Unveiling Vulnerabilities: Navigating Personal Liability Amidst Cyber Attacks


Wow, there's a lot going on with the cyber insurance industry and cyber liability, and it's a fast-moving market. One of the things we're finding is that liability litigant attorneys are looking for deep pockets when it comes to these cyber claims. Security officers in any company should be verifying coverage under D&O (Directors and Officers) or even under cyber liability policies.

Why is that? Information security officers are likely to become targets of regulators and plaintiffs' attorneys in data breach litigation. What does that mean? If your company has some type of breach and it causes damage to third parties, ultimately it will, right? Your customers' information is going to be out there; maybe your vendors are going to sue you because you couldn't pay your bills, or maybe your clients are going to sue you because you couldn't deliver products. If anything like that happens, they're going to look to sue the company. But in addition, they're going to be looking at individual liability. Because if you're a security officer and you didn't put best practices in place, then you might be liable. If you're a board member and didn't put practices in place, you may be liable. If you didn't have proper active monitoring of your network, you may be liable. And you want to make sure that you have coverage. They call D&O insurance a kind of magic shield. Look, if you do something wrong on purpose, it's not going to cover you. But if you're doing your job and you use best practices and somebody sues you, you want to have this kind of coverage.

The most important thing to know is that the liability claims that are going to happen in the next 12 to 36 months are going to come from cyber liability. That's where all the damage is happening. It's not fire; it's not theft; it's cyber liability. You're seeing articles in the newspaper every day about another company getting hacked, a hospital, or a government agency. Make sure you have coverage and not just a rider on your normal insurance. If you call your agent and they say, "Hey, we have a cyber insurance rider," that's not good enough. Most cyber insurance riders are between $20,000 and $50,000, and they exclude a lot of things. You want to have a standalone cyber liability policy that covers up to a million or $2 million, or at least your annual revenue.

You also want to have what's called active monitoring. And a lot of these standalone policies will monitor your network every day to see if you have a breach. And they'll catch it before your IT person does, which is good. Your IT person is not bad; it's just that they're not watching it every single day. Also, you want to have a response team. If you have a breach in a company, you're going to be like a deer in the headlights. If you have active monitoring and a cyber policy, you can pick up the phone, and there's a number to call Ghostbusters. They'll take care of handling that for you. So be aware that these risks are increasing, and you are going to be targeted by regulators or attorneys if you don't put these things in place because they're going to be considered best practices.
