Data breaches, lawsuits, and ongoing conversations about cyber war exclusions gave Insurance Journal readers much to talk about regarding cyber insurance in 2023.
While news of cyber acquisitions, the major themes to look out for in the coming year, and the ever evolving ransomware scene gained attention, data breaches seemed to create the most buzz as Insurance Journal reported on the major data breaches of the year and how they affected the insurance, as well as the legal, landscape.
In fact, one class action lawsuit following a data breach affecting 23andMe, a genetics test-kit company that offers ancestry and health reports after analyzing a customer’s saliva, was the top read cyber story on Insurance Journal’s website for 2023 based on reader metrics. And that wasn’t the only company that suffered a data breach this year. Insurer Mapfre, Comcast’s Xfinity, and UK printing firm, Adare SEC, all faced data breaches of their own, and readers were paying close attention. Check out the top 10 cyber stories on Insurance Journal for this year.
1. 23andMe Faces Class Action Lawsuit Following Data Breach
Two victims of an early October 23andMe data breach filed a class action lawsuit that month in U.S. District Court for the Northern District of California. The suit alleged negligence, invasion of privacy, unjust enrichment, and breach of implied contract as the plaintiffs claimed notification about the breach was deficient because it did not address whether the threat had been contained or how the breach occurred. The breach came after reports said an anonymous hacker put the information from millions of customer accounts for sale, including email addresses, photos, gender, date of birth, and DNA ancestry. 23andMe said in an October blog entry that it exceeds industry data protection standards and attained multiple ISO certifications of its security program. The company said that since 2019, it has offered and encouraged customers to use multi-factor authentication.
2. Cyber Insurance Attorney Charged With Serial Rape, Kidnapping 15 Years Ago
Insurance Journal reported in May that The Federal Bureau of Investigation and Boston Police arrested a cyber insurance attorney in connection with a series of sexual assaults and kidnappings in the Boston area about 15 years ago. At a press conference, law enforcement officials said they identified Matthew J. Nilo, 35, as a suspect in three rapes, two kidnappings, one attempted rape and an indecent assault between 2007 and 2008 in Boston’s Charlestown neighborhood. Nilo’s LinkedIn page at the time identified him as claims counsel in New York for Cowbell, a San Francisco-based cyber insurance firm where he started work in January 2023. A Cowbell spokesperson told Insurance Journal that Nilo was hired in January after passing a background check. The firm said his employment at Cowbell “has been suspended pending further investigation.”
3. Lloyd’s Cyber War Exclusions: Confusing, Disruptive, but Necessary?
The conversation continued about cyber war exclusions this year as the rollout of the Lloyd’s cyber war exclusions received considerable criticism for the chaos and confusion caused in the weeks leading up to the March 31st effective date. A widely read May Insurance Journal article spelled out the details of the new cyber war exclusions, stating that a compliant cyber war exclusion must be included in policies purchased through Lloyd’s, meaning it’s not voluntary. The most commonly used exclusion – LMA5567A/B – does not exclude state-sponsored cyber attacks, unless certain thresholds are met – the most notable of which is that the insured digital assets must be located in a state that has suffered a “major detrimental impact.” Insurance Journal also reported another important fact — that the LMA’s exclusions can be revised, provided they adhere to Lloyd’s requirements listed in Lloyd’s Market Bulletin Y5381.
4. Travelers to Buy Cyber MGU Corvus for $435 Million
The mergers and acquisitions landscape continued in cyber insurance for 2023, with readers paying close attention as The Travelers Companies announced in November that it has agreed to buy cyber managing general underwriter Corvus Insurance Holdings, Inc. for about $435 million for its middle-market excess and surplus lines presence. The move came following a September announcement that Travelers would serve as a capacity provider for Corvus products in the U.S. starting Oct. 1. The companies reached a similar agreement in 2022 for the European market. Travelers said the deal is expected to close in the first quarter 2024, and it should have an immaterial impact to earnings in the near term.
5. Cyber Insurance Market Back From Brink After Onslaught of Ransomware Attacks
Bloomberg reported in February that the cyber insurance market, battered by a rash of pandemic-era ransomware attacks, is making a comeback. Price hikes are moderating, new carriers and fresh sources of capital are emerging, and companies can better afford coverage. Cyber-insurance pricing increased 10% from a year earlier in January, a fraction of the 110% annual increase reported in the first quarter of 2022, preliminary data from insurance broker Marsh McLennan show. If those trends continue, prices could be set to decline, said Tom Reagan, Marsh’s cyber practice leader.
