How to Lower Your Cyber Risk

As we approach the close of 2014, virtually no one needs to be reminded that cyber liability is real and here to stay. Data breaches and cyber security incidents are on the rise. New York’s attorney general reported that breaches tripled between 2006 and 2013, and, according to a recent study, 43% of companies experienced a breach last year.

What are some of the key issues accounting for this increase? First, information is the new oil, and it has value. Stolen financial and medical data can be purchased on the “dark web” and used for identity theft and fraudulent billing. Second, computer networks can be attacked relentlessly by hackers thousands of miles away, with little risk to the hackers. Third, entities are creating and storing more data than ever. It is estimated that the volume of data is doubling every two years, and too many entities have adopted a keep-everything approach to information management.

Given this reality, it’s no wonder that sales of cyber insurance are rising. Cyber insurance can fill gaps left by traditional policies and provide a lifeline to entities affected by a breach or security incident. But cyber insurers require prospective insureds to complete detailed applications that address various areas relevant to cyber liability. Among the areas of inquiry are:

  • Records and Information Management — including identification of the types and volume of sensitive information the company handles. For example, do you handle or store payment card information, intellectual property of others or medical records?
  • Management of Computer Networks — including security management, intrusion testing, auditing, firewalls, use of third party vendors and encryption.
  • Corporate Policies — for privacy, information security, use of social media and BYOD (bring your own device), among others. Insurers often ask if the policy was prepared by a qualified attorney and how often it is reviewed and updated. Some insurers require such policies to be attached to the completed application.
  • Employment Issues — including whether employees go through criminal background checks. Many insurers also ask if the company has a chief privacy officer, chief information officer and chief technology officer.

The following are some basic steps a company can take to better position itself to complete the cyber application and obtain optimal cyber coverage.

Locate Your Data

You can’t manage and secure information if you don’t know what you have or where it is. Creating a map or inventory of all enterprise information is an invaluable step toward getting your data house in order. Paper records and data stored on inactive media and on mobile devices should not be forgotten.

Delete What You Don’t Need

It is estimated that between 60% and 70% of stored information has no business value. Keeping all this useless information is not a sustainable business practice. Disposing of data can reduce storage, e-discovery costs and security risks, and improve employee efficiency. Legally defensible deletion of useless information and adoption of a sound record retention and deletion policy are important parts of a successful information management policy.

Control Access

Entities should permit access to information, particularly sensitive information, on a need-to-know basis. A large number of data breaches result from employee negligence and disgruntled or rogue employees. Restricting access to sensitive data is an important step to mitigating that risk.

Improve Policies and Training

Depending on business activities, entities should consider adoption of policies that relate to cyber liability, including privacy, record retention and deletion, use of passwords, email and use of social media. Policies should be reviewed by a qualified attorney, updated regularly and enforced. Employee training and re-training is an important component of successful policy implementation. Conducting data breach workshops, where the entity can rehearse its response to a breach incident, can pay big dividends in the event of a breach.

Because cyber applications require entities to take a close look at their information management and cyber vulnerabilities, it’s no wonder that a recent Ponemon study found that 62% of surveyed companies report that their ability to deal with security threats improved following the purchase of cyber insurance. Taking the steps outlined above in connection with applying for cyber coverage makes good business sense and can help an entity obtain the best cyber policy to protect itself against growing threats.

Cyber’s Surprising Importance for M&A

Although many people think of cyber insurance when confronted with a data breach, cyber insurance may not be quite so top of mind in the context of corporate mergers and acquisitions. Cyber insurance should be, because policies typically contain provisions that are directly affected by such transactions. Enterprises should take a close look at their cyber insurance policy provisions early on in the deal-making process so that coverage for the affected enterprises can be maximized.

The focus on cyber should be especially acute now, both because M&A activity continues to rise and because the importance of cyber coverage is surging on the heels of recent, headline-making data breaches.

Cyber insurance policies, like most other policies, typically provide coverage to the named insured identified in the policy, as well as to any subsidiary of the named insured that was created by the date the policy took effect. Carriers generally ask enterprises to identify all such subsidiaries during the application process.

Although disclosed subsidiaries may generally be considered “insureds” at the time cyber policies are issued, cyber policies may contain provisions that specify the steps the insured must take to obtain coverage for subsidiaries acquired or created, or for entities involved in mergers or consolidations.

Insureds that are considering mergers or acquisitions should ensure compliance by carefully reviewing their cyber insurance policies early in the transaction process. Relevant provisions might be found in various places in cyber policies, including within the policy’s conditions, definitions and exclusions.

Mergers and newly acquired or created subsidiaries

The steps an insured must take to secure coverage for a newly acquired subsidiary vary from policy to policy and may depend on the financials of the subsidiary. For example, under one cyber policy, if the acquired entity has revenue greater than 10% of the named insured’s total annual revenue, the named insured must: provide written notice before the acquisition, obtain the insurer’s written consent and agree to pay any additional premium required by the insurer.

Another insurer requires an insured that merges with, acquires or creates an entity with assets exceeding 10% of the total assets of the insured to provide full details of the transaction as soon as practicable. The insurer is entitled to impose additional terms, conditions and premiums, at its sole discretion.

Under the terms of a different policy, if the named insured acquires or creates another organization in which the named insured has an ownership interest of greater than 50%, the organization is covered for insured events that take place after the date of acquisition or creation, but only if the named insured provided notice to the insurer no later than 60 days after the effective date of the acquisition or creation, along with any information the insurer should require. The insured may be exempted from that process if, among other things, the new subsidiary’s gross revenues are 10% or less than those of the named insured.

Relevant terms are implicated under another cyber policy if the insured acquires or creates an entity that becomes a subsidiary, acquires an entity by merger or purchases assets or assumes liabilities of an entity without acquiring the entity. If the total assets of the acquired or created entity, or the combined total amount of the purchased assets or assumed liabilities, are less than 30% of the consolidated assets of the insured, the new entity may be entitled to certain coverages under the policy if the named insured provides written notice as soon as practicable, but in no event later than 60 days after the effective date of the transaction. The named insured will have to provide any requested information and may be subject to an increased premium.

A different insurer requires the named insured to provide notice of a newly formed or acquired subsidiary within 60 days of the transaction if the named insured has more than 50% of the legal or beneficial interest of the entity. If, however, the total assets or total revenues of the new entity exceed 15% of the total assets or revenues of the named insured, the named insured must provide the “full particulars” of the new entity, and the insurer must agree in writing to provide coverage. The insurer may charge an increased premium and amend policy terms.

Divested entities and changes in ownership

Provisions of cyber policies also may be affected by changes affecting entities that initially are covered under the policy. For example, policies may provide that if the named insured’s legal or beneficial interest in a subsidiary becomes less than 50%, the entity will no longer qualify as a subsidiary under the policy and will lose coverage.

Cyber policies also may contain provisions that will be triggered in the event of a takeover of the named insured.

Conclusion

Corporate transactions may have important effects on the coverage provided under a cyber insurance policy. Because there are no standard-form cyber policies, the provisions that might be implicated by any such transaction, including important notice requirements, will vary from policy to policy. Entities should carefully review their coverage at the very outset of the deal-making process to ensure that they fully understand their rights and obligations and comply with all policy provisions so that coverage can be maximized.