No industry or organization, wherever situated and whatever the size, is immune to the threat of cyberattack, and the impact can be catastrophic, both financially and in terms of reputation. For example, eBay recently announced a massive cyberattack that may have exposed the personal data of 128 million customers globally.
The management of cyberrisk clearly needs to be high on the boardroom agenda. Network security alone cannot fully address the issue: Experience has shown that even top-notch, state-of-the-art cybersecurity is vulnerable.
Boards need to ensure that they identify key risks and prioritize the protection of critical information. Internal policies and procedures should be put in place to ensure that staff are aware of risky behaviors, such as disclosing passwords and opening suspicious documents in unsolicited emails. Companies need to see that network security systems and controls are regularly tested and monitored, and that response procedures are in place in case of a cyberattack or data breach.
Insurance can also play a vital role in managing cyberrisks. As part of the board’s risk assessment, it needs to understand the types of cyberrisk, and the potential losses and liabilities that follow. This is the first step in understanding the organization’s insurance requirements and the extent of coverage required for cyberrisks.
Consider the Company’s Risk Profile
An initial assessment of the company’s risk profile and areas particularly vulnerable to cyberattack is crucial. External advice may be needed. The risk assessment should extend across the organization. The assessment needs to consider the amount and type of personally identifiable information, customer data and confidential corporate data the organization maintains and how such data is used, transmitted and stored. The company’s technology infrastructure should be evaluated, as well as potential threats to network security and the likely consequences of significant interruptions to online working or customer transactions. Also consider the risk of third-party claims arising from the company’s media content and the services provided to support e-commerce.
The company needs a complete understanding of any potential impact of a cyberattack or data breach, including the wider impact on business strategy. Performing a thorough risk assessment not only helps the organization identify and address risks and potential gaps in security but can facilitate underwriting of cyberrisks and may even result in premium reductions. Once the organization has a grasp of its risk profile and potential exposures, it can consider its insurance needs.
Examine Existing Insurance Policies
Some coverage for these potential losses and liabilities may be available under existing insurance policies already held by the business. These include general liability, directors and officers liability, professional indemnity, crime and property and business interruption policies. Careful assessment of the coverage provided by these policies is essential, however, as there are likely gaps in coverage because such policies have not historically been designed to cover non-tangible assets and network-related risks. The company will need to consider whether to fill those gaps with enhancements to existing policies or through new cyberrisk products now being offered by insurers.
Consider the Need for Cyberinsurance
There are now a number of cyberinsurance products available, and the scope of coverage varies from insurer to insurer. These policies typically cover losses and liabilities such as:
- Data liability. This covers damages and defense costs resulting from any claim against the insured from a data breach that compromises personal information. It should also cover claims alleging that information has been lost or compromised as a result of unauthorized access to, or use of, the insured’s computer systems. It is important that the policy covers not only an individual’s personal information but also employee data and confidential corporate information. Many organizations possess third-party trade secrets, customer lists, marketing plans and other information that could be beneficial to competitors and may result in liability if compromised.
- Media liability. This insures damages and defense costs resulting from any claim against the insured for infringement of copyright and other intellectual property rights, as well as misappropriation or theft of ideas or media content. While coverage may not extend to content published in a personal capacity, this should ideally be included, as organizations may face significant liabilities as a result of employees using Twitter, Facebook and other social media.
- Regulatory coverage. This covers the costs of response to any administrative, government or regulatory investigation following a data breach or cyberattack, as well as any fines or penalties imposed. However, this coverage is typically limited to civil fines and penalties, as criminal fines and penalties are not insurable in many jurisdictions. Some regulators, including the Financial Conduct Authority (FCA) and the Securities Exchange Commission (SEC), prohibit regulated firms from recovering from insurers any fines or penalties the regulators impose.
- Remediation coverage. Most policies provide coverage for additional costs associated with a data breach, including the costs incurred to notify those affected and relevant authorities, provide credit monitoring for those affected and set up call centers to field inquiries from concerned clients. Coverage may also extend to the costs of forensic services to determine the cause and scope of a breach, as well as public relations expenses and other crisis management costs.
- Information assets coverage. The policy may include coverage for costs of recreating, restoring or repairing the company’s own data and computer systems. This may also extend to third-party data that has not been captured by back-up systems or that has been corrupted or lost because of negligence or technical failure.
- Network interruption coverage. The policy may cover lost revenue from network interruptions or disruptions because of a denial of service attack, malicious code or other security threats.
- Extortion coverage. Many policies insure the costs of responding to ransom or extortion demands to prevent a threatened cyberattack.
Cyberinsurance policies vary significantly, so the specific policy terms and conditions should be analyzed carefully to ensure that the coverage meets the company’s likely loss scenarios and potential exposures. It is particularly important to consider whether the coverage extends to information in the hands of third parties where data handling, processing and storage has been outsourced to third parties, including cloud service providers. If the organization has outsourced data handling, then it should secure coverage for any loss or business interruption arising from data that is managed by third-party service providers.
Consider the “retroactive date,” as policies often limit coverage to cyberattacks or data breaches occurring after a specified date, such as policy inception. It is important to request retroactive coverage for network security breaches that may have occurred before the inception date, as it is not uncommon for cyberattacks to remain undetected for a considerable period.
Review Defense and Settlement Provisions
Cyberinsurance policies include defense provisions that typically limit coverage for defense costs to those that are reasonable and incurred with the insurer’s prior written consent. While many insurers include these types of provisions to insist on the appointment of their own choice of defense counsel, selection of defense lawyers is an important issue. Some companies prefer to appoint lawyers whom they know well and who are familiar with their business. Moreover, certain claims arising from the use of technology, such as claims for breach of confidence, breach of copyright and defamation, require specialist counsel with particular experience. The company should therefore consider requesting a specific provision reserving the right to choose its defense lawyer, although the decision will usually be subject to the insurer’s prior approval.
Check the Fine Print
The “devil is in the details,” especially with cyberinsurance. While the market has developed rapidly in recent years, there are inconsistencies in the cover provided, and minor variations can have significant impact on the availability of coverage.
There will likely be efforts by the insurer to exclude risks that should be covered under other types of policy, and this is not unreasonable. It is important, however, to avoid broadly worded exclusions that could extend beyond that concern, or attempt to undermine the initial purpose of the insurance. For example, insurers might seek to impose exclusions based on possible shortcomings in the company’s network security. These types of exclusions should be resisted.
Insurance can play a vital role as part of an overall strategy to mitigate cyberrisk, but it is necessary to look beyond the policy limits to ensure that the coverage provided — whether under traditional policy forms or specific cyberinsurance policies — is as broad as possible.
Ms. Gates wrote this article with Sarah Turpin, a partner in the dispute resolution and insurance coverage groups in K&L Gates’ London office.