Headlines over the past several months have been filled with reports of data breaches, denial of service attacks, thefts of personally identifiable information and other types of cybercrime. The fallout from the April 2011 security breach of Sony's PlayStation Network - which resulted in the theft of personal information belonging to more than 100 million customers - prompted Sony CEO Howard Stringer to warn that Sony can't guarantee the security of its videogame network or any other Web-based system in the "bad new world" of cybercrime. The proliferation of cyber attacks this year, along with Stringer's chilling warning, should be a wake-up call for all companies that they are probably not doing enough to manage the risks related to the security of their computer systems.
In its "2011 Risk and Finance Manager Survey," risk management firm Towers Watson found that 73 percent of the companies surveyed had not purchased cyber security insurance. Those companies reported that they believed their own internal information technology (IT) departments and internal controls provided adequate protection against cybercrime. Other respondents indicated that they were not overly concerned about the risk of cyber attacks. The Towers Watson survey confirms that many companies have a false sense of security about their exposure to security breaches and data theft.
As noted by Scott Shackelford, Assistant Professor of Business Law and Ethics at the Kelley School of Business at Indiana University, in a May 13, 2011, Washington Times article, more than 90 percent of respondents to a joint Computer Security Institute and FBI survey reported experiencing a cyber attack during the past year, costing on average more than $2 million per organization. Shackelford further notes that identity theft costs consumers more than $5 billion per year and costs companies an additional $48 billion. These figures fail to take into account the staggering damage to a company's reputation that can occur when it suffers a data security breach.
Although there is no bulletproof way to protect electronic data, companies can take steps to mitigate the risk by making sure they have up-to-date security systems in place, and ensuring that confidential information is disseminated only on a need-to-know basis. Companies should also purchase cyber insurance, which can protect against the costs associated with security breaches, including the costs of notifying customers about the theft of their personal information and the costs of the defense and settlement of class action and customer litigation arising out of the theft of information.
Cyber insurance policies were first offered more than 10 years ago but were rejected by many companies as not worth the cost. Recently, however, cyber policy forms have begun to offer substantially broader coverage and higher limits of liability. In addition, cyber insurance has become more affordable. It is important to note that cyber policies are offered by dozens of insurance companies and that there are no standard forms. Because the policy forms are highly manuscripted and vary from underwriter to underwriter, the retention of a knowledgeable insurance broker is highly recommended at the time of insurance placement. Moreover, the review of your cyber insurance policy by experienced coverage counsel can help your company maximize its coverage in the event of a cyber security claim.