The Changing Landscape of Cyber Insurance and the Response from Regulators

The State of Cyberattacks 

Cyberattacks are on the rise and have increased significantly since the pandemic began in March 2020. Remote work, coupled with bring-your-own-device policies, has widened the attack surface of businesses and individuals alike. Ransomware attacks in particular increased 300% in 2020.

The Cybersecurity and Infrastructure Security Agency (“CISA”) defines ransomware as:

an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

Ransomware is among the most disruptive, and therefore most expensive, forms of cybercrime. Attackers keep demanding larger sums: ransom demands increased 171% from 2019 to 2020 and continue to grow.

While small businesses are the targets of 43% of all cyberattacks, neither large businesses nor government institutions are immune. In March 2021, for example, CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million to regain control of its network after a ransomware attack. In another recent example, the Kaseya ransomware attack of July 2021 paralyzed as many as 1,500 organizations by compromising Kaseya's IT management software. Because that software is used by many managed service providers to administer their own customers' systems, a single compromise fanned out to the providers' downstream clients before Kaseya could effectively warn its users, allowing the attackers to encrypt data rapidly and demand ransoms of as much as $5 million per victim. From this kind of supply-chain ransomware to the SolarWinds cyber-espionage campaign, it is abundantly clear that cybersecurity is now fundamental to almost every aspect of modern life, from consumer protection to national security.

The Insurance Industry’s Response  

The rise in cyberattacks has, in turn, reshaped the cyber insurance market. Because of the increasing regularity of ransomware attacks, loss ratios on cyber insurance (claims paid as a share of premiums earned) rose from an average of 42% between 2015 and 2019 to 73% in 2020. Cyber-related business interruption coverage is the most sought-after form of cyber coverage. Rising costs are affecting both premiums and the scope of coverage. Insurers are also becoming more rigorous in assessing the cybersecurity posture of their customers and in pricing and underwriting coverage according to that risk.

Cyber insurance plays a key role in managing and transferring cyber risk. It is a relatively new line of business for most insurers, though it is becoming increasingly common. In 2019, the U.S. cyber insurance market was worth $3.15 billion; by 2025 it is estimated to reach about $20 billion. It is important to note, too, that these figures may understate how much cyber risk is actually insured, because many policyholders submit claims arising from cyber incidents under non-cyber policies (so-called "silent cyber" exposure).

Insurance companies themselves have also come under scrutiny for their own cyber hygiene. Because insurers collect, store, and maintain large volumes of sensitive personal and business data, this scrutiny is predictable and follows the broader trend toward regulating cybersecurity. In the absence of comprehensive federal legislation, states are paving the regulatory path and setting baseline standards of care for cybersecurity.

State Cybersecurity Regulation  

At least one state has taken a proactive role in issuing a cybersecurity regulation directed at insurance companies and other financial institutions. In 2017, New York's Department of Financial Services ("DFS") promulgated the first cybersecurity regulation for the financial services sector, codified at 23 N.Y.C.R.R. Part 500, and in 2019 it created a dedicated Cybersecurity Division. Because many leading companies are headquartered in New York or conduct substantial business there, the regulation is significant and may influence how other states decide to regulate the cyber insurance market.

The regulation became effective on March 1, 2017, with a two-year implementation period. By March 1, 2019, all insurance companies and other financial services institutions and licensees regulated by DFS were required to have in place a robust cybersecurity program designed to protect consumers' private data; a written cybersecurity policy (or policies) approved by the board of directors or a senior officer; a Chief Information Security Officer responsible for protecting data and systems; and controls and plans, including encryption of nonpublic information and multifactor authentication for remote access, to help ensure the safety and soundness of New York's financial services industry. The regulation sets forth certain limited exemptions, many of which still require the exempt entity to maintain certain cybersecurity programs and practices.

According to a 2018 DFS memorandum, the purpose of the regulation is to bolster the financial services industry's defenses against cyberattacks in order to protect the markets and consumers' private information. The regulation also requires all entities and persons regulated or licensed by DFS to file various cybersecurity notices with the Superintendent, including an annual certification of compliance and notifications of cybersecurity events, whether or not the attempt succeeded, within 72 hours of determining that a reportable event has occurred.

