Two leading cybersecurity studies, from Symantec and Verizon (both available for free download from their respective websites, www.symantec.com and www.verizonenterprise.com), are filled with important information about the most common cyber threats and trends. The Verizon study indicates that the “average loss for a breach of 1,000 records is between $52,000 and $87,000.” Verizon Enterprise Solutions 2015 Data Breach Investigations Report, page 29.
The Symantec report also presents interesting information. “Last year, 60 percent of all targeted attacks struck small- and mid-sized organizations.” Symantec Internet Security Threat Report, April 2015, Volume 20, page 6. Further, “[f]ive out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year.” Id. at pg. 7. With the growing connectivity of the “Internet of Things,” which includes devices that may not be computers in the traditional sense but are nevertheless connected to the internet or a network (think of your smart home), the threat will only increase over time. Therefore, business attorneys must possess basic knowledge of the issues involved and of the ways to mitigate threats.
One such way to mitigate risk is use of cyber insurance. Because most attorneys likely will not have any understanding of what cyber insurance is or what it covers, this article is intended to be a basic overview of what to look at when approached about cyber insurance.
Cyber insurance is generally offered to businesses to cover losses caused by data theft or loss, network intrusions, information-security breaches, and lost income due to system downtime. It is available for first-party losses (e.g., loss of the business’s own data or damage to the business itself) and third-party losses (e.g., liability the policy holder may have to third parties). Policies vary by company, so an understanding of what is covered, what is not covered, and when coverage is negated is important.
When approached by a client with a question pertaining to cyber insurance, you should first identify your client’s major risks. Risk identification should be at least two-pronged: knowing the industry your client is in, and knowing how people connect to your client’s networks. Careful coordination with your client’s information technology department is advisable.
When identifying risks, it is important to understand the changing landscape of the workforce. For example, ten years ago most employees accessed their computer from the office.
Today, many employees work remotely, such as through a virtual private network or a mobile device. While in-house computer connections were relatively easy to monitor, the wide array of connections and the programs used on those devices have become more difficult to monitor. For example, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Id. at 10.
Next, you should gather information on existing insurance policies and coverage. The terms of the business’s existing policies may provide some protection. While some coverages may be interconnected or overlap with cover from existing policies, such as business continuity, third-party supply chain issues, and professional indemnity, a cybersecurity policy will specifically cover cyber issues.
Next comes the review of the specific cyber insurance policies. There are many companies that offer such insurance, and nearly all have different coverages, requirements, limits, and sublimits. Common limits on coverage include breach notification costs, network/business interruption, and regulatory investigations. Likewise, costs vary widely, so coverage limits are particularly important in this regard. Indeed, some carriers will negotiate the size of the limits or sublimits without increasing the premium.
Reviewing the exclusions for each policy is likewise important. For example, while one policy may exclude any losses as a result of unencrypted connections, some other policies may cover losses even in such circumstances.
Likewise, some policies have exclusions for “failure to follow minimum required practices,” “phishing attacks,” “failure to be in compliance with regulatory frameworks,” etc. Due to the ever-changing nature of connectivity, such exclusions could result in a client being covered one day and not the next.
There are a plethora of other coverage issues that should also be considered. These include, but are not limited to: the necessity and ability to obtain retroactive coverage, third-party acts and omissions coverage, coverage for regulatory actions, and data restoration costs.
In terms of other things the business attorney can do that are unrelated to insurance, the first is to evaluate existing agreements with vendors and service providers. Consider either modifying existing agreements or having new agreements contain appropriate indemnification language for cyber concerns.
Finally, and most important, advise your client to stay on top of their technology. Many hackers (and automated scanning tools) look for simple ways into a network. If they can’t find an easy entry point, they generally move on unless they are particularly interested in the target. Simple security measures can help mitigate the risk of a successful attack.
Such measures include making an inventory of authorized and unauthorized devices and connections, checking and updating software regularly, changing passwords regularly, placing rules on passwords, implementing realistic but firm technology use policies, securing and monitoring configurations, and automatic logout of computers.
Cybersecurity is an issue that is not going away. Attorneys must start becoming more aware of the issues involved. In fact, the business attorney must also wonder how much longer it will be before their clients, and especially boards of directors in heavily regulated industries, will be required to take a more active role in information security. For the answer, one need only look as far as the banking industry, where the Federal Financial Institutions Examination Council, which includes five banking regulatory bodies, indicates that boards will have to start overseeing the implementation of its “Cybersecurity Assessment Tool.”
Since cyber insurance is still a fairly new product, business attorneys do have the benefit of being able to learn the policies as the products mature. Fortunately, with the cooperation of your client, your client’s information technology department, and a good broker, these immense obstacles can be overcome and your client (and client’s customers’ data) protected.
Author: Brian F. Johnson is an attorney and shareholder with Johnson, Bunce & Noble, P.C. His practice areas focus in business and real estate representation. In addition to practicing law, he holds a degree from Bradley University in Business Computer Systems.