By Robert J. Kerwin
The 2020 global increase in malicious cyberactivity against companies has been well reported.
As of March 30, 2020, the FBI's Internet Crime Complaint Center (IC3) reported it had received and reviewed more than 1,200 complaints related to COVID-19 scams.
In a previously published report, the global cyber education company Cybint noted that 64% of companies experience web-based attacks, and that 43% of cyber attacks target small businesses. Despite those threats, only a relatively small percentage of firms have cybersecurity insurance to cover all risks.
Many companies don’t fully realize the scope and breadth of their cyberpolicies until a cyberattack occurs, which is not the time to determine how good your policies are. Companies need to review their cyberpolicies now. Moreover, a company's future business may, in part, depend upon whether they carry cyber insurance. Recognizing the perilous nature of these cyber threats, more and more hospitals and manufacturers are requiring their vendors to carry cyber insurance.
Wading into the confusing world of cyber insurance is not easy. There are complicated coverage terms, including incident response costs, legal and regulatory costs, IT security and forensic costs, crisis communication costs, privacy breach management costs, third-party breach management costs, post-breach remediation costs, theft of funds in escrow, theft of personal funds, extortion, corporate identity theft, push payment fraud and unauthorized use of computer resources, system damage and rectification costs, income loss, business interruption, reputational harm, claim preparation, hardware replacement costs, fines, and intellectual property infringement.
Navigating all of the above is no walk in the park — especially after completing an extensive application form which requires disclosure of all controls and policies currently in place. The questions will vary from insurer to insurer, but they will all want to know if you had an independent third party cybersecurity audit and an account of any remediation that was performed. Candor is important, especially with respect to the training being given to employees in cybersecurity and whether your policies and procedures are being followed. Will an insurer pay claims submitted if they come to learn that the application disclosed policies and procedures that were never followed?
So where do you begin?
Cyber insurance is not like any other insurance. Several acknowledged authorities encourage simplifying the coverage inquiry to a few questions: Why do you need it? Are your biggest vulnerability concerns privacy obligations (PII or PHI)? Is your concern loss of data? One must begin with data mapping: where does your data sit? If it is in the cloud with a third party, you will want to have third-party coverage. If your company uses a social media platform, you may want to look into media liability coverage. Can you obtain coverage retroactively? You want to have a vulnerability assessment conducted and, of course, remediation undertaken. That is the point at which you can assess what coverages are needed. You should have a solid data governance program. What are your document retention and destruction policies? Most states have long required that you maintain a written information security plan (WISP), so when incidents occur, you can use your WISP to respond in real time to the threats. Most importantly, you need an "owner" within the company.
Tip: don’t base the owner of the data governance policy on the "org" chart. Appoint someone whose real job it is to manage the data privacy and governance concerns. She or he should have good data from inside the company to establish continuity plans and to modify plans as times and threats change. While many will want to use outside consultants to quickly get up to speed, don’t forget your insurance libraries. I use the Insurance Library Association of Boston. Yearly membership costs are relatively modest, and they respond to my emails on various insurance topics.
Always ask to see the cyber policy ahead of time. Don’t rely on summaries or websites. You will need to read the fine print. The old adage “don’t judge a book by its cover” is so applicable to the cyber insurance policies.
Recently, I reviewed the proposed 30-page Policy Document for Cyber Insurance for a small company. The Declarations page displayed cyber incident response limitations of liability which, at first blush, looked ample. The document offered "Limit of Liability: $1,000,000 for each and every claim; legal and regulatory costs: $1,000,000," and so on.
The definitions told the real story. You likely don’t need a $1,000,000 coverage limit if it only pertains to the financial cost of contacting the insurer’s 24/7 cyber incident response line. The same goes for legal and regulatory costs if all that means is that you are able to use the insurer for drafting data breach notifications to governmental entities and customers. Wading through the 8-point font, it seemed that real losses were capped at $50,000. I guess I should have been tipped off when the premium quote for 12 months of coverage was so low.
Good cyber insurance is expensive compared to other policies. In part, the higher premium costs reflect the reality that cyber claims are now routine. Consider whether it makes sense to seek longer-term coverage if possible. Some insurers are contemplating exiting the market because of the high number of claims, and the sad reality is that cyberthreats are now a permanent business threat.
About the author: Robert J. Kerwin is general counsel for IAMERS, the International Association of Medical Equipment Remarketers and Servicers Inc. and a member of the HSCC Legacy Medical Device Task Force.