How should organizations considering cyber insurance start the process? Cyber liability lawyer Richard Bortnick offers three steps in determining the type of cyber liability coverage they should seek.
"Policy holders are not necessarily being given the best advice or they don't understand the scope of the coverage that they have," he says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
For organizations mulling the purchase of cyber insurance, Bortnick offers the following three tips:
- Conduct an initial risk assessment : The assessment should be top-to-bottom and consist of the internal risks to the organization as well as the potential exposure of sensitive information in order to determine which type of cyber liability insurance coverage they should seek, Bortnick says.
- Speak with a lawyer: Seek advice from a lawyer, Bortnick says. They should be willing to provide free advice since the information being sought shouldn't take that long for a lawyer to provide.
- Create a cyber-response plan: This process involves developing a team consisting of members from various departments in the organization, such as general counsel, IT, human resources and management. "You need everybody to get in a room, discuss what the corporate assets are that need to be protected, what the personal information is, whether it's employees or customers or clients, and come up with some kind of plan to send people off to do their respective jobs," he says.
In the interview, Bortnick discusses:
- Initial steps organizations should take in conducting a risk assessment to determine the type of cyber liability insurance coverage they should seek;
- Selecting members of the enterprise who should be on a team to put together the application for cyber insurance;
- Where to find qualified insurance brokers to identify the appropriate cyber insurance policy.
A frequent lecturer and blogger on cyber liability and insurance, Bortnick is a member resident of the law firm Cozen O'Connor's Philadelphia office. He is the Pennsylvania chair for the Council on Litigation Management. Bortnick co-chairs the Computer and Technology subcommittee of the American Bar Association's Insurance Coverage Litigation Committee.
Cyber Insurance Usage
ERIC CHABROW: Are most organizations properly insured against the impact of cyberattacks and IT failure?
RICHARD BORTNICK: The vast majority at this point are not. Most companies still to this day do not appreciate the risks and exposures that they face and are not aware of exorbitant costs that could arise from a cyber breach, both with respect to business interruption loss as well as third-party exposures, should financial, healthcare or other information of customers' clients be stolen. There are a lot of different verticals that companies need to be concerned about: first-party, crisis-management and third-party liability.
CHABROW: There's a lot of news about cyber intrusions and then companies being hacked and personally identifiable information being exposed. Despite this, why do you suspect that companies aren't aware?
BORTNICK: It's like the shoemaker whose son walks around barefooted. It can't happen to me. I don't worry about myself. I'm worried about everybody else. You read about cyber breaches and virtually all that you know about are big Fortune 50, Fortune 100 companies and government contractors - folks that the typical company or the typical person who owns the company can't relate to. They presume, "Why would someone hack me? Who would want anything that I have?" I would say to them, "If you had an opportunity to rob a bank in downtown Philadelphia where I'm located or you could go into a suburb on a street corner that's a neighborhood, where would you go?" The low-hanging fruit is the easy street-corner bank, and the low-hanging fruit in this space is smaller, mid-sized companies that either don't appreciate the risks or don't think it can happen to them. These companies are not out there actively putting into place the cybersecurity protections that they might need, or thinking about having to buy insurance because they're investing their limited corporate assets in other things to grow the business, and not thinking about protecting the business.
CHABROW: Is there a perception, or misperception, among many organizations that they have other types of liability policies that might protect them from some of the damage that can be caused by a cyberattack?
BORTNICK: Let me answer that this way: yes and no. Companies don't think about it. They just don't. It's not on their radars until it's on the radars. As to those companies that have thought about it, they will most likely have asked their brokers. Sadly - even as of today - brokers don't understand the product. I had a broker say to me such and such a client did not need cyber insurance because they have a different type of insurance. Well I looked at their coverage and came to realize, very quickly, they didn't have the coverage the broker said or thought they did.
Policy holders are not necessarily being given the best advice or they don't understand the scope of the coverage that they have. Some policies do provide limited coverage. For example, there was a recent decision that came out from an appeals court that found a crime policy covered a cyber event. Up to now, nobody was looking at crime policies so there's one other avenue that a company could look to if you're a service provider. You might look to your professional liability policy for third party that still does not address the first-party business interruption. It certainly doesn't address the crisis management aspects, which up to now has been the leading expense in this area. Lawyers are second and liability with regard to third-party lawsuits is way down the list of expenses. Folks who think about it think they're covered, but, depending on the type of event that we're talking about, they might not be. They probably aren't.
CHABROW: You're a C-level executive or maybe in the information security department of an organization and your company doesn't have cyber liability coverage. What do you start doing and what should be protected?
BORTNICK: Speak with a lawyer. Don't even hire a lawyer because the advice the lawyer would give should not take very long, and I give out free advice on what I think a company might want to look into to see if they want to then proceed. Then it becomes more of an enterprise. At the very beginning, I say you need to create a cyber-response plan. And you need to get these team members in place. You need the general counsel if you have one. You need human resources. You need IT. You need a C-level executive. You need management. You need everybody to get in a room, discuss what the corporate assets are that need to be protected, what the personal information is, whether it's employees or customers or clients, and come up with some kind of plan to send people off to do their respective jobs.
