When company directors ask me about whether or not they should purchase standalone cybersecurity insurance, I always give them two simple analogies which I think are apt here: (1) would you ever think of sitting on a board of directors if it did not have directors and officers liability insurance? And (2) would you ever own a home or drive a car in a metropolitan area without homeowners insurance or auto insurance? The answer I get to both these questions is, “of course not.”
My follow-up question thus is, “Given that this company has twenty million pieces of customer data, credit card information and PII, do you think standalone cyberinsurance is a good idea?” The answer is, of course, “Yes, absolutely.”
Cyberinsurance is a good idea for almost any company dealing with, storing, or analyzing data as an adjunct to its business model. The risk of a cybersecurity breach is well apparent to any person reading the newspaper or news blogs daily. Whether it is a spear phishing attack, a ransomware attack, or a distributed denial of service attack, these risks are apparent and well-known. Some risks are so severe (like ransomware) that they have been the subject of multiple FBI warnings. Similarly, the potentially large costs associated with a cybersecurity attack are also well known. For large businesses, these costs can run into the tens if not hundreds of millions of dollars when you add in all the factors associated with a breach: notification costs, cybersecurity incident response costs, crisis communications costs, and, of course, the lawyers. Knowing both the risks and the costs of a cyber attack, a company has two options: (1) self-insure, using its own balance sheet cash, or (2) transfer some of the risks and liabilities of a cyber attack to a third party for a fair premium. Say that premium was hypothetically $200,000 for a $10 million standalone cyber insurance policy. So on its face, cyberinsurance seems to present a good return on investment.
As noted in the article, “What is cyber insurance and why you need it,” cyber insurance provides reimbursement for a whole host of potential costs, most importantly, the forensic costs of “cleaning up” the cyberattack, and the litigation costs associated with the likely numerous class actions brought by customers or patients. The sum total of the importance of an investment in cyberinsurance was succinctly said in the article, “On a larger scale, the Centre for Strategic and International Studies in 2014 estimated annual costs to the global economy from cybercrime was between $375 billion and $575 billion. Although sources differ, the average cost of a data breach incident to large companies is over $3 million. Each organization has to decide if they can risk that amount of money, or if cyber insurance is necessary to defray the costs for what very well may occur.”
There are a whole host of other benefits that cyber insurance can provide a company in today’s high-risk climate. In my own opinion, the most important benefit might be “resiliency,” i.e., the ability to recover from an attack with your reputation and customer base intact. We strongly urge all our clients to consider standalone cyber insurance for their corporations and businesses. We urge you to consider it as well.
Paul Ferrillo is counsel in Weil, Gotshal & Manges’ Litigation Department.