After the (WannaCry) Affair: Six Tips To Evaluate Your Cyberinsurance
by Saad Gul and Michael E. Slipsky
As previously noted, a recent ransomware attack crippled over 75,000 computers worldwide. The United States was largely spared the brunt of the wave, thanks to a Microsoft patch that averted a full-fledged meltdown.
We have previously highlighted that insurance must be an integral part of any cyber incident response. In life, an ounce of prevention is worth a pound of cure; this applies with exponentially greater force in insurance. Ever since Crassus in ancient Rome, once the fire has started, insurance is available, if at all, only at prohibitive rates.
Not all cyber insurance policies are alike. In our experience, after assessing your own needs, here are six features to consider:
First and foremost, avoid the Act of War or Act of Terrorism Exclusions. Most cyber-attacks are attributed to foreign states or their affiliates. This exclusion could void coverage for the bulk of threats faced by an organization. Avoid.
Second, look at reporting requirements. Many incidents are not discovered until weeks, months, or even years after their occurrence. The famous OPM hack, resulting in the exfiltration of the security files of millions of federal employees and contractors, went undetected for 2 years. Policies must accommodate this reality. If necessary, purchase a tail policy. A single incident will justify the additional premium.
Third, examine third party coverage. This is particularly significant with the expansion of cloud computing. If the breach occurs on a third party's servers, standard ISO language may limit coverage. Plan accordingly.
Fourth, review employee exclusions. By far the single biggest cause of cyber incidents – even at the NSA – is human error. If an employee falls victim to a W-2 phishing scam, clicks on a link, or downloads something they should not have, verify that coverage is available.
Fifth, and related to the last point: ensure that the “contractual exclusion” does not apply to cyber incidents. Most policies exclude coverage for contractual commitments. However, much of the damages from cyber intrusions arguably stem from a contract. A malicious wire transfer? Loss of payment information? You are going to be contractually obligated to reimburse the financial institution. Ensure that your coverage is similarly obligated.
Finally, the policy should cover regulatory compliance and legal costs. Some industries such as health (HIPAA) and finance (GLBA) are heavily regulated. States are increasingly imposing their own requirements in addition to the federal obligations. Even if you are spared a class action lawsuit, an internal investigation will be necessary, and a remedial plan and possibly monitoring instituted. The cyber insurance should address these as well.
The possible variants are endless – there is a reason the insurance industry introduces new products every year – but as always, the fundamentals remain the same. Ignore them at your peril. Or pick up the phone and give us a call.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.