Rising cyberattack and litigation risks highlight the need for cyber insurance
Lawsuits only add to the astronomical costs of recovering from a cyber hack. Here's what businesses should know.
As ransomware attacks and data breaches increase around the globe, they are exacting a high price from businesses and from the insurers that provide cyber insurance coverage.
In the latest incident, a Russian cyber gang hacked Miami-based software company Kaseya in a ransomware attack that impacted about 70 of its customers — managed service providers with multiple downstream customers, according to The Associated Press. The attack might impact up to 1,500 small businesses like restaurants or accounting firms, reported CNN.
Often, lawsuits follow attacks like these.
Even when litigation doesn’t follow an attack, there are astronomical costs to recover computer systems and data and to notify and offer protection to people whose personal identifying information was lost. Lawsuits only add to the enormous expenses, which cause major disruptions to companies’ finances and operations or might even crush companies into bankruptcy.
To protect themselves, companies can purchase cybersecurity insurance. Lawyers who are experts in the cyber practice area say that any type of business that collects customer or employee data should consider buying this insurance. In some cases, the insurance will even cover the payment of ransom to cybercriminals.
“Cyber insurance policies should be part of any company’s portfolio,” said Jim Carter, of counsel with Blank Rome in Washington, D.C., who represents policyholders who have bought cybersecurity insurance. “Even a company that doesn’t think that it has much risk in terms of handling consumer data. Most do have personal data of employees.”
What is covered?
Cyber insurance pays for a company to hire a cybersecurity firm that conducts a forensic investigation to reveal exactly what happened in an attack. It pays for an attorney who can advise a business about the laws that it must comply with after a breach, Carter said. Many times, companies must provide notice to the people whose data was breached, which is another cost that the insurance covers.
A company might also need representation before regulatory agencies that launch investigations into companies that hackers have breached, Carter said.
When a cyberattack leads to people filing litigation against a company, the insurance company will step in to pay for defense attorneys and for a settlement or court-awarded damages to the plaintiffs.
“These policies have aggregate limits, and defense typically may be subject to the limits. A smaller company, maybe like $10 million is common,” said Carter, adding that major corporations often purchase “towers of policies” with much higher limits. “If you have a large cyber event, it can get eroded pretty quickly.”
‘Financial calculus’
A data breach is just one form of a cybersecurity attack. More common nowadays are ransomware attacks, said John Jackson, a partner in Jackson Walker in Dallas and Houston and chairman of his firm’s cybersecurity litigation group.
“It seems every couple of days, I am getting new calls about a ransomware incident,” Jackson said. “Insurance plays a big part in that – the ransomware.”
Just recently, data breaches in Georgia against ParkMobile, a mobile parking app, and in Texas against Waste Management Inc. have spurred litigation by customers or employees over compromised personal identification data.
Even the Texas judiciary was hit with a ransomware attack in May 2020.
The rising cyberattack trend is hitting corporations hard. Corporate Counsel reported that U.S. companies spent $2.9 billion in 2020 defending class action lawsuits. The law firm Carlton Fields surveyed general counsel and found that 42% of respondents thought the next litigation wave would be data breach suits.
Jackson said that until four or five years ago, cyber insurance was rare, but it has become increasingly common. Most big companies have it, but the insurance still hasn’t trickled down to smaller companies and nonprofits. That should change, said Jackson.
“Lately, I found ransomware is occurring with even nonprofits and smaller companies that are easier targets,” he noted. “It can be pretty devastating.”
Jackson said he’s seen insurers that have paid the ransom to cybercriminals. Sometimes, paying a $500,000 ransom is the cheapest option.
“It’s kind of a financial calculus. If the company is experiencing business losses, and they are losing say $100,000 a day, every day, and they have been shut down for two weeks, and it will take another week or two to get everything up and running,” Jackson explained.
There are three categories of litigation that might follow a cyberattack: litigation by customers, employees and shareholders, said Jackson. Shareholders have different sorts of claims — alleging a company was negligent by failing to use safeguards to avoid a breach. The customers and employees typically sue because their personal data was compromised in a breach.
It’s important for companies to provide protection — like LifeLock and credit monitoring — to people whose data was stolen, he said. Doing so protects not only those individuals from ID theft but also the company from liability.
Jackson noted, “If a consumer had personal information exposed and the company offered them the LifeLock protection, and they can’t show they suffered financial damage, then the lawsuit may be unsuccessful.”