Demystifying Cyber Liability Insurance: Common Business Oversights and Best Practices

By Robin Kester*

June 2017


I. Common Business Oversights

Even when businesses and organizations purchase cyber liability insurance, there are often common business oversights.  For example, with respect to small to midsize businesses, there is a fear that they will have a false sense of security from purchasing insurance.[1]  As a result, these businesses may fail to implement training, process, and technology that are essential to having an all-encompassing cybersecurity program.[2]

You still don’t allow unsafe workplace conditions once you have a workers’ compensation policy in place. Your business is still required to take the necessary steps to create a safe workplace, while the workers’ compensation insurance is in place to protect in the unlikely event that something does happen.  Despite having such protections in place, employee accidents often have very real consequences.[3]

In other words, organizations should continue to put appropriate cybersecurity preventative measures in place, and not simply rely only on having cyber insurance.  Some small businesses have also made the following mistakes with respect to cybersecurity:

  • Not planning for a breach and not having a response plan in place.[4]
  • Assuming the business is protected under general liability insurance.[5]
  • Failing to monitor employee behavior.[6]
  • Failing to invest in cybersecurity software.[7]

Moreover, businesses are especially vulnerable throughout the time of a merger or acquisition for the following reasons:[8]

  • “They may not be fully investing in updates and system upgrades.”[9]
  • “Data shows an average of 200+ days for companies to detect advanced persistent threats, so the impact of a cyber deficiency in an acquired company may not be visible immediately.”[10]
  • “The acquirer may not be engaged sufficiently on cyber and information technology issues immediately after its investment to catch weaknesses and allocate resources quickly.”[11]

In addition, the cyber risk of the target company should be assessed in the due diligence phase of an acquisition or merger.[12]  Previous cyber breaches can affect the value of the deal, including the return on investment, the confidence of the deal, and the acquiring company’s reputation.[13]

II. Best Practices

With respect to public companies, directors have a duty to oversee the cybersecurity program.[14]  A public company director’s “duty of oversight” generally stems from the concept of good faith. As noted in the seminal case, In re Caremark Int’l, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), as a general matter “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that the failure to do so in some circumstances, may, in theory, at least render a director liable for losses caused by non-compliance with applicable legal standards.”[15]  However, the business judgment rule protects a director’s “informed” and “good faith” decisions unless the decision cannot be attributed to any rational business purpose.[16]  In today’s world it would be hard to argue that cybersecurity should not be part of any organization’s enterprise risk management function, and thus, by inference, part of any director’s duty of oversight.[17]

In other words, the duty of oversight likely encompasses cybersecurity.  This would mean that any damages that occurred as a result of a director’s failure to provide an adequate system or monitoring/reporting plan regarding cybersecurity could, in theory, result in personal liability for the director.

A. Preparing for a Data Breach

One of the best ways for an organization to prepare for a data breach is to run a data breach simulation, similar to a fire drill.[18]

From the moment a breach is revealed, an incident response team needs to be able to get into formation and respond to a crisis that will yield new demands and challenges by the minute. If the team members have practiced and refined their response, they’re much more likely to minimize damage to the company, its systems and its clients or customers whose information might have been stolen or compromised.  Then, in investigations and litigation that are common after a significant breach, regular exercises will show that the company was as prepared as they could have been.[19]

In other words, a company that has a response team in place and has practiced a simulated data breach will be in a better position to minimize damage to the company.  Moreover, having a response plan and a record of practiced simulations will help in a company’s defense in litigation by showing that the company was prepared for a data breach.[20]

B. Utilizing Outside Counsel

In a data breach simulation, outside counsel should be used for designing and running the simulation.[21]  This is particularly important because of discovery implications, especially when people may be taking notes and discussing hypothetical situations.[22]  “It’s not airtight, nothing’s hermetically sealed, but you maximize the degree of protection and confidentiality by having outside counsel run the exercise,” said Devore & DeMarco LLP partner Joseph DeMarco, who formerly served as a U.S. attorney for the Southern District of New York.[23]

C. Other Considerations

Organizations and businesses should also take the following into consideration regarding cybersecurity:

