In his article in last month’s issue of MCC, “Learning to Live with Imperfect Security,” my partner Ted Kobus, co-leader of BakerHostetler’s Privacy and Data Protection team, noted that when it comes to data security, being “compromise ready” may be a company’s best defense. Becoming compromise ready in the context of cybersecurity requires attention to a variety of issues, including network security, employee training and mobile device management. Unfortunately, many companies overlook cyberinsurance when they develop their cybersecurity plan. Although it is no substitute for appropriate security policies and practices, cyberinsurance that is tailored to a company’s unique risk profile can be a key component of a cybersecurity defense plan.
What is Cyberinsurance?
Cyberinsurance can provide much-needed tactical and financial support for companies confronted with a security incident. Generally speaking, the cyberpolicy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage is triggered by claims and demands against the insured arising from a covered incident.
First-party coverage usually can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, power surges, IT system failure, cyberextortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation, and payment of ransom costs.
Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs; settlements or damages the insured must pay after a breach; electronic media liability, including infringement of copyright, domain names and trade names on an Internet site; and regulatory fines and penalties.
Cyberinsurance typically provides for the retention of an attorney – often called a “breach coach” – to coordinate the insured’s response to a cyberincident. An experienced coach can build an effective team of specialists and efficiently guide the company through the forensic, regulatory, public relations and legal issues that arise from a security incident. Given the complexities of the various federal and state laws pertaining to data breach notification, as well as the attention paid by regulators, the media and the class action bar to data breaches, coverage for the retention of a skilled breach coach is perhaps the greatest benefit of cyberinsurance.
“A data breach is not a learning experience – there is too much to lose to risk mishandling it,” says Paul Bantick, UK Technology, Media, & Business Services focus group leader at Beazley, a leading provider of breach response insurance. “Proper breach preparedness and response will not only mitigate a company’s risk but also minimize reputational damage.”
Obtaining Cyberinsurance
Although there is no standard application for cyberinsurance, insurers usually ask for similar types of information from the prospective insured, including customary financial data about the company, such as assets and revenues, number of employees, and planned merger and acquisition activity. In addition, cyberinsurance applications typically inquire as to:
- volume and types of data (e.g., credit card data, banking records, protected health information) handled or maintained by the company;
- existence of written, attorney-approved and updated policies and procedures concerning the handling of information;
- compliance with security standards and regulations, and the frequency of assessments;
- existing network security programs, including the use of firewalls, antivirus software and network intrusion testing;
- employment of a chief information officer or chief technology officer;
- history of security incidents and breaches, including how long it took to detect any prior breach;
- prior threats to disable the company’s network or website;
- awareness of any facts or circumstances that reasonably could give rise to a claim under a prospective cyberpolicy;
- prior cancellation of or refusal to renew a cyberpolicy;
- security budget (is it part of the IT budget and, if so, what percentage?);
- practices concerning data encryption, passwords, patching and system access control;
- employee hiring and training practices, and procedures around termination;
- physical security controls (e.g., access cards);
- audits of third-party service providers;
- vendor contracts and policies;
- policies governing mobile devices and social media; and
- data backup procedures.
Care should be taken to complete the application accurately, because it becomes part of the policy if one is issued. Applications may require the signature of the company’s president, CEO and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may prove problematic if a claim is later tendered for coverage under the policy issued in connection with that application.
Choosing the Right Cyberinsurance Policy
Unlike more traditional forms of insurance, there currently are no standardized policy forms for cyberinsurance, and policies often contain “manuscripted” provisions agreed to by the insurer and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyberpolicies, and cyberinsurers offer numerous coverage options. Given this reality, companies need to ensure that the cyberpolicy they purchase is appropriate for their specific cyber risk profile. For example, if a company entrusts its data to vendors, it likely will want coverage for a vendor breach. And if a company maintains an active social media presence, it may want media liability coverage.
When negotiating the purchase of a cyberpolicy, the following points, among others, should be considered:
- What is the company’s cyber risk profile?
- Are policy limits and sub-limits adequate for existing needs?
- Is there retroactive coverage for prior unknown breaches?
- Is there coverage for claims resulting from vendors’ errors?
- Is “loss” of data covered or just data “theft”?
- Can cyberinsurance be combined with vendor indemnities to maximize protection?
- Does the policy cover data in the possession of cloud providers and other third parties?
- Will the insurer offer a subrogation waiver?
- How does the cyberpolicy fit within the company’s overall insurance program?
- Can more favorable provisions, limits and premiums be negotiated with another carrier?
In addition to the coverages cyberinsurance provides after a cyber event occurs, some cyberpolicies provide prophylactic benefits that reduce the insured’s risk of suffering a cyber event in the first place and mitigate the effects if an incident does take place. For example, some insurers offer their insureds valuable resources, such as information governance tools, information management counseling, employee training and review of vendor contracts, in connection with their cyber offerings. “We offer our policyholders access to a risk management portal that provides educational and loss control information relating to compliance with applicable laws, safeguarding information, preparing to respond to breach incidents and best practices,” says Bantick.
In conclusion, because of the variety and complexity of the various policies on the market, companies are urged to consult with a knowledgeable and experienced cyberbroker to help negotiate the most favorable cyberpolicy terms and limits to fit the company’s needs. Coverage counsel also can help ensure that the cyberpolicy adequately addresses the company’s cyber risks and fits appropriately within the insured’s comprehensive insurance program.
In the end, though, the question should be which cyberpolicy to obtain, not whether to obtain cybercoverage at all. Companies will continue to be under threat, and new cyber dangers emerge every day. Having a policy in place that is suited to your company’s particular risks and exposures is a very smart step toward being compromise ready.
Published July 17, 2015.