
How Can Companies Make Sure That Their Cyber Policies Provide Coverage for Data Breaches?

7/26/2020


Companies should develop and maintain a risk management program for addressing their cybersecurity risks.

Besides knowing the federal, state, and local laws and regulations, companies should thoroughly assess their own cybersecurity risks through a risk assessment.

The assessment should include:

  • Defining the system
  • Identifying and classifying critical cyber assets
  • Identifying and documenting the electronic security perimeters
  • Performing a vulnerability assessment
  • Assessing risks to system information and assets
  • Selecting security controls
  • Monitoring and assessing the effectiveness of controls using pre-defined metrics
  • Developing and implementing effective cybersecurity policies
  • Determining the level of understanding of employees with respect to cybersecurity and whether training is needed
 
Recently, the American Bar Association Cybersecurity Legal Task Force created a Cybersecurity Checklist.[1]

Companies that suffer a data breach incur significant costs, including but not limited to forensic investigation costs, breach notification costs, credit monitoring costs, crisis management costs, lost business, and legal/litigation costs. To protect themselves, companies can purchase a specialty insurance policy referred to as “Cyber” insurance. Cyber insurance policies can provide first-party (cyber crime) coverage as well as third-party (cyber liability) coverage. They can provide coverage for direct loss and for legal liability with resulting consequential loss caused by cyber security breaches. Cyber insurance policies are usually claims made and can be very expensive, although the costs have come down as more carriers have entered the market. Depending on the policy, notification costs, credit monitoring, and other direct expenses can be insured and covered if there is a data breach, even if there is never a liability claim. Regulatory fines and penalties are endorsable. Some insurance carriers provide crisis management, a call center, and other services to the policyholder when cyber insurance is purchased.
 
A cyber insurance policy should provide coverage for the following first-party costs[2]:
  • Legal and forensic services to determine whether a breach occurred and to assist with regulatory compliance if a breach is verified
  • Notification of affected customers and employees
  • Electronic information restoration
  • Customer credit monitoring and identity protection services
  • Crisis management and public relations to educate the company’s customers about the breach
  • Business interruption expenses, such as additional staff, rented or leased equipment, third-party services, and additional labor arising from a coverage claim
  • Public relations firm fees to restore reputation and mitigate damages
  • Regulatory fines
  • Cyber extortion reimbursement for perils including credible threats to introduce malicious code, pharm and phish customer systems, or corrupt, damage or destroy their computer system
  • Systems failure and administrative error

Similarly, a cyber policy should provide coverage for the following third-party costs[3]: 
  • Judgments, settlements or civil awards
  • Electronic media liability, including infringement of copyright, domain name, trade name, service mark or slogan
  • Potential employee privacy liability as well as network security and privacy liability
 
Even companies that purchase cyber liability policies may end up in a coverage dispute with their insurance carriers. See Travelers Prop. Cas. Co. of Am. v. Fed. Recovery Servs., No. 2:14-CV-170, 2015 U.S. Dist. LEXIS 62185 (D. Utah 2015) (complaint had to contain allegations of negligence to trigger duty to defend); Doctors Direct Ins., Inc. v. Bochenek, 38 N.E.3d 116 (Ill.Ct.App. 2015) (no coverage under cyber claims endorsement for TCPA or consumer protection claims); Columbia Cas. Co. v. Cottage Health Sys., 2015 U.S. Dist. LEXIS 93456 (C.D. Cal. July 17, 2015); and P. F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. 2016).
 
It is important for companies to carefully analyze their risks and make sure that the cyber policy they purchase actually provides the coverage needed for those risks. Companies should review the cyber policy wording carefully to make sure that it meets their business needs. Some policies are better written than others.
 
 
 


[1] See http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf

[2] See “Department: Technology: Risky Business: Why Lawyers Need to Understand Cyber Insurance for Their Clients”, Shawn Tuma and Katti Smith, 78 Tex. B.J. 854 (December 2015); and “Department: Law Practice Solutions: Everything You Need to Know about Cyber Liability Insurance But Never Knew to Ask”, JoAnn Hathaway, 95 MI B.J. 42 (December 2016).

[3] Id.

    Authors

    Lori Siwik and Mark Siwik are the founders of SandRun Risk.  They apply the principles of vertical leadership and lean six sigma to the discipline of risk management.  From time to time they share their blog with guest authors who write about important risk management principles.

 
Copyright ©2014 | 4199 Kinross Lakes Parkway, Ste. 275 Richfield, Ohio 44286 | 216-609-3940 | [email protected]