Spring 2020 Gavel 268650 SBAND Gavel Magazine_web | Page 34

cost of the overall premium. While security assessments should be regularly conducted within any organization or firm, an insurance company may have extra requirements or may require a more recent security assessment conducted by the third party of their choosing. This is done in an attempt to categorize and quantify potential cyber risks while simultaneously encouraging policyholders to create “cultures of security” that minimize moral hazard or human error risks. Cyber risks stemming from the human element, rather than technology per se, are arguably much more damaging and widespread. I would argue that the risk stemming from this human element (involving social engineering attacks, internal theft, mistakes, misuse, dissemination of confidential or proprietary data, and the like) seems impossible to measure authoritatively during the course of a routine security assessment. These attacks frequently change and become more sophisticated. The reality of evolving technologies is that the associated risks are always evolving too – but a well-executed security assessment is essential in developing sound written policies and protocols designed to defend against, and respond to, these risks. Security assessments associated with this kind of insurance are a critical part of the value that they offer; merely considering the product will bring greater awareness and increase proactive cybersecurity responses within an organization. Creating written policies and procedures is essential in counteracting risks and developing strategies, even if potential damages cannot be fully quantified or assessed. While the cost of regular security assessment and external third-party review of existing baselines should be considered a priority expense, being mindful of any additional requirements, such as upfront consulting and assessment as required by the insurer, is important. 
Insurance as an Incentive for Proactive Security

Cyber liability insurance should always be considered part of a larger edifice, not a singular measure, in protecting your firm against cyber risks. You should always be highly motivated to engage in proactive security measures that aim to protect organizational data, develop strong cybersecurity policies, train employees, incorporate regular security assessments, and institute remediation strategies and protocols. Having an insurance policy should never take the place of actively understanding and strengthening your security posture. Now, I understand – just because someone has car insurance doesn’t mean he or she will not care about getting in a car accident. Agreed.

But in the difficult and opaque world of cybersecurity, it may seem to organizations that the brunt of any cyber event would be handled by their insurance policy, making it less of a priority to counteract the risks. When organizations don’t fully understand the extent of potential damages, insurance may seem like a Get out of Jail Free card. Conversely, though, many organizations that purchase cyber liability insurance are more prone to invest in cybersecurity measures and develop strong protocols. In addition to the policy requirements, fostering awareness of the potential financial and reputational costs of malicious cyber events is beneficial in establishing an organization’s security culture.

Widespread investment in cyber insurance may also serve to help standardize security assessments and develop baseline criteria for proactive and reactive policies. Ultimately, cyber liability insurance requirements may prove to be the main driving force behind security assessment standardization. In this sense, I would suggest thinking of cyber insurance less as a safety net and more as a valuable component of a well-rounded remediation approach. The preparation involved in purchasing cyber insurance is potentially more valuable than the more or less ambiguous coverage it provides.

This article originally appeared in Bench & Bar of Minnesota, the official publication of the Minnesota State Bar Association. It is reprinted with permission.