The obligations imposed upon organizations under federal, state and common law to undertake reasonable efforts, consistent with best practices and industry standards, to protect private information and to avoid or minimize liability in the event of a data breach, should not be ignored. In the wake of a cyber-attack that results in the disclosure of personal identifying information and/or personal health information, an organization may suffer substantial costs, including business interruption (lost income) and expenses for forensic investigation, restoration of network operations and data, reputational damage, compliance with breach notification statutes, regulatory compliance, addressing regulatory inquiries, imposition of regulatory fines, crisis management services, remediation expenses, including credit card and fraud monitoring protection for its customers, legal fees and litigation costs. Additionally, expenses may be incurred as a result of class action and derivative lawsuits stemming from the breach and claims for, among other things, breach of privacy based on the organization's alleged negligence in failing to protect its customers' data.
What an organization does prior to being “hacked” is as important as what it does in response, particularly from a regulatory and third-party liability perspective. Adopting best practices, meeting or exceeding recognized security standards, and maintaining defenses to detect, defeat, minimize and contain cyber-hacks, as well as having a Written Information Security Program (WISP) in place, will demonstrate that the organization took seriously its responsibilities to protect its customers' data, thereby reducing, if not eliminating, its liability for fines and damages. Equally important is having a prepared incident response in the event of a cyber-attack, with each key member of the incident response team ready to execute a predetermined role.
Morrison Mahoney’s team of attorneys includes those well versed in cyber risk assessment and response options, along with attorneys experienced in insurance defense claims and litigation management, claims monitoring and resolution strategies, and insurance coverage issues and policy drafting, capable of providing services to a host of corporate, brokerage and insurer clients.
So while we can, and have, provided traditional services for our insurer clients regarding risk assessment and policy drafting in the cyber risk space, we equally have been at the front line of assessing risks for businesses and helping them shape their best practices and response strategies to the cyber threat.
Services for Businesses
Our attorneys have assisted businesses with navigating applicable federal and state law, as well as developing and reviewing compliant incident response plans and corporate governance policies to ensure that C-Suite executives, the Board of Directors and other key personnel are involved with the CIO and CISO in the implementation of cybersecurity prevention and defense, as well as the incident action plan. In that regard, as the Board of Directors of any organization must execute its risk assessment and oversight responsibilities when it comes to cyber-threats, we have worked with our clients to ensure that employees and officers are involved in, kept aware of, and approve cybersecurity measures implemented by the organization to thwart and respond to cyber-attacks. We have assisted in establishing reporting channels through C-Suite executives and/or Board-appointed executive committees to report to the Board about cyber-security measures, threats, audits, probes, surveys and other related issues that are being implemented to secure and prevent data breaches at a network and employee level. To further effect best practices, we provide executive C-Suite training, with an emphasis on board risk assessment responsibilities and corporate governance, as well as providing employee training, education and awareness of an organization's data security policies and procedures.
Finally, we have also assisted with other required cyber-security considerations, such as the evaluation of specialty cyber-security or risk insurance.
Services for the Insurance Industry
Business cyber risk has necessitated that the insurance industry evaluate the exposure under traditional insurance products as well as consider the development of new products to address the risk.
For the broker community, this requires that they become fully conversant in the potential risks facing their clients and ensure that their clients follow best practices regarding their cyber risk. Our team of attorneys can provide the necessary risk assessment audit to aid in the presentation of an application for coverage, as well as educate both broker and client in the cyber risk exposure and response options to the threat.
Correspondingly, for our insurance market clients, we can assist in identifying and educating both underwriters and claims personnel in the nature and scope of the cyber risk. In addition, we can provide pre-underwriting audits for Underwriters to assess specific insured risks and best practices.
To better understand the risk for any particular insured, we can help our insurer clients implement stress tests and assessments for their insured’s IT infrastructure prior to underwriting a cyber-risk policy, which can include a robust vendor assessment process and ongoing cybersecurity assessment surveys.
With threat scans, post-policy audits, and increased demand for specialty cyber-policies and concomitant risk and exposure, our practice group can assist Underwriters in defining the scope of coverage and exclusions to limit the nature of the risk that may be underwritten.
At the claim stage, we can assist in the investigation and evaluation of the exposure and provide advice for proper crisis management, compliance with applicable federal and state breach notification laws, credit and fraud alert monitoring services, regulatory compliance, remediation, and limiting of reputational damage and attorneys' fees and litigation costs.
Our services and experience can be provided directly to an insured under primary coverage, or we can provide claims monitoring of cyber-related claims for insurers, either where an insured has its own counsel, or in the context of excess monitoring. Our team’s experience in handling large multi-jurisdiction losses can provide claim resolution strategies to both insureds and insurers, including controlling litigation costs and expenses.