Why every business needs cyber insurance?

Digital transformation is an inevitable trend for every business in this age, when e-commerce, online transactions and remote working have become mandatory conditions for survival and development, especially while we have to live with Covid. Cyberspace therefore carries more potential risk than ever before, and leaders and executives must consider solutions to control and reduce risks for their organizations.


The risks posed in today’s digital world mean a cyber event is more likely to cause catastrophic harm to your business than any other physical event.

According to PWS Global Risk, insurance is traditionally purchased for losses incurred as a result of property damage or personal injury. What the insurance industry has done over the years is provide us with a very efficient method of risk transfer. However, this kind of insurance policy cannot protect the organization against the risks posed by the digital age.


Covering your loss due to cyber events requires a specialist insurance solution. This is where Cyber Insurance comes in: it is a fast-evolving market, and one with which every organisation with a digital presence must become familiar.

Risk categories


To understand the mechanics of a Cyber Insurance program, we need to split the risks into four categories:

First Party Loss

Loss or damage suffered by your business due to a network failure or data breach resulting in financial loss or liability to a third party.

Privacy Regulation Defence, Awards & Fines

Regulators worldwide have powers which hold organizations accountable for the way they store personal data.

Third Party Loss

Claims made by a third party against your organization, triggered by what is defined as a “wrongful act” which can include errors, acts, omissions, neglect or breach of duty which results in liability to a third party.

Professional Liability

Optional Negligence Based Coverage for IT Professionals.

Become a partner in CYBER INSURANCE FOR BUSINESS?

As a strategic partner of Harvestkorp in Vietnam, we look forward to bringing cyber insurance solutions to businesses through partners specializing in providing insurance services. Please contact us if you are interested in becoming our partner.

Cybersecurity coverage is designed to provide organizations with information and expertise following a breach, and also:


  • It helps to recover revenue and pay for legal costs related to an incident.
  • It helps businesses minimize the disruption of disabled IT.
  • Some cyber insurance policies cover the cost of fines and penalties levied by public/private organizations or the cost of investigations related to those fines and penalties.


All the cyber insurance your organization needs in one place

As a strategic partner of Harvestkorp, we provide international reinsurance brokerage on all classes of general insurance in cyber.

Seven questions that every executive should ask

  • 1. Do we have a cyber insurance policy?

    This question may seem elementary, but it’s critical to ask.


    So often in business, intra-company communication leaves a lot to be desired. Your cybersecurity and IT professionals, as well as the executives managing and overseeing them, may have no idea whether such a policy exists — even as they file a claim.


    Frequently, there’s an assumption that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues. If, unbeknownst to you, cyber intrusions are not covered, you could end up footing the entire bill for a breach or attack — or engaging in a costly court battle for payment. In the US, the average total cost of a data breach was $8.6 million in 2020, more than twice the global average, according to the 2020 Cost of a Data Breach Report. The cost for breaches of more than 50 million records increased from an average of $350 million in 2018 to $392 million in 2020.

    In 2020, the top 10 biggest ransomware attacks cost victims nearly $213 million to investigate, rebuild networks and restore backups, pay the ransom and put preventative measures in place to avoid future incidents. Even worse, ransomware payments totaling as much as 7 or 8 figures are now being extorted multiple times, with multiple payments stemming from one attack.


  • 2. Who owns the task of mitigating cyber risk with insurance?

    Who’s in charge of selecting and buying cybersecurity liability insurance for your firm? The CIO? CISO? Your risk manager? General counsel?


    And in the event of a cyber attack, whose job is it to file the claim and see it through the processing?


    Establishing accountability helps confirm that the tasks of managing and mitigating cyber risk are completed properly and in a timely manner. Before you can formulate a cybersecurity risk management strategy — critical to operational and digital resilience — you should establish robust procedures and playbooks for incident readiness.

  • 3. Do we have the right amount of cyber insurance?

    Critical infrastructure organizations — including banks, utility companies, healthcare providers, technology firms, manufacturers and state and local governments — are today’s primary cyber attack targets and may need more coverage than businesses such as retailers. Often, these industry targets have discrete industry and regulatory requirements that must be met, which ups the ante even further.


    But how much insurance does your organization need? To help determine the right answer, you need to quantify your cybersecurity risk. More mature organizations such as financial institutions have already done this. But those that need it the most often have analyzed their risks the least. And companies in other less-regulated industries, including education and manufacturing, tend to be under-insured for cybersecurity liability.


    Sometimes an incident becomes a wake-up call for an industry. After the debilitating NotPetya attack, the maritime industry began to improve its cybersecurity. Threat information sharing has improved and, as a result, cyber insurance products emerged.


