From a risk management point of view, there are plenty of lessons to be learned from the recent data security compromise at Equifax.
- No one is immune from a cyber attack. Whether you are an individual, public company, government authority, health care provider, utility, or law firm, someone wants in. The attack vectors are numerous and creative, thus cyber risk can never be entirely contained.\
- If you are an officer or director and sell stock during the throes of a breach (especially before public disclosure), the timing will look bad to regulators, investors and the public — even where purely coincidental.
- Boards and senior corporate officers will be increasingly second-guessed for missing warning signs of cyber security weaknesses. In a somewhat ironic twist, however, a recent report about a hack of the SEC’s computer systems is bringing into question whether the SEC had appropriately enhanced its security after the completion of a GAO cyber security assessment.
- The timing of cyber intrusion disclosure will always be scrutinized. I have been on conference panels with state attorneys general and federal regulators who almost uniformly assert that a delay in reporting a breach that lasts more than 30 days typically raises a red flag with them. That is not to say they will not recognize extenuating circumstances, but it is a baseline that has significance to many who wield power when it comes to investigations and litigation.
- Policyholders can expect that their boards and managers will be increasingly raked over the coals for the robustness of their cyber security. This will be especially true where the data to be secured either bears on health and safety, or pertains to individuals (e.g., customers, patients, employees, etc.).
- We can also expect that, for public companies in particular, special focus will be trained on the level of insurance protection corporate managers have secured to protect the balance sheet of the corporate entity for both first-party losses and third-party claims.
Pre- and Post-Breach Cyber Peril Solutions
There are a number of things policyholders can do both pre-breach and post-breach to improve their station when it comes to cyber perils.
- At point of purchase, work with a skilled insurance broker who can steer the company toward insurance products that provide comparatively better protection. There are lots of competing insurance products in the marketplace and they are not created equal. Smart shopping with careful broker guidance can mean the difference between meaningful insurance protection and an insurance policy that is not worth the paper it’s printed on.
- Approach insurance applications carefully. This means providing prudent responses to insurance applications after polling key internal departments within the policyholder’s organization to make sure answers are correct. It also means pushing back against insurance application questions that are overly broad, vague or traps for the unwary.
- Provide proper and prompt notice of circumstances and claims. When a cyber incident occurs, make sure to notice any and all potentially applicable insurance policies. Potential coverage for cyber losses and claims is not limited to insurance policies with the word “cyber” in them. We have secured insurance coverage for cyber-related claims under property, crime, E&O, D&O, commercial general liability and other first- and third-party insurance policies. The Equifax hack implicates a number of different insurance policy types that may provide coverage for claims against Equifax, potentially including losses to Equifax’s own property and business operations. The hack may also implicate claims involving third-parties under their own insurance policies.
- If a cyber claim is likely to focus attention on the board of directors or the officers, consider whether a notice of circumstances to the company’s D&O insurance tower (including Side A and excess policies) is the safest approach despite the lack of an actual “claim” at the time. This can have implications for renewals, insurance application disclosures and possibly laser exclusions in the next year’s D&O coverage.
- Be on guard for attempts to impose cyber exclusionsat renewal time. Directors and officers should take care to ensure that their D&O policy remains clear of cyber exclusions that have taken hold in other lines of coverage such as CGL and marine cargo insurance.
As many policyholders have already learned, insurance coverage can be a vital benefit when the sky is otherwise falling due to a serious cyber hack. It’s imperative to ensure in advance that your coverage itself hasn’t been hacked at by underwriters.