the role of insurance in a cyber risk management strategy
play

The Role Of Insurance In A Cyber Risk Management Strategy By James E. - PDF document

Nov 16, 2022 •315 likes •358 views

Portfolio Media. Inc. | 111 West 19 th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com The Role Of Insurance In A Cyber Risk Management Strategy By James E.

  1. Portfolio Media. Inc. | 111 West 19 th Street, 5th Floor | New York, NY 10011 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com The Role Of Insurance In A Cyber Risk Management Strategy By James E. Scheuermann July 14, 2017, 11:34 AM EDT Property insurance for commercial operations universally includes coverage for fire losses. But no CEO or risk manager thinks that fire insurance encompasses the whole of prudent risk management for fire. No prudent warehouse owner would operate a warehouse without some type of fire control devices or alarms. No reasonable safety officer in an office tower thinks that fire insurance is a good substitute for evacuation plans. And, fortunately, it is equally rare for corporate insureds to treat cyber insurance as the whole of their cyber risk management plans. But many insureds make a closely related, and potentially equally serious, mistake — they treat cyber insurance as a distinct and independent silo, not an integrated part of a comprehensive cyber risk management strategy. James E. Scheuermann Effective risk management requires coordinated strategic action on many fronts. For any known risk that presents itself to a corporation, the responsible decision makers need to decide whether the risk in particular is to be avoided, accepted, mitigated or transferred.[1] With few exceptions, the risk manager is not in a position to decide entirely on her own, with respect to any particular cyber risk, which of these four options is most cost-beneficial and risk- beneficial for the company. Her function focuses on risk transference, and even as to that only through insurance policies and not also through other vehicles (e.g., indemnification clauses in vendor contracts). Effective management of cyber risk typically involves, then, a dialogue among the CEO, other responsible corporate executives and the risk manager, at a minimum. The decision whether a risk is to be avoided, accepted, mitigated or transferred is the end-product of a deliberative process, not the beginning. For cyber risk, this is the space in which business objectives and judgment loom large, where risks are identified and assessed, where subject matter expertise from the CEO, CIO and CISO, CFO, the GC and the risk manager must be considered, and where cost-benefit and cost-risk analyses come into play. That deliberative process is far more likely to reach reasoned and desired outcomes when the risk manager is at the table and actively engaged in the discussions. If the CISO advises that a specific cyber risk cannot be entirely avoided as a technical matter, for example, and if the CEO declares that commercial constraints prevent it from being transferred to vendors, customers or business partners, then risk transfer through cyber insurance may be the preferred vehicle for the management of that risk, if that vehicle is available. If cyber insurance is not available, in-house mitigation strategies may

  2. need to be developed. Because financial resources are never infinite, whether some portion of the cyber risk management budget would be better spent by the IT department, or by the risk manager’s purchase of additional cyber insurance limits, can only be answered by a vetting and common understanding of the company’s cyber risks and technical and insurance tools available to manage them. One of the risk manager’s tasks in that pre -incident dialogue is to educate her colleagues on both the scope of cyber insurance coverage and its limitations so that the management team knows what cyber risks it can transfer to insurers and those risks whose management requires other solutions. Cyber insurance covers many cyber risks, and it usually is negotiable to cover more than the insurer initially offers, but it doesn’t cover all cyber risks. Consider the following examples: • Most cyber insurance policies do not cover bodily injury or property damage caused directly by a cyber event. When the responsible officers know that the company bears that risk uncovered, alternative risk management strategies can be implemented. • Virtually all cyber insurance policies provide coverage for the costs of notification to third parties (usually consumers or healthcare patients) whose personal information has been stolen. Some of these policies limit the notification coverage to a specified number of people. The insurer will not cover the notification costs to individuals beyond that defined universe. Does the company need an excess policy to cover that risk or can it negotiate a number sufficiently large, at a premium it can afford, to address that risk? • Most, but not all, cyber policies provide business interruption coverage for lost profits and ongoing expenses following a cybersecurity event that disrupts the company’s computer systems’ operations. For purposes of calculating covered business interruption losses, some cyber policies limit the period of restoration of the computer systems to normal operation after a cybersecurity incident to 30 or 60 days. While that limitation often can be negotiated to a longer period, unless the CIO and the risk manager are communicating with each other on the CIO’s best estimate of how long it will take to be back to normal operations after a data breach, a ransomware attack, an infection by malware or a virus, or a denial of service attack, the risk manager is forced to guess at the right number of days. • Many cyber policies contain subrogation clauses that provide that the insured will not do anything to impair the insurer’s subrogation rights against third parties. The risk manager is uniquely positioned to raise the question whether the indemnification provisions in vendor and customer contracts have been drafted such that they may defeat the cyber insurer’s subrogation rights, and thus create a defense to coverage by the insurer. The consideration of the principal legal consequences that may result from a data breach of personally identifiable information or personal health information also illuminates the need to make the risk manager an integral part of the company’s cyber risk management team . These legal consequences include: • notification obligations to affected individuals • regulatory investigations and information requests • regulatory fines or penalties • Payment Card Industry (“PCI”) fines or assessments • preservation of evidence • dealings with law enforcement (the FBI, DOJ)

