Understanding Cyber Risks for Technology Companies
Think of all the well-regarded companies you’ve seen named in the news, not for their products or services, but for their alleged failure to protect the personal information of their customers. Breaches to computer networks and the ramifications of unauthorized access to sensitive data are the key elements of cyber risk, a growing problem for businesses in many industries, including technology.
Confusion about what constitutes a cyber risk – and the myriad of coverage options for the risks associated with data/information security – presents a challenge for technology companies and their insurance agents.
Simply stated, cyber exposures are directly connected to the responsibility a company has for certain electronic information and the risks associated with this information being compromised or misused. These risks include personal injury, intellectual property infringement and financial injury, as well as obligations associated with Consumer Protection and Data Privacy Regulations.
Exposures generally fall into two categories:
“Third Party” Liability – the risk of a third party claiming your company caused them damages, typically associated with the company’s responsibility to protect certain private or confidential information.
“First Party” Expenses – certain expenses, other than those from a third party’s claim, your company may incur as a result of a cyber event. Expenses could be related to notification, credit monitoring, cyber investigation, crisis management and data privacy regulatory expenses.
Evaluating the Exposure
Asking the right questions is key to evaluating a technology company’s exposure. A few simple questions can help identify a potential cyber exposure. This is where Roach Howard Smith & Barton’s Technology, Media & Life Sciences specialty practice can assist your technology company in protecting itself from cyber exposures and mitigating the risks involved.
One area to evaluate is unnecessary data and its elimination to prevent exposure. Many companies collect or maintain sensitive data without having a specific purpose for such information, increasing their cyber risks without a viable business benefit.
Other areas to evaluate include: the tracking of sensitive information, verification of information security controls, assessment and monitoring of access privileges for users including remote access, web applications review/testing, and computer systems event log monitoring.
If the evaluation identifies a cyber exposure, it is important to understand the nature and costs of losses that could result – and the fact that many General Liability policies don’t cover them.