In today’s digital age, businesses are increasingly reliant on technology to operate efficiently. However, this dependence on digital systems also opens new avenues for risk, particularly in the form of cyberthreats.
Look no further than the recent news of a global technology outage that impacted businesses across the world and across industries. The global outage was not caused by cybercriminals, but rather by a routine software update pushed out by the cyber security firm, CrowdStrike. The software is used around the world.
The update caused computer systems around the world and across industries to crash. This is where cyberinsurance comes into play. Cyberinsurance helps businesses mitigate the financial impact of cyberincidents, but understanding the operational risks involved is crucial for both insurers and policyholders.
What is operational risk?
Operational risk refers to the potential for loss resulting from inadequate or failed internal processes, people, systems or external events. In the context of cyberinsurance, operational risk encompasses a wide range of issues—from data breaches and hacking, to system failures and human error. These risks can lead to significant financial losses, reputational damage and legal liabilities.
Key operational risks in cyberinsurance
Third-party risks. As the CrowdStrike outage demonstrates, many businesses rely on third-party vendors for services like cloud computing, payment processing and IT support. A security breach or service outage at or caused by a third-party provider can have a direct impact on the insured’s business.
Cyber insurance policies should include coverage for losses resulting from third-party incidents.
Data breaches. One of the most common cyberrisks, data breaches involve unauthorized access to sensitive information. This can result from hacking, phishing attacks or even internal errors. The cost of a data breach can be substantial, including expenses related to notification, legal fees and regulatory fines.
Ransomware attacks. Ransomware is a type of malware that encrypts a victim’s data, with the attacker demanding a ransom to restore access. These attacks can cripple a business’s operations, leading to significant downtime and revenue loss.
A cyber insurance policy can cover the ransom payment and associated recovery costs, but the operational disruption can be severe.
System failures. Technical failures—whether due to software bugs, hardware malfunctions or network outages—can halt business operations.
Often, cyber insurance policies cover the costs associated with system restoration and business interruption, but the impact on productivity and customer trust can be long-lasting.
Human error. Mistakes made by employees—such as misconfiguring security settings or falling for phishing scams—can lead to security incidents.
Training and awareness programs are essential to mitigate this risk, and a cyber insurance policy can help cover the financial repercussions.
The importance of cyberinsurance
While the presence of a cyber insurance policy cannot prevent a cyberattack or service outage, a cyber insurance policy is designed to help businesses manage the financial fallout from those cyberincidents and outages. Key coverages typically include:
Incident response: Assistance with breach investigation, notification and crisis management. This is a vital, but often overlooked benefit of a cyber insurance policy.
Legal and regulatory: Coverage for legal defense, regulatory fines and penalties.
Data restoration: Costs associated with recovering or restoring compromised data.
Business interruption: Compensation for lost income and additional expenses incurred during a system outage.
Cyberextortion: Reimbursement for ransom payments and associated costs.
Bradford J. Lachut, Esq.
Bradford J. Lachut, Esq., joined PIA as government affairs counsel for the Government & Industry Affairs Department in 2012 and then, after a four-month leave, he returned to the association in 2018 as director of government & industry affairs responsible for all legal, government relations and insurance industry liaison programs for the five state associations. Prior to PIA, Brad worked as an attorney for Steven J. Baum PC, in Amherst, and as an associate attorney for the law office of James Morris in Buffalo. He also spent time serving as senior manager of government affairs as the Buffalo Niagara Partnership, a chamber of commerce serving the Buffalo, N.Y., region, his hometown. He received his juris doctorate from Buffalo Law School and his Bachelor of Science degree in Government and Politics from Utica College, Utica, N.Y. Brad is an active Mason and Shriner.