Judy Selby is a partner at Hinshaw & Culbertson LLP. For more than 25 years, Judy has served as...
Sharon D. Nelson, Esq. is president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. Ms....
John W. Simek is vice president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. He...
Cyber threats can often seem like a distant threat and cyber insurance an overzealous safety measure. But as technology becomes more and more a central part of any legal practice, cyber insurance is becoming increasingly vital to a company’s financial health. In this Digital Detectives, hosts Sharon Nelson and John Simek talk to Judy Selby about what cyber insurance covers, the different types of coverage, and why it’s an important part of a legal business. She also discusses the key things to keep in mind when investing in coverage and how to find a policy that fits your particular needs.
Judy Selby is an insurance consultant with over 25 years of insurance coverage litigation experience on behalf of insurers and policyholders.
Cyber Insurance Expensive, Complicated, and Necessary
Sharon D. Nelson: Hey listeners. There is a brand-new show on Legal Talk Network about the First Amendment, called Make No Law. Trust me, it is phenomenal. Here’s a quick trailer about the show.
Ken White: News and pop culture are full of controversies about free speech in the First Amendment. We hear terms like hate speech and heckler’s veto in a barrage of coverage about campuses, protests and even wedding cakes, but what does it all mean and how do we get here. That’s exactly what my new show Make No Law: The First Amendment Podcast from Popehat.com will explore.
I am Ken White and I invite you to tune in every month for the history, stories and personalities behind the right to free speech and the most important Supreme Court cases establishing it.
Sharon D. Nelson: You can find Make No Law on HYPERLINK “http://www.legaltalknetwork.com/”legaltalknetwork.com, Apple Podcasts, Google Play, or wherever you are listening to this podcast. Enjoy.
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 88th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics cyber security and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, “Cyber Insurance: Necessary, Expensive and Complicated.”
Sharon D. Nelson: Before we get started, I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.
We’d also like to thank our sponsor HYPERLINK “http://www.PInow.com/”PInow.com. If you need a private investigator you can trust, visit HYPERLINK “http://www.pinow.com/”pinow.com to learn more.
John W. Simek: Our guest today is Judy Selby, the Founder of Judy Selby Consulting. Judy brings 25 years of insurance coverage litigation experience on behalf of insurers and policyholders to her insurance consulting and expert witness work. She has a particular expertise in cyber insurance and coverage under various policy forms for today’s emerging risks.
She provides coverage evaluation, policy negotiation, and gap analysis services to companies across multiple industries, helping them to make the most of their insurance premium dollars.
She’s also the author of the newly released eBook, ‘Demystifying Cyber Insurance: 5 Steps to the Right Coverage’, which is available on Amazon. And I know that because we’ve purchased it.
So thanks for being with us Judy.
Judy Selby: You were the one, John.
Sharon D. Nelson: Well Judy, let’s start out with a 10,000 foot view, because this is a subject a lot of people are confused by and don’t know a lot about, so could you give us that high level overview of cyber insurance and what it covers.
Judy Selby: Sure. At the most fundamental level, cyber insurance covers privacy and network security. So by that I mean, first and foremost, data breach.
So almost, I think every policy on the market provides coverage for data breaches and there are two types of coverages that are typically involved with that. One is called first party, the other is called third party.
The first party coverage would cover the expenses that the breached entity, the insured itself incurs in the event of a cyber incident. So those would be things like PCI assessment, forensics, notification costs, if you have to notify data subjects, credit card monitoring costs.
One of the best benefits of the first party coverage for data breach under a cyber insurance policy is that most carriers have relationships with teams of experts who have handled many, many breaches in the course of their careers. I call it a Cyber SWAT Team, and they usually can refer the insurer to one of these teams or usually headed up by an attorney, a very experienced breach attorney, sometimes called a breach coach, and they have kind of been there and done that a lot of times.
So for the insurer that’s experiencing a data breach — everybody’s hair is on fire, it’s a bit of a crisis internally, but for an experienced cyber team, this isn’t the end of the world and they know how to get you through the process with the least amount of trouble possible.
And we know from recent history that breaches that are handled well are — at the outset, are less expensive in terms of money and in terms of reputational cost to the enterprise.
