Mark Goodman is a partner in our San Francisco office. In this hoganlovells.com interview, he addresses the need for companies to manage their cyber risk and the role that insurance plays in an organization’s overall risk management and cyber liability strategy.
“Businesses are well aware of the risks that cyber activity poses and many are seeing a need to protect against cyber liability,” said Goodman. “Cyber insurance — like other types of commercial insurance — is a good way to help mitigate risks associated with cyber liabilities. I think any business of significant size certainly is going to be concerned with cyber liability. But not all businesses are aware of all of the ways that they can control the risks attendant to doing business in cyberspace.”
What types of companies need cyber insurance?
Goodman: Larger companies might be self-insured for most of their insurance program, but they might not have a self-insurance program for cyber risk since it is relatively new. Medium-sized companies typically don’t self-insure, they usually use outside insurance. For those companies, it is particularly important that they know what insurance products are available that can protect against cyber risks and what the costs of the various products are.
Often, companies just don’t know what’s out there. They hire a broker, and the standard insurance package the broker gets doesn’t always include the more specialized coverage some companies need depending what their businesses are.
What are some of the specialized coverage options a cyber insurance policy should include?
Goodman: Having both sufficient coverage for the liability and also a defense obligation — to protect against those situations where the company is sued for leaking or mishandling cyber information. Litigation costs can be an extremely expensive part of cyber risk. A company buying an insurance policy will likely want to make sure that it has insurance that provides both an indemnity and a defense to cyber risk. You want the defense to be outside of insurance policy limits, if at all possible, so that you can have adequate coverage for what will likely be a very expensive component of a cyber risk event. And you want to be able to make sure that your insurance company allows you to choose, or at least to have a say in the choice of, defense counsel. At the very least, a company should make sure that its insurance company has on their panel of approved counsel a firm that is extremely capable of defending what are very significant risks for the company. When we are talking with our clients, we make sure that their policies would allow them to use Hogan Lovells to defend their cyber liability cases.
You also want to make sure that the cyber insurance policy doesn’t exclude business activities that the company actually engages in and are a primary part of what the company does. Insurance policies will exclude, for example, work that is done internationally. You need to make sure that you’ve got worldwide coverage if you are a business that does international work.
You want to make sure that you at least have a defense for alleged intentional conduct. In various jurisdictions, you can’t get indemnity for intentional conduct but you can have a defense for alleged intentional conduct or criminal conduct. So if you are being investigated by a government entity, for example, for a leak of information or some alleged impropriety, you want to make sure that you have coverage for that as well as just for civil actions brought by plaintiffs or classes of plaintiffs alleging some damage as a result of cyber activity.
How has cyber insurance evolved and changed over the past decade?
Goodman: Cyber insurance has been around for ten or more years in some shape or form. With the events that have happened during the past three to five years, we’ve seen more and more companies experience large losses as a result of cyber activities. In response, the market for cyber insurance has developed from an amorphous concept to understanding what the risks really are and providing specific insurance for those particular risks.
Why is Hogan Lovells so well situated to help clients assess what type of cyber insurance policy is the best for them?
Goodman: We are one of the few law firms in the world that has dedicated and well-regarded privacy, cybersecurity, insurance, and litigations groups. It is really valuable for clients to have these cross-practice teams that work really well together. We make sure that our clients get the insurance they need. But the fact that our clients are also being counseled on state-of-the-art techniques for making sure their chances for cyber liabilities are as low as possible is very favorable to both the clients and to an insurance company that is considering selling them an insurance policy.
An insurance company will give better rates and better coverage if a prospective insured has those types of practices in place. In other words, if businesses have protocols in place that reduce the risk, you have a law firm that you are working with that’s establishing state-of-the-art protocols for cyber security, and you have a cybersecurity officer or team in place in-house — you are going to be much more attractive to the insurance company and are probably going to get a better rate and better coverage.