The HR people need to lock down their employee information. The IT people need to make sure there are proper security measures in place, so on and so on. It's not hard to tell people to do that. The devil is in the detail as always. It's getting it done and getting people to actually buy into it and do what they need to do. Then, while you're doing that, I would also suggest companies speak to their brokers and get some insight as to that plan and how insurance might help. Obviously, as with anything else, the more secure your company is and the more protections you have in place, the better a risk you are for an insurance company. The better a risk you are, the more likely an insurance company would be willing to quote and the more protected you are, theoretically, the lower the quote would be because the lower the risk the lower the premium.
CHABROW: And an initial step would be doing an information risk analysis?
BORTNICK: A complete top-to-bottom and internal risk and exposure analysis, not just risk but exposure. And obviously, if a cyber criminal wants to get through, they'll get through. There's no magic bullet for a company to certify that it's 100-percent protected, but make it harder for them. As to the low-hanging fruit, if it's hard, most thieves aren't going to bother because there are too many other easy targets out there. You can make it harder for them. They won't be interested in you and the money you pay to implement such a process will pale in comparison to the cost if there's a cyber event, I can assure you. I've seen these claims time and again and the upfront cost is a fraction of the response cost in the event of a bad event.
CHABROW: What are the major costs that companies face when an event happens?
BORTNICK: Depending on the company, besides depending on the event, there are a lot of variables. At a bare minimum, you've got to get in a forensics person to figure out if there's a cyber breach, how the breach occurred, how do you close whatever the door is that they came in through. If you have more than 500 people whose personal information was stolen, you may have reporting requirements. Forty-six states have laws in effect that require breach notification to the state's attorney general and to affected individuals, so you'll have notification costs. You may have PR costs. You may have legal costs. You may have to create a call center for people who are affected because people whose information is stolen are going to want to talk to somebody. They're just going to want to vent. They're going to want to hear what you're going to do for them and then you're going to have to provide them some remedy that will make them feel like they're being protected or they're being compensated in some way for the inconvenience and the theoretical harm that might come to them, and typically in this space that means credit monitoring, although there are other giveaways that insurance companies and companies are using: credit freezes, credit thaws, things like that. But the most typical at this point is credit monitoring.
CHABROW: How about the value of information that may be breached? Can you quantify that and can that be insured?
BORTNICK: Yes and no. Can I quantify it? It depends on the company. Sure you can quantify it. What are your assets worth? Many company's assets these days, as we read about in the paper, is their intellectual property. You had Apple getting a billion-dollar verdict against Samsung. Intellectual property is what our economy is going to be based on moving forward, not brick-and-mortar anymore. How do you quantify it?
What is the value of it? How do you insure against it? Business interruption and all other types of insurance, but good will and things like that are not insurable. They're intangible assets that are unquantifiable. Some accountant can value good will, but it's not an insurable event.
CHABROW: Talking to people whose organizations do have cyber insurance, they tell me it's a more complex application process. They said they filled literally dozens of pages for cyber liability insurance.
BORTNICK: I wouldn't say dozens, but it's far more substantial because what you're evaluating are company's cyber risks and exposures. How do you do that? You need to understand the company. You need to understand the valuable information they hold, whether it be corporate information, personal information or healthcare information. You need to understand the technical security protections. You need to know what their security measures look like. You need to know what their plan looks like. You need to know what they do with the information. Do they send it to a cloud? If they send it to a cloud, to whom do they send it? What are their protections? You really need to understand every single aspect of the organization and their infrastructure - human infrastructure and intellectual property infrastructure - as well as their information security infrastructure. It's not like you go to a building and you look and see they've got smoke detectors and a sprinkler system. They have these tangible things that I can look at and I don't have to ask you about it because I can see it. Fire alarms and things like that are self-evident. It's not self-evident when you're talking about cyber, so you have to ask the questions to understand what the risks are as an underwriter that you might be buying into.
CHABROW: You mention cloud. With cloud and the relationship organizations have with other organizations because of what IT can offer, is it hard to quantify your digital assets because of where they're situated or who has them? Can they be protected?
BORTNICK: Your assets are your assets. You can value your assets. I think what you're asking is can you value the risk to your assets, because the assets are whatever they're worth. Let's say you own a patent and its value is a million dollars. Then your assets are a million dollars. I'm assuming that includes good will and all those other things that follow, but let's say the asset is the asset. Then the question is what happens if it's stolen and that question is how well protected is the cloud provider that you're using? Do they have protection to protect you, and typically cloud providers have limitations of liability in their contracts. If I send you something and you're holding it for me and then it gets stolen, whether it's personal information, IT or whatever, you the cloud provider might only have to pay me a thousand dollars, ten thousand dollars, certainly not the value of what I had given you, but that's how the contracts run these days.
It's a problem for the mom-and-pop that have to outsource their information to a cloud and they're sending it to somebody who frankly they probably don't even know what their protections are. They just know it's a cheap way to store stuff and they don't read the fine print, because most people don't read the fine print and don't realize what they're giving up by releasing all this information into the care and custody control of the third-party.
