Cyber insurance won’t save your company if it has a breach
The data privacy and cybersecurity landscape is evolving to make compliance more consequential for companies by adding triggers that have nothing to do with breaches of people’s personal information, says Andy Lunsford, CEO and founder of cybersecurity firm BreachRx.
The Colonial pipeline data breach in 2021 was one of several incidents that prompted regulators to realize that breaches could be damaging even in a business-to-business (B2B) context that didn't involve the loss of people’s personal information, Lunsford said in a webcast hosted by contract management software company LinkSquares.
“There was no personal information involved [in the Colonial incident], but it had a big impact on people and the economy,” said Lunsford, referring to the ransomware attack that led to a supply shortage at gas stations across the eastern United States. “So, there’s a requirement coming out shortly from the Securities and Exchange Commission that, if you’re a public company and you have a cyber incident of any kind of magnitude, you have a notification obligation to the SEC.”
Lunsford said some B2B companies might be complacent about cybersecurity and privacy because they don’t collect personal consumer information, but there’s a shift among lawmakers and regulators to close that gap.
“If you weren’t paying attention before, you should start paying attention now, because there are these mandated requirements if you have a cyber incident,” he said.
False sense of security
Nor can you count on your cyber insurance to be much help.
There’s a tendency among some executives to think their incident response is largely covered by insurance, but a close look at your policy will likely show you there are a number of gaps that could leave you on the hook for the most expensive parts of responding to a breach.
“It’s not like a situation where you have a car accident and you get all these things done and you say, ‘Come pay for it,’” said Lunsford. “With this, you have to get approval for every single thing along the way, like an HMO almost. They might not cover all these aspects.”
In a typical policy, the provider might cover the cost of notifying consumers about the incident and of credit monitoring for the consumers impacted, he said. But it might not cover regulatory investigations or contract disputes.
“These could easily be the most expensive part of the fallout,” he said.
What’s more, many providers won’t cover breaches involving ransomware, which have become the go-to approach for many hackers. Additionally, they won’t cover any cryptocurrency losses.
“Ransomware is usually paid in cryptocurrency,” he said. “So, if you had a payment to [the hackers] in cryptocurrency, it could be a loss that’s not covered. So, you need to be more buttoned up on what a cyber response for your company might look like other than just thinking, ‘I’ll call my cyber insurance provider. They’ll put people on it to take care of it for me.’”
Lunsford said the trend in cybersecurity and privacy laws is to require quicker notifications and higher penalties.
For that reason, you’ll want to be proactive about knowing what your insurance covers and what other steps you need to take to improve your compliance posture, said Tim Parilla, chief legal officer at LinkSquares.
“You’re not thinking about privacy every day,” he said in the webcast. “You have to be deliberate in making time and to be a champion. Usually you [don’t act until] you find yourself in an uncomfortable situation and have to remediate. The best way to be effective is to be proactive.”
That means trying to get a handle on what each state requires, if the company does business nationally, and what each country requires if it interacts with people globally, including in the European Union, which requires companies to provide an incident notification within just 72 hours or face a fine of up to 4% of revenue.
“We’ve seen that dynamic of a short deadline and a penalty based on a percentage of revenue become an international movement in every new regulation that comes out,” said Lunsford. “We’re at a point where we have 181 regulations across the world and it can get expensive for a company to miss these deadlines. If you’re new to this space, you should know that, when you look at what regulations apply to you, it’s not where your company is located; it’s where the data is coming from.”
At a minimum, someone on your team should be certified under ISO 27001, an information security standard, Parilla said.
There’s a good chance other standards, including just for lawyers, will be coming your way, said Lunsford.
The New York State Bar recently passed a continuing education requirement that lawyers take classes in cybersecurity and privacy to maintain your license to practice law. Other states can be expected to follow suit.
“California and New York tend to be the kind of movers that change these [standards] fastest but then they spread across the country,” he said.