Judy Selby – Partner at BakerHostetler and co-Chair of the Information Governance Team
The past few years have witnessed a tremendous increase in awareness on the part of most enterprises of the importance of cyber security and privacy issues. High-profile data breaches and concern about intrusive practices involving personal data have helped to raise that awareness. However, some equally important concepts that also affect today’s data-driven companies are unfortunately not as well understood.
Two such concepts are information governance (IG) and cyber insurance. This article discusses how those concepts relate to each other and highlights the key role they play together to secure an enterprise’s most important asset – its data.
What is information governance?
IG is not simply a new name for records management; its definition, however, is still the subject of some debate. The Information Governance Initiative defines IG as ‘the activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs’, while the Association of Records Managers and Administrators says IG is ‘a strategic framework composed of standards, processes, roles and metrics that hold organisations and individuals accountable to create, organise, secure, maintain, use and dispose of information in ways that align with and contribute to the organisation’s goals’. Meanwhile, advisory firm Gartner suggests that IG is the ‘specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organisation to achieve its goals’.
Despite these different definitions, it is generally agreed that IG represents an enterprise-wide commitment to appropriately govern enterprise information throughout its entire lifecycle, from creation or collection all the way through to its ultimate disposition. Good IG maximises the value of information while also minimising its risks.
What is cyber insurance?
Cyber insurance is a relatively new and still evolving form of coverage designed to address the emerging information-related risks facing today’s companies. These risks include breach of privacy, failed network security and media liability. Unlike more traditional forms of coverage, there are no standard cyber insurance policy forms, provisions, definitions or exclusions. But like traditional coverage forms, a cyber insurance policy’s first-party component provides coverage for costs incurred by the insured itself when responding to a covered event, while third-party coverage responds to claims and demands made against the insured.
First-party coverage under a cyber policy can be triggered by a variety of events that are becoming far too familiar to modern enterprises, including the malicious destruction of data, accidental damage to data, power surges, IT system failure, cyber extortion, viruses and malware. Typical first-party coverages include legal and forensic services to determine whether a breach occurred and, if it has, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation and payment of ransom costs.
Third-party coverage can be implicated in a number of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defence costs, settlements, or damages the insured must pay after a breach; for electronic media liability, including infringement of copyright, domain names and trade names on an internet site; and for regulatory fines and penalties.
Cyber insurance typically provides for the retention of an attorney – often called a ‘breach coach’ – to coordinate the insured’s response to a cyber incident. An experienced coach can build an effective team of specialists – essentially a cyber SWAT team – and efficiently guide the company through the forensic, regulatory, public relations and legal issues that arise from a security incident.
Given the complexities of the various laws pertaining to data breach notification (there are 47 different state breach notification laws in the United States, for example), as well as the attention paid by regulators, the media and the plaintiffs’ bar to data breaches, coverage for the retention of a skilled breach coach is perhaps the greatest benefit of cyber insurance.
Relying on someone who has ‘been there and done that’, who knows the law and regulations and who has relationships and credibility with the relevant regulators and law enforcement officials can help an affected enterprise successfully emerge from a cyber incident and avoid potentially catastrophic financial and reputational damage.
How do IG and cyber insurance relate to each other?
Although there are no standard applications for cyber insurance, cyber insurers generally, and rightly, focus on a prospective insured’s IG policies and practices in the application process in order to decide whether or not to offer coverage and, if so, in what amount and at what premium. Insurers usually ask for similar types of information from the prospective insured, including customary financial data about the company, such as assets and revenues, number of employees and planned merger and acquisition activity. But in addition, cyber insurance applications focus on how the insured is addressing the particular risks within the purview of the cyber insurance policy. For example, insurers typically inquire into the following areas:
- The company’s compliance with security standards and regulations and the frequency of assessments
- The volume and types of data (e.g. credit card data, banking records, protected health information) handled or maintained by the company
- The existence of written, attorney-approved and updated policies and procedures concerning the handling of information
- Any existing network security programmes, including the use of firewalls, antivirus software and network intrusion testing
- Whether or not the company employs a chief information officer, chief privacy officer, or chief technology officer
- The company’s history of security incidents and breaches, including how long it took to detect any prior breach (particularly relevant if business interruption coverage is desired)
- Whether or not there have been prior threats to disable the company’s network or website
- Whether or not another cyber insurer cancelled or refused to renew a cyber policy
- If the prospective insured is aware of any facts or circumstances that reasonably could give rise to a claim under a prospective cyber policy
- The company’s security budget (is it part of the IT budget and, if so, what percentage?)
