Why You Need Cyber Risk Insurance – and Other Hot Topics in Cybersecurity

What’s hot in cybersercurity and data protection? Business insurance against cyber risks, increased scrutiny of corporate policies and practices to prevent – and respond to – cyber threats, updated privacy controls and standards from the National Institute of Standards and Technology, and more.

For your reference, a roundup of recent cybersecurity updates, from lawyers and law firms on JD Supra>>

Insurance Coverage for Cyber Attacks (K&L Gates LLP):

“While no organization is immune from cyber attacks, it is uncertain that companies are sufficiently aware of the escalating onslaught. Even companies that are sufficiently aware of the problem might not be sufficiently prepared. It is abundantly clear that network security alone cannot entirely address the issue. […] Insurance can play a vital role. And, yet, some companies may not be adequately considering the important role of insurance as part of their overall strategy to mitigate cyber risk. A recent 2012 survey conducted by global consulting firm Towers Watson reports that 72% of the 153 risk managers of North American companies surveyed ‘ha[d] not purchased network security/privacy liability policies.’” Read on>>

Insurance Coverage for Cyber Attacks – Part Two (K&L Gates LLP):

“The new cyber policies may come under names such as ‘Privacy and Security,’ ‘Network Security,’ and names that incorporate ‘Cyber,’ ‘Media’ or some form of ‘Technology’ or ‘Digital.’ ‘Cyber’ risk coverage can be extremely valuable. But choosing the right cyber insurance product can present a real and significant challenge. The cyber coverages available in the marketplace for cyber risks are far from standard. There is a dizzying array of cyber products in the marketplace, each with its own different terms and conditions. The terms and conditions of these policies vary quite dramatically from insurer to insurer — even from policy to policy underwritten by the same insurer.” Read on>>

Cyber Risk Insurance – Navigating The Application Process (Sherman & Howard L.L.C.):

“If your company’s current cyber security protocols are insufficient, the insurer may deny your application or charge higher premiums for the same coverage. Alternatively, if you purchase the policy and later have a cyber breach, triggering a claim under the policy, the insurer may scrutinize your application. Mistakes or misrepresentations on the application may result in a denial of coverage.” Read on>>

Cyber Risk Insurance May Cost More Than You Think (Zelle Hofmann Voelbel & Mason LLP):

“As the data breaches continue and the law develops, the risks and potential losses arising out of cyber claims will become clearer. This will be reflected in new specialty provisions and by new businesses seeking this type of coverage. Demand for this type of specialty coverage will most likely continue to grow, and more insurers will be ready to jump into this market. In the meanwhile, both insurers and insureds should be aware of the implications of their existing insurance policies, the potential cost and losses arising out of data breaches and any changes in state or federal law.” Read on>>

New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business (Mintz Levin):

“The National Institute of Standards and Technology (‘NIST’) has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53 titled Security and Privacy Controls for Federal Information Systems and Organizations (‘SP 800-53 Revision 4’), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. […@ Taking ‘a more holistic approach to information security and risk management,’ the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations.” Read on>>

New York Investigates Insurance Companies’ Cyber Security (BuckleySandler LLP):

“On May 28, New York Governor Andrew Cuomo announced an inquiry into the measures employed by insurance companies to protect their customers and companies from cyber threats. The state’s Department of Financial Services sent letters to 31 insurers seeking an array of information, including information about (i) any cyber attacks the company has been subject to in the past three years; (ii) the cyber security safeguards the company has put in place; (iii) the company’s information technology management policies; (iv) the amount of funds and other resources dedicated to cyber security at their company; and (v) the company’s governance and internal control policies related to cyber security.” Read on>>

SEC Considering More Stringent Requirements For Cybersecurity Disclosures In The Wake Of Stock Manipulating Hacking Case (Orrick):

“Following up on clues earlier this year that the SEC may increase its scrutiny of cybersecurity disclosures, SEC Chairman Mary Jo White has asked the Commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary. White asked the Commission to assemble a report on general practice and compliance with existing guidelines, and to make recommendations for future guidance. White did not yet commit to changes to the current guidelines, issued in October 2011, pending issuance of the report.” Read on>>

House Cybersecurity Information-Sharing Bill Provides Immunity Provisions for Reporting Companies (Loeb & Loeb LLP):

“The U.S. House of Representatives passed an amended version of the Cyber Intelligence Sharing and Protection Act (CISPA), with a 288-127 vote. The current version of CISPA (H.R. 624) would provide private-sector companies with protection from liability for sharing information on cyber-threats with federal government agencies. With the passage of this bill, the House attempts to resolve the problem of President Barack Obama’s Cybersecurity Executive Order not providing any liability protection to reporting companies. The bill provides both criminal and civil immunity for corporations sharing information with government agencies, as long as they act ‘in good faith.’” Read on>>

Notice of Proposed Rulemaking on Bulk Electric System Cyber Security Standards (King & Spalding):

“On April 18, 2013, the Federal Energy Regulatory Commission (‘FERC’) issued a notice of proposed rulemaking stating that it intends to approve Version 5 of the Critical Infrastructure Protection (‘CIP’) Reliability Standards submitted by the North American Electric Reliability Corporation, which pertain to the cyber security of the bulk electric system. The proposed CIP Version 5 Reliability Standards include ten new or modified Reliability Standards to address Bulk Electric System (‘BES’) Cyber System Categorization, Security Management Controls, Personnel and Training, Electronic Security Perimeters, Physical Security of BES Cyber Systems, Systems Security Management, Incident Reporting and Response Planning, Recovery Plans for BES Cyber Systems, Configuration Change Management and Vulnerability Assessments, and Information Protection.” Read on>>

Cyber Outlook: Executive Order Implementation, Congressional Action & Regulatory Requirements and Enforcement (Patton Boggs LLP):

“With the occurrence of near daily threats against the nation’s critical infrastructure (CI), cybersecurity continues to be a constant concern of owners and operators of CI, Congress and the Obama Administration. Responses to these significant threats require the consideration of both security and privacy issues… C-Suite Executives, General Counsels, CIOs, CISOs and Government Affairs Executives need to keep a close eye on the implementation of the Executive Order, new cyber bills coming out of the Congress, potentially new SEC cyber requirements, and FTC enforcement of consumer protections as a result of these ongoing cyber-attacks.” Read on>>

Cyber Criminals’ Menu Features the Food & Beverage Industry; Steps to Protect Your Business (BakerHostetler):

“The cost of a data breach can be devastating. ANX Corporation reports that the average direct cost of a credit card breach to a restaurant is $80,000. Perhaps more importantly, a shocking 70% of restaurants that suffer a breach go out of business within one year of the attack, according to ANX. Immediately after a breach is identified, the business must stop taking credit cards and remediate the breach. The business then would be required to be inspection by a Qualified Security Assessor (QSA) for the Payment Card Industry (PCI) on a yearly basis for three years or until the credit cards brands at issue agree to drop the reporting requirement. ANX identified eight key security gaps that affect food service organizations: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flaw security policies, negligence and poor change control procedures.” Read on>>

GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Federal Procurement (Patton Boggs LLP):

“On May 12, 2013, [General Services Administration (GSA)], on behalf of [the Department of Defense], the Department of Homeland Security, and the FAR Council, published a Request for Information (‘RFI’) seeking industry’s input in framing the response to the EO’s directive to incorporate cybersecurity standards into federal procurement decisions. Industry comments are due on June 12, 2013. The RFI contains a list of 37 questions on which GSA seeks input.” Read on>>

Government RFI on New Cybersecurity Measures for Federal Contracts (Proskauer):

“The RFI is part of a joint effort between GSA and the Department of Defense (‘DOD’) to help develop a framework for cybersecurity standards pursuant to Section 8(e) of President Obama’s February 13, 2013 Executive Order addressing the improvement of critical infrastructure security (E.O. 13636). Section 8(e) of the Executive Order requires that GSA and DOD, in consultation with the Department of Homeland Security (‘DHS’) and the Federal Acquisition Regulation Council, make recommendations to the President on the feasibility, benefits, and relative merits of incorporating cybersecurity standards in the government contracts sphere.” Read on>>

$45 Million Cyber-Attack Is Object Lesson From Verizon Study Showing No Business Is Safe, But Financial Institutions Bear Big Data Breach Risk (Pepper Hamilton LLP):

“Newspapers around the world recently reported that a sophisticated and well-coordinated cyber-attack resulted in the theft of $45 million from thousands of ATMs worldwide.1 The incident accentuates the conclusions of Verizon’s 2013 Data Breach Investigation Report (DBIR), compiled by a global team of government and private organizations analyzing computer security incidents over the past year. This annual report shows that companies of all sizes and types are likely to experience some sort of data breach — if they haven’t already – and highlights the risks for banks, brokers, and other financial institutions, which stand to lose the most if they fail to properly prepare for these security incidents.” Read on>>

The Real Lesson of Chinese Cyberhacking (Orrick):

“The real lesson of Chinese cyberhacking is not that China has hackers targeting America, but that U.S. companies’ trade secrets are valuable assets of the U.S. economy that need to be protected regardless of who is stealing them. […] This is not the time for another federal half-measure that will result in gaps in protection and loopholes. This is a time for the federal government to step up and pass a comprehensive federal Trade Secret Act — akin to the Copyright Act or Patent Act — that would include broad civil remedies and completely preempt state laws in order to provide uniform and maximum protection for this valuable resource of the national economy.” Read on>>

Also watch:

Related reading:

 

 

 

Find additional updates on Cybersecurity at JD Supra Law News>>