So particularly for small and mid-sized businesses, this component of the coverage is probably the most valuable. The other part of the coverage, the third-party coverage is what you rely on if you get sued by third parties; claims, class-action lawsuits, some regulatory coverage, things of that nature.
The other high level type of coverage that’s typically found in a cyber policy is network security coverage. So if something happens with your network and it’s a covered cause of loss and your customers can’t access your network or your network starts transmitting malware or is co-opted for a DDoS attack or your data is damaged by an attack of some sort, there’s coverage for that.
So I’d like to say that those are the two real fundamental types of coverage and they really can be a lifeline for companies, particularly small and mid-sized companies that don’t have the in-house capabilities to deal with this type of event.
John W. Simek: Well, if somebody was considering getting cyber coverage, can you tell us a little bit about what some of the key issues might be to keep in mind?
Judy Selby: Sure. Well, it’s a new and growing area, so there are a lot of issues inherent with the current situation. So I always refer to something called the Snowflake Effect, a good friend of mine kind of coined that phrase for cyber policies, meaning that no two policies are the same.
So carrier A’s policy will be different from carrier B’s policy. Although the fundamental coverages may be the same, there could be very, very important differences among all of the policies on the market. And there are a lot of policies on the market now.
So you really have to look at what you’re thinking about buying and I have to emphasize, you have to read every single word or get somebody in there to help you and really make sure you’re understanding the coverage.
So for example, you may look at one policy that says, we provide coverage for security event and you look at another policy and it will say the exact same thing.
And so you’re inclined to think, okay, well, these two policies are the same at least with regard to that coverage. But if you don’t take that extra step and see how that term security event is defined, it could mean very different things under the different policies.
So the lack of uniformity, the differences in definitions, all these types of things can make it a little bit challenging to select the right policy. It’s also complicated by the fact that the brokers out there are of varying levels of knowledge about the policies. So that can create some issues as well.
So it’s a really a buyer beware type of situation to try to get the right policy to fit your company’s particular cyber risk profile. But in my view, it’s well worth the effort for most companies.
Sharon D. Nelson: So let’s talk a little bit about the application process which I regarded when I went through it as an absolute nightmare. It was over 20 pages, I cannot think how many hours it took me to do it, it just it was a nightmare. So what types of information do insurers look for from a potential insured?
Judy Selby: Well, you hit on a really great topic Sharon, and it really depends on the insurance company you’re dealing with. So you had an application that was very lengthy, there are other carriers out there with applications that are only six questions.
So it really is going to depend on the insurer that you’re dealing with but basically what the carriers ask for, the types of information tends to be the same, such as the types of data that that you hold. Are you dealing with protected health information, are you dealing with PII, credit card data, and they may ask questions about the volumes of data that you have as well.
They may ask about your outsourcing of IT functions and data hosting functions things of that nature. There probably will be questions around how you’re handling data and security? Are you using encryption, firewalls, things of that nature? What type of regulations your enterprise is subject to?
They may also ask for written policies for — if you have written policies around privacy, website content, things of that nature, and they may also ask if those policies have been written and/or approved by a qualified attorney. Some carriers will actually ask for copies of those types of policies as well.
So I always urge companies to be extremely careful when they’re filling out an application for coverage.
If the policy is eventually issued, the application becomes part of the policy and so any misrepresentations in the policy, any application responses could create a coverage dispute later on if you have a claim. In connection with filling out the application, you also should consider making sure you have the right expertise, the right group of people around the table helping you answers those questions to give those correct answers.
You probably need a cross-section of stakeholders within the enterprise to do that. If it’s a big company, you may need someone from HR, someone from IT, someone from legal. You may also need to go outside of your enterprise and talk to third-party vendors if some of the questions pertain to what they’re doing with your information and you don’t know internally.
But one other point that’s relevant to cyber insurance applications and to applications generally is make sure you understand the question before you answer it. If you don’t think or you have any questions, get some clarification from the insurance company before you answer.
There was just a case decided very recently; it wasn’t a cyber insurance case but it was a case where the insurance application had a double negative in the question. And the insured answered the question a certain way, and it led to this huge coverage dispute that went all the way up to a federal appellate court.
