In the ACC Docket article, Cybersecurity and Data Breaches: How In-House Counsel Can Engage the Board, my fellow partner Carly Alameda and her co-author Olga Mack of ClearSlide correctly observe that cyber insurance may cover costs a company incurs as a result of a data security breach.
I’d emphasize that boards should carefully review proposed policies before they buy one to ensure that they obtain the desired coverage. Cyber insurance policies are not written on standard forms. Policy language and the scope of coverage offered by different insurers can vary, sometimes widely.
I’d suggest that boards first gain an understanding of their own risk profile and then seek to tailor the cyber insurance to address their particular risks. For example, not all cyber insurance policies will cover the insured if the data security breach was caused by an intrusion into a third-party vendor’s system, even though the insured is ultimately responsible for providing notice to consumers and may face lawsuits by consumers, banks and others. Companies that rely on third-party vendors to collect or store PII should make sure that any policy they buy covers losses due to an intrusion into third parties’ systems.