    Quantifying risk now can prevent headaches and potentially catastrophic losses for small and midsize companies later on. Admittedly, placing a dollar sign on your cyber risk isn’t easy. It’s a young field with few specialists.


  • 4. What does our policy cover?

     What are the exclusions on your policy? Find that out now! Don’t wait until your systems are held hostage, only to discover that your cyber insurance policy excludes ransomware payments, for instance.


    Most policies will reimburse you for network security, hiring legal counsel and paying a forensics vendor. Often, they will pay the costs of restoring data and bringing your operations back online.


    • What about the cost of a root cause investigation? That may not be covered.
    • And what about the cost of breach notifications? If you’ve had 100,000 credit card numbers stolen, the cost of notifying the cardholders could be prohibitive.
    • Does your policy cover public relations and communications? The right messaging can be critical in preventing reputational loss and restoring goodwill with stakeholders.
    • Will your insurance pay the cost of providing credit monitoring and ID restoration to customers whose personally identifiable information (PII) was stolen?
    • If you’re hit by ransomware, will your policy pay the costs of negotiating with the attacker and paying the ransom? Does your policy cover extreme business interruption, including losses from cancellations of flights or missed shipments or delayed production? Some, but not all, will include data breach coverage, business interruption cost reimbursement, cyber extortion defense, forensic support and legal support.
    • If an advanced persistent threat (APT) infiltrates your system in a nation-state attack, will your insurance fund your recovery or will it write off the incident as an “act of war”? (This was tested in the wake of the NotPetya attack.) This question should no longer be hypothetical with the predicted increase in sophistication of APTs.
    • And what if your organization incurs fines for violating the European Union’s General Data Protection Regulation (GDPR), the Sarbanes–Oxley Act of 2002, the NYDFS Cybersecurity Regulation, the California Consumer Privacy Act (CCPA) or some other cybersecurity or privacy regulation? How much, if anything, will your insurance company pay?
    • A caveat: If your enterprise gets hit by malicious actors because your security wasn’t adequately robust, your insurance policy probably won’t pay for you to strengthen your systems to avoid another attack. But that doesn’t mean you shouldn’t take this precaution.

  • 5. Does our insurance provider understand our industry and its risks?

    Insurance companies are accustomed to responding to natural disasters, overseas riots, loan defaults and other risks and threats. However, they may not fully comprehend the threats posed by phishing, social engineering and malware and the dangers they pose to your enterprise.


    Do insurance providers grasp the privacy and security requirements that HIPAA imposes on the healthcare industry, as well as the privacy and security concerns caused by a regulatory push for sharing patient data? Do they understand the importance of the FFIEC’s (Federal Financial Institutions Examination Council) or Bank of England’s guidance on operational and digital resilience in financial services?


  • 6. Is our policy flexible enough to adapt as our business grows?

    Your cybersecurity liability policy should be flexible enough to adapt to malicious actors’ tactics. It should also let your organization adapt and change as your business and technology needs grow without having to augment your policy.


    At the same time, your team should actively review your cyber policy every time it’s up for renewal. If you don’t feel equipped to determine whether your policy is sufficient, get help — either from an in-house team, outside legal counsel or an experienced and qualified consultant.


  • 7. Cyber Liability and Directors’ and Officers’ Liability Insurance?

    There were 1,500 data breaches in 2015. There have been several well-known breach incidents and resulting D&O claims in recent years. One of the most notable is Home Depot, which reported a massive breach of credit card information stemming from an intrusion that was reported in April of 2014, five months before the incident was made public. Target Corporation and Wyndham Worldwide were also among the more well-known of these types of breaches.


    There are several sources of claims after a cyber incident, including customers, shareholders, regulatory agencies and other third parties such as financial institutions.


    D&O claims arising out of a cyber incident can stem from allegations that include breach of fiduciary duty, waste of corporate assets, conspiracy and aiding and abetting. Named defendants can include the CEO, CIO and various directors.


    Derivative claims can arise from a cyber incident as well. Derivative action is a lawsuit brought by a corporate shareholder against the directors, officers and management of the corporation, for a failure by management. These settlement amounts are often non-indemnifiable, subject to individual state laws.


    A D&O insurance program can provide coverage for individual Directors and Officers and provide coverage to the company. These policies might provide exclusions of fines and penalties in the Definition of Loss as well as Bodily Injury/Property Damage exclusion and Professional Services exclusions.


    Insurers are now increasingly asking cybersecurity and cyber breach questions as part of the D&O underwriting process and insurers are also starting to evaluate aggregation of limits between D&O and Cyber policies.


    Risk managers are now playing an increasing role in identifying cyber risks related to the critical considerations of the board and management team. They need to understand Cyber and D&O policies and determine common points of overlap between them. It is critical to keep pace with cyber risk trends and the impact they have on D&O coverage.

