Insured Success provides cutting-edge commentary on a range of insurance coverage issues affecting commercial policyholders. Reed Smith insurance recovery lawyers and guest speakers from around the world discuss emerging trends, legal developments and insurance best practices and provide timely insights to assist your organization.
Wednesday Dec 04, 2024
Hit by a cyberattack? You may be covered for that!
Cyberattacks, including hacks, ransomware and malware attacks, are on the rise. Nearly every industry has been or could be affected, including professional and financial services, manufacturing, distribution, health care, education, tech, retail, energy, government and non-profit. Experts believe this trend will only continue. But insurance may be able to help manage the growing risks, as Lisa Szymanski and Adrienne Kitchen discuss in this episode.
Transcript:
Intro: Hello, and welcome to Insured Success, a podcast brought to you by Reed Smith's insurance recovery lawyers from around the globe. In this podcast series, we explore trends, issues, and topics of interest affecting commercial policyholders. If you have any questions about the topics discussed in this podcast, please contact our speakers at insuredsuccess@reedsmith.com. We'll be happy to assist.
Adrienne: Welcome back to Insured Success. I'm Adrienne Kitchen, and I'm joined by Lisa Szymanski. Cyberattacks, including ransomware, business email compromise attacks, third-party breaches, network intrusions, inadvertent disclosures, and malware attacks are on the rise. Nearly every industry has been or could be affected, from professional and financial services to manufacturing and distribution, healthcare to education, tech to government, and non-profits and retail to energy. And experts believe this trend will only continue.
Lisa: The cyber threat landscape is quickly evolving, creating new and unique risks. Data and privacy breaches are disruptive, expensive, and embarrassing, and many lead to litigation. Malicious attacks are on the rise. So it's a question of when, not if, a business will suffer a data breach.
Adrienne: That's right, Lisa. And most states, including D.C. and the U.S. Minor Outlying Islands, have data breach notification statutes. A handful of states have statutes mandating methods by which businesses must secure data. The federal government also has enacted several statutes and regulations addressing data privacy and security in different realms, from health to finances and government to family.
Lisa: With respect to insurance, traditional insurance like commercial general liability policies typically exclude losses arising from a data breach. However, other policies like employment practices liability policies, directors and officers policies, errors and omissions, and even property policies may provide some cover. This is because security breaches may give rise to claims against management, commercial crime policies may cover certain direct losses, and computer fraud and property policies may provide cover for damage to types of electronic data.
Adrienne: An often overlooked, unpurchased, optional feature of some cyber policies is system failure insurance, which is usually triggered by an unplanned outage of a computer system resulting from operator error, erroneous updates of software, or a similar unintentionally damaging maintenance of computer systems. Another often overlooked aspect of cyber policy is customer attrition, which provides cover for lost profits due to a residual loss of customers following a service interruption.
Lisa: Data security and privacy liability policies may be placed as standalone policies, or coverage sections in package policies, or endorsements to traditional liability policies. All of this cover is relatively new, so the forms vary significantly and are always evolving. Data security and privacy liability insurance is negotiable, and policyholders should compare the policies and try to obtain bespoke coverage whenever possible. Generally speaking, data security and privacy liability policies may cover several risks, including, for example, misappropriation of private information, unintentional disclosure of private information leading to a risk of or actual identity theft, failure to protect confidential information from misappropriation or disclosure, failure to disclose or notify victims of a breach incident, violations of federal, state, local, or foreign laws governing data protection and privacy, including certain regulatory actions, as well as business interruption.
Adrienne: Data security and privacy liability policies may also cover certain costs incurred when a business responds to, investigates, or remedies a breach. This includes things like breach notification costs, attorneys' fees for legal assistance from privacy counsel following the breach (sometimes these are called breach coaches), the costs of a forensic examiner, various other response costs like maintenance of a system for those affected to communicate with the company, and remedial measures like credit monitoring and expense reimbursement. Policies may also cover defense and claims administration costs, damages, and consumer redress fund payments. They also may cover business interruption, costs to hire communications professionals to address the effects of negative publicity so the company can maintain goodwill, and other costs like replacing or restoring electronic information, extortion payments, and criminal rewards.
