Cyber-insurance is on the minds of most Boards (and, therefore, most CEOs, CFOs, and GCs). As a result, clients often ask us to benchmark their cyber-insurance policies, or to work with their brokers to make sure that the policies they purchase have real coverage.
The market for cyber-insurance is incredibly diverse, and there are a hundred traps for the unwary. If you are interested in understanding the gaps to look for, the exclusions to avoid, and how to get a reality check on limits, we’ve published several guides on the topic and have recorded several presentations. Understanding the traps can help steer you from buying a “junk” policy that provides no real coverage. But that’s not necessarily where the role of attorneys stops.
I always try to remind my clients to keep one thing in mind. There is no insurance for the “big” data risk. Why? The “big” data risk is your company’s reputation.
There are few instances I can think of where the potential reputational impact from the mishandling of data did not outweigh (exponentially) the possible legal liability. While some insurance policies provide access to public relations experts (at least in the case of a breach), and a few policies attempt to compute reputational damage by comparing earnings in the 12 months preceding a data event with earnings after a data event, no policy can make a company whole for the long term impact of losing the trust of customers and the public.
Managing the reputational risk is, unfortunately, a lot more complex than buying an insurance policy. It means making strategic decisions about what you collect, how you use it, with whom you share it, and how you will respond to a crisis – like a data breach – when it occurs. Those decisions require creativity, planning, and practice that can’t be purchased, but can turn out to be priceless.