What CPAs Need to Know About Cyber Insurance Today
The year 2019 ended with a number of cyberattacks on New Jersey government entities and businesses. In December 2019, it was reported that Hackensack Meridian Health was hit with a ransomware attack that disrupted care across its clinics and 17 hospitals. The attack brought down the network's computers for two days, and the healthcare network was forced to cancel some surgical procedures. According to press reports, Hackensack Meridian paid hackers an undisclosed ransom amount, which was covered by insurance.
Indeed, prior to COVID-19, cyber security was at the top of the list of concerns for accountants, as well as other finance, legal and risk management professionals. Unfortunately, COVID-19 hasn’t reduced this threat. If anything, threat actors are exploiting the fact that many people are working at home — distracted and less focused on cyber hygiene — to gain access to corporate systems for nefarious purposes.
Accountants are familiar with insurance policies, including cyber insurance and other policies such as crime or property, which are likely to have responsive coverage to cyber crime and cyber breaches. But the key to assisting clients in understanding such assets in the event of an attack is to fully know the policy terms and to understand that cyber insurance generally includes both first-party and third-party liability insurance, each of which may be important following an incident.
First-Party Cyber Coverages
Although the coverage and policy language may differ from policy to policy, first-party cyber coverages generally include breach response as well as the following:
- Event management (including data recovery, betterment, etc.)
- Cyber extortion
- Network/business interruption (including system failure and voluntary shutdown)
- Dependent business interruption (for IT and non-IT providers)
- Consequential reputational loss
Following a security breach, an accountant will want to review a company’s cyber policy to seek reimbursement for the company’s breach-related costs and expenses. Some insurers have relationships with certain professional firms, including their technical and legal experts, and may cover breach response costs without reducing policy limits.
Accountants will also look to cyber policies for reimbursement for the costs associated with restoring data that is changed, damaged or lost following a breach. Similarly, cyber policies may cover business interruption losses, including those which arise out of attacks on a vendor or cloud provider.
The case of one law firm demonstrates how detrimental these attacks can be. Following a ransomware attack on the firm’s network, the attackers encrypted the firm’s files so that they were not accessible without payment of a ransom. The firm paid the cyber criminals a $25,000 ransom, but it still took more than nine months to retrieve the corrupted information. As a result, the firm suffered more than $700,000 in business income losses. Other businesses faced with similar attacks have been forced to close due to the financial loss.
As such, first-party cyber coverage, including business interruption, is a risk management tool that accountants and policyholders may need to call upon following COVID-19-related attacks.
Third-Party Cyber Coverages
Although the coverage and policy language will differ from policy to policy, third-party cyber policies generally include coverage for the following:
- Network security failures and privacy events
- Regulatory defense and penalties (including coverage for General Data Protection Regulation (GDPR) liabilities)
- Payment Card Industry Data Security Standard (PCI-DSS) liabilities and costs
- Media content liability
As an example, Facebook settled a class-action lawsuit, which arose under the Illinois Biometric Information Privacy Act, over its use of facial recognition technology. The case reportedly settled for $550 million. It is particularly important, therefore, for accountants watching the bottom line to assess a company’s coverage for claims by consumers and employees, including class actions and regulatory actions arising out of data breaches.
As COVID-19 has seemingly emboldened threat actors, accountants are encouraged to review and understand cyber insurance coverages so as to maximize recovery in the event of an incident.
Peter A. Halprin
Peter A. Halprin, Esq., FAiADR, FCIArb, partner in Pasich LLP's New York office, is insurance recovery counsel for commercial policyholders. His practice includes representing clients in matters involving cyber breaches and cyber crime.
This article appeared in the January/February 2021 issue of New Jersey CPA magazine.