A Q&A with Kenneth Levine
Subrogation is an emerging topic in cyber liability insurance, as insurance companies are starting to pursue compensation from any third parties that can be held responsible for a data breach. To get a better handle on the current reality of subrogation in this area, I spoke to Kenneth Levine, partner at Nelson, Levine, de Luca & Hamilton, LLP.
Can you explain subrogation in layperson terms? Why is it important?
Subrogation has actually been in place since the 1700s in England. After an insurance company pays out a claim, it is allowed to try to recoup the money from anyone who might have been responsible for the underlying loss. It’s very important in the insurance world, because, by its very nature, subrogation limits the losses for insurance companies, allows for lower premiums and spreads the risk more equitably. It has become an especially critical aspect of the industry in the past three or four years, as subrogation recoveries in most companies have now replaced investment income as the second most important revenue generator after premiums. Subrogation isn’t as well developed for cyber liability insurance, but these days it is an exciting area of focus. As more cyber liability policies are written, more companies are starting to ramp up their recovery efforts following cyber losses.
Can you share any scenarios in the cyber liability insurance world in which subrogation efforts might be viable?
Let’s just use the recent highly publicized network breaches at The New York Times and Wall Street Journal, both hacked at the beginning of 2013, as examples. Following such breaches, subrogation attorneys would work with forensic specialists to see if any third parties were secondarily responsible for the breach and whether viable claims could be asserted against them to get back any losses or expenses incurred. For instance, these media companies most likely have contractors that assist with network design, maintenance and security, so you’d want to know whether the breach could have been prevented with antivirus software, alternate security controls or mandatory protocols that could have limited the vulnerability of the network. Overall, subrogation efforts would review whether the network was properly and reasonably secured, and whether anyone other than the newspapers’ employees was responsible for any deficiencies identified. In furtherance of such efforts, subrogation professionals would also look to see whether the newspapers had protections (or limitations) in their contracts with these possible subrogation targets.
What are some barriers or limitations to successful subrogation in the cyber risk space and how might they be avoided?
The biggest legal barriers are contractual limitations that some subrogation targets might have included in their service contracts. But before such limitations become an issue, factual impediments to the cyber investigation itself often create initial barriers by preventing forensics analysts from truly understanding the extent and cause of the data breach itself. Hackers are constantly coming up with better tools for gaining access and hiding their tracks, so it’s harder to discern how a breach happened, and exactly what security steps would have prevented it. Often, too, the forensic team will have to rely on the very people they may want to focus on for subrogation purposes, a company’s network contractor. These contractors are often the first ones who have their hands on the system after a breach, which can certainly present a conflict. We advise organizations that strongly suspect a breach to call their insurance company first—before bringing in their own network security contractors—to allow for a more proper investigation. We also try to educate companies to better review their contractual agreements with third parties so they are not signing away their recovery rights, or the rights of their cyber liability carrier. Forward-thinking cyber liability carriers with strong subrogation initiatives should be educating their insureds on these last two points before losses arise. Finally, I was somewhat encouraged by President Obama’s call for the creation of more cybersecurity standards under his recent Executive Order. A logistical impediment to subrogation recoveries in this area is the lack of industry-specific standards for cyber security. Without clear standards, it is far more difficult to demonstrate that a network has been poorly designed or maintained, a necessary element to a successful subrogation effort. While such reasonable security standards are now rather well established in the PCC arena, they are far less solidified and accepted in other business contexts.
I think subro expert Ken Levine nailed it here, explaining exactly why subrogation is going to be so important to the cyber risk insurance industry going forward. If you look at the underlying facts of many publicly reported cyber attacks and data breach events, it seems that in approximately 30 percent of cases, responsibility can be traced to a third-party vendor (service provider, Cloud, contractor) either upstream or downstream from the insured business—a direct consequence of corporate America’s trend of outsourcing computing. The annual NetDiligence® Cyber Liability & Data Breach Insurance Claims study and recent industry computer crime studies, like this one from Trustwave, underscore that fact. For this reason, subrogation will be a major part of the third annual NetDiligence® Cyber Risk & Privacy Liability Forum this June.