As we have previously noted, a recent ransomware attack crippled over 75,000 computers in over 100 countries. The “WannaCry” appears to be the largest Ransomware attack to date. However, cyber-experts are already warning of a second, bigger, wave.
Organizations are scrambling to respond to the increasingly ominous threat. However, in our experience, one aspect is frequently overlooked in incident response plans: insurance. Any cyber contingency exercise should factor in the role of insurance. There are three reasons.
First, many policies carry a reporting requirement. Insureds must report the incident, even if coverage is not available. Failure to do so runs the risk of forfeiting future related coverage e.g. in a subsequent Directors & Officers Liability claim arising out of the same incident. For certain “claims made” policies, failure to report a previous incident can void coverage in later policies.
Second, insurers are increasingly offering free or steeply discounted cyber assistance: the digital counterpart to the “preventative medicine” model. Even if an organization has not experienced an incident, it should utilize these resources. A insurer’s practiced eye can identify easily rectified issues – an exercise that could avert a potential catastrophe down the road. Since the personnel detailed to this task specialize in constantly evolving threat, they are better positioned to identify and rectify vulnerabilities than even the most proficient IT department. Since their services have already been paid for through insurance premiums, organizations should call upon them.
Third, organizations should regularly reevaluate their coverage to ensure that it comports with their risk profile. Cyber policies vary widely in what they cover. Is ransomware covered? Business Interruption? One law firm’s coverage claim currently in litigation claims that it lost $700,000 in billables as it struggled to resolve a ransomware issue. What about regulatory investigations? Compliance or contractual costs? The provisions of the policy must align with the realities of the business.
Insurance is no silver bullet. In cybersecurity, there is no such thing. But it is a readily overlooked tool that can help prepare you for the next big one.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.