Privacy Overtakes Ransomware as Top Insurance Focus
In recent times, the threat of mishandling protected personally identifiable information (PII) has emerged as a significant concern, potentially rivaling the impact of ransomware attacks. David Anderson, Vice President of Cyber Liability at Woodruff Sawyer, a national insurance brokerage, warns, "While privacy claims take years to work their way through the legal process, losses are generally just as catastrophic over the course of three to five years as a ransomware claim is over the course of three to five days."
A survey conducted by Woodruff Sawyer revealed that 31% of cyber insurance underwriters named privacy as a top concern for 2024, second only to ransomware, which was selected by 63% of respondents.
Dan Burke, Senior Vice President and National Cyber Practice Leader at Woodruff Sawyer, shed light on an emerging trend. He said, "Pixel-tracking claims are the latest target for the plaintiffs' bar — going after companies tracking website activity through pixels on the screen without obtaining proper consent."
James Tuplin, Senior Vice President and Head of International Cyber at Mosaic Insurance concurs that underwriters are placing greater scrutiny on privacy trends. He notes that privacy litigation typically spans several years, with 2024 marking the culmination of cases filed between 2017 and 2019, predating the enactment of many privacy laws such as the General Data Protection Regulation (GDPR) in 2018.
Despite the substantial payouts associated with privacy claims, insurers often have ample time to manage their capital reserves as claims undergo negotiations and litigation. However, Tuplin emphasizes the need for boards of directors to recognize privacy issues as business concerns rather than solely IT matters, especially as regulators increasingly target Chief Information Security Officers (CISOs) for compliance.
"For the insurer, however, the payout for privacy claims may not be as large because the underwriters have a long time to play with their capital while those losses build to their final resolution. That's because insurers retain the interest from holding funds in escrow while claims work their way through negotiations and litigation," he explains.
"Many companies struggle to identify and classify the data they collect, often hoarding it as an asset rather than recognizing the associated risks," says Sherri Davidoff, Founder and CEO at LMG Security, highlighting the challenges organizations face in managing and protecting sensitive data effectively. "It's like nuclear waste. The more data you have, the more risk you have," she says.
Navigating complex privacy laws presents another hurdle for organizations, particularly those operating across multiple jurisdictions. Experts warn that minor infractions, such as discrepancies in privacy policy adherence or incomplete opt-out processes, can trigger significant regulatory fines and legal repercussions.
In 2022, the real-world consequences of regulatory violations were seen when a company's misrepresentation regarding multifactor authentication led Travelers to deny an insurance claim, despite the premiums having been paid. To address compliance gaps and mitigate potential liabilities, organizations should therefore make use of the resources cyber insurers provide, such as security tabletop exercises, to ensure adherence to regulations and maintain policy compliance.