The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: Cyber Insurance

  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence 

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016). 

    Read Full Article …
  • From Vol. 2 No.23 (Nov. 16, 2016)

    Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey

    As companies become more aware of the complexities of cyber risk, they are approaching not only preventative measures more collaboratively, but also risk management and insurance selection. A recent survey conducted by Advisen and Zurich North America shows operational shifts, including the increasing cooperation between IT and risk management, a heightened role for counsel and boards, as well as more reliance on external resources for post-breach efforts. The survey also reveals that the process of determining the right insurance coverage is also becoming part of this collaborative security effort. “Insurance in the cyber realm is not merely an instrument for transferring risk. Even the process of obtaining the insurance is viewed as a catalyst for driving and elevating enterprise-wide cybersecurity risk management,” Roberta Anderson, K&L Gates partner, told The Cybersecurity Law Report. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Learning How to Pick the Best Policy from Cyber Insurance Cases (Part Two of Two)

    The cyber insurance market is maturing. As policy definitions and exclusions come under judicial scrutiny, insureds are learning how to negotiate policies, and insurers are developing new policies to fill in coverage gaps. This article, the second part of our series covering a Knowledge Group webinar, includes the speakers’ insight on the importance of representations on the insurance application and ADR clauses in policies; what companies need to know about coverage of physical damage from breaches; and how new cyber policies may change the market. The first article included the panelists’ discussion of the current cyber insurance market and the issue of publication under CGL policies, as well as their analysis of recent cases to extract the questions companies should be asking insurers about key policy definitions and exclusions. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.18 (Sep. 7, 2016)

    What Cyber Insurance Cases Teach About Picking the Best Policy (Part One of Two)

    As cybersecurity-related insurance claims proliferate and litigation ensues, more jurisprudence in the area is being developed to guide companies as they purchase policies. Companies looking to purchase or amend their coverage can learn from examples of how other claims have fared under judicial scrutiny. This first part of our article series covering a recent Knowledge Group webinar includes the panelists’ discussion of the current cyber insurance market and the issue of publication under CGL policies. The speakers also analyze recent cases to extract the questions companies should be asking insurers about key policy definitions and exclusions. The second article will focus on lessons from the recent Cottage Health  case and discuss coverage considerations for physical damage. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.16 (Aug. 3, 2016)

    Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations

    Publicly traded companies face an array of cyber-related decisions beyond how to best secure their data – chief among them are when and to whom to disclose cyber risks, how to handle shareholder litigation that follows a breach and what type of insurance policy to choose to mitigate post-breach costs. At a recent seminar hosted by the Practising Law Institute, speakers from Labaton Sucharow, BitSight Technologies and Beecher Carlson addressed considerations for making disclosures to investors both prior to and following data breaches, elements of a securities fraud case and the scope of possible insurance coverage to mitigate losses following a breach. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.13 (Jun. 22, 2016)

    Cyber Insurance Challenges Highlighted by Court’s Denial of P.F. Chang’s Claim

    How far will cyber insurance coverage stretch when there is a breach? Courts are starting to answer this question as cyber insurance policies get tested with breaches. While these policies are marketed as “a panacea for all cybersecurity-related woes,” when policyholders face significant losses, the insurers “hire high-powered lawyers” to avoid paying claims, Scott Godes, a partner at Barnes & Thornburg, told The Cybersecurity Law Report. We analyze the recent district court ruling that a cyber insurance policy fails to cover liabilities to credit card issuers arising from a popular restaurant’s data breach. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm”: Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 2 No.12 (Jun. 8, 2016)

    How Financial Service Providers Can Use Cyber Insurance to Mitigate Risk

    Cyber threats in the alternative investment industry are growing increasingly larger and more sophisticated, requiring financial service providers to maintain sufficient infrastructure to prevent and respond to any breaches. A key component of that infrastructure is a cyber insurance policy to reimburse the fund manager for costs incurred defending against a cyber attack and loss of data caused by the attack. A recent alternative asset manager forum sponsored by insurance advisory and brokerage firm Crystal & Company offered a look at the current cyber threat landscape, cybersecurity preparedness, breach response and cyber liability insurance from the insurance, legal and forensic perspectives. The panel featured experts from investigation and consultancy firm K2 Intelligence, AIG Property & Casualty’s financial institutions group, AXIS Insurance and Lewis Brisbois Bisgaard & Smith. See also the CSLR’s series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.9 (Apr. 27, 2016)

    Don’t Overlook Commercial General Liability Insurance to Defend a Data Breach

    Even though cyber insurance is becoming more readily available in many cases, companies whose data is hacked should not overlook the possible supplemental coverage provided by their existing commercial general liability insurance, which may cover the cost of defending the litigation that inevitably arises as a result. Some recent decisions appear to hold that CGL insurance does not obligate the carrier to provide such defense costs. However, in a recent case involving Travelers Indemnity Company, the Fourth Circuit upheld a lower court decision requiring the CGL carrier to provide a defense following a data breach. In a guest article, Richard A. Blunk, managing director and general counsel of Thermopylae Ventures, LLC, analyzes Travelers and a related line of cases to examine the possibility of whether other existing insurance coverage may provide data breach litigation defense costs as part of a coordinated corporate risk program. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part Two of Two)

