Cyber Liability Insurance Pitfalls

There were three times more data breaches in 2023 than in 2022. Cyber liability insurance is imperative, but is your company’s policy as ironclad as you think?

By Robert W. Wilkins

An oft-repeated mantra in business and technology is that it’s not a question of whether a data breach will happen, but when. In fact, most readers of this article likely have received notice that a data breach has potentially affected their data, as in the cases of AT&T, LinkedIn, Facebook, Twitter, and Experian, to name a few. According to the 2023 IBM Security report, the average cost to a company of a single data breach in the United States reached an all-time high in 2023, averaging $4.5 million.

Artificial intelligence is playing an increasingly prominent role. Cybercriminals are using generative AI to develop and implement attacks. Some form of non-malicious human error remains the most exploited means and is estimated to account for more than two-thirds of security breaches. Without adequate cyber liability insurance, companies face a double threat: being the victim of a data breach and then having to contend with the denial of their cyber insurance claim. Insurance providers are raising premiums and continuously investigating whether the practices the insured represented when it applied for coverage were implemented, regularly tested, and updated as needed. This article addresses the risks of failing to implement and follow all the policies and procedures that are listed on a business’s application for cyber insurance and provides some important security takeaways.

Loss of Insurance Coverage
Recent reports have shown that an insured party’s perception of its security versus reality often differs greatly. One of the biggest reasons for coverage denial concerns misrepresentations in the company’s application and/or the failure to maintain cybersecurity practices amid the ever-changing threat environment. Most cyber insurance policies provide broad coverage for cyber extortion, data restoration, public relations, computer fraud, business interruption, regulatory compliance, and reputational damage. However, the coverage under a policy depends on the representations the insured made in its application, and its subsequent compliance with them.

A typical application for cybersecurity insurance requires the insured to disclose whether it requires multifactor authentication, network segmentation, secure passwords and authentication requirements, remote access controls, third-party vendor controls, limited access to sensitive information on a need-to-know basis, employee training, and an incident-response plan, just to name a few.

A Hole in the Net
The hole in the cybersecurity insurance net stems from the insured’s potential omissions or misrepresentations in its application. Recently, one insured business that suffered an enormous data breach was denied coverage and had its policy rescinded because the insured claimed in its application that it required multifactor authentication to access its administrative data. The insurance company determined that the insured had not implemented multifactor authentication and the data was breached. As a result, the insurance policy was rescinded and the loss was not covered. Companies must regularly monitor, update, and test all cybersecurity requirements mandated in their policy.

It’s not just insurance companies that require businesses to have stringent procedures and policies to prevent and contain data breaches. Banks, corporate clients, and a multitude of others have similar requirements.

Takeaways
• Start with security — factor it into decision-making for every department of your business.
• Don’t collect personal information you don’t need and keep it only as long as it’s needed.
• Control access to sensitive information and limit access to employees on a need-to-know basis.
• Require secure passwords, authorization, and authentication.
• Use industry-tested and accepted security measures.
• Segment your network.
• Secure remote access to your network.
• Ensure your third-party vendors have reasonable security measures.
• Read your cybersecurity insurance policy application and representations to confirm each representation is accurate.
• Update your policies and practices to stay on top of changes and innovations in data security.
• Train and test your employees in data security practices and potential breaches, especially phishing schemes.
• Keep an open line of communication with your insurance provider and follow its recommendations regarding cybersecurity.
• Have an incident response plan reviewed and approved by outside counsel.

The bottom line: Data breaches may be inevitable, but diligence and preparation can mitigate both their financial and reputational impact.

Robert W. Wilkins

Robert W. Wilkins, a Jones Foster shareholder and the Litigation & Dispute Resolution Practice Group co-chair, is double Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. He is co-chair of the E-Discovery Subcommittee and the Data Security Subcommittee of the ABA Litigation Section’s Commercial and Business Litigation Committee. He is also a member of the recently created Florida Bar Standing Committee on Cybersecurity and Privacy Law and an active member of The Sedona Conference Working Group 1, Electronic Document Retention and Production and Working Group 11, Data Security and Privacy Liability. www.jonesfoster.com