  3. • disputes and/or litigation with: • business partners (e.g., joint venture partners, joint IP development partners) • vendors • customers • consumer class actions Each of these consequences likely will implicate the company’s cyber insurance. How the GC handles them may bolster the insurance clai m or seriously undermine it. The GC’s favorite law firm may not be on the cyber insurer’s list of panel counsel. The company’s breach response plan may have provisions for the conduct of a forensic investigation that is not sufficiently attentive to the in surer’s contractual right to be part of that investigation or even to conduct that investigation through its hand-picked vendor. Moreover, the inadvertent destruction of evidence in that forensic investigation may create defenses to coverage (e.g., the “hostile action” defense or causation defenses) that otherwise would not exist. In addition to these legal consequences, consider the adverse business consequences of a data breach, ransomware attack or other cybersecurity incident. To identify just a few, these exposures include: • loss of profits arising out of business interruption • the additional expenses to mitigate such loss of profits • damage to data, software, computers, and other tangible property • the loss of goodwill and brand reputation Again, each of these adverse consequences is packed with cyber insurance implications. Some of these effects are likely to be covered in whole or in part (depending on policy retentions, limits and sublimits or applicable time limitations) and some may not be covered at all. The CEO and her financial team would benefit from knowing, before a cybersecurity incident, how much and what types of business risk the company has transferred to its carriers or third parties, how much it has retained, and how it is managing the retained risk through other methods. Equally, the risk manager needs to know the answers to these questions to advise her colleagues and the board on the adequacy of the company’s cyber coverage. Cyber insurance limits in the tens of millions of dollars may be more than sufficient or far from adequate, depending on a number of factors. Cyber insurance is a critical part of a proactive, comprehensive and integrated corporate strategy of cyber risk management. The terms of cyber policies are negotiable, which is especially good news since “off -the- shelf” cyber policies often have coverages that an insured does not need or lack coverages that may be critical to the risks faced by a discrete subset of corporate insureds. A risk management dialogue among the responsible executive management, including the risk manager, to decide which risks to transfer through cyber insurance, and in what amounts, and which risks the company can and will manage by other means, promises to lead to better, cost-effective outcomes both prior to and after a cybersecurity event. James E. Scheuermann is a partner of K&L Gates LLP, where he represents policyholders in insurance coverage matters.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management

Introduction to Cyber Risk & Insurance Prepared for the Construction Financial Management Association Date: August 18, 2016 Agenda An Overview of Cyber Risk Exposures 1. Legal & Regulatory Trends 2. Marshs Cyber Risk Management

649 views • 31 slides
Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

AUGUST 25, 2015 Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks Tyler Gerking, Partner David B. Smith, CPCU, ARM, Insurance & Risk Management Consultant What is Cyber Insurance?

