What CFOs Need to Know About Cyber Insurance Now
If anything, threat actors are more emboldened, exploiting work-at-home and counting on the C-suite to be distracted.
By Peter Halprin, partner at Pasich LLP
Good news came in May when Moderna, Inc., announced that a vaccine trial resulted in the successful production of antibodies which can neutralize the coronavirus.
But that news was tempered by reports that the F.B.I. and Department of Homeland Security were issuing a warning about China seeking “valuable intellectual property and public health data through illicit means related to vaccines, treatments and testing.” According to the reporting, the forthcoming warning “focuse[d] on cybertheft and action by ‘nontraditional actors,’ a euphemism for researchers and students the Trump administration says are being activated to steal data from inside academic and private laboratories.” It was also reported that Iranian hackers were caught trying to get inside Gilead Sciences, the maker of a drug approved by the Food and Drug Administration for clinical trials.
Prior to the emergence of Covid-19, cyber security, ransomware and privacy liability issues were at the top of the list of concerns for CFOs, as well as finance, legal, and risk management departments. Unfortunately, as the above examples demonstrate, Covid-19 hasn’t reduced this threat. If anything, threat actors are exploiting the fact that many people are working at home, distracted and less focused on cyber hygiene, to gain access to corporate systems for nefarious purposes.
CFOs are familiar with their companies’ insurance policies, including cyber insurance and other policies, such as crime or property, which are likely to have responsive coverage to cyber crime and cyber breaches. The key is to fully know the policy terms, and to understand that cyber insurance generally includes both first-party and third-party liability insurance, which may be important toward a recovery during this pandemic.
First-Party Cyber Coverages for CFOs to Assess
Although the coverage and policy language may differ from policy-to-policy, first-party cyber coverages generally include breach response coverage as well as:
- Event Management (including Data Recovery, Betterment, etc.);
- Cyber Extortion;
- Network/Business Interruption (including System Failure & Voluntary Shutdown);
- Dependent Business Interruption (IT & Non-IT Providers); and
- Consequential Reputational Loss.
Following a security breach, a CFO will review the company’s cyber policy to seek reimbursement for their breach-related costs and expenses. Some insurers have associated with certain professional firms, including technical and legal experts, and may cover breach response costs associated with using such professionals without reducing policy limits.
CFOs will also look to cyber policies for reimbursement for the costs associated with restoring data that is changed, damaged, or lost following a breach. Similarly, cyber policies may cover business interruption losses, including those which arise out of attacks on a vendor or cloud provider.
The case of one law firm demonstrates how detrimental these attacks can be. Following a ransomware attack on the firm’s network, the attackers encrypted the firm’s files so that they were not accessible without payment of a ransom. The firm paid the cyber criminal’s $25,000 ransom but it still took more than nine months to retrieve the corrupted information. As a result, the firm suffered more than $700,000 in business income losses. Other businesses faced with similar attacks have been forced to simply close due to the financial loss.
As such, first-party cyber coverage, including business interruption, is a risk management tool that CFOs and policyholders may need to call upon following COVID-19-related attacks.
Third-Party Cyber Coverages for CFOs to Assess
Although the coverage and policy language will differ from policy-to-policy, third-party cyber policies generally include coverage for:
- Network Security Failures & Privacy Events;
- Regulatory Defense & Penalties (including coverage for GDPR liabilities);
- PCI-DSS Liabilities & Costs; and
- Media Content Liability.
As an example, Facebook settled a class-action lawsuit over its use of facial recognition technology which arose under the Illinois Biometric Information Privacy Act. The case reportedly settled for $550 million. It is particularly important, therefore, for CFOs managing the bottom-line to assess the company’s coverage for claims by consumers and employees, including class actions and regulatory actions, arising out of data breaches.
As Covid has seemingly emboldened threat actors, CFOs are encouraged to review and understand their cyber insurance coverages so as to maximize recovery in the event of an incident.
 David E. Sanger and Nicole Perlroth, “U.S. to Accuse China of Trying to Hack Vaccine Data, as Virus Redirects Cyberattacks,” New York Times (Updated May 13, 2020), https://www.nytimes.com/2020/05/10/us/politics/coronavirus-china-cyber-hacking.html.
 Peter A. Halprin and Jacquelyn M. Mohr, “COVID-19 Cybersecurity and Insurance Coverage,” New York Law Journal (April 20, 2020).
 Natasha Singer and Mike Isaac, “Facebook to Pay $550 Million to Settle Facial Recognition Suit,” NY Times (Jan. 29, 2020), https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html.
This article originally appeared in StrategicCFO360 on August 18, 2020 and can be found here.