CHABROW: Let's take an example of an organization that's storing personally identifiable information on the cloud and the cloud has limited liability to the business, whether it's a mom-and-pop or a more medium-sized business. Can cyber insurance protect those companies?
BORTNICK: Yes. I would call the data bailee and I use that as a term of art. It's a legal term. It means someone who holds something that belongs to someone else.
CHABROW: What was that term again?
BORTNICK: Data bailee.
CHABROW: How do you spell that?
BORTNICK: B-A-I-L-E-E. It's a term I've created. It doesn't exist. It does in my world and I've used it in several things I have written. If you give me your personal information, let's say you buy something from me and you give me your credit card, I now hold your credit card number. I hold your personal information. I'm a bailee. I'm holding something that belongs to you and so I have a duty to you at that point to protect it. Let's say I offload it to a cloud and then it gets stolen out of the cloud. It's your information that's stolen that you then handed to me that I was responsible for that I then laid off on somebody else.
Then let's take the next step and say the person who steals your information and uses your credit card and buys whatever they buy, of course your credit card company is going to write it off as fraud, but you might have some associated damages or injury, or at least you want credit monitoring. Who would you call? You're not going to call Ghostbusters. You would call me and you'd say, "I gave it to you. You're responsible for it." I say to you, "It was stolen from the cloud." You say, "I don't care where it was stolen from. I gave it to you. You're responsible for it. You go deal with whomever you have to deal with and if you don't take care of me, I'm going to sue you."
At that point or if not before, I've got my insurance backing me up, assuming I bought it and it will protect me, or should protect me, from your claim and your lawsuit. Whether my insurance company or I can then go against the cloud provider is my problem. It's not your problem. Your problem is making sure that I take care of you because I'm the one who you gave the information to and who you hold to be responsible and accountable for it. I can buy insurance. I as a policy holder should respond if I bought that coverage.
Cloud: Proper Precautions
CHABROW: You're a policy holder. You're putting some of the personally identifiable information of your customers on a cloud. What does the policy holder have to do to show the insurance company that it's taking the proper precautions that the cloud provider is taking steps to protect that information?
BORTNICK: I don't know that the insurance companies typically at this point are looking to that next layer of security in a cloud. They should. I don't know that all of them are. One of the questions in the application should be, "Do you offload to the cloud and to whom do you offload it?" It may well be the insurance company knows the cloud providers so they know what their systems look like. That's the duty of the insurance company and its due diligence up front to ask the right question and feel comfortable with the answer.
If the insurance company doesn't ask about cloud, which I can't imagine it wouldn't, but if you get an answer and it doesn't, then go to the next step and investigate the cloud provider and it writes to the insurance, that's on the insurance company. That's not on you. You've told them what they've asked and what you think they want to know. They then have taken the risk. I imagine and I know that they will have asked, "Do you offload to the cloud and to whom do you feed the information?"
CHABROW: The various insurance companies that offer cyber liability insurance, are their policies as consistent as other kinds of liability insurance?
BORTNICK: These things are all over. There's some consistency at 20,000 feet. There's service party. There's crisis management. There's third-party. But once you start dropping down into the weeds, there are so many material differences between the coverages available that there's no real one-size-fits-all approach.
CHABROW: Is that because it's still a relatively immature industry?
BORTNICK: Yes. Everybody wants to distinguish themselves from everybody else because there's so much insurance capacity out there. There are so many companies writing policies at this point. How do you tell them apart? They need to distinguish themselves so they make themselves more attractive to a particular company, a particular sector or a particular risk. As the industry matures, there will probably be somewhat more consistency. They'll be an ISO, insurance services office, formed that companies use as they're doing their general liability, but we're years and years and years away from that. Still, you need a sophisticated insurance advisor to tell you the differences between the policies, what policy or policies and what company or companies provide the best coverages for your entity.
Finding Insurance Brokers
CHABROW: Earlier you mentioned that a lot of brokers aren't that familiar with cyber insurance. What should a company do to make sure that their broker does understand it, or where else can they get information?
BORTNICK: They should ask a broker to tell them what types of companies they have represented in cyber. Do your homework on your broker. Test them and see if they know about cyber and then have them go out and bring you back a bunch of proposals and have them distinguish them. You'll know whether they know what they're talking about.
Regrettably, as I say, most brokers don't understand it because it's still too new and people are afraid of new things. It's human nature. Even people I work with, they don't understand it, they don't have time to understand it or they don't have the inclination unless they're under 25, at which point it's embedded in their DNA and they totally get it.
But how do you find a broker? You can go on the Internet and you can scour around and you will know who the folks are who know this stuff, the people writing the articles, the people giving the speeches around the country. They're the people that are being promoted by the industry because the industry has an infrastructure of folks who are very knowledgeable and whose knowledge is touted by the industry itself that these are the brokers that know what they're talking about. These are the underwriters that know what they're talking about and these are the lawyers who know what they're talking about. It's out there; you just have to go find it. Don't just entrust it to your broker and assume he or she knows what he or she is doing, because that would be an incorrect assumption I would say 75-80 percent of the time at this point.