shutterstock_109214660-Cyber-Attack-BlogThe Internet of Things gives rise to many risks and exposures that companies and their insurers were not thinking about as recently as a couple years ago, and probably aren’t fully cognizant of today.

The DDoS attack late last week on internet infrastructure company Dyn should act as a wake-up call.  It shows how large and disruptive a cyber attack can become because of all the seemingly benign “things” connected to the internet.  And it should cause companies to think about what their risks really are and whether their current risk management approaches address them.

Just one example from this latest attack – I’m reading that one or more of the manufacturers of the devices that were used as bots in this attack must recall a very large number of products because the passwords (which were easily cracked) cannot be changed by the user.  The software that runs those products came ready installed on components bought from China, and it is this software that contains the vulnerability.  Now that the passwords are known, the devices can no longer be considered secure.  Maybe the manufacturers have product recall insurance or maybe they don’t.  But they likely never thought they would have to conduct a product recall under these circumstances and whether such a recall might be covered under their current insurance program.

Protect your company by:

  • Understanding your company’s IoT exposures.
  • Using your company’s broker and coverage counsel to review all insurance policies with IoT exposures in mind and negotiate favorable policy terms.
  • Revisiting the policies annually at renewal time because of quickly changing risks and policy terms.

Blog-Image---DataSecurity

Policyholders should always consider the potential for coverage under their CGL policies if they suffer a data security breach. However, as the cases described in my article for Corporate Counsel, coverage is highly fact-dependent and subject to interpretation by the courts even in the absence of a data-related exclusion. The addition of such an exclusion narrows the policyholder’s options.

As a result, policyholders should carefully consider their insurance programs and the unique risks that their businesses face in light of their own computer systems, third-party computer systems on which they rely and the data they collect and/or hold. They should consider whether technology errors and omissions liability or cyberinsurance would more effectively address their risks. With the help of their insurance brokers and counsel, companies can negotiate and tailor those policies to their risks and exposures relating to computer systems, personally identifiable information and confidential third-party business information. Some businesses may choose to rely exclusively on their CGL policies for protection against data breach lawsuits. But that decision should be made deliberately after understanding all the risks and options.

Read the full article: Data Security Breach Liability: Is Your Business Covered?

Law firms are important gatekeepers between cybercriminals and clients’ sensitive data. The release of the Panama Papers and several other recent high-profile breaches have brought to light vulnerabilities in law firm cyber security.

I recently participated in a podcast with journalist Ben Hammersley and eSentire’s VP and industry security strategist Mark Sangster. Our discussion focused on cyber risks that law firms face and risk mitigation strategies to protect themselves and the data they hold, including cyber insurance.

Listen to the podcast here