DFS has already opened several investigations into covered entities believed to be non-compliant with the regulation, the most recent resulting in a settlement with First Unum Life Insurance Company of America ("First Unum") and Paul Revere Life Insurance Company ("Paul Revere") on May 13, 2021. The Superintendent of DFS announced that the two insurers agreed to pay a $1.8 million penalty to New York State for violations of the Cybersecurity Regulation that exposed a substantial amount of sensitive, non-public personal data belonging to their customers, including thousands of consumers nationally and hundreds in New York. As part of the settlement, the companies also agreed to make further improvements to their existing cybersecurity programs to ensure that their controls are fully compliant with the regulation.

DFS's Cybersecurity Regulation serves as a model for other regulators at both the federal and state levels, as well as for industry bodies such as the National Association of Insurance Commissioners.

Krishna A. Jani, CIPP/US, is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or

Cybersecurity & Data Privacy Litigation Trends – February 2021

Spotlight on Recent Decisions 2021

The Delaware Superior Court recently dismissed a healthcare data breach lawsuit against Brandywine Urology Consultants ("Brandywine"), ruling that the breach victims had failed to plausibly allege injuries or losses caused by a 2020 security incident and therefore lacked standing to sue. The suit, Abernathy, et al. v. Brandywine Urology Consultants, P.A., C.A. No. N20C-05-057 MMJ CCLD, arose from a ransomware attack that Brandywine discovered in January 2020 and that had reportedly been live on the network for two days before the IT team detected and isolated it. Notably, the attackers accessed and encrypted records containing patient names, addresses, Social Security numbers, medical file numbers, claim data, and other financial and personal data, yet at no point did they attempt to extract a ransom. According to the court's January 21, 2021 Opinion, Brandywine notified all of its patients of the attack by breach notification letter.

In May 2020, the breach victims sued Brandywine, alleging negligence, invasion of privacy, breach of express contract, breach of implied contract, negligence per se, breach of fiduciary duty, noncompliance with the Delaware Computer Security Breach Act, and violation of the Delaware Consumer Fraud Act. The lawsuit sought recovery of mitigation expenses incurred because of the breach. In July 2020, Brandywine moved to dismiss, arguing that the plaintiffs lacked standing to sue: in essence, that they had suffered no concrete, particularized, and actual or imminent injury-in-fact. To demonstrate injury-in-fact, the plaintiffs alleged an imminent risk of future harm, loss of privacy, anxiety, failure to receive the benefit of the bargain, loss of value in their personally identifying information, and disruption of medical care.

In its January 21, 2021 Opinion, the Delaware Superior Court stated that in “data breach cases [in Delaware], [p]laintiffs must provide at least some plausible specific allegations of actual or likely misuse of data to satisfy the standing requirement and avoid dismissal under [Superior Court Civil] rule 12(b)(1).” The court also noted that Delaware courts have not yet addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. Brandywine argued that it did not.

The court found that Brandywine's breach notification described only a possible compromise of personal and financial information during the ransomware attack; it did not concede a concrete and imminent threat. The court also determined that Brandywine appeared to have acted quickly in response to the breach and to have taken appropriate steps to investigate what had transpired. Ultimately, the court decided that Brandywine should not be punished for notifying individuals of a possible compromise of their data, and it expressed reluctance to issue any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution. The court held that the mere fact that the attack occurred, without more, is insufficient to confer standing. It also found that mitigation costs, including credit monitoring and placing freezes and alerts with credit reporting agencies, do not create an injury sufficient to confer standing on plaintiffs who allege only speculative harm from a data breach.

In a similar case from the Middle District of Pennsylvania, cited in the Delaware Superior Court's Opinion, the court likewise found that "[p]laintiffs' alleged harm—that they are now at an increased risk of identity theft—does not suffice to allege an imminent injury."

Though courts remain divided on standing in data breach cases, the Delaware Superior Court's opinion lays the groundwork for what may become the norm: a heightened pleading requirement for standing (Article III standing in federal court and its state-law analogues) in such cases, under which plaintiffs must allege actual or likely misuse of their data rather than the mere fact of a breach.

Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or