Lisa: Data security and privacy liability policies typically contain a number of exclusions, and I'd like to highlight a few of those for you. These include intellectual property violations, products liability, violations of anti-spam, blast fax, and similar laws, misconduct committed by senior management, infrastructure failures, inability to use, the performance of, development of, expiration of, or withdrawal of support of certain tech products and software, and content created by third parties.
Adrienne: Right. And as mentioned, cyber insurance is vital. It's also vital to check your kidnap, ransom, and extortion policies. They may cover things like ransomware attacks, although you want to take a look at your policy language because that is becoming less the norm, but the older policies do, and some may still. Cyber and KRE policies may cover the costs of independent forensic analysts, independent consultants, lawyers, and others, either expressly or as part of the loss mitigation coverage. Importantly, many policies have pre-approved vendors and counsel that must be used or require that the insurer give consent before the policyholder retains any vendors or counsel.
Lisa: Publicity costs may also be covered, and this is particularly important because reputational harm may be one of the largest damages to a corporation following a cyber attack. Adrienne, maybe you could talk about steps that policyholders can take before and after the breach to help protect their business.
Adrienne: Before the breach, selecting the right policy and the application process are crucial. You have to consider all possible areas of exposure and ensure your business has enough coverage for its risks. Cyberattacks are costly and can shut down a business completely if networks and computers are unusable, if the business cannot afford recovery costs, faces third-party liability, or cannot survive any temporary loss in income. Costs can vary and rise very quickly following a cyber attack. So it's vital to fully assess all potential exposures that your business might face and ensure you have adequate coverage, including for things like business interruption, ransomware payments, third-party liability, data recovery costs, legal fees, PR, and payment to customers. In determining what losses are likely, businesses should consider things like potential damages, including loss of a computer system or the data within, a business shutdown, potential fines and penalties, reputational damage, and things like theft and extortion. It's also really important to keep your IT security officers and the stewards of the IT systems in the loop when completing cyber insurance applications. Cyber insurance applications increasingly focus on cybersecurity infrastructure and controls, and an inadvertent error in an application may be used as a basis to deny coverage. So it is crucial to consult the people with the most information about your business's IT systems and keep them closely involved with the application process.
Lisa: It's also crucial to understand your company's specific risks and exposures. For first-party costs, where the company is hacked or is subject to a ransomware attack, look for coverage for notification and credit monitoring expenses if your customer's personal information could be stolen in a data breach. These expenses add up quickly. Some policies cover credit monitoring and identity theft protection services for customers as well. With respect to third-party costs, look for liability costs associated with a breach of personally identifiable information. Also look for coverage for lost business income and extra expense due to a cyber attack, including express coverage for mitigation costs, particularly if you use your own IT and cybersecurity salaried employees to respond to an attack, to the extent they are working to respond to and recover from a cyber attack. It is also important to look for defense costs in the event your business is sued following a breach.
Adrienne: Exactly. It's also important to consider obtaining coverage for employee or vendor acts. Insurers may decline claims if an employee or vendor with access to your data was at fault. Look for policies that include coverage for these kinds of incidents. Some policies bar coverage for rogue acts of employees but will cover the negligent acts of employees. This issue is increasingly important given the rise of social engineering fraud. Also be aware of sublimits that may leave your business without sufficient coverage following a social engineering fraud loss.
