Mitigating Cyber Risk: Strategies to Reduce Exposure

3/14/2014 Articles

By Tyler Gerking of Farella Braun + Martel and Mark Massey of Deloitte Financial Advisory Service

It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.

Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after gaining an understanding of the company’s security controls and individual risk profile. In the rush to buy cyber insurance, companies may too often fail to appreciate the strengths and weaknesses in their security controls, their risks and exposures, and the coverage they need.

While a variety of potential approaches exist for assessing cybersecurity requirements, this article discusses one method to help you understand your company’s risks and exposures, and how that knowledge can be used to choose the security and risk transfer strategy that most appropriately fits your needs.

Identify High-Value Data and Systems Subject to Disruption

Start with an evaluation of the company’s high-value data and IT system risks. First, talk with the business unit leaders—in plain English—about “The Rules and The Jewels” that exist in their respective business lines:

  • The Rules: What regulated data does the company store, which if stolen or lost could require consumer notification (i.e., health information, personally identifiable information and payment card information)?
  • The Jewels: What data might a hacker try to steal (e.g., customer lists, strategy documents, contact databases or secret formulas)?

Second, identify threats to the IT system that are not necessarily motivated by financial gain, but seek to disrupt the operations of the company or its customers. To do so, talk with the company’s IT department, along with security, privacy and other network professionals.

Prepare Probable Loss Estimates for Potential Events

Next, quantify the probable losses that the company could suffer because of a high-value data loss or system disruption. Through discussions with the relevant company personnel (IT, security and privacy, business unit leaders, risk management, legal and finance), record the following for each potential event:

  • The data or systems it likely will affect.
  • The costs associated with actions the company will be required to take in response.
  • The value of any assets that could be lost or damaged.
  • The value of any business relationships that could be harmed or destroyed.
  • Any indemnification obligations the company has to third parties.
  • Any indemnification rights the company has against third parties.
  • The potential cost of resulting litigation.

Then calculate the probable loss that each potential event may cause the company.

Link Identified Risks to the Company’s Security Controls

Once you know the company’s risks and exposures, analyze its existing security controls and make informed decisions about allocation of scarce investment dollars. If high-value data presents a particularly high exposure—as credit card and personally identifiable information does to a national retail chain—the company can invest in additional security controls to protect that high-value data. If a network disruption would cause large business interruption losses to the company or its customers, the company can focus its investments in that direction.

This process also can allow you to identify the strengths and weaknesses of the company’s security controls, which you can use to adjust the probable loss estimates.

Risk-Transfer Options

Armed with the knowledge about the company’s systems and risks, you will be able to develop the company’s risk-transfer strategy. Consider the company’s two basic risk-transfer options—indemnity agreements and insurance.

Indemnity Agreements

Consider whether the company can require its vendors to indemnify it against cyber exposures. If it is possible, closely scrutinize the protection any such agreement actually will give the company. While the indemnitor might be able to protect the company against a small-scale event, the indemnitor might not be able to do so if many of its customers are affected by a large event. Consider whether the indemnitor has:

  • The balance sheet to back up the indemnification obligation.
  • Sufficient insurance to secure its indemnification obligation.
  • The processes in place to respond as required.

Cyber Insurance

Cyber insurance policies offer a variety of coverages, some of which can provide the company more useful protection than others. Now that you understand the company’s risks and exposures in light of the analysis above, identify those coverages that are vital to the company and evaluate the proposed policy language to help ensure that the coverage is as broad as necessary.

The cyber insurance market is growing—currently there is no one standard policy form, and there is virtually no case law interpreting the various insurers’ forms. Ambiguities abound, but insurers often are willing to negotiate over and modify the policy’s terms.

