It is unsurprising, then, that the rapid growth in the collection and storage of digital data necessary to power the online economy has proven to be an irresistible opportunity for cyber criminals. The past few years alone have borne witness to stunningly large ransomware attacks, including the $11 million ransom paid by JBS, and enormous data thefts, including the RockYou2021 compilation leak containing 8.4 billion passwords. As a result of the increasing frequency and severity of cyberattacks, cybercrime is expected to cost the global economy $10.5 trillion annually by 2025. Companies that fail to invest in robust cybersecurity programs make themselves prime targets for cyber criminals and take on the risk that a single attack could put them out of business entirely.
In this paper, I discuss the potential for companies to face liability due to inadequate cybersecurity practices under a negligence theory. I discuss three possible approaches to establishing the standard of care under such theory, including the economics-based approach often associated with Judge Learned Hand. Using recent data on the frequency and severity of cyberattacks, I estimate the amount that a company would need to invest in cybersecurity under this economics-based approach. The result then provides a foundation for discussing the criticality of cyber insurance in reducing potential liability. A brief overview of the history of the private cyber insurance market is provided, followed by common critiques and the reasons why a purely market-based approach to protecting against cyber risks is unlikely to succeed. Next, I outline a recent proposal for a federal government cyber insurance program and the benefits that it could provide to both companies and the private cyber insurance market. Finally, because a federal government proposal is unlikely to gain traction in the near term, I propose that a New York cyber insurance program, paired with its recent Department of Financial Services Cybersecurity Regulation, could be a short-term mechanism to address issues within the private cyber insurance market and an experiment to guide future government-backed solutions.
Cybersecurity and Negligence
Given the rapid growth in data collection as part of the transition to a fully digital economy combined with increasingly sophisticated threats to such data by cyber criminals, scholars have argued that companies have a duty to provide reasonable information security practices in order to protect sensitive customer data. The recognition by some courts that lax cybersecurity practices may be an unfair trade practice under Section 5 of the Federal Trade Commission Act lends support to the idea that companies have a duty to implement some minimum level of information security as a requirement of doing business. Scholars argue that explicitly recognizing such a duty in the law would incentivize companies to take data protection more seriously and invest in stronger preventative measures.
Although scholars have proposed many possible torts under which this duty could be housed, the most widely accepted theories tend to center around negligence. Where a statute exists that requires a company to adopt a reasonable and/or comprehensive information security program, a consumer may be able to argue negligence per se. However, where a statute does not apply such a standard, or where the statute fails to provide a private right of action, a consumer may still be able to resort to the common law of negligence. One result of applying negligence concepts is that it requires courts to determine when such duty has been breached. And determining when a breach occurs requires first determining the standard of care owed under such duty.
One common method to determine the appropriate standard of care involves looking to the practices or customs of the industry in which the company operates. Industry custom often provides a floor for the appropriate standard of care, and a company’s failure to adhere to industry custom may be strong evidence of negligence. However, a company’s adherence to industry custom does not in itself defeat a negligence claim, especially where the industry’s standards are lax. A challenge with applying this method to the realm of cybersecurity is the rapid rate at which cybersecurity threats and accompanying practices evolve and the difficulty that companies, especially small and medium-sized companies, have in keeping pace. Setting the standard too high subjects small and medium-sized companies to significant legal liability, while setting the standard too low risks subjecting companies to the argument that industry custom is too lax to serve as a defense.
Some scholars have argued that the relevance of industry custom as the basis on which to determine a standard of care may vary significantly by the frequency and severity of the risk being mitigated. On the one hand, low frequency risks, even those with high severity, are less likely to generate meaningful industry customs. High frequency risks, on the other hand, are likely to quickly generate stable and meaningful industry customs. How this insight applies in the realm of cybersecurity is uncertain. While cyberattacks are pervasive, only a tiny fraction of such attacks are successful. Thus, it is unclear if the frequency of the risk should be viewed as high or low. Deciding whether the severity of cyber risks is high or low is also more difficult than the shocking numbers provided in the introduction would indicate. Courts have often struggled to quantify the loss resulting from a data breach. And although quantification may be easier in the realm of ransomware attacks, especially where the ransom is paid, such attacks only form a small portion of the risks associated with inadequate cybersecurity programs.
A second method for determining the appropriate standard of care involves looking to professional standards. This approach is often used in medical or legal malpractice cases because doctors and lawyers are subject to rigorous certification requirements and are expected to practice in accordance with well-established professional standards. However, this method may be difficult to apply to cybersecurity professionals, because approaches to professional standards vary widely among the cybersecurity certification and accreditation bodies.
A third method, first outlined by Judge Learned Hand in the T.J. Hooper case, takes an economics-based approach to setting the standard of care. Under this approach, the standard of care should include any preventative measures whose cost is lower than the probability of the risk to be prevented multiplied by the loss if the risk were to occur. This is often presented in the form of B < P*L, where B = the cost burden of implementing the preventative measure, P = probability of the risk event occurring, and L = loss if the risk event does occur. Preventative measures that satisfy the inequality are deemed to be “cost-justified.”
Learned Hand and the Standard of Care for Cybersecurity
Applying the Learned Hand formula referenced above to cybersecurity programs offers insight into the challenges that companies, especially small and medium-sized businesses, encounter when making decisions about what cybersecurity measures to implement. Scholars Michael L. Rustad and Thomas H. Koenig first applied Learned Hand’s formula to the cybersecurity context in a 2007 article. The scholars used data available at the time to provide a range of values for each part of the formula, beginning with the loss associated with a data breach (L).
Losses resulting from a data breach include reduced employee productivity, legal fees, increased call center activity, loss of future customers, lost executive time, foregone business opportunities and other ancillary costs. Not all these costs are directly measurable. For those that are, the scholars indicated a range of $50 to $305 per lost record, or an average direct cost total of $4.7 million per breach. A recent study by IBM indicates that the current cost of a data breach is similar, at $4.35 million, but that the cost varies significantly by region, industry, type of attack, and effectiveness of a company’s cybersecurity program and incident response plan. This amount corresponds to an average per record cost of $164. It is likely that the minimal change in average costs between the 2007 study and the recent study is a result of the recent study taking a global view. Separating out the cost by country, the cost of a data breach was highest in the United States, at $9.44 million. Because this analysis is focused on the United States, I will use the $9.44 million as the value of L in the Learned Hand formula.
The next piece of the formula is to determine the probability of a cyber incident. Rustad and Koenig avoided providing a range for the probability of a cyber incident and instead suggested that courts may be able to take judicial notice that such probability is high. This approach may reflect the fact that the Learned Hand formula has more analytical value than operational value, but having some sense of probability is important to highlight the challenges of an economics-based approach. A recent study by Forrester Research indicates that sixty-three percent (63%) of organizations were breached in 2021. Other studies have found similarly high incident rates for cyberattacks. Moreover, an organization may fall victim to more than one cyberattack within a given year. For example, the same study by Forrester Research found that organizations were subject to three cyberattacks on average over the twelve-month period surveyed. For the purposes of this illustration, I will use an assumption that there is a 63% chance that an organization will be subject to a cyberattack in a given twelve-month period. Thus, I will set the value of P at 0.63. Further, to reflect data showing that an organization is subject to an average of three cyberattacks in that same period, I will multiply the value of the loss set above by three.
Combining the preceding paragraphs provides us with the right side of the Learned Hand formula. Specifically, P = 0.63, and L = $9.44 million × 3, or $28.32 million. Multiplying these, we get P*L = 0.63 × $28.32 million = $17.84 million. Accordingly, the Learned Hand formula indicates that the standard of care should be defined by B < $17.84 million. Keeping in mind that these are annual figures, and that B here represents the overall amount that an organization invests in preventative cybersecurity measures, this calculation implies that an average organization, or at least one that wants to avoid a potential claim of negligence, should spend approximately $17 million annually on cybersecurity.
At this point it is necessary to point out the significant limitations of the simple analysis presented above. For example, I highlighted earlier that the cost of a cyberattack varies significantly by region, industry, and type of attack. However, for the sake of simplicity, I used a single number to represent the cost of a cyberattack. A more thorough analysis would use the specific characteristics of a particular organization to adjust the assumptions appropriately. Another key limitation is the fact that the implementation of a cybersecurity program itself (as reflected in B) may impact both the frequency of a successful cyberattack (P) and the potential losses resulting from such attack (L). The IBM study referenced above provides significant evidence that this is the case. A more thorough analysis would consider the potential reductions in attack frequency and severity as a result of adopting a new cybersecurity measure and adjust all three values in the formula appropriately. Considered in light of these significant limitations, the simple analysis above is still helpful to illustrate the fundamental problems with the current state of cybersecurity investment and the critical role that cyber insurance plays in mitigating some of these problems.
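The following is an added worked example, not part of the paper, that carries the Learned Hand inequality B < P*L through with the paper's own figures (P = 0.63, L = $9.44 million per breach, three attacks per year) and then implements the refinement the limitations paragraph calls for: testing a single measure on the margin, where its cost B is compared against the reduction in expected loss it produces by lowering P and L. The candidate measures, their costs, and their assumed effects on P and L are constructed assumptions for illustration; the paper gives no such values.

```python
"""Learned Hand (B < P*L) for cybersecurity budgets: baseline and marginal form.

Added example. Paper figures: P = 0.63 (Forrester), L = $9.44M per breach (IBM, US),
3 attacks per year (Forrester). Everything about individual measures below is a
constructed assumption, not data from the paper or from either study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskProfile:
    p_attack: float             # P: annual probability of a successful attack
    loss_per_breach_musd: float  # L: loss per breach, in millions of USD
    attacks_per_year: float      # scaling factor the paper applies to L

    def expected_loss_musd(self) -> float:
        """Right-hand side of B < P*L, with L scaled by attacks per year."""
        return self.p_attack * self.loss_per_breach_musd * self.attacks_per_year


# Baseline built from the paper's figures.
PAPER_BASELINE = RiskProfile(p_attack=0.63, loss_per_breach_musd=9.44, attacks_per_year=3)


def cost_justified_budget_musd(profile: RiskProfile) -> float:
    """Largest total preventative spend B that still satisfies B < P*L."""
    return profile.expected_loss_musd()


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost_musd: float   # B for this one measure
    p_reduction: float        # fraction by which the measure lowers P (assumption)
    loss_reduction: float     # fraction by which the measure lowers L (assumption)


def apply_measure(profile: RiskProfile, measure: Measure) -> RiskProfile:
    """Profile after adoption: P and L are each scaled down by the assumed fractions."""
    return RiskProfile(
        p_attack=profile.p_attack * (1.0 - measure.p_reduction),
        loss_per_breach_musd=profile.loss_per_breach_musd * (1.0 - measure.loss_reduction),
        attacks_per_year=profile.attacks_per_year,
    )


def risk_reduction_musd(profile: RiskProfile, measure: Measure) -> float:
    """P0*L0 - P1*L1: expected loss avoided by adopting the measure."""
    return profile.expected_loss_musd() - apply_measure(profile, measure).expected_loss_musd()


def is_cost_justified(profile: RiskProfile, measure: Measure) -> bool:
    """Marginal Learned Hand test: the measure's B must be below the loss it avoids."""
    return measure.annual_cost_musd < risk_reduction_musd(profile, measure)


# Constructed candidate measures (hypothetical costs and effects).
MFA_ROLLOUT = Measure("mfa_rollout", annual_cost_musd=0.5, p_reduction=0.20, loss_reduction=0.10)
GOLD_PLATING = Measure("gold_plating", annual_cost_musd=6.0, p_reduction=0.05, loss_reduction=0.0)


def evaluate(profile: RiskProfile, measures: list[Measure]) -> dict[str, bool]:
    """Map each measure name to whether it passes the marginal test against `profile`."""
    return {m.name: is_cost_justified(profile, m) for m in measures}


if __name__ == "__main__":
    print(f"Baseline P*L: ${cost_justified_budget_musd(PAPER_BASELINE):.2f}M per year")
    for m in (MFA_ROLLOUT, GOLD_PLATING):
        print(f"{m.name}: avoids ${risk_reduction_musd(PAPER_BASELINE, m):.2f}M, "
              f"costs ${m.annual_cost_musd:.2f}M -> justified={is_cost_justified(PAPER_BASELINE, m)}")
```

The baseline call reproduces the paper's $17.84 million. The marginal form is what an organization actually decides on: a measure is cost-justified when its own cost is smaller than the expected loss it removes, which is how the paper's observation that B changes P and L enters the formula. The second constructed measure shows the other side, an expensive control with a small effect that the test rejects.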
The Necessity and Futility of Cyber Insurance
Using a few simple and high-level assumptions in the prior section, I found that a cost-justified or economics-based approach under the Learned Hand formula implies that the average organization should allocate approximately $17 million annually to its cybersecurity budget. This result is astonishing. And while it may be tempting to believe that the risk posed (and correspondingly the amount that should be spent on cybersecurity) is lower for smaller companies, evidence actually points to the opposite conclusion. A recent report showed that smaller businesses were three times more likely than large companies to be targeted by spear-phishing, a particularly effective type of cyberattack.
Given the massive financial risk posed by cyberattacks, it is unsurprising that many companies look to cyber insurance as a key mitigation technique. Accordingly, the cyber insurance market has grown rapidly over recent years. In 2021, the 780 companies offering cyber insurance wrote a total of $5.1 billion in direct premiums, a 68% increase over 2020. However, cyber insurance remains very small compared to the broader property and casualty insurance market and heavily concentrated among a handful of writers. Moreover, the dramatic growth in premiums written over the past few years cannot be attributed to an increase in demand or utilization alone. Rather, such growth also appears to be the result of significant pricing increases as the cost of cyber claims continues to rise.
Cyber insurance policies come in two forms: as a stand-alone policy, or as an add-on to corporate general liability and property policies. Policies often cover only the specific set of “named perils” listed in the policy form. Although cyber insurance has been written for more than twenty years, a standard policy form has not yet emerged; thus, the specific perils covered and the amount of coverage may vary dramatically between writers and policies. The lack of uniformity among policy forms renders the process of purchasing cyber insurance an increasingly difficult challenge for businesses. Businesses that are not familiar with parsing through insurance policy forms in detail are likely to find that the policy excludes coverage for the exact kind of cyberattack that the company is most concerned about and that motivated the company to seek insurance coverage in the first place.
In addition to continued uncertainty about what a cyber insurance policy should include, there is significant uncertainty about how to appropriately price such policies. Little data exists on which to estimate the frequency and severity of cyberattacks given how rapidly such attacks and the technologies that they use evolve and a lack of sufficient information sharing among companies. No standard seems to exist for assessing cybersecurity risk, and insurer use of basic information—such as a company’s size, geography, security controls and incident history—varies significantly. Additionally, the potential liability resulting from a breach is constantly changing as legislatures pass new privacy and data breach laws, some of which establish private rights of action. Another wrinkle is the fact that cyberattacks are heavily correlated, which makes modeling of stress scenarios especially complicated. Finally, it is difficult to know what risks an insurer may be liable to cover given continued uncertainty around the enforceability of cyber insurance exclusions and the absence of a common policy form.
The recent dramatic price increases for cyber insurance may be the earliest indications of potential market failure. Some scholars have questioned whether a private market for cyber insurance is even sustainable, while simultaneously arguing that cyber insurance is vital for effectively managing cyber risks. Failures within the cyber insurance market may just be one expression of broader market failures within the cyber risk landscape. Given this landscape, it is unsurprising that many have proposed that the federal government intervene.
The Role of the Federal Government
David L. Vicevich, a cyber attorney in Butte, Montana, first proposed a federal cyber insurance program in 2018. He highlighted that the federal government has already taken significant steps that had a dramatic impact on the cyber insurance market, such as including cyber liability policies under the Terrorism Risk Insurance Program (TRIP). He also indicates that the private insurance industry has expressed support for greater federal involvement through public and private partnerships, including affiliations on topics such as “government mandated minimal security, information sharing, government backstops for extreme risk scenarios, better criminal enforcement, and anonymous reporting of security issues.”
Professor Christopher French of Penn State Law has pointed to the federal government’s extensive experience with insurance programs beyond the cybersecurity sphere, such as the Federal Deposit Insurance Corporation, which insures bank deposits, and the Pension Benefit Guaranty Corporation, which insures retirement benefits. Medicare, Medicaid, and Social Security are some of the largest and most popular federal government insurance programs of all time. French proposed three potential models for a federal insurance program: (1) a backstop model; (2) a reverse backstop model; and (3) gap-filler insurance.
A backstop model is similar to the approach taken by TRIP. The statute that created TRIP, the Terrorism Risk Insurance Act (TRIA), was a temporary response to insurers excluding coverage for terrorism risks after experiencing huge losses due to the terrorist attacks of September 11, 2001. Under TRIA, insurance companies are required to offer terrorism coverage, and the federal government functions as an excess of loss insurer or stop-loss insurer: when insurers’ losses exceed a specified dollar amount in the aggregate (or a certain percentage of premium on an individual basis), the federal government then limits an individual insurer’s liability to only 20% of the overall losses. Additionally, the coverage has an overall cap on what the federal government and insurers combined will pay. Vicevich argues that the backstop model has numerous benefits, including that it could address the correlated risk for losses that arises in cyber incidents, that it could encourage companies to offer more comprehensive policies with fewer exclusions as a result of the greater availability of risk capital, and that it could facilitate greater information sharing, which could help with risk assessment, quantification, and mitigation.
A reverse backstop model is the opposite, in which the federal government covers losses starting at the first dollar but only up to a certain cap. This model is similar to the widely recognized Federal Deposit Insurance Corporation (FDIC). Vicevich argues that this model could be paired with a requirement that businesses adopt a level of basic security measures (methods that can prevent 80% of breaches) in order to participate, which would improve overall security. Further, Vicevich argues that the consumer-friendly approach of FDIC (the “look for the FDIC sticker in the door”) could be effective in enabling consumers to feel confident that they are engaging with companies that will protect their information from attacks. Another potential benefit to the reverse backstop model is that it reduces the percentage of scenarios in which small businesses experience cyber incidents as an existential, going-out-of-business risk by potentially fully offsetting any loss under these scenarios.
Finally, a gap-filler model is similar to that adopted by the federal government for flood insurance under the National Flood Insurance Program (NFIP). The program requires that communities adopt and enforce regulations that meet certain minimum criteria in order to participate. For those that do, the federal government sets the terms of flood insurance policies, which are then written by private insurers. But any losses under the policies are paid by the federal government. Vicevich argues that the motivations for the NFIP have parallels to the context of cyber risk management, which makes it a particularly attractive option. Further, Vicevich believes that the gap-filler model is the only one that “suggests methods to regulate the powerful and elusive software and technology companies.”
The federal government appears to be taking the idea of a federal cyber insurance program seriously. In September 2022, the Federal Insurance Office (FIO), in association with the Cybersecurity and Infrastructure Security Agency (CISA), issued a notice seeking public comments “as to whether a federal insurance response to ‘catastrophic’ cyber incidents may be warranted, as well as how such an insurance response should be structured and other related issues.” The notice referenced that insurance responses may take many different forms and highlighted TRIP and NFIP as examples of existing federal insurance programs. The FIO’s focus on “catastrophic” cyber incidents may indicate that it is currently assuming a backstop model that would protect companies from only the most severe cyber incidents, with a focus on incidents impacting a large number of entities simultaneously. The FIO also seems to recognize the potential need for accompanying regulations in order to ensure that companies covered by the program take steps to reduce the likelihood of catastrophic cyber incidents. Based on the responses to the notice, the FIO and CISA are expected to provide a joint assessment to Congress.
While the recent notice by the FIO increases the prospects for a federal cyber insurance program, it is unlikely that such a program would be seriously considered by Congress in the near future. As a result of the Republicans winning the House and the Democrats holding the Senate in the 2022 elections, the federal government will be led by a divided Congress during the 2023–2024 session. Even on topics with which both parties can agree, divided Congresses rarely produce significant legislation. And it is uncertain at this point to what extent the parties agree on the need for a federal cyber insurance program.
However, while Congress is unlikely to make progress on a federal cyber insurance program in the short term, more promising opportunities for experimentation may arise at the state level. In particular, New York may be an especially effective state in which to test out a government-funded cyber insurance program, given its large concentration of critical infrastructure firms in the financial sector, its historical role as a hub for insurance companies, and its recent adoption of the New York Department of Financial Services’ Cybersecurity Regulation.
A Proposed New York Model
New York has the third largest economy in the country by GDP, at nearly $2 trillion. It is the financial capital of the United States, and it is home to many of the world’s largest financial institutions. This is relevant in a cybersecurity context because financial services experience more frequent and more costly cyber incidents than most other industries. Additionally, because of New York’s long-standing role as the global capital for insurance, it has a well-established and sophisticated insurance regulator. And perhaps most relevant is that New York’s insurance regulator, the Department of Financial Services (NYDFS), passed a first-in-the-nation Cybersecurity Regulation in 2017.
As discussed above, any effective government solution to the issues with cyber insurance will need to be paired with regulations ensuring that companies adopt at least some minimum level of security. This pairing accomplishes multiple goals. First, it reduces the cost of the overall program by reducing the frequency and severity of cyber incidents in the aggregate. Second, it addresses any issues of free-riding, where companies with poor cybersecurity programs benefit equally from a government insurance program despite contributing disproportionately to the risk. Finally, it reduces the success rate for attacks, thereby decreasing cyber criminals’ return on investment and disincentivizing criminal syndicates from focusing on cybercrime as a source of revenue.
New York’s Cybersecurity Regulation is extremely effective in this regard. The regulation requires companies to maintain a risk-based cybersecurity program, implement cyber policies, conduct penetration testing and vulnerability assessments, restrict employee access, and consider adopting multi-factor authentication, alongside numerous other requirements. It has been embraced as the gold standard for cybersecurity regulation by many other state, federal, and international regulators. Since its original publication in 2017, the NYDFS has amended the regulation twice, including the most recent round of proposed amendments released on November 9, 2022, which, among other things, add a heightened set of requirements for large companies and create new notification requirements for ransomware attacks. The NYDFS has exhibited the ability to flexibly adapt and evolve the regulation to meet the rapidly changing cybersecurity environment. Given that any government cyber insurance program is highly likely to require significant experimentation in its early years, the Department’s ability to adjust quickly would be a critical asset.
One significant limitation of pairing a potential New York cyber insurance program with its Cybersecurity Regulation is that the latter is currently limited in scope to “covered entities,” meaning entities that operate under the Banking Law, the Insurance Law or the Financial Services Law. The regulation also requires certain minimum cybersecurity practices for any third-party service providers of such entities, although these requirements are significantly more limited in scope than those applied to covered entities. Thus, for a New York cyber insurance program to be effectively paired with the current regulation, it would likely need to extend only to covered entities. The inclusion of third parties may present issues of fairness, unless the amount or extent of coverage offered to third parties appropriately reflected the differences in required minimum cybersecurity practices under the regulation. As a result, any New York cyber insurance program may only cover companies in the finance and insurance sectors, which would significantly limit its effectiveness. However, a focus on the finance and insurance industries as a starting point may allow for more effective experimentation. Moreover, as discussed above, the financial services industry represents a disproportionate share of cyberattacks; thus, a cyber insurance program limited to financial services would be likely to have an outsized effect on addressing market failures in the private cyber insurance market.
In his proposal for a federal program, Vicevich highlights four major concerns. First, the cost of a cyber insurance program may be prohibitive. This would likely be true in the case of a New York program as well, although the ability to experiment with a program tailored in scope to match that of the Cybersecurity Regulation could reduce the overall cost. Vicevich points out that, at the federal level, the government may be able to engage in defense spending to reduce overall societal costs of cyber losses, thereby limiting the federal program’s exposure. Of course, a New York program would not have this option. Thus, New York would be subject to the risk that the costs of its cyber insurance program increase because of the federal government’s failure to effectively police the cybersphere from attacks.
Second, Vicevich points out that a “lumbering [federal] bureaucracy” may fail to be sufficiently nimble in adapting the regulations accompanying a federal insurance program given how quickly the cyber landscape changes. While this fear also applies in part to New York state bureaucracy, the NYDFS has shown itself capable of at least some level of nimbleness. Rather, this fear would likely be most relevant with any decision to expand a New York program beyond the scope of the current Cybersecurity Regulation. The involvement of multiple state agencies would add significant complexity to the process for proposing and adopting new rules as the landscape evolves.
Third, Vicevich highlights that the nationalization of cyber insurance could stunt the growth and development of the private insurance market. He argues that this possibility is problematic because the private market has a greater potential to be reflexive and to better regulate in an ecosystem of rapid change. A New York program likely addresses this concern because it would allow for experimentation around a government program while still enabling the private market to grow and develop in other states (or in other industries not covered by the program). However, it is also unclear whether Vicevich’s premise itself is true. The existence of a strong and vibrant Medicare Supplement market provides evidence that a government-funded insurance program can effectively coexist with an effective private market. Moreover, the current market failures in cyber insurance seem to indicate to at least some extent that the private insurance market has not been an effective regulator in the rapidly changing space of cyber risk.
Finally, Vicevich argues that the program may fail to effectively address cyber risk. This prediction is, of course, true with any government program. There is no reason to believe that a New York program would not also face a risk, even potentially a high one, of failure. But the benefit of a state program with limited scope is that it would allow for experimentation while minimizing the financial consequences of failure. Further, aggregate loss caps, similar to those used in the backstop model, could be an effective way to manage the financial impacts of failure while still offering more coverage than currently exists under the private-sector-only model.
Conclusion
The rapid growth of the digital economy over the past two decades means that an increasingly large share of the country’s economic activity is occurring online. Simultaneously, cyberattacks are becoming more frequent and more severe. The potential liability that companies face from cyber threats poses an existential threat to the economy, especially for small and medium-sized businesses that cannot afford to invest millions of dollars annually in cybersecurity. Cyber insurance is critical both in reducing the damage posed by cyber-threat actors and in strengthening the overall cybersecurity posture of companies. However, numerous issues in the private cyber-insurance market indicate that a purely market-based approach is unlikely to work. Policies are complicated, and companies often discover only too late that the policy does not cover the exact risk about which they were most concerned.
The existential threat posed by cyberattacks, and evidence that such threats cannot be managed through a reliance on the private cyber insurance market alone, necessitate action by the government. Successful federal government insurance programs such as TRIP and NFIP could serve as models for a future federal cyber insurance program. Although a federal solution would have clear benefits over state-specific programs, Congress is unlikely to take any action on a federal cyber insurance program in the short term.
A state solution presents an attractive short-term solution to address the threats posed by cyberattacks. In particular, a New York program that aligns with the scope of the New York Department of Financial Services’ Cybersecurity Regulation would allow for quick experimentation with a relatively sophisticated and nimble regulator, while still covering critical sections of the economy that are most susceptible to cyber risks. The ability to tie the program to minimum requirements outlined in the Cybersecurity Regulation will reduce costs to the public and strengthen the overall effectiveness of a state cyber insurance scheme.