- The company’s existing practices concerning data encryption, passwords, patching and system access control
- The company’s policies and practices around employee hiring, training and awareness programmes and procedures at termination
- The physical security controls (e.g. access cards) utilised by the prospective insured
- Whether or not the company conducts audits of third-party service providers
- The company’s practices with regard to vendor contracts and policies
- Whether or not the company has and enforces policies governing mobile devices and social media
- The prospective insured’s data backup procedures
Great care should be taken to accurately complete the application, which will become part of the policy if one is issued. Some insurers require the signature of the company’s president, CEO and/or CIO, who must attest to the accuracy of the company’s responses. Inaccurate information provided in the application may prove problematic if a claim is later tendered under the resulting policy and the event at issue is related to a perceived misrepresentation in the application.
How do companies choose the right cyber insurance policy?
Just as there are no standard applications for cyber insurance, there currently are no standardised cyber insurance policy forms, and policies often contain ‘manuscripted’ provisions agreed to by the insurer and the insured during the negotiation of the policy. Policy terms, including grants of coverage, exclusions and conditions, vary among the 60 or so carriers that currently issue cyber policies, and numerous coverage options are offered by those insurers. Given this reality, prospective insureds must take care to ensure that the cyber policy they purchase is appropriate for their specific cyber risk profile. For example, if a company entrusts its data to vendors, it likely will want coverage for a vendor breach. And if a company maintains an active social media presence, it may want media liability coverage.
When negotiating the purchase of a cyber policy, the following points, among others, should be considered:
- What is the company’s cyber risk profile? A credit card processing company or a retailer, for example, likely would have very different risk profiles compared to an investment advisory firm
- Are policy limits and sub-limits adequate for existing needs?
- Is there retroactive coverage for prior unknown breaches and, if so, for how many years?
- Is there coverage for claims resulting from vendors’ errors?
- Is ‘loss’ of data covered or just data ‘theft’?
- Can cyber insurance be combined with vendor indemnities to maximise protection?
- Does the policy cover data in the possession of cloud providers and other third parties? This is a critical question for companies that entrust their data to third parties
- Will the insurer offer a subrogation waiver?
- How does the cyber policy fit within the company’s overall insurance programme?
- Can more favourable provisions, limits and premiums be negotiated with another carrier?
In addition to the coverages provided by cyber insurance after the occurrence of a cyber event, the prospective insured should ask if any related services are offered in connection with a cyber insurance policy. For example, some cyber insurers and brokers now offer prophylactic benefits to reduce the insured’s risk of suffering a cyber event in the first place and to mitigate the effects if an incident does take place. Valuable resources, such as IG tools, information management counselling, employee training, breach response table-top exercises and review of vendor contracts may be available in connection with cyber offerings.
Because of the variety and complexity of the various cyber policies on the market, companies are urged to consult with a knowledgeable and experienced cyber broker to help negotiate the most favourable cyber policy terms and limits to fit the company’s needs. Coverage counsel also can help to ensure that the cyber policy adequately addresses the company’s unique cyber risk profile and fits appropriately within the insured’s comprehensive insurance programme.
Strong information governance, coupled with appropriate cyber insurance coverage, can help today’s data-dependent companies position themselves to maximise the value of their data while they mitigate and transfer the evolving information-related risks that constantly threaten them. Good IG policies and practices fit hand in glove with obtaining and keeping cyber insurance coverage. Companies that appropriately govern their information put themselves in the best position to secure the most favourable cyber insurance policy terms and limits, at the best premiums. Having its ‘information house in order’ also puts an enterprise in the best position to secure the benefits of a cyber policy in the event of a cyber insurance claim.
About The Author:
Judy Selby is a partner in BakerHostetler’s New York office, where she serves as co-chair of the Information Governance Team. She also is an experienced insurance coverage litigator and advises insurance companies and insureds about cyber insurance coverage issues. She can be reached at email@example.com