In the internet of things (IoT), new opportunities for efficiency continually bring new cyber risk. If a device in your winery or vineyard connects to the internet, it is vulnerable. And so is the rest of the system connected to it.
You should consider whether your insurance would cover your losses and liabilities should you suffer a cyber attack or a failure of your systems that leaves your business or your customers compromised.
So what can companies do to manage these exposures? They should deliberately consider their risks and whether their current insurance programs cover those risks. They should not assume they are covered. In many cases, it might not be so clear.
Traditional insurance policies may provide insurance in some scenarios. For example, you might suffer a property loss because of a cyber attack. Such an attack could cause irrigation sensors to fail, leading to vine damage, or harm stored wines, if refrigeration controls fail.
Your property insurance may well cover it if the policy is of the all-risk variety. But if you have a policy that specifies the covered perils, such as fire or flood, it is possible that you're not covered for property losses resulting from a cyber attack.
CYBER LIABILITY INSURANCE
Similarly, your company very likely carries commercial general liability (CGL) insurance. There has been a lot of activity in the courts recently about whether a company is entitled to a defense from its CGL insurer against class-action lawsuits arising from data security breaches. Unfortunately, those coverage cases have not yielded a clear answer. And CGL policies will not cover the costs that a company incurs to investigate and respond to a data security breach anyway.
A number of insurance companies now issue specialized cyber insurance policies. Each insurer's policy form offers different coverage and restrictions. Additionally, the forms are lengthy, very complex and often negotiable. For these reasons, a good, knowledgeable broker or insurance-coverage counsel is important in helping you understand what a policy covers and what other options may be available.
Here are some scenarios to consider.
When personally identifiable information is taken from a third-party vendor's computer system (e.g., a credit card processor), you are legally responsible for notifying your customers of the event. While a cyber insurance policy could cover you for losses due to the attack on a third-party system, some policies will only cover you for an intrusion on your own computer system or on hardware that you control.
As a result, it is important to understand whether you rely on third-party vendors to collect or store personally identifiable information and, if so, whether your cyber insurance policy would cover you in such an event.
CREDIT CARD ISSUANCE COSTS
Another risk, closely related to credit card transactions, is PCI DSS (Payment Card Industry Data Security Standard) assessments for data security breaches. If there is a breach, the banks will have to issue new credit cards, and you may be responsible for the expense.
Your cyber insurance policy can cover assessments made against you. If you are running credit card transactions, confirm that this coverage is in your policy.
If you suffer a business interruption or distributed denial-of-service (DDoS) cyber attack, a typical cyber insurance policy might cover you for one of two kinds of loss: a direct business-interruption loss, resulting from an intrusion into your own computer system, and a contingent business-interruption loss, meaning a loss of revenue resulting from an intrusion into a third party's system on which you rely.
Tyler Gerking (firstname.lastname@example.org) is a partner in Farella Braun + Martel’s San Francisco office, where his litigation practice focuses on recovering insurance policy proceeds for policyholders. Farella Braun + Martel also has a St. Helena office. Vine Notes (nbbj.news/vinenotes) is a monthly column by Rabobank and Farella Braun + Martel.