So make sure, you understand the question before you answer it. One other point is oftentimes in cyber applications, they ask what your practices are around certain things. So as I mentioned, buy around encryption or use the firewalls, things of that nature. So they are probably not asking what your practices are only on that specific day that you are answering the application questions.
So I think the implication usually is pretty clear that that is what you are doing – what are you going to be doing over the course of the policy term? So whatever you’re answering there, make sure that remains accurate throughout the lifetime of the policy. So a company should find a way to operationalize those types of issues so that somebody is in charge of that so that you don’t have any missteps that can jeopardize your coverage later on.
John W. Simek: Well, Judy tell us some of the new types of coverage that are being offered by the cyber insurers?
Judy Selby: Yeah, this is a really exciting time John for the cyber insurance because the insurers I think are working very hard to try to provide coverage to address these new and emerging risks. In fact, in my book, I really emphasized that the coverage is not just for data breaches anymore, although that’s critical coverage obviously.
But there’s coverage now for things like social engineering, contingent business interruption that would be a circumstance where somebody the insured is dependent on goes offline for a while. So let’s say, I’m depending on an outside vendor to perform some vital function for me and they’re knocked offline by a DDoS attack. I might be able to get coverage for my downtime caused by their downtime.
So that’s some — in this age of interconnectivity among all our digital enterprises, that coverage can be really, really important. There’s also coverage for cyber extortion, ransomware. There can be coverage for theft of senior officer personal funds in the event of a data breach and for corporate identity theft.
But like cyber insurance in general, you want to be careful. You really have to read these additional coverage parts and make sure that you understand the coverage you’re getting. I just published an article today on social engineering coverage for example and there are all different types out there. There’s one type that will only cover social engineering in the event that somebody is impersonating an employee within the covered enterprise.
So that wouldn’t respond if you had a fraudulent email purportedly on behalf of a vendor or a client. And that happens a lot. So you don’t want to just look at the title of the new coverage. You want to make sure you really read it and understand it. So you know what you’re getting.
John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country had been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients’ peace of mind knowing their information is secure. Learn more at HYPERLINK “http://www.sitelock.com/legal/digitaldetectives”sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit HYPERLINK “http://www.pinow.com/”www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Cyber Insurance: Necessary, Expensive, and Complicated. Our guest today is Judy Selby, the Founder of Judy Selby Consulting. Judy brings 25 years of insurance coverage, litigation experience on behalf of insurers and policyholders to her insurance consulting and expert witness work.
So Judy, what are some of the ancillary benefits provided by cyber insurers? I think a lot of people don’t know about those.
Judy Selby: Yeah well one of the benefits of the cyber insurance market being kind of a soft market, a competitive market for the insurance companies is that a lot of insurance companies are offering kind of what we call loss control services to their policyholders; sometimes for free, sometimes at deeply discounted rates.
Things like risk assessments, discounted legal and other vendor type services, employee training, and incident response planning and training; things of that nature. So you can get those things either for free or at a very low cost and/or sometimes, the carrier will actually discount your premium if you take advantage of some of these additional benefits. So they really are quite helpful.
John W. Simek: So Judy, could you describe the current cyber insurance market and what it really means for potential insureds?
Judy Selby: Yeah, I alluded to that a little earlier. I call it the Wild Wild West. The downside is that it can be hard to compare forms from one insurer to another or even within one insurance company itself, they’ll have a form today and come out with a new version of the form tomorrow. And so, and that’s the same insurance company.
So those things create challenges. But the upsides are, as I just mentioned, it’s a soft market meaning you can try to negotiate for better coverage; especially, if you know the market. So if I’m working with a client and we’ll go to an insurer and say we want this provision in our policy and they say, we don’t do that. If we come back and say well, this other carrier is doing it. We can usually use that as leverage to get a better policy provision in our client’s policy.
So it gives you an opportunity to negotiate for that better coverage, try to narrow exclusions and manuscript coverage that’s better suited for your particular needs.
Sharon D. Nelson: Well, that’s perfect. I like the idea of negotiating because there are so many times in life when you have no negotiating power whatsoever. So that is a gift. And along those lines, the insurance company will ask a lot of questions of the law firm but would you tell us what key issues the law firm should raise with the insurer?
