The Other Shoe Drops: The Importance of Cybersecurity Insurance Post-Sony

In late November, an anonymous hacking group that calls themselves "Guardians of Peace," reportedly operating out of North Korea, breached Sony's servers, leaking, among other things, hundreds of thousands of emails and copies of upcoming Sony films. This breach, which provided a sometimes unflattering look at Sony and the business of movie-making, doubtless has a large number of senior executives busy purging their email archives. While a great digital cleansing and increased security measures are long overdue in corporate America, companies are also rushing to buy cybersecurity insurance.

As a lawyers and technical cybersecurity specialist, I encourage law firms, public and private companies, non-profits, and government agencies, to evaluate the pros and cons of a cybersecurity insurance policy. Obtaining cybersecurity insurance coverage is an important part of a company's overall cybersecurity plan and companies should consult with legal counsel to most effectively meet their overall goals. While cybersecurity policies currently available may be expensive and limited to some degree, numerous coverage options remain accessible. In obtaining a suitable cybersecurity insurance policy, it is important for a company to understand many important factors including the language of their current policies, the current state of the market, relevant risks which need to be insured, and the types of coverage available.

Unfortunately I am watching many companies, public and private, law firms and accounting firms, big and small, purchase cybersecurity insurance that is not effective enough, overly expensive, or both.

As to the effectiveness of a cybersecurity insurance policy, they are often laden with technical jargon that either limit the scope of the insurance provided or allow for loopholes or exceptions that my render the insurance inapplicable to many breach incidents. Recently, I consulted with a client that purchased a cybersecurity insurance policy but was not told by their former counsel that, in order for the policy to be effective, they needed to conduct annual "pen testing", and were not advised to modify their existing policies to permit such testing. As a result, the small data breach that had hit the client was not covered by the cybersecurity policy the client had purchased.

More and more often, clients come to me having been advised to purchase expensive cybersecurity insurance policies, but are not taught exactly what these policies entail. These expensive policies come in-lieu of investing in the appropriate hardware and software solutions and hiring counsel to review and modify existing company privacy policies, contracts, and other agreements . While insurance is necessary and important, it must be paired with the deployment of hardware and software systems and a review of existing policies and agreements. Companies must strike a delicate balance and lawyers often fail to appreciate or understand the hardware and software systems or policies and agreements that be deployed and reviewed in conjunction with the acquisition of cybersecurity insurance.

Today, lawyers and consultants advising companies responding to a cybersecurity incident that have never actually been involved in the technical trenches or the ensuing forensic investigation, often result in delivering counsel that is, at best, ineffective. When employing a strategy, it is crucial that the counsel consider the laws that govern hack-back and the misuse of information and exercise caution surrounding the potential invalidation of some or all of the company's existing cyber security insurance policy coverage. Companies need to make sure that the lawyers and consultants they retain to assist them in responding to a cybersecurity attack not only know privacy law, but have a firm grasp on the cybersecurity software and hardware and cyber security insurance and computer crime statutes.