Insights
Publications

Mitigating Cyber Risk: Strategies to Reduce Exposure

3/14/2014 Articles

By Tyler Gerking of Farella Braun + Martel and Mark Massey of Deloitte Financial Advisory Service

It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.

Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after gaining an understanding of the company’s security controls and individual risk profile. In the rush to buy cyber insurance, companies may too often fail to appreciate the strengths and weaknesses in their security controls, their risks and exposures, and the coverage they need.

While a variety of potential approaches exist for assessing cybersecurity requirements, this article discusses one method to help you understand your company’s risks and exposures, and how that knowledge can be used to choose the security and risk transfer strategy that most appropriately fits your needs.

Identify High-Value Data and Systems Subject to Disruption

Start with an evaluation of the company’s high-value data and IT system risks. First, talk with the business unit leaders—in plain English—about “The Rules and The Jewels” that exist in their respective business lines:

  • The Rules: What regulated data does the company store, which if stolen or lost could require consumer notification (i.e., health information, personally identifiable information and payment card information)?
  • The Jewels: What data might a hacker try to steal (e.g., customer lists, strategy documents, contact databases or secret formulas)?

Second, identify threats to the IT system that are not necessarily motivated by financial gain, but seek to disrupt the operations of the company or its customers. To do so, talk with the company’s IT department, along with security, privacy and other network professionals.

Prepare Probable Loss Estimates for Potential Events

Next, quantify the probable losses that the company could suffer because of a high-value data loss or system disruption. Through discussions with the relevant company personnel (IT, security and privacy, business unit leaders, risk management, legal and finance), record the following for each potential event:

  • The data or systems it likely will affect.
  • The costs associated with actions the company will be required to take in response.
  • The value of any assets that could be lost or damaged.
  • The value of any business relationships that could be harmed or destroyed.
  • Any indemnification obligations the company has to third parties.
  • Any indemnification rights the company has against third parties.
  • The potential cost of resulting litigation.

Then calculate the probable loss that each potential event may cause the company.

Link Identified Risks to the Company’s Security Controls

Once you know the company’s risks and exposures, analyze its existing security controls and make informed decisions about allocation of scarce investment dollars. If high-value data presents a particularly high exposure—as credit card and personally identifiable information does to a national retail chain—the company can invest in additional security controls to protect that high-value data. If a network disruption would cause large business interruption losses to the company or its customers, the company can focus its investments in that direction.

This process also can allow you to identify the strengths and weaknesses of the company’s security controls, which you can use to adjust the probable loss estimates.

Risk-Transfer Options

Armed with the knowledge about the company’s systems and risks, you will be able to develop the company’s risk-transfer strategy. Consider the company’s two basic risk-transfer options—indemnity agreements and insurance.

Indemnity Agreements

Consider whether the company can require its vendors to indemnify it against cyber exposures. If it is possible, closely scrutinize the protection any such agreement actually will give the company. While the indemnitor might be able to protect the company against a small-scale event, the indemnitor might not be able to do so if many of its customers are affected by a large event. Consider whether the indemnitor has:

  • The balance sheet to back up the indemnification obligation.
  • Sufficient insurance to secure its indemnification obligation.
  • The processes in place to respond as required.

Cyber Insurance

Cyber insurance policies offer a variety of coverages, some of which can provide the company more useful protection than others. Now that you understand the company’s risks and exposures in light of the analysis above, identify those coverages that are vital to the company and evaluate the proposed policy language to help ensure that the coverage is as broad as necessary.

The cyber insurance market is growing—currently there is no one standard policy form, and there is virtually no case law interpreting the various insurers’ forms. Ambiguities abound, but insurers often are willing to negotiate over and modify the policy’s terms.

Several examples of language issues:

  • Policies often cover losses arising out of a disruption of the company’s “computer system” or “network.” Policies might not define these terms or, if they do, the definition might narrowly include only hardware in the possession, custody or control of the insured. This potentially leaves no coverage for losses caused by the disruption of a third party’s system that supports the company’s network. The company should seek to negotiate a broad definition of “computer system” or “network.”
  • Policies do not always cover events relating to unencrypted mobile devices, such as a phone or tablet. Employees’ phones and tablets are often soft targets for hackers and easily lost. A company that allows employees to use personal phones or tablets for work should seek to ensure that coverage for such events is available.
  • Insurers may seek to exclude coverage for losses relating to the insured’s failure to maintain the security of its system in accordance with industry standards, internal policies or regulations. These exclusions can leave much room for dispute about the standards with which the insured must comply and, if applicable, potentially defeat the purpose of the cyber insurance policy, which is to cover cyber losses regardless of fault. The company should seek to persuade the insurer to eliminate any such exclusion.

Finally, consider the coverage limits that the company needs. Insureds commonly select limits based on a rudimentary “benchmarking” basis, comparing the limits that their peers have purchased in the past. This may not necessarily yield the limits that fit the company’s unique risk profile. Instead, consider using the information gleaned from the analysis above to evaluate the size of potential losses and claims that could be associated with any one event and select limits that sufficiently protect the company.

Incident Response Plan

The analysis described above can lead directly into the preparation of an incident response plan. This plan should define—before an event—who will be responsible for the response, as well as processes for insurance reporting, consumer notification, containment and recovery, root cause analysis, communications and litigation defense.

When Losses Occur

Your pre-loss work can prepare the company to respond to future loss events. When a loss occurs, the company already will have developed an incident response plan, as well as a clear understanding of its IT system and security controls, its personnel’s capabilities and responsibilities, its vendors and customers, its exposures and its insurance coverage. It should be prepared to effectively and efficiently respond to a cyber event.

Tyler Gerking is an insurance coverage partner in Farella Braun + Martel’s San Francisco office. Mark Massey is a principal in Deloitte Financial Advisory Service’s San Jose office. They can be reached at [email protected] and [email protected].

Reprinted with permission from the March 13, 2014 issue of Corporate Counsel. © 2014 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights

News

Farella Braun + Martel Earns 2024 Best Law FirmsĀ® Rankings

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

Insurance Market Crushes Wineries and Wine Country Homeowners

We keep hearing about how difficult it is for winery and vineyard owners to get property insurance these days, both for their homes and their wine businesses in California’s wildfire-prone areas. Those who have...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Regulatory Changes Underway To Address Dwindling California Property Insurance Market

We keep hearing about how difficult it is for our clients to get property insurance these days, both for homes and businesses in Northern California’s wildfire-prone areas. Which, of course, is most of Northern...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part Two)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, Peter J. Georgiton, and J. Mark Hart Part 1 of our two-part article addressed the circumstances in which an insurer can directly pursue malpractice claims against...

Read More
Publication

When Can an Insurer Pursue a Malpractice Claim Against Defense Counsel Retained for an Insured? (Part One)

By Jalen M. Brown, Kristin Davis, Shanti Eagle, PeterJ. Georgiton, and John Mark Hart When an insurer accepts an insured’s tender and agrees to provide a defense, it is often an afterthought as to whether...

Read More
Publication

Disputes Between Shareholders May Not Be Governed by Fiduciary Duties but Could Be Covered by Insurance

(As published in Private Company Director ) Disputes regarding ownership interests often arise in the context of closely held corporations, particularly when directors, officers, or majority shareholders sell or acquire ownership interests in the...

Read More
Publication

Reporting Dispute Claims Within Closely Held Wineries

Many wineries operate as closely held companies, meaning they’re owned by an individual or small group of shareholders, who are often members of the same family. Disputes regarding ownership interests can arise, particularly when directors...

Read More