Help Clients Insure Against Cyberattacks

by Pillsbury Global Sourcing Practice

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commissions Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 - Cybersecurity.

Texas law also imposes some key legal requirements on businesses. Texas Business & Commerce Code Chapter 521 imposes duties on companies to protect sensitive personal information collected or maintained in a company's regular course of business and to notify affected individuals if the security of a computerized system containing that data is breached.

A look at cyberattackers also provides important perspective. Wrongdoers can target a company's trade secrets or product-development pipeline for competitive, nationalistic or societal reasons. In addition, certain industries with a strong presence in Texas, such as energy, petrochemicals, transportation and technology, face particularly frequent attacks due to their unique characteristics and vulnerabilities.

When prevention efforts are insufficient, a data security breach often imposes first-party losses in the form of response costs and impacts on the company's revenue stream. These can include expenses for detecting, investigating and eliminating the intrusion, notifying those affected by it, managing the company's reputation and dealing with revenue impacts from damaged customer relationships. Third-party claims also can result, in the form of lawsuits and regulatory actions.

Because these issues touch on so many aspects of a company's business, from negotiating vendor agreements to compliance to litigation, lawyers have many opportunities to help clients address these risks. Insurance coverage provides one such opportunity.

A company's traditional insurance policies may offer at least some protection. In Retail Ventures Inc. v. National Union Fire Insurance Co. of Pittsburgh, PA (2012), the 6th U.S. Circuit Court of Appeals held that a "computer fraud" endorsement to a crime insurance policy covered more than $5 million in losses arising out of the illicit access to customer accounts stored in a retailer's database. These losses included expenses for customer communications, public relations, customer claims, and investigations by multiple states and the Federal Trade Commission, as well as chargebacks, card reissuance costs, account monitoring and fines imposed by the credit card issuers.

The insurance industry's offerings for specific cybersecurity policies also have grown rapidly in response to this threat. Just going through the process of applying for cyberinsurance can improve a company's risk awareness. Large insurance brokers often use illuminating self-assessment questionnaires that pose dozens of queries on topics such as background checks, employee and contractor training, network security protocols, prior incidents and crisis-management procedures.

Attorneys will need to guide clients through varying policy options. Current cyberinsurance offerings lack the standardization that develops after court challenges refine policy language and the marketplace comes to accept that language.

Given the lack of industry-wide agreement on policy language, an "off the shelf" policy may be ill-suited to a particular business. Because the market is still developing, lawyers can have a greater impact in negotiating more favorable terms for a specific client's unique needs. The policy should cover both first-party and third-party losses, as a cyberattack often triggers both.

Here is a list of some other issues to consider when purchasing a cyberinsurance policy:

  • A simulated cyberattack can create an opportunity for detailed analysis. Several publicly available sources track costs associated with data security breaches. Because of the wide-ranging impacts a cyberattack can have, the total costs of these incidents are often significantly higher than the largest individual component. On the other hand, some aspects of a cyberattack may be relatively minor for a particular company.Gaining a thorough understanding of the company's risk profile through a simulated cyberattack will help guide decisions on issues such as the amount of overall limits, particular sublimits and deductibles.

  • Does the policy cover acts of third parties with access? If the company provides confidential data to third parties or allows vendors access to its secure systems, the policy should offer coverage for that exposure. Recent headlines involving rogue employees at third-party contractors demonstrate the importance of closing off this potential gap.
  • Seek coverage for unknown breaches that may have occurred already. A recent fraud summit revealed that early detection of cyberattacks remains a significant challenge. Accordingly, policyholders should seek retroactive coverage to protect against intrusions that began prior to the policy but only caused losses during the policy period.
  • Broad exclusions can have unintended consequences. Suppose a cyberattack leads to an environmental liability. Is there a pollution exclusion geared towards more traditional risks that would preclude coverage for the cyberattack? Counsel should address these issues and narrow relevant exclusions, if possible.
  • The right to choose counsel is critical. Choice-of-counsel provisions may matter here more than other areas. A company's comprehensive cybersecurity plan may already have designated counsel as part of a crisis-response team.
This is something a business typically can negotiate with the insurer before a loss occurs. Left unaddressed, a company may find itself arguing about selection of counsel at a time when it most needs the help of trusted lawyers who know the company well.

For companies involved in significant technology outsourcing arrangements, it is important to examine vendor agreements for cybersecurity issues, as well as for insurance and indemnity provisions that a cyberattack involving the vendor may trigger. That analysis may suggest needed modifications to these agreements for more robust protections.

Managing cyberattacks may be a more achievable goal than preventing them. Fortunately, paying close attention to insurance issues is one way lawyers can help companies with that effort.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Global Sourcing Practice | Attorney Advertising

Written by:

Pillsbury Global Sourcing Practice

Pillsbury Global Sourcing Practice on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.