By LISA MONTI
Protecting personal and business data from cyber attacks is unsettling for a lot of reasons, not the least of which are the constantly changing cyber threats and ways to respond to data breaches.
Little surprise, then, that in October – National Cybersecurity Awareness Month – the National Association of Insurance Commissioners announced it is ramping up its cybersecurity activity, including pushing a model state law on cybersecurity. NAIC officials said they “want to communicate the need for national consistency regarding data breach laws and regulations.”
“State regulators are committed to developing tools to ensure effective regulation to protect consumers because we know the cyber risk landscape is changing quickly,” said John Huff, NAIC president and Missouri’s Insurance Director.
Once a company’s confidential information is breached, obviously it’s too late to start thinking about insurance, say Baker Donelson attorneys Sam Felker and Eric Setterlund.
Such breaches are followed by claims and expenses that hit “like a tidal wave,” the attorneys said, so they recommend that business owners prepare for a hack by keeping five things in mind when shopping for specialty cybersecurity insurance.
“With expensive and high-profile cybersecurity breaches on the rise, we are encouraging our clients to review their insurance coverages now to make sure they are protected, if and when a hack or other cybersecurity incident occurs,” Felker and Setterlund wrote.
The attorneys point out that traditional insurance policies have gaps in coverage and most insurers are now adding cyber-specific exclusions to general liability policies.
The market for specialty cyber policies is expanding and that’s likely where business owners will have to look for cyber insurance coverage.
As complex as the cyber liability insurance market is, the two recommend that you get your attorney to review your coverage with your insurance broker to make sure you’re getting what you want and need.
The first thing business owners should do is look at their company’s greatest risks and make sure they tailor the policy to cover that exposure. Common coverage includes crisis management and identity theft responses, cyber extortion and malware, data asset recovery and restoration, and business interruption caused by cybersecurity events.
“It is also essential to understand the event that will trigger coverage, because expenses mount quickly after a breach or other cyber event and it is important to have insurance funds in place to assist with the expedited response that is often needed,” Felker said.
To further protect the business, owners may want to consider coverage for third-party liability.
“In addition to the damage to your own business and its network, you must also consider potential liability to third parties caused by the breach or security incident,” Felker said. Common third-party coverages include network security liability, for claims arising from a breach in network security or transmission of malware to someone else’s network, and privacy liability, for claims of failure to properly handle and protect personal or confidential information.
The attorneys stressed that the exclusions in cyber policies vary and can impact how a claim is handled.
Common exceptions in policies include those for claims arising from unencrypted portable electronic devices, intentional acts of employees, cyber terrorism, Acts of God and security lapses that could have been prevented.
“Ultimately, it is important to recognize every exception and negotiate on the ones that are important to your business,” said Felker.
Another important consideration when searching for a policy is the limitations of liability as well as any retention amounts that must be paid by the company before the policy will kick in after an event.
Besides the regular policy limits, Felker said, many policies have limits on such things as breach notification costs, forensic expenses, credit monitoring costs, business or network interruption and extra expenses.
Also, business or network interruption coverage may have a larger deductible or include a time element such as how many hours a business or network must be down before business interruption coverage will be triggered.
Finally, the attorneys suggest, pick an insurer who is willing to work closely with you. In the highly competitive cybersecurity market today, they say, insurers will offer free services along with your policy.
“Many insurers today will partner with the insured prior to an event to assist with cybersecurity policies and procedures and training of employees on incident response strategies,” Felker said. “Many insurers also provide the services of specialty vendors to assist the client with forensic investigations and remediation in the event of a cyber incident.” That’s especially helpful in preventing devastating cybersecurity incidents, he said.