By Patrick K. Burke
If you’re considering cyber-insurance, having a look at Target may sway your outlook on picking up a policy for your organization. Target had substantial cyber-policies in place, and while their reputation and management have suffered from their breach in 2014, a significant portion of their damages has been covered. Cyber-insurance provides another layer of protection for corporations that face increasing security threats to their IT infrastructure. Steven Boyne, a shareholder with Gunster law firm, focuses his practice on insurance law and cyber-crime planning. Boyne discusses with CIO Insight how cyber-insurance typically works and what CIOs need to be aware of before purchasing a policy.
It seems just about anything can be insured. NFL strong safety Troy Polamalu insured his distinctive hair for $1 million. Is investing in cyber-insurance outlandish in a similar way or is it worth the peace of mind?
No, it is not outlandish at all. Cyber-liability insurance should be viewed as one more set of protections for a corporation. Just as years ago, D&O insurance was viewed as an anomaly, and now it is extremely rare for any substantial corporation (public or private) not to have D&O coverage, in five years from now it will be rare to find a corporation that does not have a cyber-liability policy. The risks to corporations from both a financial and reputational perspective are just too high. In addition to first party and third party coverage for damages, there are substantial additional benefits such as having an independent objective party review a company’s IT infrastructure, and in the event of a breach an insurance company and competent counsel can help a company minimize any damages.
For those unfamiliar, can you explain how cyber-insurance works in a corporate setting? What’s covered and what isn’t?
There are two primary types of risks that are covered: (1) First party–damage to the company’s assets, which generally includes the IT infrastructure, and costs to restore and/or rebuild the systems; (2) Third party–this coverage is much broader and includes any damages to third parties, and includes breach of contract claims, responding to regulator’s inquiries, and some include shareholder claims. Additionally, every carrier has already handled a cyber-claim, so they generally have a roster of experts that they can deploy to assist a company in the event of a breach. This tends to be overlooked during the application process, but is extremely valuable. It is difficult to answer what is not covered, as the policies are somewhat flexible and dependent on industry, carrier and the negotiations between the insured and the insurance company.
What should a CIO be wary of before taking out a policy?
Time. The more time the CIO spends working with counsel, senior management and the carrier the better the coverage, and oftentimes the lower the premiums. If a company just fills out the application and delegates a lower-level employee to handle the process with the carrier, the end product is probably not what the company was looking for. It is critical that the carrier understands the company, the business and the IT infrastructure, and as such the CIO’s role is vital.
What are some typical limits when a company submits a cyber-insurance claim?
For smaller and mid-size companies generally, $1-20 million. Larger companies often have limits that exceed $100 million.
Generally speaking, how much are cyber-insurance premiums?
The market place is growing, and prices are over all the map, and the more secure a company’s IT is, the lower the price. In addition, some industries have higher rates than others. For example, data stolen from health-care companies is generally more valuable, so their rates tend to be higher.
Can you think of a situation where cyber-insurance saved a company from either taking a big financial hit or even going under?
I cannot think of a company that has been saved from bankruptcy, but Target had substantial policies in place, and while their reputation and management have suffered from their breach in 2014, a significant portion of their damages has been covered.
What prevents some companies from buying into cyber-insurance?
Some companies believe that their IT infrastructure is not secure enough, and as such the policy premiums will be exorbitant. Other companies believe that their data is not valuable, and they will not be targeted. Both of these assumptions are incorrect. Going through the process of buying a policy is extremely valuable; in that a company has an objective third-party (the insurance company) review their systems and highlight vulnerabilities.
Is there an expectation that as more companies buy cyber-insurance, the cost of a policy will drop?
Unclear. The market is in flux, and depending upon number and types of breaches the prices may go up or down. In theory the more companies that buy policies, the lower the prices, but to date that has not happened.
Does your firm have a cyber-insurance policy?
Gunster does have coverage, in fact we recently increased our coverage and limits. I am unsure to what extent our competitors have cyber-insurance, but I believe that best practices with respect to protecting your IT structure and preparing for the worst dictates that a law firm should have such policies. Finally, while a law firm’s data may not be as valuable as a health-care company, or a financial institution, Gunster’s management understands that to remain at the forefront of law firms, a cyber-policy, and its attendant benefits, is critical.
Steven Boyne, a shareholder with Gunster law firm, focuses his practice on insurance law and cyber-crime planning.
