Making Sure It’s Covered: Cyber Insurance — What are the Practical Things In-House and Outside Attorneys Need to Know? (conference panel discussion)

Cyber insurance is a hot topic among many but unfortunately, far too many companies are not getting any cyber coverage or are not getting the coverage they need for their risks.
This week I had the privilege of moderating a panel discussion targeted for in-house counsel that was titled “Making Sure It’s Covered: Cyber Insurance — What are the Practical Things In-House and Outside Attorneys Need to Know?”
For this discussion we had these amazing panelists sharing their unique industry expertise:
Our objective was to give the attendees a broad understanding of cyber insurance so they know why it is important to have cyber coverage (and dispel some of the “fake news” about cyber insurance), how to get the right coverage, and how to properly use their insurance solutions before and after they have an incident. We covered these main topics:
  1. Why cyber insurance is critical.
  2. Overview of the insurance process, who the players are such as brokers, underwriters, and claims, and how they all work together in the overall insurance ecosystem.
  3. Getting the right coverage.
  4. The claims process.
  5. Understanding how the panel of approved vendors works and why it is important to understand that before you have an incident.
  6. Incident response planning and practice.
Many thanks to these outstanding speakers and to The Center for American and International Law for providing us with the opportunity to present this very important information at its outstanding 3rd Annual Cybersecurity & Data Privacy Law Conference, I am already looking forward to next year’s conference!

Cyber Insurance – A Better Way to Help Small Businesses Manage Cyber Risk

In a recent Wall Street Journal article, The Case for Protecting Small Firms from Cyber Lawsuits, the authors argue that, because smaller companies lack the resources of larger companies when it comes to protecting data, smaller companies should have legal protections to exempt them from facing the consequences of these laws.

While it seems this argument is based on a fundamental misunderstanding of the purpose of these laws, it does offer some productive suggestions and I found it interesting for another reason. The reasons the authors gave for arguing that smaller companies should be exempted from the laws are some of the same reasons I give to smaller companies when I explain why it is so important that they have appropriate cyber insurance coverage:

  1. Small businesses have the same obligations to protect data that larger companies have.
  2. Breach notification laws may have penalties of a certain cost per record breached, regardless of fault.
  3. Breach notification laws may require notifying those individuals whose data was breached, that their data has been breached.
  4. Breach notification laws may require providing identity theft protection services to the individuals whose data was breached.
  5. Individuals whose data was breached may sue and seek recovery of damages and legal fees.

Cyber insurance coverage that is appropriately tailored to meet the needs of a small business will provide them with protection against the risks listed above, and many more, such as the legal fees and costs of having an experienced attorney serve as their breach guide to advise them through the process of managing a cyber incident (see Why You Need a Cyber Attorney) and properly respond to the incident.

I have been practicing in the cybersecurity and data privacy areas of law for nearly two decades and have served as breach guide to hundreds of companies — one of the biggest lessons that I have learned in all of these years is that in many cases, it is not the initial incident that causes most of the harm, it is the failure to properly respond to the initial incident after learning about it that causes it to escalate.

Incident response is expensive. The legal fees, the fees for security services, forensic services, remediation, public relations, and identity theft protection, notification of consumers, and reporting to regulatory agencies — all of these things are very expensive but they are mandatory to properly respond to an incident, in most cases. When a business does not have the resources to pay these expenses, it is not able to properly respond to an incident and that is what can be most devastating of all for small and midsize businesses. That is why it is so critical that small and midsize businesses have appropriate cyber insurance coverage to step in and provide them with the resources needed to help manage and properly respond to such incidents.

#DtSR Podcast: Guest Host on Newscast

#DtSR RabbitI was a guest host recently on the Down the Security Rabbithole Podcast to give my take on the legal aspects of current cybersecurity news with host Rafal Los (@Wh1t3Rabbit) and co-guest host John Foster (@dearestleader). As always, it was a blast!

Listen to the Podcast  

Join the #DtSR Discussion on Twitter

For more great #DtSR content, check out the full Down the Security Rabbithole Podcast homepage and also check out these past #DtSR podcasts where I was a guest:

#DtSR Podcast: Latest Issues in Law and Cybersecurity

#DtSR RabbitI was a guest recently on the Down the Security Rabbithole Podcast to talk about cybersecurity law with hosts Rafal Los (@Wh1t3Rabbit) and Michael Santarcangelo (@Catalyst). As always, it was a blast!

Listen to the Podcast  

Join the #DtSR Discussion on Twitter

For more great #DtSR content, check out the full Down the Security Rabbithole Podcast homepage and also check out these past #DtSR podcasts where I was a guest:

SecureWorld Post: 4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit

In my latest post for SecureWorld, explain 4 key takeaways for businesses from the Spec’s v. Hanover lawsuit regarding cyber insurance. Check it out and let me know what you think:  4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit