February 2019
by Joseph J. Bosick, Pietragallo Gordon Alfano Bosick & Alfano, LLP
In this day and age, it is almost impossible to find an industry or company that is immune to cybersecurity threats. Recent headlines provide abundant evidence of how sophisticated and widespread today’s cyber-attacks have become. According to the Identity Theft Resource Center, in 2017 there were over 930 data breaches that led to more than 19 million records exposed, and there are no signs that attacks are slowing down.
In fact, earlier this year, federal agencies issued guidance statements pertaining to cyber risks and insurance. The Securities and Exchange Commission in February issued a statement and guidance on public company cyber security disclosures. Release No. 10459 (Feb. 21, 2018). In addition, the FDIC and the Comptroller of the Currency in April issued statements encouraging, but not requiring, financial institutions to maintain cyber insurance to offset financial losses from a variety of exposures that may not be covered by general liability insurance. FDIC FIL-16-18 (April 10, 2018); OCC Bulletin 2018-8 (April 11, 2018).
As attacks become more sophisticated, employee training and awareness have become a focus for organizations. Phishing attacks are more common than ever before. Employees can be tricked into giving out critical business information, resulting in malicious actors gaining access to bank accounts and other sensitive company information. Ransomware can quickly spread through a company’s network and render critical files unrecoverable. In one case, a hospital in Buffalo, N.Y., paid $10 million to recover its systems and services following such an attack. And even then, data and records that were encrypted by the attack were permanently lost.
Just as vigilance on the job is encouraged to prevent physical harm and workplace accidents, similar vigilance should be exercised when using technology, to prevent potentially catastrophic financial harm to employees and employers.
Query: If, despite your best efforts, your company becomes the subject of a cyber-attack, how will you pay for the cost of remediation? A Cyber Policy of Insurance is one answer.
Below we highlight some of the types of losses, spanning both the non-physical and physical world, that may be addressed by various cyber coverage offerings by AIG.
- Reimbursement of ransom payments incurred in terminating a covered cyber event;
- Costs to restore electronic data from duplicates or, if not possible, costs to research, gather, and assemble electronic data;
- Third-party claims arising out of, or alleging financial loss as a result of, a failure of the insured’s network security or a failure to protect confidential information, including PCI-DSS (Payment Card Industry Data Security Standard) assessments for the failure to protect payment card data;
- Investigation and defense of regulatory actions arising out of a failure of the company’s network security or a failure to protect confidential information, including coverage for such fines and penalties if allowable by law;
- Costs of forensic investigation, notifications, public relations, and other services to assist in managing and mitigating a cyber incident; legal consultations and identity monitoring costs for victims of a breach;
- Business income loss resulting from physical damage to property due to a covered cyber event, as well as loss of net profit and extra expense as a result of material interruption to the company’s network caused by a security breach;
- Third-party claims alleging bodily injury or third-party property damage caused by a security failure or privacy event; and
- Third-party claims alleging bodily injury and third-party property damage caused by a breach of a computer system that is part of an insured’s product.
Joseph J. Bosick serves as chair of the Construction Practice Consortium in the Pittsburgh, Pa., office of Pietragallo Gordon Alfano Bosick & Alfano, LLP. Bosick can be reached at (412) 263-1828 or JJB@Pietragallo.com.