At Large
Say Yes to Cyber

• Tony Kuczinski
• June 2019
• 

The day that I sat down to write this column, the news headlines announced a major cyber intrusion of Citrix Systems. As cyberbreaches continue to make news, this is a risk that is top of mind for most executives.

According to the 2018 PwC CEO Survey, cyberthreats ranked as No. 1 for extreme concern to an organization's growth prospects by North American CEOs. Cyber is a risk that continues to evolve as criminals seek out new ways to obtain information and disrupt commerce, and as new regulations are passed whose compliance may challenge some companies, especially small- to medium-size businesses.

In 2017, the NotPetya attack, malware that masqueraded as ransomware, crippled businesses and created about $10 billion in damages worldwide. Facing significant losses, many businesses turned to their general liability, property or professional liability insurance policies, which typically lacked a cyber exclusion or specific cyber cover. This non-affirmative coverage, dubbed “silent cyber,” has since become an issue for insurers and commercial policyholders that will most likely be resolved in the courtroom for NotPetya and other cyberattacks.

As insurers proactively contemplate how best to manage silent cyber, insurance policies will better address this issue. The rise of silent cyber demonstrates that the need for affirmative cyber coverage is critical for companies of all sizes. General liability, property and professional liability policies were not built or priced to help protect companies from cyber.

Unlike many property damage claims, which can often wait a few days for a claims adjuster to arrive on location, once a cybersecurity incident occurs, response time is critical. Minutes may be the difference between stopping a criminal from gaining access to valuable data and losing it all.

Cybersecurity incidents require specialized related services to help prevent or mitigate any loss. As cyberthreats advance in complexity and persistence, partnering with best-in-class breach response experts is also critical to helping prevent or mitigate the damage from a cyberattack. Subject, of course, to the terms and limitations found in cyber policies, coverage for first-party breach response exists in affirmative cyber policies and provides 24/7 response capabilities to contain and remediate an event with minimal loss to an organization.

The good news is that more U.S. companies are purchasing cyber coverage. A survey by analytics firm FICO found that only 24% of U.S. firms reported having no cyber insurance coverage in 2018 compared with 50% in 2017. Unfortunately, only 32% said their cyber insurance covers all risks.

In 2003, California was the first state to pass a data breach notification law. Today, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, and a number of other countries, have data breach notification laws. As the legal environment continues to evolve, companies will need to be more aware and proactive in the way they handle data.

For instance, in the United States, the regulatory environment has increased the demand for contractually required cyber insurance. It also has intensified the requirements on companies to take proactive steps to manage the collection, use and handling of personal data.

Many small and midsize enterprises may not be aware of these regulations or may believe themselves to be exempt, which may not be true. In addition, the ability of an SME to recover from a cyber-related loss may be far less than that of a large company.

Cyberrisk isn't going away and the regulatory landscape will evolve. Having an effective pre- and post-cybersecurity incident response and access to legal counsel can help make it harder for bad actors to succeed. Securing a cyber insurance policy is also an important step in mitigating the risk.