David Smith and I have recently been writing and speaking about cyber risks and cyber insurance for the wine industry. While many of the high-profile data security breaches in the news involve large public companies, all businesses that accept credit cards for payment and/or have personally identifiable information from employees or customers are at risk

Companies’ awareness of “cyber” risks has increased significantly because of large and highly publicized data security breaches, such as Target and Home Depot.  Companies are starting to more proactively manage the risk of data security breaches by strengthening their IT defenses and, in many cases, buying cyber insurance.  However, many do not realize that data security breaches are just the tip of the cyber-risk iceberg.  Because nearly our entire economic system depends on electronic devices, machinery and infrastructure that is connected to the internet (i.e., the “Internet of Things”), the potential exists for much larger scale hacking attacks that could control, damage, destroy or shut down many of the systems on which we rely to conduct business.  Some of this risk is covered by cyber insurance, but much of it is not.  Proactive and effective “Enterprise Risk Management” will be vital to companies seeking to protect themselves against these growing risks.  Businesses should carefully review their unique risk profiles, indemnity contracts and insurance policies (including their non-cyber “traditional” policies) to identify and mitigate their exposures.

We have all heard of the large scale attacks on Target, Home Depot and more recently, Ashley Madison.  The news generated by these cyber attacks has contributed to the public’s increasing awareness of the large volumes and types of personal information that companies are holding about their customers.  To protect themselves against some of the losses that such data security breaches may cause, many companies have prudently responded by buying “cyber insurance.”
Continue Reading

Insurance policies covering data breach liability began appearing roughly ten years ago. We noted then a troublesome provision in some forms that seemed to exclude coverage for the insured’s failure to maintain data security – in other words, the very risk the insured was seeking to insure. We’ll call it the “Mistake Exclusion.”  One AIG form from 2006, for example, excluded coverage arising out of “your failure to take reasonable steps to use, design, maintain and upgrade your security.” A 2009 Darwin form excluded coverage for any claim arising out of  “any failure of an Insured to continuously implement the procedures and risk controls identified in the Application for this insurance.” But isn’t liability insurance supposed to do just that – protect against the insured’s mistakes, innocent or negligent? We hoped and expected that as the market for these policies matured, savvy brokers and risk managers would insist that these Mistake Exclusions be removed or substantially narrowed. But that has not happened.

We now have the first case we are aware of by an insurer seeking to enforce a Mistake Exclusion. In Columbia Casualty Company v. Cottage Health Systems, filed May 7, 2015 in the U.S. District Court in Los Angeles, Columbia seeks to enforce an exclusion barring coverage for a data breach claim arising out of any “failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this Insurance and all related information submitted to the Insurer in conjunction with such application whether orally or in writing.” Columbia’s complaint arises out of a class action suit against Cottage alleging that, for a period of two months in 2013, 32,500 patient records were accessible via the Internet. Cottage had hired a third-party vendor to store Cottage’s records electronically and that vendor mistakenly set the File Transfer Protocol settings to allow public access. Columbia funded Cottage’s defense and settlement, but is suing to recover all of its payments from Cottage.


Continue Reading

Earlier this month, I gave a presentation with Irfan Saif, principal of Deloitte & Touche, on cyber insurance at the Institute for Advance Corporate Counsel (iACC) in Burlingame, CA.  We discussed how companies can analyze their data-related risks and develop strategies to mitigate those risks, including through the purchase of insurance.  Because cyber insurance is still a developing market, insurance policy forms are far from standardized and often can be negotiated.  As a result, it is important to carefully analyze your company’s data security risks and the proposed policy forms when considering the purchase of cyber insurance.  This is particularly critical when the company’s risks are related its data held by third-parties or computer systems that rely on third-party systems, as the scope of coverage for these risks varies widely among the policy forms currently available.


Continue Reading

It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.

Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after