The insurance industry has been making the case to Congress that cyberinsurance can be a path to good security practices, encouraging different groups inside an organization to better communicate with one another. The process of investigating, applying for and being approved for cyberinsurance may indeed prompt important discussions inside organizations about cybersecurity. And it may be a subject that prompts board-level discussion of cyber preparedness. But in our view, relying on cyberinsurance as the spark for those conversations is the tail wagging the dog or the chicken not the egg or the egg not the chicken.
Your company’s controller receives an email instruction from your CEO to wire funds to complete a time-sensitive and confidential deal. It seems like a clear directive to execute, but it’s not. It’s an increasingly common scam known as the “Business E-mail Compromise” (BEC).
Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.
The shockwaves continue from the October 6, 2015 ruling of the Court of Justice of the European Union (CJEU), the European Union’s highest court, invalidating the U.S.-EU “Safe Harbor” data transfer regime in a controversy arising out of Maximillian Schrems’ complaint to the Irish Data Protection Commissioner. The Schrems decision obviously has huge privacy implications for companies that transferred data under the Safe Harbor regime, but it may also impact such companies’ cyber insurance.
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
Cyber criminals posing as company executives have successfully made off with millions from company coffers by tricking company employees into sending them the cash. Insurers are increasingly taking the position that this type of fraud is not covered under cybercrime policies.
In a stunning victory for the former Goldman Sachs programmer, New York State Justice Daniel Conviser threw out Sergey Aleynikov’s jury conviction on state law charges that he stole intellectual property from Goldman. Trade Secrets Watch has extensively covered this story, most recently reporting the start of Aleynikov’s new trial, but missing out on a (later-dismissed) juror’s tale of an errant avocado.
The data breach earlier this month that potentially exposed information about millions of federal government employees is yet another reminder that any organization that maintains data is at risk of being hacked. And rest assured that if you get hacked, you will incur substantial costs as a result, including substantial notice and related costs and potentially massive third-party liability claims.
We have written extensively about so-called “cyber” insurance, including how cyber insurance is neither comprehensive nor standardized. As a result, when you are shopping for your first (or next) cyber policy it is important to understand what types of coverages, exclusions and conditions are in the market. Making a well-informed purchase starts with knowing your options.
There are too many differences between cyber policies to cover in one blog post, and the market, still in its youth, is rapidly evolving. But here is a list of five important things—in no particular order—to consider when you’re in the market for cyber insurance:
There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”
Your insurer wrongfully denies coverage—so you file a complaint in court, right? Not so fast! Many new insurance policies now include mandatory arbitration provisions. While at one time arbitration clauses were common only in policies issued by foreign insurers, they are now finding their way into policies issued by domestic insurers and in all types of coverages, including commercial liability insurance policies, D&O, E&O, employment liability, and cyber insurance. While the terms of these clauses vary, to the extent they are enforceable or cannot be negotiated out of the coverage, arbitration provisions close the courthouse doors to insurance disputes and force policyholders and their insurers to resolve disputed issues in private and free from judicial scrutiny.