A dual approach to risk management and mitigation of cyber threats
By Mary-Pat Cormier
Risk management and mitigation of cyber threats are no different from any other risk exposure facing companies. Effective strategies must employ a dual approach: security and insurance. Neither one alone is adequate, but both are necessary and more likely to address the growing cyber threats in their many manifestations.
Managing cyber risks and minimizing security threats
A company must be vigilant to manage cyber risks. How vigilance manifests itself differs based on how the risk is presented. In general, to properly prepare for, mitigate and address cyber threats, a comprehensive information security program is essential--and sometimes required by law. A security program should have five main features:
- risk assessment;
- employees responsible for maintaining all facets of the program;
- regular identification, assessment, and testing for reasonably foreseeable internal and external risks;
- a written information security protocol that includes security policies for the storage, access, and transportation of personal data; and
- evaluating third-party service providers for data security practices.
One of the single most effective things an institution can do to prevent cyber threats is to educate its employees on "red flags" of information security breaches. This includes encouraging, and in some cases enforcing, the use of complex passwords or changing passwords frequently; administering a cyber-security exam as a condition to obtaining a company email address; implementing multi-step authentication systems for certain company apps; learning about and using native encryption capabilities; and instructing employees on how to spot 'phishing' attempts. All user awareness programs benefit from frequency, consistency, and simplicity.
Finally, a helpful guide for internal risk assessment are applications for cyber-security insurance policies. These often lengthy and comprehensive applications are a road map for what is considered to be current best practices in information secuirty, data privacy or cyber-security.
Applications will often ask for information regarding the following:
- type of customers or clients
- type of data maintained for those clients
- how data is maintained
- where data is maintained (i.e. on- or off-site)
- if data is maintained off-site, the contractual arrangements with off-site service providers
- whether there have been any data breaches at the company, the nature of those breaches and when, how any claims were resolved
Additionally, applications can sometimes contain extensive IT sections that require certification by the CIO or equivalent executive position as well as the CEO/CFO. These sections typically evaluate the technological safeguards that a company uses.
When all else fails: Cyber risk insurance
A recent Reuters article on the rapidly growing market for cyber insurance noted that "corporate risk managers are seeing insurance against cyber crime as necessary budget spending rather than just nice to have."
With scores of companies offering cyber insurance--either as stand-alone policies or endorsed onto other forms--the variety and cost of coverage is varies. According to insurance broker Marsh, $1 million in coverage usually starts around $20,000. Based on our review of several common cyber coverage forms, the following is a list of the ten principal distinctions across coverages:
- First party/Third party--coverage is either available to the insured for costs to the business associated with the data breach, or to cover claims by third parties. Some policies offer both types of coverage.
- Privacy breach costs--includes notice costs, credit monitoring and any damages claimed by parties whose privacy was breached. Some policies make a distinction between privacy breach costs associated with regulatory action.
- Duty to defend--carrier has duty to defend the insured on a claim arising out of a breach.
- Coverage territory--coverage territory may be limited to the U.S. or specifically exclude certain countries.
- Intellectual property--excludes coverage for intellectual property which is compromised as a result of a breach, especially patents.
- Limits of insurance--sub-limits, separate retentions or co-insurance for certain costs or losses incurred.
- Extortion and threats--some policies specifically provide extortion coverage.
- Anti-stacking--prohibits stacking of coverages or limits offered by the same, or affiliated, insurance carriers.
- Bodily injury coverage--excluded or limited unless related to emotional duress arising from a privacy breach.
- SPAM--claims arising out of "surreptitious" treatment of personal information.
Globally, cyber crime losses are estimated to be $445 billion annually. Certainly, the first line of defense is the company, its systems, and its employees. With every successful hack comes costly fixes--from diagnostics and business interruption losses to liability exposures to third parties. For those costs--now seemingly unavoidable--there are insurance policies of almost every sort, scope, and nature.
About the Author: Mary-Pat Cormier, a partner in the Boston office of Bowditch & Dewey, focuses her practice on financial services and securities litigation, including disputes arising out of coverage and bad-faith claims handling against professional and specialty lines liability carriers. She can be reached at firstname.lastname@example.org.