Lisa: Another thing you should do is consider obtaining retroactive coverage. The reason for this is that breaches can occur months before they are discovered. Consider whether your business would benefit from retroactive coverage of breaches that occur before the date of policy inception. This is particularly important if your company is a first-time buyer of cyber coverage. Another important step is to implement best practices and industry-recognized security measures. Cyber insurers frequently require policyholders to minimize security threats through a variety of security updates, multi-factor authentication methods, and other means. If a bad actor was able to infiltrate or circumvent security, and it's later discovered that the business's security policies and procedures were something other than what the policyholder stated in the application, or if the business was not using industry-standard security measures, the insurer may outright deny or severely limit coverage. To prove their compliance with policy terms, businesses should consider whether they need to retain professional IT security staff or an outside vendor to assess and maintain network and data security, to generate a comprehensive compliance assessment, and to document ongoing assessments and remediation steps taken in response to newly arising threats. Generally, businesses need the most recent security measures to mitigate vulnerabilities, including a firewall, intrusion detection and prevention systems, multi-factor authentication, restricting access to specific information, data backups, and encryption of data.
Adrienne: After a loss, it's important to notify all insurers that might provide coverage and review all of your policies to make sure there isn't coverage you might be missing in a policy that you would not expect to cover. You should also notify your excess and umbrella insurers, not just the primary insurers, because cyberattacks can wind up being very costly. Most cyber policies require immediate or nearly immediate reporting and frequently require that the loss be suffered during the policy period. So you should promptly report all claims, even ones without a loss, to avoid a denial based on late notice. Ensure you include all information required by each policy and comply with the notice requirements in the policies. It is crucial to report the event before engaging any vendors or incurring any costs. Many policies have pre-approved panel vendors and lawyers that must be used. This will minimize the insurer's ability to deny non-approved vendor expenses.
Lisa: Non-cyber policies, including general liability, first-party property, directors and officers coverage, kidnap, ransom, and extortion policies, and crime policies, may potentially cover cyber-related losses. You should work with your broker to review these policies and provide notice if there is even a possibility the cyber event may be covered under those policies. Make sure you include all the required information and comply with other notice requirements for each type of policy, which can vary from policy to policy.
Adrienne: Excellent point, Lisa. It's also important to incorporate claim considerations into your response and recovery plan. Once a claim is reported, you have to submit a proof of loss, which includes a detailed description of the loss, time, place, and cause, and a calculation of losses along with underlying supporting documentation. The submission date for proofs of loss varies from policy to policy, and because expenses are frequently ongoing, the policyholder may need to request an extension of time or file more than one proof of loss or both. Coverage positions and theories should be well thought out and considered prior to the claim and proof of loss process in order to reduce disputes afterward.
Lisa: Thanks, Adrienne. I'd like to spend a minute now speaking about a narrative of events. This is something that insurers frequently want from policyholders. Documenting recovery efforts in real time is critical. It includes listing impacted systems, dates of partial and full restoration, details about interruptions to operations and revenue and manual workarounds, or incremental hours to continue operations or minimize slowdowns. A narrative should discuss the impact of the breach on the business's production or its ability to provide services, the response to make up lost production or services, lost or canceled orders, including permanent customer or contract losses, and the ability of customers to purchase products and services from competitors. As part of this tracking process, ensure that all incurred costs are reasonable and necessary.
Adrienne: And just a note about KRE policies, kidnap, ransom, and extortion, and malware, in the event that you get a demand to pay money to get your data back. You need to be aware of OFAC prohibitions against payments to the threat actors. The U.S. Department of the Treasury's Office of Foreign Assets Control, OFAC, has an advisory discussing this. There's frequently a list of businesses and states that you cannot pay for ransom or extortion demands. So you want to keep track of that and make sure you're not violating any of those.
