Given how many different ways there are to hack into a system, and the fact that the insurance industry has entered the cybersecurity insurance game, it may actually matter how you get hacked and how the hackers cause you harm … at least if you have cyber insurance.
Simply put, like any other insurance policy, cyber insurance policies do contain exclusions. Unfortunately, for unsophisticated but insured users of hackable technology, failing to use security protocols required by an insurer could lead to a denial of coverage. For employers, ensuring your workers are actually using the security measures can be a real challenge.
What’s in Your Policy?
As highlighted in a recent Reuters Insight piece, most cyber insurance is targeted at losses caused by data and privacy breaches. This means that damages caused by a cyberattack on a company’s operations or infrastructure could actually be excluded.
For example, if a fictional coastal robot manufacturer’s robotic workers were all hacked and made to walk off a cliff into the ocean, that loss would not be covered under a traditional cyber insurance policy. Other potential targets that could be outside the usual policy could include attacks on energy grids, supply chain logistics, and financial operations.
Do Law Firms Need Cyber-Terrorism Coverage?
When push comes to shove, whether you need basic or more comprehensive cyber insurance is less of a choice and more of a question of exposure and what is even coverable. As new carve-outs for hacking continue to find their way into general liability policies, creating new insurance products, the same is happening with cyber insurance.
For law firms, it is important to understand what is actually covered, and what exclusions may apply. While a law firm probably doesn’t need bodily injury coverage related to a hacking incident (though it may if the firm has elevators in its office that are controlled by a computer that could in theory be hacked and used to injure someone), insuring against hackers bent on stealing the firm’s, or the firm’s clients’, data and money is probably a wise choice.