    The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries.  This article, the second article in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy.  Part one in the series covered navigating the placement proces –  having the proper individuals involved, finding the right insurer and securing the best policy for your company.  See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    Building a Strong Cyber Insurance Policy to Weather the Potential Storm (Part One of Two)

    With cyber attacks continuing to strike companies of all sizes, cyber insurance has become an important component of corporate risk management strategies.  While cyber risk insurance can provide coverage for the litany of potential damages that a company may suffer in the wake of a data breach, it is wildly different from the usual insurance marketplace – it is nascent, changing and varied.  This, the first article in our two-part series on getting the right cyber coverage in place, provides guidance on navigating the insurance placement process, selecting the individuals who should be involved, finding the right insurer and securing the best policy for your company.  Part two will explore lessons from recent cyber insurance coverage litigation, including steps companies can take to increase the likelihood of insurance coverage under their cyber policy and what policy exclusions and pitfalls to watch out for.  See also “Transferring Risk Through the Right Cyber Insurance Policy,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    What Companies Can Learn from Cybersecurity Resources in Pittsburgh

    Cyber crime is a serious threat – it cripples companies, damages economies, funds terrorism, launders drug money and bleeds the assets of individuals, according to the DOJ.  Often this cyber war is waged from shadows overseas (and often in the form of corporate cyber espionage).  Companies should be using a broad array of tools to prevent and mitigate the effect of international and domestic cyber crime, such as information sharing, sufficient cyber insurance as well as a thorough breach response plan that includes proper notification and preservation of evidence for future actions.  As K&L Gates attorneys Mark A. Rush and Joseph A. Valenti describe in a guest article, one place where law enforcement and the private sector have come together is Pittsburgh, where a string of major cyber crime cases has recently been prosecuted.  Developments there can serve as a model for cybersecurity measures across the country and across industries.  Rush and Valenti describe cybersecurity best practices before, during and after a breach, as well as some unique ways government officials as well as companies in Pittsburgh specifically are handling cyber crime.  See also “After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.15 (Oct. 28, 2015)

    Transferring Risk Through the Right Cyber Insurance Coverage

    As companies recognize that they cannot ignore the risk of a significant cyber breach, they are looking to insurance policies to bear at least some of that risk.  Selecting the right cyber insurance, however, presents challenges in an ever-changing cyber insurance market.  In a guest article, BakerHostetler partner Judy Selby explains the cyber insurance options available, how to select the best insurance for your company and what to expect from the often-intrusive application process.  See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.13 (Sep. 30, 2015)

    Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part Two of Two)

    The role of general counsel and compliance officers in pre-transaction due diligence is becoming increasingly integral in companies’ acquisitions processes.  Relatively new on their growing list of due diligence items are cybersecurity and data privacy issues.  For some deals, discovering problems in those areas will prompt a party to end the process.  But in other transactions, the parties will tackle the issues and find a solution to finalize the deal.  This article, the second in our two-part series on M&A cybersecurity best practices, examines how to handle cybersecurity problems when they are discovered, when to walk away and how to manage risk, remediation and integration when the deal does move forward.  Part one focused on cybersecurity and data privacy due diligence.  It also discussed proactive measures each side can take to facilitate a smooth transaction.  See also “Cybersecurity and Information Governance Considerations in Mergers and Acquisitions,” The Cybersecurity Law Report, Vol. 1, No. 7 (Jul. 1, 2015).

    Read Full Article …
  • From Vol. 1 No.7 (Jul. 1, 2015)

    Cybersecurity and Information Governance Considerations in Mergers and Acquisitions

    The growing impact of cyber incidents has led to a heightened need to conduct a thorough cyber due diligence both before and after an M&A deal.  In a recent webinar, Reed Smith partners Anthony J. Diana, Courtney C.T. Horrigan, Mark S. Melodia and Richard D. Smith shared insight on how cybersecurity affects the valuation of certain assets and offered advice on how to focus due diligence to detect and assess cyber risks pre-transaction, including litigation risks that can arise from data breaches.  They also recommended specific steps for planning post-closing data integration and evaluating the adequacy of insurance coverage.  See also “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).  There has been a flurry of data breach activity over the past 10 years, and “it is only increasing in pace,” Melodia noted.  A company’s cyber risk can directly affect its value in an M&A context.  This is where “cyber risk meets the deal,” he said.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps

    The demand for cyber insurance has dramatically increased as cybersecurity incidents, large and small, proliferate and companies scramble for protection.  The market for cyber insurance has been changing in response to this demand, evolving technology, as well as new cyber regulations that are adding to the cost of breaches.  Roberta Anderson and Sarah Turpin, partners at K&L Gates in Pittsburgh and London, respectively, and Peter Foster, Executive Vice President, Privacy, Network Security, Media, Errors & Omissions and Intellectual Property Risk at Willis Group, shared their insights in a recent webinar about the evolution of the cyber insurance market, policy options available, traps to look out for and how to implement an incident response plan to properly trigger most policies.

    Read Full Article …