The dispute comes as demand soars for “cyberinsurance,” with companies seeking to protect themselves against customer claims and associated costs for data and identity theft.
How to write such policies has become a huge subject of debate in the insurance industry.
This is an important issue. As the article states, organizations are seeking to minimize damage by purchasing Cyber Insurance. The insurance industry has not settled on any model language or standards and likely won’t for some time. It will take even longer for newly created language to be tested in the courts.
- Attorneys need to vet existing insurance policies thoroughly and work closely with their security team to understand the risks their organization faces and the possible damages that may accrue in the wake of a successful attack. Determine whether your existing insurance will cover the risks your organization faces. As there is not any case law of significance directly on point, this may be the time to bring in outside specialized counsel.
- If there is a gap between what you are insured for and what you are willing to self-insure for, work with your carrier to fill in the gaps. Again, bringing in outside counsel to assist may be a wise expenditure. IMPORTANT: Your carrier will likely not write a policy unless you meet certain standards. You must have a program in place to drive compliance to the agreed standards. Your CPO should be well positioned to meet this need. If not, you may want to look at your privacy program and how it fits in your organization.
I haven’t yet reviewed the complaint in detail, but I have made it available here and intend to go through it in more detail shortly.
This is not an issue you want to let slide. It’s one of those issues that companies don’t think about, and then, when they need insurance the most, they find that it’s not there.
On a related note, you can find an excellent article on insurance and denial of service attacks here.