  • “Maintain written policies and procedures.”[24]
  • “Have a security guru, if possible.”[25]
  • “Use proper security software.”[26]
  • “Implement employee security measures.”[27]
  • “Secure data wherever it is.”[28]
  • “Secure credit card transactions.”[29]
  • “Routinely backup . . . data.”[30]
  • “Require service providers to include security in their contracts.”[31]
  • “Regulate social media use.”[32]
  • “Monitor . . . website content.”[33]
  • “Monitor Applications with Access to Data.”[34]
  • Limit User Access to Systems by Creating Specific Access Controls.[35]
  • “Collect Detailed [System] Logs.”[36]
  • “Maintain [Up-to-Date] Security Patches.”[37]
  • “Educate and Train . . . Users.”[38]
  • “Outline Clear Use Policies for New Employees and Vendors.”[39]
  • Monitor User Activity.[40]
  • “Create a Data Breach Response Plan.”[41]

In summary, cyber liability insurance is available to help businesses mitigate their risks of a data breach.  However, businesses and organizations should not solely rely on cyber liability insurance.  Instead, businesses should continue to implement cybersecurity preventative measures and follow best practices to minimize the damages and risks of cyber-attacks.  Businesses should also prepare for data breaches by developing a response plan and practicing simulations while utilizing outside counsel.

* Robin is a solo law practitioner in Greensboro, NC at the Law Office of Robin L. Kester. She received a B.S. degree in Computer Science from High Point University, an M.S. degree in Computer Science from Wake Forest University, and a J.D. from Elon University School of Law.  Robin’s practice areas include general business formation, technology consulting, contract review/drafting, and providing estate planning services.

[1] See Vijay Basani, Opinion: Cybersecurity Insurance – Weighing the Costs and the Risks, MarketWatch (Mar. 25, 2015), http://www.marketwatch.com/story/cybersecurity-insurance-weighing-the-costs-and-the-risks-2015-03-25/print.

[2] See id.

[3] Id.

[4] See Sammi Caramela, Cybersecurity: A Small Business Guide, Bus. News Daily (July 11, 2016), http://www.businessnewsdaily.com/8231-small-business-cybersecurity-guide.html (last visited Jan. 22, 2016).

[5] See id.

[6] See id.

[7] See id.

[8] Natasha G. Kohne, Michelle A. Reed & David S. Turetsky, Tackling Cybersecurity in the Boardroom: Special M&A Considerations, Akin Gump: AG Deal Diary (Nov. 19, 2015), https://www.akingump.com/en/experience/practices/corporate/ag-deal-diary/tackling-cybersecurity-in-the-boardroom-special-m-a.html (last visited Jan. 28, 2016).

[9] Id.

[10] Id.

[11] Id.

[12] Cyber Due Diligence: Uncovering the Newest Threats Through Your Merger & Acquisition Activities, PWC Hong Kong (Oct. 2, 2015), http://www.pwccn.com/webmedia/doc/635791417821394319_ra_due_diligence.pdf.

[13] Id.

[14] Kevin LaCroix, Guest Post: Cyber Security, Cyber Governance, and Cyber Insurance: What Every Public Company Director Needs to Know, The D&O Diary (June 4, 2014), http://www.dandodiary.com/2014/06/articles/cyber-liability/guest-post-cyber-security-cyber-governance-and-cyber-insurance-what-every-public-company-director-needs-to-know/.

[15] Id.

[16] Id.

[17] Id.

[18] Melissa Maleske, How to Run a Data Breach Fire Drill, Law360 (Jan. 13, 2016), http://www.law360.com/articles/745608/how-to-run-a-data-breach-fire-drill (last visited Jan. 26, 2016).

[19] Id.

[20] Id.

[21] Id.

[22] Id.

[23] Id.

[24] Samantha Cruff, Understanding Important Cyber Security Issues, Law.’s Mutual (Apr. 2015), http://www.lawyersmutualnc.com/risk-management-resources/articles/understanding-important-cyber-security-issues.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] Id.

[31] Id.

[32] Id.

[33] Id.

[34] Matt Zanderigo, 10 Best Practices for Cyber Security in 2016, ObserveIt (Apr. 15, 2016), http://www.observeit.com/blog/10-best-practices-cyber-security-2016 (last visited on Nov. 11, 2016).

[35] Id.

[36] Id.

[37] Id.

[38] Id.

[39] Id.

[40] Id.

[41] Id.
