The 21st century has been shaped by the fourth industrial revolution: above all, the arrival of the digital age, the spread of technology and the still-nascent growth of the Internet of Things (IoT). While everyday life has become more convenient because of the growing influence of digitalisation and technology, companies are facing increased and significant cyber risk. As the use of electronic devices has become more commonplace, cyber criminals have also become more sophisticated. Their tactics have evolved, they too have benefited from technological developments, and they have become more creative in the scope of their attacks.
According to Norton Cyber Security Insights, Brazil ranked sixth in a list of countries that lost the most money due to cyber crime in 2017, a sum that is estimated to be around US$5bn. In addition, the number of cyber attacks targeting companies in Brazil nearly doubled in 2018, year on year, according to the fourth Report on Digital Security in Brazil.
Given the increasing number of cyber threats companies face, it is unsurprising that the number of firms taking out cyber insurance has grown in recent years. More and more companies are embracing cyber insurance as a way to protect their assets from the financial impact of a breach.
On 16 November 2018, Circular n. 579/2018 of the Brazilian Superintendence of Private Insurance (SUSEP) was published. It amended Circular n. 535/2016, which sets out the codification and classification of the coverages contained in insurance plans, to include cyber risks in the civil liability group of products. So far, however, SUSEP has not regulated cyber risk insurance specifically.
Going forward, demand for cyber insurance will increase with the introduction of Federal Law No. 13.709/18 (the General Data Protection Law, or LGPD), scheduled to enter into force in February 2020. Reportedly inspired by the European Union's (EU's) General Data Protection Regulation (GDPR), the Federal Law establishes new rules for the processing of personal data by natural persons and legal entities, whether governed by public or by private law. The aim of the law is to safeguard the fundamental rights of freedom and privacy of Brazilian citizens.
Under the new legislation, controllers and operators of personal data will be subject to significant fines for infringements, up to 2 percent of the company's revenue in Brazil in its last fiscal year, capped at 50 million Brazilian reais per infraction, in addition to liability for damage caused to third parties when processing personal data. As a result, it is expected that many companies will increasingly opt to arrange cyber insurance.
It is clear, however, that regardless of whether insurance coverage is arranged to protect a company against potential liabilities, the responsibility for adopting the security, technical and administrative measures needed to protect third parties' personal data, and so reduce the risk of a privacy breach, lies with the companies themselves. Insurance transfers part of the financial consequences of a breach; it does not transfer the duty to prevent one.
Naturally, risks vary from company to company, and the profile of the insured organisation, its field of business and its internal security procedures will all have an impact on pricing. For example, a company which adopts device encryption, biometrics, two-factor authentication and regular password rotation, and provides ongoing internal training on the precautions that must be taken with its systems, among other security measures, should, in theory, pay lower premiums, as the risk of loss is mitigated.
On the other hand, whether because of the difficulty of measuring a company's vulnerability or because the number of insurance claims in the country is still considered low, insurers face significant difficulties in pricing risk during the underwriting process. The result is that they cannot rely on actuarial statistics and must instead fall back on less precise indicators of the insured's exposure.
The coverage found in cyber risk insurance policies falls into two general groups: (i) coverage for the losses and damages that the insured may be ordered to pay as a result of claims brought by injured third parties (third-party liability); and (ii) coverage for the insured company's own costs, losses and damage to its own assets caused by a cyber attack (first-party losses). In practice, insurers offer a package of services which is not limited to the payment of damages to third parties, but also covers losses suffered by the insured in the conduct of its business.
In the Brazilian market, coverage varies from one insurer to another; however, there are some forms of coverage that are generally available and that may attract the attention of potential insureds.
One example is coverage for defence costs incurred in administrative, judicial and arbitral proceedings arising from cyber attacks, in addition to coverage for the indemnity that the insured may be obliged to pay as a result of the unauthorised public disclosure of private data under its care, custody or control.
Regarding coverage for damage to the insured's own assets, various coverages are usually offered, such as: (i) compensation for loss of profits due to the paralysis of its network; (ii) compensation for damage that could not be avoided in an attack, such as the loss of or damage to digital assets; (iii) payment of a 'ransom' demanded by third parties who threaten to damage the system or leak sensitive data (cyber extortion); (iv) cover for damages resulting from a final, unappealable judicial decision, or from a settlement expressly authorised by the insurer, in any claim first made against the insured by virtue of a harmful electronic publication; and (v) payment of damages suffered by outsourced companies as a result of claims brought against them due to a violation of personal information that was the insured's responsibility.
Additionally, the cyber risk policy typically guarantees the insured: (i) reimbursement of the costs incurred to notify clients of any privacy or confidentiality breach; (ii) payment of expenses incurred to prevent or reduce the effects of negative publicity resulting from a cyber attack; (iii) payment of expenses incurred in hiring specialised information technology professionals; (iv) the costs incurred to determine whether compromised electronic data can be restored, reintroduced or recreated and, where possible, the costs of such restoration, reintroduction or recreation; and (v) payment of fines and administrative penalties that the insured is required to pay in connection with an investigation, to the extent they are insurable.
Furthermore, one of the most common issues in cyber risk insurance is the difficulty of identifying the date of the triggering event; that is, when the attack on the company's systems and the resulting harm to third parties took place. A breach may only be discovered years after it occurred. In Brazil, however, the policies are written on a 'claims made and notified' basis, so the applicable policy will usually be the one in force when the first claim is made against the insured and notified to the insurer, not the one in force when the cyber crime actually occurred.
The insured may therefore notify the insurer of potentially harmful facts or circumstances that give rise to an expectation of loss and might lead to a future claim. Although in other types of civil liability insurance little importance is placed on such a 'notice of circumstances' (it is often simply acknowledged or denied by the insurer), when insuring against cyber risks such early notice becomes more relevant, since security measures may be adopted in time to mitigate the potential damage.
Moreover, in contrast to what is common in other jurisdictions, article 39 of SUSEP Circular No. 256/2004 prohibits insurers from setting a maximum deadline for the filing of a claims notice; as such, refusing to cover a claim on the grounds of late notification is only possible when it is proven that the insured's delay has prejudiced the ability to mitigate the damage associated with the event.
Undoubtedly, cyber risk insurance is still developing in the Brazilian market. However, when Federal Law No. 13.709/18 enters into force, bringing severe penalties for breaches of third-party privacy, companies' demand for insurance coverage is likely to increase considerably. Likewise, as the business environment becomes increasingly digital and automated, the likelihood of a company suffering a cyber attack increases, which raises the question of whether a diligent company will, in practice, have any choice but to obtain insurance coverage.
Renato Chalfin is a senior associate at Chalfin, Goldberg, Vainboim & Fichtner. He can be contacted on +55 21 3970 7315 or by email: firstname.lastname@example.org.
© Financier Worldwide
Chalfin, Goldberg, Vainboim & Fichtner