6. Cyber Insurance Themes to Look Out for in 2023
The year started with Insurance Journal readers paying attention to the major cyber insurance themes that were likely to emerge in 2023. Oliver Brew, cyber practice leader at Lockton Re, spelled it all out in a January contributed article. He wrote that some trends are already underway and will accelerate, while others are new, and noted additional themes that could have an impact on the cyber insurance landscape include the use and convergence of war exclusions, growing common understanding of internet infrastructure definitions, and the impact of the ongoing war in Ukraine on cyber criminal activity.
7. Major Cyber Attack Could Cost Global Economy $3.5 Trillion: Lloyd’s
A cyber attack on a major financial services payments system could result in widespread business disruptions, potentially costing the global economy $3.5 trillion over a five-year period, according to research from Lloyd’s and the Cambridge Centre for Risk Studies, reported in Insurance Journal in October. While the cyber insurance market is growing, it still is a relatively immature market, estimated at around $9.2 billion in gross written premiums in 2022 and forecast to reach between $13 billion and $25 billion by 2025. As a result, Lloyd’s said, it would cover only a small portion of the potential economic losses faced by businesses and society.
8. Insurer Mapfre Faces Class Actions Over Data Breach
Bringing it back to readers’ interest in data breaches, perhaps the class action lawsuits resulting from a data breach affecting insurer Mapfre felt a little too close to home for the industry. Two proposed class actions were filed in federal court in Massachusetts against Mapfre U.S.A. Corp. and its affiliate Commerce Insurance Co. over a data breach, Insurance Journal reported in September. One of the lawsuits contends the breach may have exposed customer data for more than 260,000 individuals. The suits blame the property/casualty insurer’s online quoting platform for allegedly automatically populating an individual’s driver’s license number and other information for anyone entering a bare minimum of publicly available information about that individual. Mapfre has acknowledged it suffered a data breach between July 1 and July 2, 2023. The insurer said that as soon as it became aware of the issue, it took down its Massachusetts online quoting platform and began an investigation to determine what happened. It also reported the incident to law enforcement and offered customers free identity theft protection.
9. Comcast’s Xfinity Reveals Data Breach Potentially Affecting Nearly 36 Million People
Another data breach came at the end of the year, as Insurance Journal reported in December that Comcast’s Xfinity has started notifying customers of a data breach that may have revealed information of nearly 36 million people. Xfinity, Comcast’s brand for broadband, video and phone services, said in a notice that a routine cybersecurity exercise on Oct. 25 revealed suspicious activity. Unauthorized access to its systems between Oct. 16 and Oct. 19 was the result of a vulnerability with one of its software providers, Citrix. Xfinity found that information was likely acquired, and eventually concluded that the information could have included usernames and hashed passwords, names, contact information, last four digits of social security numbers, dates of birth, and/or secret questions and answers. According to a data breach notification filed in Maine, submitted by law firm Holland & Knight, the total number of people affected is about 35.9 million.
10. MOVEit Cyber Attack Hits UK Printing Firm Used by Insurers, Brokers and Banks
Bloomberg reported in June that a UK printing firm that sends mail for clients ranging from major health-insurance providers to multinational banks was a victim of the extensive MOVEit cyberattack. Adare SEC confirmed to Bloomberg News on June 12, 2023 that it was hit by the MOVEit hack and that data was stolen. The firm sends digital communications and printed letters and documents to customers of clients including Legal & General Group Plc, Aon Plc and Allianz SE. The company didn’t detail the type of information taken, only saying that the “data relating to a small proportion of our customers has been compromised.”
Topics Cyber
Was this article valuable?
Here are more articles you may enjoy.
Big ‘I’ Report: Independent Agency Channel Placed 62% of Premiums in 2023 
Workers Sue Disney, Say They Were Wrongly Induced to Move to Florida 
Ford Recalls 668,000 2014 F-150 Pickup Trucks Over Transmission Issue 
Coverage Needed: Hundreds of Thousands in SE Now in Flood Zones With New Maps 