Judy Selby: Well, the first thing you want to do is make sure that they’re providing coverage that matches up with your cyber risk profile. Hopefully, you know what that is in advance. You’ve taken an assessment of yourself and you know where your pain points are, where your exposures are.
And you want to make sure that the insurance carrier provides coverage to match up well with what your real risks are. So you also want to work with them on narrowing and eliminating some exclusions. I’ve mentioned that already but you really want to work with them on that. It’s possible to be done in this current marketplace.
You also want to make sure that your policy dovetails well with other insurance policies in your insurance portfolio. You can create a dangerous situation if you have two policies that apply to the same risk and sometimes, you’ll have an endorsement on, a general liability policy, for example, that provides some cyber coverage.
So if that policy is providing some coverage and you have a cyber policy providing coverage that can create issues. So you want to work with your insurance companies to prioritize which policy goes first in that type of situation.
You also want to talk to them about identifying choice of counsel. If you have a particular law firm that you want to work with and even though you’re a law firm, you may want to have — as you probably do want to have a different law firm, as your designated go to firm in the event you have an incident.
You can get that written right into the policy many times that we use the XYZ law firm. That saves time and trouble later on but then it gives you the opportunity to work with a firm that you want and you’re comfortable with. So those types of things you should talk to in advance before you actually purchase the policy.
John W. Simek: Well let’s take that a step further Judy, and let’s say I’ve purchased a cyber policy, what should the insurer do after that?
Judy Selby: Well, I’ll tell you what not to do and what not to do is put the policy up on the shelf and forget about it. You want to make sure that you really read the form and that you understand what the form is requiring you to do. I mentioned earlier that you may have made representations in the application, that yes, we always encrypt data at rest and we always do this and we always do that.
So as I said earlier, make sure that you’re actually doing those things that you told the insurance company that you’re doing. So you want to kind of operationalize those types of things, make sure you know who you have to give notice to in the event you have a claim and when you have to give notice.
Policies can have real strict requirements around whose knowledge of a claim is relevant in terms of giving notice. And they also almost always have requirements to get the insurance companies’ prior consent before you expend any funds. So you want to make sure that you identify all the key stakeholders within your enterprise, who are implicated by these requirements and conditions and make sure they know what their jobs are.
And you also probably want to make sure you put your — put notice your insurance carrier in your incident response plan. Because when everybody’s running around after an incident, with their hair on fire, it might be easy to forget to put your insurance carrier on notice. So you want to make sure you do that.
Another thing to think about is as new exposures emerge, as they frequently do in this cyber space, maybe you’re six months into your policy and there’s some new horrible cyber crime going around that nobody foresaw. You might want to get in touch with your insurance company or your broker and say, is there coverage available for this type of new exposure and have that added on to your policy as well.
Sharon D. Nelson: Judy, there hasn’t been a lot of litigation involving cyber insurance; although, my particular favorite is the case that is commonly known as the We Don’t Insure Stupid case. But can you please discuss some of the recent cyber coverage disputes.
Judy Selby: Yeah, probably the biggest issue being litigated actively right now is coverage for social engineering under crime policies, usually under the computer fraud, insuring agreement in crime policies and the insurers are taking a very hard stand on coverage for those claims.
So some are up on appeal, it will be interesting to see how those things shake out. Insurers are also fighting pretty hard on coverage for data breach type claims under general liability policies; particularly, under the advertising and personal injury coverage in those policy forms.
So again, there are a few things on appeal there and we’ll see how those pan out. And there was also a case a few years ago, that’s definitely worth mentioning or the issue is worth mentioning more so than the case itself. The issue is coverage for liability assumed under contract.
There’s a common exclusion in insurance policies of all sorts including cyber but there are certain coverages available under a cyber insurance policy typically, for certain types of those liabilities; particularly, for liabilities assumed under a contract with PCI, the entity that regulates credit cards.
So those are some of the hot areas that are being litigated right now. So we’re expecting some important case law to develop in this area soon.
John W. Simek: Well Judy, do you expect to see more coverage battles in the future and what issues do you think will give rise to those disputes?
