Be very afraid, be prepared and be covered
Target. Home Depot. Yahoo. Equifax.
What do they have in common? You guessed it — they’ve all experienced major data breaches that exposed tens of millions of users’ sensitive personal and/or financial data. Yahoo was actually victimized twice, each attack compromising hundreds of millions of users. (Oh, Yahoo.)
Your company is vulnerable
Big-company cyber incidents are understandably newsworthy, but they’re really just the tip of the iceberg. Most incidents go unreported in the media, even in wonky tech blogs, because they directly impact fewer people or fail to compromise critical systems.
A 2016 FBI report put the average daily number of U.S. ransomware attacks at 4,000, a 300% increase from 2015.
That figure doesn’t count other types of cyber-attacks, such as phishing. Check your spam folder when you get a chance — it’s a virtual certainty that some of those sketchy emails contain malicious files or links.
Insurance can help
“Cybersecurity insurance is a misnomer,” says Dave Wasson, Vice President and Cyber Liability Practice Leader at Hays Companies in Minneapolis. “‘Privacy and security insurance’ is more accurate. Lots of claims have nothing to do with hacking — someone forgot to shred a sensitive document, maybe.”
For brevity, we’ll call it cybersecurity insurance. It exists because general commercial liability policies typically exclude digital and analog privacy and IP threats.
Cybersecurity insurance policies provide financial redress for a broad range of potential threats: the U.S. Department of Homeland Security cites “costs from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.”
How to approach cybersecurity insurance
Many owners and execs have only a tenuous handle on their companies’ digital and analog vulnerabilities.
“A significant portion of what we do is educational,” says Wasson. “With new clients, the key question is: ‘Is your understanding of your exposure correct?’”
Some companies mistakenly believe they’re taking adequate measures to address perceived vulnerabilities, which they may or may not fully understand. Others affirmatively avoid due diligence on the not-incorrect assumption that actively researching the threat landscape eliminates plausible deniability and increases liability.
At least one large, well-known Minnesota company takes this “head in the sand approach,” says Wasson. (He declined to identify the firm.) Wasson is not a fan: “That’s like saying you’re healthy because you haven’t gone to the doctor,” he says. Self-insuring against privacy and security threats is doable for larger companies with the resources to absorb the cost of a cyber incident, but “understanding potential threats is always better than not understanding.”
What it costs, what it covers
Needless to say, most sizable companies do carry cybersecurity insurance policies. Coverage is increasingly common among SMBs too. When resources are tight, any significant cybersecurity incident is a grave threat.
“For small businesses, you can find good quality policies, not pared down at all, for less than $1,000 per year,” says Wasson. The lower end of the market, below $50,000 per year, is growing fast. (The costliest policies, built for Fortune 1000 firms, cost more than $1 million per year.)
Like other forms of insurance, cybersecurity insurance products are highly customizable, but most policies have seven basic coverages. The devil is usually in the details. Wasson advises clients to pay close attention to three key issues:
“Failure to maintain” clause: This exclusion penalizes policyholders who fail to execute or maintain stated security practices. “It basically says, ‘If you say you have a particular safeguard in place and you don’t, we’ll deny your claim,’” says Wasson. He strongly advises against buying policies with “failure to maintain” clauses.
IP protection: Cybersecurity insurance newbies are often disappointed by policies’ anemic or nonexistent intellectual property coverages. Some policies do cover NDA-protected IP compromised in a breach. Premiums may be higher, though.
Bringing in outside experts: Does the policy let you bring in your own legal and forensic IT experts after a breach? Some force policyholders to choose from approved professionals; using non-approved experts could compromise or even void your claim. “It’s like the requirement that you select a provider in your health insurer’s network,” says Michael Cohen, head of the Global Privacy, Cybersecurity and Data Protection legal team at Minneapolis-based Gray Plant Mooty.
Data breach? Minimize exposure and get the response right
Cybersecurity insurance alone can’t prevent privacy and security incidents. Insurers require, incentivize and recommend that policyholders take steps to mitigate their exposure.
