In the December post Systemic Cyber Risks And The Internet of Things, we wrote about the increasing risk of cyber attacks on infrastructure and consumer products, and related insurance issues. We noted in that post that, while there have been a few cyber attacks on the Internet of Things (IoT) reported over the past few years, the number of such attacks was certain to grow. It has. Since our December post, several new attacks and developments have been publicly disclosed. These attacks again remind us that companies should evaluate their risks and exposures relating to the IoT and carefully negotiate their insurance policy renewals or purchases. (Full post: Cyber Attacks on Infrastructure Are Increasing: Review Your Insurance As “Internet of Things” Risks Grow and Change)
In the ACC Docket article, Cybersecurity and Data Breaches: How In-House Counsel Can Engage the Board, my fellow partner Carly Alameda and her co-author Olga Mack of ClearSlide correctly observe that cyber insurance may cover costs a company incurs as a result of a data security breach.
I’d emphasize that boards should carefully review proposed policies before they buy one to ensure that they obtain the desired coverage. Cyber insurance policies are not written on standard forms. Policy language and the scope of coverage offered by different insurers can vary, sometimes widely.
I’d suggest that boards first gain an understanding of their own risk profile and then seek to tailor the cyber insurance to address their particular risks. For example, not all cyber insurance policies will cover the insured if the data security breach was caused by an intrusion into a third-party vendor’s system, even though the insured is ultimately responsible for providing notice to consumers and may face lawsuits by consumers, banks and others. Companies that rely on third-party vendors to collect or store PII should make sure that any policy they buy covers losses due to an intrusion into third-parties’ systems.
David Smith and I have recently been writing and speaking about cyber risks and cyber insurance for the wine industry. While many of the high-profile data security breaches in the news involve large public companies, all businesses that accept credit cards for payment and/or have personally identifiable information from employees or customers are at risk of a data security breach. This is the case even if the collection or storage of such information is handled by a third-party vendor. Businesses should carefully consider their cyber risks and whether cyber insurance could help them manage those risks. We’d like to share an article we recently wrote on protecting your wine business against data security breaches and other cyber risks: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks.
Companies’ awareness of “cyber” risks has increased significantly because of large and highly publicized data security breaches, such as those at Target and Home Depot. Companies are starting to manage the risk of data security breaches more proactively by strengthening their IT defenses and, in many cases, buying cyber insurance. However, many do not realize that data security breaches are just the tip of the cyber-risk iceberg. Because nearly our entire economic system depends on electronic devices, machinery and infrastructure that are connected to the internet (i.e., the “Internet of Things”), the potential exists for much larger scale hacking attacks that could control, damage, destroy or shut down many of the systems on which we rely to conduct business. Some of this risk is covered by cyber insurance, but much of it is not. Proactive and effective “Enterprise Risk Management” will be vital to companies seeking to protect themselves against these growing risks. Businesses should carefully review their unique risk profiles, indemnity contracts and insurance policies (including their non-cyber “traditional” policies) to identify and mitigate their exposures.
We have all heard of the large scale attacks on Target, Home Depot and, more recently, Ashley Madison. The news generated by these cyber attacks has contributed to the public’s increasing awareness of the large volumes and types of personal information that companies are holding about their customers. To protect themselves against some of the losses that such data security breaches may cause, many companies have prudently responded by buying “cyber insurance.” (Full post: Systemic Cyber Risks And The Internet of Things)
Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured’s failure to maintain data security – in other words, the very risk the insured was seeking to insure. We’ll call it the “Mistake Exclusion.” One AIG form from 2006, for example, excluded coverage arising out of “your failure to take reasonable steps to use, design, maintain and upgrade your security.” A 2009 Darwin form excluded coverage for any claim arising out of “any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance.” But isn’t liability insurance supposed to do just that – protect against the insured’s mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened.
We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” Columbia’s complaint arises out of a class action suit against Cottage alleging that, for a period of two months in 2013, 32,500 patient records were accessible via the Internet. Cottage had hired a third-party vendor to store Cottage’s records electronically and that vendor mistakenly set the File Transfer Protocol settings to allow public access. Columbia funded Cottage’s defense and settlement, but is suing to recover all of its payments from Cottage.
Earlier this month, I gave a presentation with Irfan Saif, principal of Deloitte & Touche, on cyber insurance at the Institute for Advance Corporate Counsel (iACC) in Burlingame, CA. We discussed how companies can analyze their data-related risks and develop strategies to mitigate those risks, including through the purchase of insurance. Because cyber insurance is still a developing market, insurance policy forms are far from standardized and often can be negotiated. As a result, it is important to carefully analyze your company’s data security risks and the proposed policy forms when considering the purchase of cyber insurance. This is particularly critical when the company’s risks relate to its data held by third parties or to computer systems that rely on third-party systems, as the scope of coverage for these risks varies widely among the policy forms currently available.
It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.
Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after gaining an understanding of the company’s security controls and individual risk profile. In the rush to buy cyber insurance, companies may too often fail to appreciate the strengths and weaknesses in their security controls, their risks and exposures, and the coverage they need.
While a variety of potential approaches exist for assessing cybersecurity requirements, this article discusses one method to help you understand your company’s risks and exposures, and how that knowledge can be used to choose the security and risk transfer strategy that most appropriately fits your needs. The full article is available on the Corporate Counsel website.
By Tyler Gerking, insurance coverage partner in Farella Braun + Martel’s San Francisco office, and Mark Massey, principal in Deloitte Financial Advisory Service’s San Jose office.