Cybercrime, including ransomware, is one of the top challenges facing organizations today. Businesses across the globe are suffering staggering cyber-related losses, losing around $60 billion to cybercrime annually.

We are excited to launch our thought leadership campaign, “Cyber Insurance claims: Minimize risk, maximize recovery,” which provides a comprehensive look into the key issues relating to cyber insurance and ransomware claims and how clients can minimize their risk and maximize their recovery before and after a cyberattack.

One of the top issues facing business today is the risk of business interruption resulting from a cyber-related attack. Regardless of the form of attack – ransomware, denial of service, data theft, or other form of malware – any resulting failure of an organization’s network systems can have severe consequences, financial and otherwise. These may include loss of productivity, lack of or impaired access to websites, and, importantly, loss of sales or income.

Given the potential for significant losses, a strategy for calculating and minimizing losses and for maximizing insurance recoveries for damage from a business interruption should be part of every organization’s cyber incident response plan. Because every business is unique, there is no “one size fits all” plan that will neatly apply to all businesses or to all business interruption claims. Nevertheless, certain best practices exist and can be applied and adapted to individual businesses to facilitate an efficient and effective response to a cyber-related business interruption.

1. Know your insurance coverage

The first step to maximizing recovery for business interruption is understanding the coverage provided under the applicable insurance policies. Many stand-alone cyber liability insurance policies provide coverage for lost net profits and mitigation costs, and may also cover continuing expenses, such as employee salaries, resulting from a cyber incident. However, although cyber policy forms are far from standardized, most of them share certain limitations on such coverage. For example, most business interruption coverage includes a waiting period of a certain number of hours before coverage begins. The length of that waiting period can be critical, as losses attributable to the business interruption may continue to grow until the network system and level of service have been fully restored. Insurers also may limit the “period of interruption,” the period of time for which the policy will pay for losses. Depending on the policy language, coverage may end before operations are fully restored.

It is important to understand these limitations when purchasing cyber insurance and to obtain the insurance that best fits the needs of your business. For this reason, we recommend involving insurance coverage counsel to assist in the insurance placement and renewal process.

Cyberattacks continue to grow in sophistication and frequency, with attackers targeting businesses of all industries and sizes with seeming impunity. In the wake of this ongoing pervasive and indiscriminate threat, corporate risk departments are taking measures to assess cyber risks and update network security and protocol in hopes of staying one step ahead of potential hackers.

But just as risk departments are reacting in real time to this ever-growing threat, so too are members of the insurance industry. As cyberattacks grow in sophistication and frequency, costs expended to recover from these attacks grow in kind, which has led to an explosion in insurance claims under cyber insurance policies and other responsive coverage. With insurers obligated to pay substantial sums to settle these claims, the result has been a tightening of the cyber insurance and related markets for renewals and placements and, with respect to claims under existing policies, heightened scrutiny and application of existing terms in rendering claims decisions.

The Court’s decision

An example of such novel application became front and center in a recent decision in Merck & Co., Inc. et al. v. Ace American Ins. Co. et al., Case No. UNN-L-2682-18 (N.J. Sup. Ct.). Merck, a multinational pharmaceutical company, sued its insurers after they denied coverage under an “all risks” insurance policy for a 2017 cyberattack that crippled Merck’s computer systems and caused an alleged $1.4 billion in losses to the company.

Although it was undisputed that the policies at issue provide coverage for “loss or damage resulting from the destruction or corruption of computer data and software,” insurers pointed to an unusual exclusion to support their argument that coverage must be denied: the “Hostile/Warlike Action Exclusion.”

Businesses may find it more challenging to purchase or renew cyber liability insurance coverage, according to recent articles by Advisen¹, Reuters, and follow-up communications with Robert Parisi, managing director and National Cyber Risk Product Leader at Marsh. Brokers are warning that policyholders should expect sharp increases in premiums and deductibles, coupled with declining limits. Although

Data breaches at colleges and universities are on the rise. These institutions are targets because their networks have access to a large amount of private information, including educational and medical records, as well as employees’ personal data. But in other instances, their systems are being attacked for malicious sport.

In a recent Client Alert members

In light of the growing concern over cybersecurity, the United States Department of Justice (“DOJ”) issued guidance last week on how to prepare for and respond to cyber attacks. Drawing on lessons learned by federal prosecutors while handling cyber investigations, and on input from private sector companies that have managed cyber incidents, the guidance contains a step-by-step guide on what to do before, during and after a cyber incident.

Specifically, the DOJ recommends having a plan in place before any cyber attacks occur. That plan should include identifying critical data and assets that warrant increased security, having the technology and services needed to respond to a cyber incident in place, having legal counsel that is familiar with legal issues associated with cyber incidents, and ensuring that your team knows who is responsible for what tasks in the event of an attack. If an attack happens, the DOJ recommends assessing the scope of the incident and working quickly to prevent any on-going damage, collecting and preserving data related to the attack, and notifying law enforcement. The DOJ cautions against using any systems that have been compromised and trying to “hack back” against the system involved in the attack.

The New York Department of Financial Services (NYDFS) announced last week a series of measures it plans to take “to help strengthen cyber hacking defenses at insurers.” Those measures include, among other things: regular, targeted assessments of cyber security preparedness at insurance companies; putting forward enhanced regulations requiring institutions to meet heightened standards for cyber security; and considering the ways in which NYDFS can support and encourage the development of the cyber security insurance market. The NYDFS stated that it plans to initiate these measures in the coming weeks and months.

Since the President’s February 2013 Executive Order directing the National Institute of Standards and Technology (NIST) to lead the development of a voluntary framework to address and reduce cyber risks, the agencies and stakeholders involved have been exploring whether to tie the February 2014 Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework) to incentives such as cyberliability insurance. For example, in a Report to the President on Cybersecurity Incentives, the Treasury Department suggested that “[c]yber insurance can promote adoption of stronger security measures” because, among other reasons, “insurers could require policyholders to comply with minimum security standards as a condition of insurance coverage, including adoption of the Framework.”

The Treasury Department held a public meeting on November 6 that included a discussion of developments in the market for cyberliability insurance and the NIST Framework.

The evolving market for cyberliability insurance coverage reveals significant differences in the scope of coverage afforded under available policies. A coverage gap that may exist under some policies is for insider cyber attacks. While external attacks receive substantial news coverage, a recent study finds that businesses may be far less equipped to stave off attacks involving insiders: employees, vendors, suppliers and others who may have authorized access to critical or sensitive data.