368 views • 10 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As

Cyber insurance covers the losses relating to damage to, Cyber Risk Insurance or loss of information from, IT systems and networks. 1. Do I need it? As a business of any size, it is likely you will rely on information technology (IT)

253 views • 6 slides
Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation

Risk Mitigation Services in Cyber Insurance Underwriting Sponsored By: 1 Risk Mitigation Services in Cyber Insurance Underwriting www.advisenltd.com Paper Beware the Botnets: Botnets Correlated to a Higher Likelihood of a Significant

671 views • 22 slides
Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior Healthcare Risk Management and

Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior Healthcare Risk Management and

Cyber Risk in Healthcare AOHC, 3 June 2015 Kopiha Nathan , Senior Healthcare Risk Management and Data Specialist James Penafiel , Underwriting Supervisor, Insurance Operations PARTNERING TO CREATE THE SAFEST HEALTHCARE SYSTEM CFPC Conflict of

498 views • 33 slides
Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM,

Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM,

Cyber risk and insurance Dr. Katsiaryna (Kate) Labunets Safety and Security Sciences group TPM, TU Delft E: k.labunets@tudelft.nl 1 Outline Who am I? Definitions Motivation Cyber insurance market: Current practice

828 views • 46 slides
What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

579 views • 12 slides
Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to

Technology and Cyber Wrap up Navigating the changing and challenging risk landscape How to prepare for Cyber Risk: 3 2 1 Understand the tech & Cyber insurance Focus on company interconnected risks culture 2 Policy: Protection &

774 views • 18 slides
Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th

Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th

Blockchain and Cyber Risk Part of an Ongoing Webinar Series on Insurance Innovation October 18 th , 2017, 11 AM Eastern Blockchain and Cyber Risk Visit www.advisenltd.com at the end of this webinar to download: Copy of these slides

537 views • 19 slides
TO INDUSTRY SPECIFIC FACTORS SOUTH AFRICA Presenter: Credit Risk I Strategy and Risk Management

TO INDUSTRY SPECIFIC FACTORS SOUTH AFRICA Presenter: Credit Risk I Strategy and Risk Management

ADAPTING A STANDARDIZED CREDIT RATING METHODOLOGY TO INDUSTRY SPECIFIC FACTORS SOUTH AFRICA Presenter: Credit Risk I Strategy and Risk Management I Division: Asset and Liability Management | 11 June 2014 TABLE OF CONTENTS The Role and

489 views • 23 slides
Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk

Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk

Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk Management? Risk Management is the process of making and implementing decisions that will minimize the adverse effects of accidental and business losses on

459 views • 25 slides
Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino,

Assessing your Cyber Risk A Real Life Case Study Presented by: Liz Limjuco, Marsh Mike Paulino, CSG International Cindy Stevens, Colorado Springs Utilities Agenda What is Cyber Insurance Overview of Cyber Risk Quantifying Cyber

508 views • 23 slides
Risk Management and Insurance Services May 13, 2020 Our Mission Work together to create a

Risk Management and Insurance Services May 13, 2020 Our Mission Work together to create a

Risk Management and Insurance Services May 13, 2020 Our Mission Work together to create a risk management and insurance program that will allow you to responsibly manage growth, control costs while protecting the assets of our client. Our

431 views • 8 slides
NEW PARADIGMS IN INSURANCE OLIVER WYMAN PRESENTATION PRESENTED BY # INSURETECHCONNECT Insurance

NEW PARADIGMS IN INSURANCE OLIVER WYMAN PRESENTATION PRESENTED BY # INSURETECHCONNECT Insurance

0 NEW PARADIGMS IN INSURANCE OLIVER WYMAN PRESENTATION PRESENTED BY # INSURETECHCONNECT Insurance plays a vital role in society Pools risk across groups Enables risk-taking Signals inherent risk Controls losses Provides credit

602 views • 17 slides
Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program

Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program

Managing Cyber Risk for State Governments IU Cybersecurity Risk Management Program Multidisciplinary (Law, Secure Computing, & Business) Built on IUs Cybersecurity Certificates Applied Cybersecurity Risk Management Capstone

1.22k views • 75 slides
Strategic overview Professor Heather Nel October 2018 Overview Vision 2020 strategic plan

Strategic overview Professor Heather Nel October 2018 Overview Vision 2020 strategic plan

Strategic overview Professor Heather Nel October 2018 Overview Vision 2020 strategic plan Listening campaign VCs inaugural address Our iconic namesake Our institutional profile: 2018 One of 6 comprehensive universities in South Africa

658 views • 18 slides
Toit te Whenua Toiora te Wai Our challenge Ken Taylor Why a challenge? 2012 a fresh

Toit te Whenua Toiora te Wai Our challenge Ken Taylor Why a challenge? 2012 a fresh

Our Land and Water National Science Challenge: Toit te Whenua Toiora te Wai Our challenge Ken Taylor Why a challenge? 2012 a fresh look at our science The National Science Challenges The 11 National Science Challenges focus

445 views • 12 slides
A SADC regional response to the SDGs Regional Collaboration Case Study: Masters Programme in

A SADC regional response to the SDGs Regional Collaboration Case Study: Masters Programme in

A SADC regional response to the SDGs Regional Collaboration Case Study: Masters Programme in Climate Change and Sustainable Development Piyushi Kotecha Chief Executive Officer: SARUA Presented by Prof Ihron Rensburg Vice-Chancellor,

311 views • 29 slides
From Competence to Capability learning laboratories in postgraduate pedagogy learning

From Competence to Capability learning laboratories in postgraduate pedagogy learning

From Competence to Capability learning laboratories in postgraduate pedagogy learning laboratories in postgraduate pedagogy Martin Reynolds School of Engineering and Innovation With colleagues: The 6th eSTEeM Rupesh Shah Annual Conference

556 views • 11 slides
Cesarina Quintana Garcia de Paredes Senior National Program Officer SDC Global Programes Water

Cesarina Quintana Garcia de Paredes Senior National Program Officer SDC Global Programes Water

Transferring experiences between SDC countries - Lessons learnt from transferring experiences from Peru to Colombia (SABA) and the roles of global and regional cooperation). Cesarina Quintana Garcia de Paredes Senior National Program Officer

763 views • 12 slides
EFFECTS OF ELEVATED TEMPERATURE ON A CORAL REEF FISH AND THE POTENTIAL FOR ACCLIMATION Jennifer M

EFFECTS OF ELEVATED TEMPERATURE ON A CORAL REEF FISH AND THE POTENTIAL FOR ACCLIMATION Jennifer M

EFFECTS OF ELEVATED TEMPERATURE ON A CORAL REEF FISH AND THE POTENTIAL FOR ACCLIMATION Jennifer M Donelson Philip L Munday Mark I McCormick Global Warming in the Tropics Global temperatures are predicted to increase between 2-4C by 2100

635 views • 19 slides
1 Transition Advisory Team Meeting Topic: Provider Survey Wednesday, May 27, 2015 and Monday,

1 Transition Advisory Team Meeting Topic: Provider Survey Wednesday, May 27, 2015 and Monday,

S T A T E O F M A R Y L A N D D E P A R T M E N T O F H E A L T H A N D M E N T A L H Y G I E N E 1 Transition Advisory Team Meeting Topic: Provider Survey Wednesday, May 27, 2015 and Monday, June 1, 2015 Meeting Overview 2

317 views • 13 slides
North Dakota Department of Human Services Statewide Transition Plan revised to seek final

North Dakota Department of Human Services Statewide Transition Plan revised to seek final

North Dakota Department of Human Services Statewide Transition Plan revised to seek final approval from the Centers for Medicare and Medicaid Services Home and Community Based Federal Regulations Overview of the Federal Regulations A final

262 views • 14 slides

More recommend