation in capital, which we saw in 2020," he said. "But you had market equilibrium across every mature product line [in insurance] from 2010 to 2020. Cyber is years away from equilibrium though. We're not close."

In this less developed coverage market, small and medium-sized enterprises (SMEs), which can be hit harder by cyber breaches, need to do more with security technology, according to Hilario Itriago, president of Boxx Insurance, a Toronto-based cyber risk insurer.

"They need to be very aware as to how to use technology through prevention and risk management, to protect themselves over and above whatever coverage they may have for the business," he said. "We're trying to make the whole SME spectrum far less vulnerable."

Conversely, to hold a small cybersecurity company responsible for a loss may prove difficult, explained Danielle Roth, head of the cyber claims team at AXA XL. "Looking at the particular vendor, we have to make a decision. Sometimes it's a very small company that's doing services for one of our insureds and they might not have any insurance or they might not have enough insurance," she said. "They could be effectively judgment proof."

Aside from liability claims that end up in court, insurance law has not yet defined how subrogation of cyber breach losses should work, Roth noted. "Maybe down the road, one day, we'll have a better body of case law and a better understanding of what it will look like, so they can factor it in a meaningful way," she said. "But that's just not where we are right now."
