Companies should develop and maintain a risk management program for addressing their cybersecurity risks.
The assessment should include:
- Defining the system
- Identifying and classifying critical cyber assets
- Identifying and documenting the electronic security perimeters
- Performing a vulnerability assessment
- Assessing risks to system information and assets
- Selecting security controls
- Monitoring and assessing the effectiveness of controls using pre-defined metrics
- Developing and implementing effective cybersecurity policies
- Determining the level of understanding of employees with respect to cybersecurity and whether training is needed
Recently, the American Bar Association Cybersecurity Legal Task Force created a Cybersecurity Checklist.[1]
Companies that suffer a data breach incur significant costs, including but not limited to forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs. To protect themselves, companies can purchase a specialty insurance policy referred to as “Cyber” insurance. Cyber insurance policies can provide first-party (cyber crime) coverage as well as third-party (cyber liability) coverage. They can cover direct loss and legal liability, together with the resulting consequential loss, caused by cyber security breaches. Cyber insurance policies are usually written on a claims-made basis and can be very expensive, although the costs have come down as more carriers have entered the market. Depending on the policy, notification costs, credit monitoring, and other direct expenses can be covered when a data breach occurs, EVEN if a liability claim is never made. Regulatory fines and penalties can be added by endorsement. Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased.
A cyber insurance policy should provide coverage for the following first-party costs[2]:
- Legal and forensic services to determine whether a breach occurred and to assist with regulatory compliance if a breach is verified
- Notification of affected customers and employees
- Electronic information restoration
- Customer credit monitoring and identity protection services
- Crisis management and public relations to educate the company’s customers about the breach
- Business interruption expenses, such as additional staff, rented or leased equipment, third-party services, and additional labor arising from a covered claim
- Public relations firm fees to restore reputation and mitigate damages
- Regulatory fines
- Cyber extortion reimbursement for perils including credible threats to introduce malicious code, pharm and phish customer systems, or corrupt, damage or destroy their computer system
- Systems failure and administrative error
Similarly, a cyber policy should provide coverage for the following third-party costs[3]:
- Judgments, settlements or civil awards
- Electronic media liability, including infringement of copyright, domain name, trade name, service mark or slogan
- Potential employee privacy liability as well as network security and privacy liability
Even companies that purchase cyber liability policies may end up in a coverage dispute with their insurance carriers. See Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., No. 2:14-CV-170, 2015 U.S. Dist. LEXIS 62185 (D. Utah 2015) (complaint had to contain allegations of negligence to trigger duty to defend); Doctors Direct Ins., Inc. v. Bochenek, 38 N.E.3d 116 (Ill. Ct. App. 2015) (no coverage under cyber claims endorsement for TCPA or consumer protection claims); Columbia Cas. Co. v. Cottage Health Sys., 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015); and P. F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. 2016).
It is important for companies to carefully analyze their risks and make sure that the cyber policy they purchase actually provides the coverage those risks require. Companies should review the policy wording carefully to confirm that it meets their business needs, because some policies are better written than others.
[1] See http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf
[2] See “Department: Technology: Risky Business: Why Lawyers Need to Understand Cyber Insurance for Their Clients”, Shawn Tuma and Katti Smith, 78 Tex. B.J. 854 (December 2015); and “Department: Law Practice Solutions: Everything You Need to Know about Cyber Liability Insurance But Never Knew to Ask”, JoAnn Hathaway, 95 MI B.J. 42 (December 2016).
[3] Id.