Judy Selby: Yeah, I think eventually, we will start seeing some hard-fought battles under cyber policies. I’ve been involved in situations myself where carriers denied coverage because the insured didn’t get prior consent before incurring cost. They just jumped in and dealt with the nightmare and forgot to notify the insurer, so things of that nature.
But on a broader scale, I think we may see coverage litigation around things like the insured’s failure to discover a problem before the policy was issued. Maybe a breach was ongoing for a long time and the insured didn’t disclose that and maybe they didn’t know but the question may be well, should they have known and when should they have known?
So that type of issue may — we may start seeing some things around that area. Also around misrepresentations in the application, whether they were intentional or not, I expect to see some action in that area and related to that is a failure to continue doing what you said you were doing. As I mentioned twice, I think so far, as you say you encrypt, make sure you’ve encrypt throughout the policy term, things of that nature.
Sharon D. Nelson: Are you seeing more and more people requesting GDPR coverage and you might explain what GDPR is?
Judy Selby: Yeah, it’s a hot issue and it’s a complicated issue because there are different types of liability that emerge under the GDPR. Some are easier coverage questions than others.
For example, data breach coverage is the easy question. So if you have a breach that gets you in trouble under GDPR, you have that coverage under the cyber policies. Now, on the regulatory side it’s more complicated. A lot of cyber insurance policies provide some regulatory coverage and again this is where you have to dig in and see exactly what you’re getting.
Oftentimes, that coverage is dependent on or has to arise out of a breach situation. So, if a regulator wants to investigate your law firm because of a breach, you probably have coverage there. But GDPR imposes liability around your practices for using data, were you supposed to collect it, were you supposed to keep it, were you supposed to get rid of it or and how are you storing it, even in the absence of a breach.
So that triggers lots of interesting coverage questions such as our insurer is willing to write that coverage and then, how will they try to limit it and protect themselves. There’s also the issue of coverage for the tremendous fines under the GDPR and whether they will be covered?
A lot of states prohibit coverage for punitive damages. So that could be a problem and so the issue is our GDPR fines going to be considered punitive. And I know the GDPR says the fine should be “dissuasive”, so there might be an argument that they should be considered as punitive damages.
We’ll see how that all shakes out and there could be some workarounds, maybe going offshore to Bermuda to get some coverage for fines and penalties that might not be insurable in the US.
So it’s a — it’s a pretty hot area and I urge companies with these additional exposures brought on by GDPR to take a real hard look at their coverage; not just cyber by the way, also your D&O coverage because if your Directors and Officers are sued for failure to properly supervise cybersecurity, inadequate funding of cybersecurity, some type of wrongful act around that, you’d want to have the right D&O coverage to kick in and provide some protection there.
Sharon D. Nelson: Well thanks for going through that. That was sort of an additional question. And for those of our listeners who do not know we were speaking about the European Union’s General Data Protection Regulation, which is short-handed to GDPR and it becomes effective on May 25th of 2018.
So if you haven’t ramped up yet it is certainly time to do so. And Judy, we sure want to thank you for being with us today. Your expertise is phenomenal. This is a very thorny subject, I know every time we talk to lawyers about cyber insurance, their eyes glaze over and they really do look like a deer in the headlights. So it’s really helpful to have somebody who knows everything you know talked to us today.
Thanks for being with us.
Judy Selby: It’s really my pleasure, and thank you both for having me.
John W. Simek: Well, that does it for this edition of Digital Detectives, and remember you can subscribe to all the editions of this podcast at HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on Apple podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at HYPERLINK “http://www.senseient.com” senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.
Doug Austin and Brett Burney give best practice tips for audio and video discovery.
Judy Selby gives a comprehensive overview of the many uses and risks associated with biometric information.
Cybersecurity expert Mike Maschke explains how penetration tests help lawyers protect themselves by identifying weak points in their security systems.
Maura Grossman discusses how TAR is used by medical researchers to support their efforts to understand and treat COVID-19.
David Ries gives an overview of work-at-home and remote access best practices.
Doug Austin surveys the current state of the eDiscovery industry and discusses emerging trends.