Established regulatory structures are non-negotiable. For instance, policyholders must abide by the Payment Card Industry Data Security Standard (PCI DSS), an electronic payments security framework backed by major credit card issuers. Healthcare and finance companies must follow other frameworks.
Insurers incentivize the adoption of other safeguards, like robust encryption. “Encryption is one of the few things that has an actual causal impact on policy pricing,” says Wasson. “The better your encryption, the less you’ll pay.”
Be honest about your data security practices and degree of exposure: On your cybersecurity insurance application, honestly disclose your exposure and mitigation practices. Even absent a “failure to maintain” clause, a misleading or incomplete application could lead to inadequate coverage. Plus, says Cohen, “Being recognized as a leader in data security benefits your organization in the marketplace.”
Don’t needlessly retain data: “Most companies don’t need to collect Social Security numbers,” says Wasson, “and they certainly don’t need to keep them in unencrypted files on mobile devices.” Only collect and retain data needed for essential business functions.
Take special care with legacy systems: Many companies run key processes on functionally obsolete, unsupported IT systems. This is sub-optimal for all sorts of reasons, but overhauling is costly and disruptive, so it happens. Unfortunately, breaches can wreak havoc on legacy systems, which typically need to be overhauled after the fact anyway. When I spoke to Wasson, he was helping a client through a catastrophic ransomware attack made worse by the forensic impenetrability of its ancient IT. With no backup, the client had to shut down for a month to upgrade its systems and get out from under the attack. (Also relevant: Back everything up!)
Know your obligations under the law: Legally mandated notification requirements may greatly increase post-breach costs. Firms must abide by notification rules in affected individuals’ home jurisdictions. Said rules vary widely, so firms typically adhere to standards in the strictest state in which they operate. Still, you need an attorney to work through dense regulatory language. To handle high notification volumes, you’ll need to retain a specialized firm.
Create an incident response team: Don’t wait until it’s too late to build an incident response team. The point person (“breach coach”) should be an attorney experienced in handling data breach matters, whether in-house counsel or an outside expert like Cohen. Add at least one member from HR, IT (inside or outside), marketing or PR (inside or outside), finance, and upper management. Define each member’s role in the event of an incident. Mind insurance company restrictions — remember Cohen’s attorney networks.
Have an incident response plan ready: Different scenarios call for different responses, but your first call should always be to your designated attorney. They’ll quickly assess the situation’s severity and determine what needs to happen next. If the situation warrants, “next” means a call to the FBI, which has a first-rate cyber forensics team. “The FBI is very discreet,” says Cohen. “Your business won’t leak just because they’re involved.” They may also know about other incidents that hold clues to your own.
You should do these six things “even if you choose to forgo cybersecurity insurance,” says Cohen. After all, fortune favors the prepared. And the careful.
WHAT CYBERSECURITY INSURANCE COVERS:
Privacy Regulatory Defense and Penalties: Covers regulator-assessed penalties and fees, where allowed by law, as well as costs associated with “complying with or defending against a privacy related regulatory investigation” by certain state and federal agencies or authorities.
Breach Costs: Covers costs directly associated with breach response, including notification to potentially affected parties, computer forensics, legal expenses, public relations campaigns, and ongoing identity theft protection and monitoring.
Multimedia Liability: Covers “claims alleging intellectual property infringement [copyright infringement, defamation and libel, common law privacy rights, plagiarism or piracy, misappropriation of ideas] arising out of the advertising of a company’s goods or services, either online or offline.”
Business Interruption: Covers loss of income if the insured party is unable to conduct business “due to a malicious third party hacking event.”
Data Recovery: Covers costs associated with digital asset replacement, such as software licenses and proprietary software. May be combined with business interruption coverage.
Cyber Extortion: Covers costs associated with ransomware attacks, including investigations to determine whether the threat is credible and the cost of complying with the attackers’ demands (e.g., paying the ransom).
N.B. Precise nomenclature varies by issuer.
Source: “Cyber Liability Insuring Agreement Overview,” Hays Companies.