
Cyber market grapples with ‘alphabet soup’ of regulation

Reuters, Mar 21, 2025 4:05 PM

By Michael Loney

(The Insurer) - The cyber market is having to keep on top of a confusing mix of U.S. state and federal laws, as well as international laws, which has increased the number of claims related to privacy.

Paul Needle, senior vice president and cyber treaty reinsurance underwriter at Munich Reinsurance America, discussed the U.S. and international laws affecting the cyber market at this month’s PLUS Cyber Insurance Symposium in New York.

Needle said it “is a very complicated arena and it's difficult for companies to manage these types of exposures, small and large”.

This complexity was also highlighted by Chubb in a claims report released in March, which noted that U.S. laws affecting cyber claims include the Illinois Biometric Information Privacy Act, the Video Privacy Protection Act and wiretapping laws.

“Privacy laws and regulations are being implemented with increased frequency and are having a measurable impact on claims, including cases involving mass arbitration of alleged violations of VPPA and wiretapping statutes, with arbitration fees becoming payable before the merits of the claim are even considered,” the report said.

Chubb added that other state laws such as Illinois’ Genetic Information Protection Act and Washington’s My Health My Data Act “should also be on the radar of any companies that are concerned about privacy liability”.

The insurer said that the proportion of third-party claims related to privacy liability in the U.S. in 2023 to 2024 was double that in 2020 to 2022.

Outside the U.S., other frameworks such as the EU’s General Data Protection Regulation regulate the lawful collection, processing, use, and retention and deletion of personally identifiable information, Chubb added.

“As cybersecurity and privacy concerns continue to intersect both within and outside of companies, claims are on the upswing,” the report said.

Munich Re’s Needle noted a lot of the laws are focusing on governance and how businesses go about protecting private data.

He advised companies to implement some sort of framework to help come into line with the laws, pointing to the National Institute of Standards and Technology cybersecurity framework as an example.

“Individual state privacy laws are utterly confusing,” he said. “There's been 59 introduced new state laws in each of the past two years, and seven new ones enacted into law this past year.”

He continued: “Data breach litigation tripled from 2022 to 2023 because of a lot of the things that we're talking about, (and now) you have to think about is there a seven- or eight-year tail on some of this business?”

Needle also highlighted the Digital Operational Resilience Act, which went into effect on January 17 this year and is changing the regulatory landscape for financial institutions operating in the European Union.

“But long story short is: follow frameworks so you don't get too confused with this alphabet soup of regulation,” he said.

The executive added that longer-tail claims have increasingly come into focus for the cyber market. He noted the industry’s claims development for the years 2016 to 2020.

He said that online tracking litigation “has really surged in the past three years”. This includes Meta Pixel claims, as well as ones related to the VPPA, the Wiretap Act and California Invasion of Privacy Act.

“It's a rapidly evolving landscape based off of these previously well-known laws or regulations that had a very limited scope and were developed in the sixties or maybe the early nineties,” he said. “And here we are litigating a technology that didn't even exist when these were created.”

Needle continued: “The creativity and the persistence in the judicial system is alive and well, and we're going to continue to see these claims. These are third-party claims, and there's been a huge spike in these,” he said.

Discussing the VPPA claims, Needle said that a lot of them are getting dismissed, although not all of them.

“But it's 100% a concern, and it could drive further long-tail development because of these third-party claims,” he said.

FEDERAL REGULATORY ACTION TIPPED TO EASE

On a regulatory panel at the PLUS symposium in New York, speakers suggested that federal regulatory activity related to privacy may ease under the Trump administration, but state action could increase.

“It's going to impact the federal regulatory environment, but it is not going to impact I don't think the state regulatory environment,” said Liz Dill, a Virginia-based partner at Mullen Coughlin. “And it may result in more activity because the states really need to pick up on consumer protection if the feds are stepping back.”

Dill added: “The state AGs are very well equipped and they are very knowledgeable about these kinds of topics, and they're willing to step in if they think their consumers are being harmed.”

On the same panel, Catherine Lyle, head of cyber claims and incident response at Tokio Marine HCC, agreed.

“I think the federal government is going to be pulling away. We've seen the FTC has pulled away from MGM. We're also going to see big tech having more influence, and so I think the president is not going to be as much involved.

“I think the state government will step in, and we're going to see a lot more of the private right of action police, plaintiffs’ counsel, coming forward saying, ‘Oh, we're doing the right thing by society,’ and using that as their moment to pull forward.”
