BreachExchange mailing list archives

Cybersecurity Insurance – One Size Does Not Fit All


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Feb 2015 19:05:30 -0700

http://www.jdsupra.com/legalnews/cybersecurity-insurance-one-size-does-39754/

With headlines of data breach incidents becoming a weekly, if not daily
occurrence, it’s not surprising that many companies are considering whether
they should purchase cybersecurity insurance, if they haven’t already. The
need to consider cybersecurity insurance is perhaps intensified by the fact
that, more often than not, carriers take the position that general
insurance policies do not cover data breach claims and are taking steps to
strengthen data breach-related exclusions in general coverage policies.

Companies evaluating cybersecurity insurance coverage should be mindful that
not all cybersecurity policies are created equal. Unlike many other types of
insurance coverage, where carriers often use industry-standard forms, no
such form currently exists for cybersecurity insurance.

The risks involved in cybersecurity events vary widely depending on a
company’s industry, types of data involved in its operations and the extent
of IT outsourcing arrangements. Consequently, the nature and scope of
cybersecurity coverage varies widely from policy to policy and carrier to
carrier. If your company is working with an insurance broker to obtain
cybersecurity insurance, involving counsel familiar with insurance policy
construction and with the data regulatory and risk landscape is critical to
ensuring that the most significant areas of potential exposure are covered.

While not exhaustive, the following includes some of the more critical
questions companies should be asking when they are in the process of
evaluating cybersecurity insurance coverage.

Do we need coverage for hard copy documents?

Some policies may limit certain coverages only for breaches of data stored
on electronic media or devices. But data breach liability can arise from
hard copy documents as well. If your company needs coverage for
unauthorized disclosures of confidential data on paper, you’ll want to
ensure that the language of the cybersecurity policy provides this coverage.

Do we need coverage for regulatory actions and fines?

Federal and state government agencies, including the Securities and
Exchange Commission, are becoming more active in the arena of cybersecurity
breaches. At the state level, there are 48 state breach notice laws, each
carrying its own set of fines and penalties that may be imposed by
various state agencies. There is also a flurry of activity at the federal
level. For example, in Federal Trade Commission v. Wyndham Worldwide Corp.,
the Federal Trade Commission (FTC) filed a lawsuit against certain
corporate entities affiliated with Wyndham Hotels, claiming that Wyndham
Hotels failed to provide reasonable security measures for its customers’
information, such as credit card numbers, and allowed unauthorized
access to such data on multiple occasions. The FTC alleged that this
failure violated the Federal Trade Commission Act’s prohibition on unfair
and deceptive trade practices. Not all cybersecurity policies provide
coverage for regulatory proceedings; therefore, if your company is seeking
to insure against such risks, you’ll need to confirm that the policy
includes coverage for the types of regulatory proceedings that may be
triggered as a result of the company’s operations.

Do we need coverage for confidential data while it is handled by third
parties?

If your company outsources any information technology functions to third
parties, including through Software as a Service or cloud-based platforms,
consider whether you need insurance coverage for cybersecurity incidents
that arise while the data is in the custody or control of those third
parties, as not all cybersecurity policies cover such incidents. In
particular, the need for cybersecurity insurance coverage of such data is
heightened if the risks associated with that data are allocated by contract
to your company.

Do we need coverage for confidential data of corporate entities?

Much of the focus in the news regarding data breaches is on the disclosure
of personal data of individual persons, such as retail customers. Coverage
under some cybersecurity policies is limited to losses incurred only by
“natural persons”. But if your company, like most, maintains sensitive
corporate or competitive information, including information belonging to
corporate customers, policies aimed at covering losses of “natural persons”
may not cover the losses associated with corporate data assets that are
misappropriated during a data breach.

Do we need coverage for derivative claims arising from data breach
incidents?

Derivative claims are claims by one or more shareholders brought on behalf
of the company. These types of claims are on the rise and are generally
expected to occur after a merger or acquisition. Based on recent events
such as the Target and Wyndham Hotels data breaches, derivative claims also
may become common in the wake of a cybersecurity breach. Shareholders may
claim that directors and certain officers, such as a chief information
officer, breached their fiduciary duties by failing to implement adequate
IT systems and standards to prevent a breach. While derivative claims often
are covered by a directors and officers (D&O) insurance policy, companies
assessing their insurance coverage for cybersecurity breaches should
confirm whether their D&O policy in fact provides such coverage. Having
data breach-related derivative claims covered outside of or in addition to
a D&O policy also may be preferred to minimize the potential reduction of
insurance limits under the D&O policy by claims that may not have been
anticipated as D&O risks.

There are many ways to manage and minimize the risks of a data breach
incident, such as reviewing and investing in the company’s IT
infrastructure, training employees on protecting confidential data and
preparing a response plan to handle a data breach incident. But, as even
the best of plans cannot eliminate all cybersecurity risks, cybersecurity
insurance also can be an important part of managing those risks if the
policy provides coverages that are appropriately tailored to the actual
risks posed by a company’s particular operations.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/