Cyber Crimes: What You Need to Know About Risk Management & Insurance

By Jack Montgomery | June 20, 2012

The impact and skyrocketing costs of cyber crimes can be devastating to businesses. According to a recent study*, the cost to clean up after an attack ballooned from $247,744 to $417,748 from 2010 to 2011. Despite enormous resources devoted to combating cyber crimes, incidents continue to grow and perpetrators appear to be gaining ground.

Four major mitigation responses to cyber threats are available to businesses:

• Prevention
• Recovery from the perpetrator
• Contractual protections
• Insurance

While prevention is always of paramount importance, even the most conscientious business remains at risk. Recovery from a sophisticated and anonymous criminal is often impossible. Contractual protections can go a long way to minimizing exposure to loss. Likewise, insurance may offer a realistic mitigation option in many instances. However, insurance is as complicated, expensive and problematic as any other aspect of the cyber landscape.

The traditional insurance policy forms in place were written long before the cyber problem arose, making the status of coverage for cyber losses unclear. Newer, costly policy forms are now entering the market. Business owners may feel overwhelmed and wonder if cyber loss is covered under their existing policy and what insurance is really needed.

Building A Risk Management Team: Lawyer, Insurance Broker & Cyber Tech Expert

The best approach is to consider insurance coverage as part of a larger risk management approach. Before a cyber crime occurs, companies should work with legal counsel as part of a team that evaluates risks and creates a comprehensive plan to mitigate and, where possible, shift risks through contractual provisions and insurance. In addition to the lawyer, the team should include an experienced insurance broker and cyber technology consultant. The lawyer should help the client assure that the broker and consultant possess a sound understanding of the technology and information that’s at risk, as well as the modus operendi of the perpetrators. Unless the lawyer, broker and consultant all have this base line of knowledge, it isn’t possible to assess which combination of risk management strategies (i.e. prevention vs. contractual risk limitations/shifting vs. insurance) will best serve the client.

If a cyber crime occurs, the insurance notifications to insurers must be made immediately. If coverage is denied, that denial must be assessed by legal counsel. Never take the insurance company’s denial as the final word – these issues are rapidly evolving and often in a manner that favors insured business, but that may involve push back to the initial response from the insurance company.

*Ponemon Institute, 2011