Lisa: With respect to hiring third-party vendors, depending on the type and scope of the breach, third-party IT vendors may be critical to the response and recovery following a cyber event, including assisting with public relations, crisis management, breach management, forensic investigations, and data or system restoration. Some policies will pay only for vendors from a pre-approved panel. If a business retains vendors outside of the pre-approved panel, these costs may be denied or only partially reimbursed. In order to maximize coverage for vendor work, ensure your vendors provide detailed information to your cyber insurer, including detailed statements of work and detailed records of work performed by each employee. Separating the statements of work for system enhancements and improvements is critical because cyber policies frequently will not cover upgrades to the existing system. Due to the nature of cyber events, these upgrades are inevitable as a breach exposes weaknesses in the existing security system. It is also important to separate expenses related to replacement of damaged or corrupted items that cannot be restored and hardware purchases made to minimize disruptions to operations.
Adrienne: Great points. Another thing that's very important to do is to hire a forensic accountant. For extensive business interruption losses, which are common with cyberattacks, a company may need a forensic accountant to assist with the preparation of a proof of loss for business income, extra expense, and other losses. The forensic accountant can help identify, quantify, and maximize the losses based on the terms of the cyber policy. They will advocate for your business in discussions with any forensic accountants hired by the insurer. The same warnings that Lisa just discussed apply here regarding retaining a vendor from the insurer's pre-approved panel. Lisa, what about interacting with the insurer post-loss?
Lisa: Thanks, Adrienne. I'd love to discuss that. If the insurer's reservation of rights or denial letter includes any inaccurate information, be sure to correct those misstatements immediately. Most cyber policies require the policyholder to keep the insurer apprised of major developments as they arise. It is important to include in your response plan a way to track and inform all the insurers of these developments. Provide all bills to the insurer promptly and ensure they audit the bills in a timely manner. One thing that is very important to do is to always secure written consent from the insurer before paying or promising to pay any demanded ransom or a settlement with any claimants.
Adrienne: Yes, that is vital. There are some pitfalls that we have not discussed. Be aware of your coverage for notification costs. The cost of notifying those impacted by a data breach may or may not be covered by your policy, even if those disclosures are required by law.
Lisa: Right. And there are severe and various penalties related to the disclosure of personally identifiable information. If you are responsible for housing or have access to third parties' personally identifiable information, you may need coverage in the event that data is compromised.
Adrienne: Exactly. And if one exists, it's important to follow your insurance company's mitigation protocol to avoid the inadvertent destruction or alteration of evidence the carrier may need to investigate the claim. Consider running tabletop exercises so key personnel know the plan on how to respond to a cyber attack even before an attack occurs.
Lisa: Another exclusion that may bar coverage is a contractual liability exclusion. Policyholders should be sure to review policy language and ensure that their company is adequately protected, particularly with respect to risks that may arise via contractual obligations and relationships. It is also important to ensure that you have the proper protections from third parties with which your company does business.
Adrienne: Exactly. Another exclusion or other exclusions are war, terrorism, or act of foreign enemy exclusions. They may bar coverage. It is important to negotiate carve-outs to these exclusions to ensure your policy covers cyberattacks that originate outside your country during the placement of those policies.
Lisa: Carriers are also rewording policies to limit coverage to theft of data, which could exclude coverage for data exposures caused by an employee's negligence. Negligence is the cause of nearly one-third of cyberattacks, and it is important to work with your broker or coverage counsel to ensure that negligent disclosure of data will be covered.
Adrienne: Yes, and there's training that you can do in advance, you know, various "here's how to recognize a cyber attack" training that your business may want to also consider doing. And as always, hire experienced coverage counsel. You can hire them when you're placing your cyber policies so they can review them, and of course, in the event of a loss, to review all of your policies and help you recover as much as you can.
Lisa: Thanks so much, Adrienne, and thanks to everyone for listening today. If you have any questions, please do not hesitate to reach out to either Adrienne or me. We'd be glad to assist.
Outro: Insured Success is a Reed Smith production. Our producer is Ali McCardell. This podcast is available on Spotify, Apple Podcasts, Google Podcasts, PodBean, and reedsmith.com. To learn more about Reed Smith's insurance recovery group, please contact insuredsuccess@reedsmith.com.
Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.
All rights reserved.
Transcript is auto-generated.