“One of the questions I always get asked is, ‘well, who's going to pay for all of these costs that are incurred in connection with a data privacy [or] security event?’ and often it can be your insurance” continues Kari. “So, from my perspective, cyber insurance is…an integral part of cybersecurity preparedness and data breach response.”
Kari Rollins is Co-Managing Partner of the Sheppard Mullin New York office. Her practice is centered on data privacy, with a particular focus on cybersecurity compliance, the drafting of security policies and incident response plans and, when necessary, crisis management, including notification obligations and regulatory and litigation support.
Summer Craze Fowler is Chief Information and Chief Security Officer at Argo AI, which produces software and systems for self-driving cars. Her background includes 11 years at Carnegie Mellon. Prior to that she was at the Johns Hopkins Applied Physics Lab and Northrop Grumman, where she worked with the United States Marine Corps on a set of tactical ground systems.
Proactive and Prepared
“That preparedness angle is critical,” says Fowler, who views cyber insurance less like event-specific car insurance and more like health insurance: as something that “can become part of a proactive cybersecurity program...”
Both she and Kari agree:
While the press tends to focus on the escalating ransomware demands (now eight figures), as high as they may become, they can still represent a mere fraction of the total cost incurred by the business.
For example, the cost of the forensic investigation – identifying not only the source of the attack but ferreting out every last bit of malicious code, which has typically proliferated throughout your systems and endpoints – can alone dwarf the dollar amount of the ransom request. Add to this the cost of responding to Data Subject Rights Requests (DSARs) if consumer data has been exposed, plus potential regulatory inquiries and civil litigation, and the ransom is really just the tip of a very expensive iceberg.
“I have clients who have pre-breach coverage for [what you might call] cybersecurity health and wellness checks that they need to help them be prepared,” adds Kari. And critically important to preparedness “is knowing what doesn't work.” She cautions against “lofty expectations in an incident response plan that you can’t” practically follow through with.
Summer works with the Argo AI risk team to help assess insurance requirements and providers. She details that their provider sends an extensive “questionnaire asking us a lot of questions about what we have inside of our program, really trying to build the profile for us.”
Importantly, says Summer, Argo’s provider helped her “to understand all of the various types of coverage. What is a tower? How much insurance do I need and what kind of insurance do I need? We have to work together…to determine that.”
“What are the crown jewels of the company? What are the things that are the most important? What are the things that I'm concerned about from a threat risk and vulnerability standpoint?”
Importantly, this is an assessment that needs to be done yearly to accommodate any number of changes that can take place concerning the company’s assets and the ever-evolving nature of cybersecurity threats.
What is Your Existing Security Posture and Potential Exposure?
Rollins agrees. The risk assessment is key. And the definition of “crown jewels” can vary greatly. For example, these could be “consumer data…Or perhaps it may be your employee data in HR systems that is at risk of W-2 scams or those that exploit healthcare and insurance through socially engineered phishing and spoofing scams."
The questions do not end here. And it helps to understand just how significant the costs can be:
Working toward an understanding of these potential risks requires collaboration among your business teams, your information security teams and your legal teams, and then working with an experienced cyber insurance broker who understands the risks and the costs associated with those exposures, and who can consequently help you assess what coverage is required. Ultimately, understanding “your risk profile is based on the types of data and systems you have [including third-party vendor relationships and] it is really critical to work with an expert and do that with buy-in from your folks,” cautions Kari.
And this is crucial information when developing your application for insurance.
Misrepresentation is grounds to deny coverage. And bottom line: cyber insurance in the data breach era is not optional.