What Legal Departments Need to Know about Cyber-Insurance

published on Cybersecurity, Legal Risk Management
Data privacy issues have become a company-wide concern. These days they are a matter of corporate survival, which is why organizations should incorporate them into risk management. In a survey conducted of more than 2,200 executives involved in cyber risk management, the Ponemon Institute found that 52% of respondents believed their company’s exposure to cyber risks would increase over the next 24 months, while only 19% said their company had cyber insurance. When an organization becomes the victim of a data privacy breach, customers have no problem with taking their business elsewhere. As the list of companies experiencing a breach in data privacy grows longer, organizations of all sizes need to seriously consider buying cyber insurance to protect against the real risk of a major cybersecurity attack and the costs associated with a breach.

Determine your exposure:

The legal department needs to determine what its risks look like, as well as the frequency and severity of exposures, based on the environment in which the organization operates. For retailers, healthcare organizations, and the hospitality industry, one of the priorities of cyber insurance is to protect the large amounts of personal information they collect. For companies that handle large volumes of personal information, coverage for a breach of privacy will be at the top of their list. Organizations need to clarify where their cyber exposures are so that their cyber insurance will cover the vulnerable areas.

What does cyber insurance cover?

Generally, organizations can choose a cyber insurance policy based on the type of coverage that suits their needs. When deciding what your cyber insurance should cover, it is important to distinguish between your own costs and costs that third parties may attempt to claim from you as a result of an incident. The main components of coverage are:
  • Liability due to a cyber attack or data privacy breach
  • Coverage for investigating a cyber attack or data privacy breach
  • Coverage for any interruption to the business caused by a cyber attack
  • Coverage for the response to threats to harm a network or release confidential information

The role of outside counsel:

Should a breach occur, the in-house legal department should enlist the help of a privacy attorney, who plays a key role in the initial response to and investigation of an incident. External counsel must quickly and efficiently identify the nature of the event and retain the support of any external vendors (such as forensic investigators or a public relations firm). It is the outside counsel’s job to quickly assess the structure of the threat and make sure the threat is neutralized as soon as possible. While it is tempting for legal departments to resolve the incident themselves, doing so can actually make the situation worse if they accidentally expose more data or lack the resources to prepare properly for regulatory inquiries.

Takeaway:

Relying on the IT department alone to protect data privacy can create a false sense of security. Legal departments should ensure that there is a security management system as well as a data privacy policy in place. The risk of a data privacy breach can never be fully eliminated, so some organizations have turned to cyber insurance as a method of reducing their exposure to the costs of a data breach. Legal management software such as Legisway can provide an extra layer by providing a secure web-based platform for managing legal documents. While cyber insurance itself should not serve as a defense against data breaches, it is effective as an additional layer of protection.