BreachExchange mailing list archives

Does Your Cyber Risk Policy Protect You In the Event of an Insider Attack or Data Breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 15 Oct 2014 18:25:54 -0600

http://www.jdsupra.com/legalnews/does-your-cyber-risk-policy-protect-you-81850/

Protecting a company against data breaches requires not only measures to
prevent the adverse cyber event, but also adequate insurance to minimize
the financial impact should such an event occur. Unlike traditional lines
of insurance for which there is substantial uniformity among the coverage
available in the marketplace, the evolving market for data security and
privacy liability (“cyberliability”) insurance coverage reveals significant
differences in the scope of coverage afforded under these policies. Policy
forms may vary widely depending on the particular insurer and the industry
served, reflecting material differences in contract language, terminology
and structure. As a result, whether coverage is available under a
particular cyberliability policy requires a careful analysis of the nature
of the event as measured against the terms of that policy. What once
appeared to have been comprehensive coverage may be revealed to have
significant gaps.

A coverage gap that may exist under some policies is for insider cyber
attacks. While external attacks receive substantial news coverage and many
companies have become more vigilant and better prepared to prevent an
external cyber attack, a recent study published in the Harvard Business
Review finds that businesses may be far less equipped to stave off attacks
involving insiders – employees, vendors, suppliers and others who may have
authorized access to critical or sensitive data. Liability insurance
protection – even under specialized cyberliability policy forms – may
potentially lag behind on this important issue. It is therefore critical to
understand the scope of coverage provided under your company’s
cyberliability policy in response to insider attacks or data breaches.

In evaluating whether a particular policy adequately protects against both
external and insider cyber risks, it is important to closely review the
insuring agreements and any exclusions that may apply to such claims. Some
forms, for example, expressly exclude coverage for dishonest or fraudulent
conduct by any Insured, including claims arising out of an Insured’s
collusion or assistance provided to third parties. Other policy forms
expressly exclude coverage for any unauthorized use or accessing of a
computer, network or data storage device by an Insured. If the policy at
issue defines an “Insured” to include current or former employees, insurers
may assert that these exclusions are triggered in many situations for which
the company thought coverage existed.

In contrast, other policy forms take a more constrained approach, excluding
claims involving only a limited class of insiders. For example, conduct
exclusions in some policy forms only preclude claims arising out of an act,
error or omission of a director, officer, or senior manager, rather than by
any current or former employee.

Thus, in evaluating policy forms when purchasing or renewing coverage, it
is important to understand how differences in policy language – including
policy definitions and exclusions – may have a significant impact on the
scope of coverage available for a cyberliability claim, particularly for
claims arising out of malicious conduct by “rogue” employees or other
insiders. Companies considering cyberliability coverage or interested in
determining whether certain types of claims may be included as an insured
risk under a particular policy form should therefore seek guidance from
experienced coverage counsel to evaluate that coverage. Because liability
insurance should be a vital part of any company’s comprehensive data breach
response plan, the time to identify and address potential gaps in coverage
is before an adverse cyber event occurs.