Mark Goodman is
a partner in our San Francisco office. In this hoganlovells.com interview, he
addresses the need for companies to manage their cyber risk and the role that
insurance plays in an organization’s overall risk management and cyber
liability strategy.
“Businesses are
well aware of the risks that cyber activity poses and many are seeing a need to
protect against cyber liability,” said Goodman. “Cyber insurance — like other
types of commercial insurance — is a good way to help mitigate risks associated
with cyber liabilities. I think any business of significant size certainly is
going to be concerned with cyber liability. But not all businesses are aware of
all of the ways that they can control the risks attendant to doing business in
cyberspace.”
What types of companies need cyber insurance?
Goodman: Larger companies might
be self-insured for most of their insurance program, but they might not have a
self-insurance program for cyber risk since it is relatively new. Medium-sized
companies typically don’t self-insure; they usually use outside insurance. For
those companies, it is particularly important that they know what insurance
products are available that can protect against cyber risks and what the costs
of the various products are.
Often, companies
just don’t know what’s out there. They hire a broker, and the standard
insurance package the broker gets doesn’t always include the more specialized
coverage some companies need depending on what their businesses are.
What are some of the specialized coverage options a cyber insurance policy should include?
Goodman: Having both sufficient
coverage for the liability and also a defense obligation — to protect against
those situations where the company is sued for leaking or mishandling cyber
information. Litigation costs can be an extremely expensive part of cyber risk.
A company buying an insurance policy will likely want to make sure that it has
insurance that provides both an indemnity and a defense to cyber risk. You want
the defense to be outside of insurance policy limits, if at all possible, so
that you can have adequate coverage for what will likely be a very expensive
component of a cyber risk event. And you want to be able to make sure that your
insurance company allows you to choose, or at least to have a say in the choice
of, defense counsel. At the very least, a company should make sure that its
insurance company has on their panel of approved counsel a firm that is
extremely capable of defending what are very significant risks for the company.
When we are talking with our clients, we make sure that their policies would
allow them to use Hogan Lovells to defend their cyber liability cases.
You also want to
make sure that the cyber insurance policy doesn’t exclude business activities
that the company actually engages in and are a primary part of what the company
does. Insurance policies will exclude, for example, work that is done
internationally. You need to make sure that you’ve got worldwide coverage if
you are a business that does international work.
You want to make
sure that you at least have a defense for alleged intentional conduct. In
various jurisdictions, you can’t get indemnity for intentional conduct but you
can have a defense for alleged intentional conduct or criminal conduct. So if
you are being investigated by a government entity, for example, for a leak of
information or some alleged impropriety, you want to make sure that you have
coverage for that as well as just for civil actions brought by plaintiffs or
classes of plaintiffs alleging some damage as a result of cyber activity.
How has cyber insurance evolved and changed over the past decade?
Goodman: Cyber insurance has been
around for ten or more years in some shape or form. With the events that have
happened during the past three to five years, we’ve seen more and more
companies experience large losses as a result of cyber activities. In response,
the market for cyber insurance has developed from an amorphous concept to
understanding what the risks really are and providing specific insurance for
those particular risks.
Why is Hogan Lovells so well situated to help clients assess what type of cyber insurance policy is the best for them?
Goodman: We are one of the few law
firms in the world that has dedicated and well-regarded privacy, cybersecurity,
insurance, and litigation groups. It is really valuable for clients to have
these cross-practice teams that work really well together. We make sure that
our clients get the insurance they need. But the fact that our clients are also
being counseled on state-of-the-art techniques for making sure their chances
for cyber liabilities are as low as possible is very favorable to both the
clients and to an insurance company that is considering selling them an
insurance policy.
An insurance
company will give better rates and better coverage if a prospective insured has
those types of practices in place. In other words, if businesses have protocols
in place that reduce the risk, you have a law firm that you are working with
that’s establishing state-of-the-art protocols for cyber security, and you have
a cybersecurity officer or team in place in-house — you are going to be much
more attractive to the insurance company and are probably going to get a better
rate and better coverage.