We asked leading cyber legal experts to give us their predictions for 2021. From ransomware developments to Brexit regulatory fallout, here are their crystal ball readings for the coming months.
Sean Hoar, CISSP/CIPP/US, Lewis Brisbois
Heuristic-based endpoint detection and response tools will become a staple of a conventional “layered defense.” Ransomware attacks are the most dangerous online threats facing business information systems today. Unfortunately, the weaponization of encryption through these sophisticated attacks and the continued ability of malicious actors to monetize the impacted data will cause them to increase in frequency and scope. The silver lining is that technological defenses continue to evolve to meet the challenge of malicious online activity.
Since the malware is increasingly “zero day,” or a previously unknown malicious code, and because legitimate applications are being used for malicious purposes, a sophisticated endpoint monitoring tool that identifies malicious behaviors as well as malicious code is no longer a discretionary spend in 2021. My prediction is that the malicious behavior associated with ransomware attacks will accelerate the use of heuristic-based endpoint detection and response tools, serving as an “equalizer” to reduce attack surfaces, and reduce the relative success of threat actors.
Christina Terplane, Atheria Law PC
Increased exposures due to UK-GDPR: Following the Brexit transition period at the start of 2021, and the introduction of the UK-GDPR, companies operating in Europe and the UK and their insurers now face additional data protection burdens. Since the GDPR’s “one-stop-shop” mechanism no longer includes the UK, companies with operations in the UK and EU countries are now required to notify both the ICO (under UK-GDPR) and the lead EU data protection authority (under GDPR) of a data breach incident impacting data subjects in the UK and EU, and companies may also be liable for two separate fines/penalties.
In addition, such companies are required to appoint both GDPR and UK-GDPR representatives. While the EU has agreed to a temporary grace period to allow data transfers between the EU and UK to continue until data adequacy decisions can be made, to the extent that an EU adequacy decision in favour of the UK is not made, UK organisations will need to implement alternative data transfer mechanisms, such as standard contractual clauses (SCCs). As such, companies trading in the EU and UK now face increased potential liabilities, leading to increased exposures for their insurers.
Mass arbitrations in lieu of class actions: Recently, we’ve seen numerous cases involving thousands of individual arbitration demands filed in lieu of a single class action claim, typically in cases involving consumers who have entered into agreements requiring arbitration and restricting the right to file class actions. The cases can result in extremely high administrative costs, potentially involving millions of dollars in filing fees alone. Typically, plaintiffs are required to pay filing fees to initiate arbitrations, but the corporate defendant is usually required to reimburse them and pay subsequent administrative costs.
Courts have enforced these arbitration provisions, finding that the corporate defendant created the arbitration requirements and thus should be compelled to abide by them. This raises questions about the enforceability and validity of arbitration clauses, how arbitration fees should be allocated, and how settlements are structured in such mass arbitration proceedings. The AAA and other associations are addressing these mass arbitration issues by creating new fee arrangements and protocols for such matters.
Continued coverage issues around regulatory inquiries: Regulatory inquiries can be difficult to predict. Unlike lawsuits or alternative dispute proceedings, they don’t follow standard procedural steps and can lack full transparency which makes it difficult to anticipate the extent of the inquiry or potential penalties. As a result, companies frequently delay in providing notification to insurers of such matters, which can result in coverage limitations under policies providing regulatory coverage.
Penalty reductions: For the first time, companies assessed with penalties from regulators may begin pushing back on imposed fines following the recent Fifth Circuit decision in University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services. In that case, healthcare provider University of Texas M.D. Anderson Cancer Center received a $4.3 million penalty from OCR for alleged violations of HIPAA’s Privacy and Security Rules following three breaches. MD Anderson opposed the fine as “arbitrary, capricious, and otherwise unlawful.” The Fifth Circuit agreed with MD Anderson and vacated the fine.
Following the ruling, we anticipate that more entities, particularly in the healthcare context, will oppose large regulatory penalties.
Philip Yanella, Ballard Spahr, LLP
More ransomware attacks and more responsibility for vendors: We’re likely to see a continuation of ransomware attacks on corporate America in 2021. Vendors will continue to be a target. I would bet that this is going to lead to at least one and possibly more eight-figure fines by U.S. regulators against companies for lax third-party risk management. My other observation is that you are going to see companies whose vendors get hacked become more aggressive in pushing vendors to pay the ransoms.
Jennifer Coughlin, Mullin Coughlin LLC
More attacks mean more growth for the cyber insurance industry: It’s not news to anyone in the cyber business that there has been a spike in both the volume and severity of ransomware events over the past 18-24 months. As it is, the market must adjust accordingly. The underwriting process naturally tests the preparation of buyers to avoid and/or respond to data privacy and security events. Higher premiums, larger retentions, co-insurance and sub-limits are all part of necessary market adjustments to the current claims environment.
Some might resist these market adjustments, but note that they include more insured-focused/insurer-provided support than ever: analytical tools, monitoring and alerts, threat intelligence, education, information, training and access to experts that can assist organizations in becoming more secure and nimble. Our 2021 prediction: The cyber insurance industry will grow in both overall market penetration AND improved profitability.
The insureds (and soon to be insureds) need the product. The risk is evident. The market is there. The market will grow.