Several examples of language issues:

  • Policies often cover losses arising out of a disruption of the company’s “computer system” or “network.” Policies might not define these terms or, if they do, the definition might narrowly include only hardware in the possession, custody or control of the insured. This potentially leaves no coverage for losses caused by the disruption of a third party’s system that supports the company’s network. The company should seek to negotiate a broad definition of “computer system” or “network.”
  • Policies do not always cover events relating to unencrypted mobile devices, such as a phone or tablet. Employees’ phones and tablets are often soft targets for hackers and easily lost. A company that allows employees to use personal phones or tablets for work should seek to ensure that coverage for such events is available.
  • Insurers may seek to exclude coverage for losses relating to the insured’s failure to maintain the security of its system in accordance with industry standards, internal policies or regulations. These exclusions can leave much room for dispute about the standards with which the insured must comply and, if applicable, potentially defeat the purpose of the cyber insurance policy, which is to cover cyber losses regardless of fault. The company should seek to persuade the insurer to eliminate any such exclusion.

Finally, consider the coverage limits that the company needs. Insureds commonly select limits based on a rudimentary “benchmarking” basis, comparing the limits that their peers have purchased in the past. This may not necessarily yield the limits that fit the company’s unique risk profile. Instead, consider using the information gleaned from the analysis above to evaluate the size of potential losses and claims that could be associated with any one event and select limits that sufficiently protect the company.

Incident Response Plan

The analysis described above can lead directly into the preparation of an incident response plan. This plan should define—before an event—who will be responsible for the response, as well as processes for insurance reporting, consumer notification, containment and recovery, root cause analysis, communications and litigation defense.

When Losses Occur

Your pre-loss work can prepare the company to respond to future loss events. When a loss occurs, the company already will have developed an incident response plan, as well as a clear understanding of its IT system and security controls, its personnel’s capabilities and responsibilities, its vendors and customers, its exposures and its insurance coverage. It should be prepared to effectively and efficiently respond to a cyber event.

Tyler Gerking is an insurance coverage partner in Farella Braun + Martel’s San Francisco office. Mark Massey is a principal in Deloitte Financial Advisory Service’s San Jose office. They can be reached at [email protected] and [email protected].

Reprinted with permission from the March 13, 2014 issue of Corporate Counsel. © 2014 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Firm Highlights


Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More

Farella Lawyers Recognized in The Best Lawyers in America® 2024 Edition

Read More

Who’s Who Legal 2023 Recognizes Farella Lawyers

Six Farella Braun + Martel lawyers have been recommended by Who’s Who Legal 2023 as leading practitioners in their fields. Who’s Who Legal – Environment 2023 James Colopy Robert Hines David Lazerwitz Chris Locke...

Read More

Chambers USA 2023 Recognizes Farella Braun + Martel Lawyers, Practices

Farella Braun + Martel is pleased to announce that Chambers USA has recognized 16 lawyers and six practice areas in the legal directory’s 2023 edition. Individual California and Western U.S. Rankings: Sarah Bell &ndash...

Read More

Farella Braun + Martel Attorneys Named to 2023 Northern California Super Lawyers and Rising Stars

Thirty-eight Farella Braun + Martel lawyers were named to the Super Lawyers and Rising Stars lists of top attorneys in Northern California for 2023. 2023 Farella Northern California Super Lawyers: Carly Alameda – Business...

Read More

Disputes Between Shareholders May Not Be Governed by Fiduciary Duties but Could Be Covered by Insurance

(As published in Private Company Director ) Disputes regarding ownership interests often arise in the context of closely held corporations, particularly when directors, officers, or majority shareholders sell or acquire ownership interests in the...

Read More

A Promise To Pay Is Just That: Two Courts Reject Insurers’ Bids To Escape Their Coverage Obligations by Complaining About Third Party Recoveries or Reductions in Liabilities

An insurer in Washington could not eliminate its coverage obligation based on its insured’s recovery from a third party.  T-Mobile USA, Inc. v. Steadfast Ins. Co., et al ., No. 82704-9-I, 2022 WL 17246715...

Read More

More Stringent California Claim Law Could Benefit Policyholders

To combat a perceived litigation tactic by plaintiffs counsel of using settlement demands within policy limits to set up insurers for bad faith, insurance company associations lobbied for statutory clarification to avoid uncertainty around...

Read More

Breach Cases Hint At Liability Coverage For Mobile Losses

More and more, companies generate revenue through the use of their customers' or users' mobile devices. This interaction takes many forms, from collecting transaction fees for mobile payments or cryptocurrency purchases to generating advertising...

Read More

Patrick Loi Selected to MCCA Sources of Success Program

Read More