With cyber attacks on the rise, what can businesses do about it?
Increasingly frequent and costly cyber attacks on large organizations could have major implications for insurance providers and their clients, according to legal experts at global law firm Reed Smith LLC.
“In the past five years, ransomware attacks have become one of the most frequent forms of cyber and privacy incidents, and do not appear to be letting up,” Andy Moss, partner, Insurance Recovery Group at Reed Smith, said.
Facing increasing losses, insurance firms could increase premiums for cyber insurance or reconsider coverage altogether, John Ellison, partner, Insurance Recovery Group at Reed Smith, noted. This could put business clients and other consumers in a difficult position.
CDK cyber attack fallout
Just last month, auto dealership software firm CDK Global experienced a massive cyberattack that saw hackers demand millions in ransom money, forcing the firm to go offline for weeks.
The fallout was significant, impacting countless consumers and around 15,000 car dealerships that rely on CDK’s software for critical aspects of their operations, including insurance and financing management.
It also sent a shockwave through the U.S. automobile dealership industry, sparking lawsuits and causing interest in cyber insurance to skyrocket.
“Events like the CDK cyber event are becoming more prevalent and more costly to both the insurance industry and the businesses that are the targets of the attack,” Ellison said. “Since many of these attackers are organized and repeat offenders, the threat to economies around the globe is increasing and becoming more costly at multiple levels.”
Insurance industry impact
Increasing cyber events and ransomware attacks ultimately have a major impact on the overall insurance marketplace, Reed Smith’s legal experts suggested.
“It has a negative impact on the overall capital available in the global insurance marketplace, against which insurance companies are willing to assume risk with adequate financial reserves to respond to losses that are suffered by policyholders,” Ellison said.
Both Ellison and Moss noted that more cyber attacks can also lead to higher premiums for cyber insurance coverage, because of the rising number and value of the resulting losses.
“It translates into higher cyber insurance rates and premiums and also is causing insurers to restrict, in some instances, the scope and amount of insurance they are willing to make available to policyholders to protect their businesses from such attacks,” Moss added.
Mitigating risk through cyber insurance
While cyber insurance could help mitigate the negative impact of such events, Ellison cautioned policyholders to pay close attention to coverage details. He pointed out that it’s a relatively new form of coverage that is still evolving.
“Cyber insurance policy forms are not standardized and may vary substantially in the types of security and privacy events covered, the language of exclusions and other limitations on coverage and other terms and conditions, such as the timing and form of notice and whether policyholders may select their own counsel and incident response vendors, or must select from the insurer’s ‘panel,’” he said.
Policyholders should also look out for whether multiple lines of coverage will offer combined benefits. According to Ellison, different insurance policies are “generally not designed to work together” in cyber insurance, and determining which insurance policy pays first or whether coverage must be allocated can be “complicated.”
Proactive protection
At the same time, Moss said having a cyber insurance policy in place is just the first step, and there are many other ways businesses can be proactive about mitigating the risk of cyber threats. He encouraged cyber insurance policyholders to:
- Have the most up-to-date cybersecurity feasible
- Adequately train personnel on how to spot a potential attack and avoid falling victim to social engineering fraud schemes
- Ensure personnel responsible for maintaining the company’s cyber insurance are part of the internal incident response team
- Include robust, up-to-date security training for all personnel
- Review all types of insurance coverage, including cyber, liability (employment practices, professional, general), errors and omissions, property and business interruption and commercial crime
He emphasized that policyholders need to understand what events or claims may trigger coverage; what forms of notice must be given and when; what consent or authorization may be required before engaging outside counsel, incident response firms or other professionals; and what cooperation must be provided to the insurers.
“In the event of a claim or incident triggering potential coverage, policyholders should provide timely notice to all potentially applicable insurers, including excess insurers, and promptly obtain any necessary consent to engage counsel or other professionals,” Moss said.
“If facing a claim or incident due to an attack on a critical vendor or service provider, companies should also review their services agreements to determine whether they may have rights to indemnification or the other company’s insurance. Policyholders should consult experienced coverage counsel to help navigate these complex issues,” Ellison added.
Reed Smith LLC is an international law firm founded in 1877. Headquartered in Pittsburgh, Philadelphia, it has more than 30 offices in the United States, Europe, Asia and the Middle East.
© Entire contents copyright 2024 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
Rayne Morgan is a journalist, copywriter, and editor with over 10 years' combined experience in digital content and print media. You can reach her at [email protected].