Prior to COVID-19, cyber security was at the top of the list of concerns for accountants, as well as other finance, legal and risk management professionals. Unfortunately, COVID-19 has not reduced this threat. If anything, threat actors are exploiting the fact that many people are working at home — distracted and less focused on cyber hygiene — to gain access to corporate systems for nefarious purposes.
Accountants are familiar with insurance policies, including cyber insurance and other policies such as crime or property, which are likely to have responsive coverage to cybercrime and cyber breaches. Last year, for example, the MICPA took steps to assist members with rising cybercrime concerns by partnering with IDTheft Assist which provides active monitoring, recovery, and restoration services in the event of fraud. But the key to assisting clients in understanding such assets in the event of an attack is to fully know the policy terms and to recognize that cyber insurance generally includes both first-party and third-party liability insurance, each of which may be important following an incident.
First-Party Cyber Coverages
Although the coverage and policy language may differ from policy to policy, first-party cyber coverages generally include breach response as well as the following:
- Event management (including data recovery, betterment, etc.)
- Cyber extortion
- Network/business interruption (including system failure and voluntary shutdown)
- Dependent business interruption (for IT and non-IT providers)
- Consequential reputational loss
Following a security breach, an accountant will want to review a company’s cyber policy to seek reimbursement for their breach-related costs and expenses. Some insurers have relationships with certain professional firms, including their technical and legal experts, and may cover breach response costs without reducing policy limits.
Accountants will also look to cyber policies for reimbursement for the costs associated with restoring data that is changed, damaged or lost following a breach. Similarly, cyber policies may cover business interruption losses, including those which arise out of attacks on a vendor or cloud provider.
The case of one law firm demonstrates how detrimental these attacks can be. Following a ransomware attack on the firm’s network, the attackers encrypted the firm’s files so that they were not accessible without payment of a ransom. The firm paid the cyber criminals $25,000 ransom, but it still took more than nine months to retrieve the corrupted information. As a result, the firm suffered more than $700,000 in business income losses. Other businesses faced with similar attacks have been forced to close due to the financial loss.
As such, first-party cyber coverage, including business interruption, is a risk management tool that accountants and policyholders may need to call upon following COVID-19-related attacks.
Third-Party Cyber Coverages
Although the coverage and policy language will differ from policy to policy, third-party cyber policies generally include coverage for the following:
- Network security failures and privacy events
- Regulatory defense and penalties (including coverage for General Data Protection Regulation (GDPR) liabilities)
- Payment Card Industry Data Security Standard (PCI-DSS) liabilities and costs
- Media content liability
As an example, Facebook settled a class-action lawsuit over its use of facial recognition technology which arose under the Illinois Biometric Information Privacy Act. The case reportedly settled for $550 million. It is particularly important, therefore, for accountants watching the bottom line to assess a company’s coverage for claims by consumers and employees, including class actions and regulatory actions arising out of data breaches.
As COVID-19 has seemingly emboldened threat actors, accountants are encouraged to review and understand cyber insurance coverages to maximize recovery in the event of an incident.
Peter A. Halprin, Esq., FAiADR, FCIArb, partner in Pasich LLP’s New York office, is insurance recovery counsel for commercial policyholders. His practice includes representing clients in matters involving cyber breaches and cyber crime. He can be reached at phalprin@pasichllp.com.
Reprinted with permission of the New Jersey Society of CPAs. njcpa.org