Cyber and Tech E&O: Do You Need Both Policies?
All companies experience stress in the aftermath of a cyberattack. Risk managers need to work with insurers, lawyers and other response team members to recover files and make sure sensitive data isn’t leaked.
But when a technology provider is hit with an attack, it faces an additional layer of stress. A popular target for cybercriminals, tech firms often hold sensitive data for their clients, offering attackers not just their own files but those of the firms for whom they provide services too.
“Tech companies end up being targeted many times because of the data they hold,” said Anthony Dolce, head of professional liability, cyber and technology E&O at The Hartford.
In addition to questions surrounding cyber claims, tech firms might also be concerned about errors and omissions (E&O) exposures that they may face. Insureds might wonder about the differences between these two policies and whether or not they need both.
Partnering with the right cyber and tech E&O carrier can help insureds navigate the challenges that arise where these two policies intersect.
Cyber and Tech E&O: A Brief History
Cyber policies grew out of online media policies in the mid-1990s. Eventually, in 2002, California passed the Security Breach and Information Act, which required companies to notify people who had been involved in a data breach.
“If a company had a breach, they now — under the law — had to provide notification to the affected individual,” Dolce said.
Soon after this law passed, first-party coverages (like business interruption, network damage and recovery and cyber extortion) began to appear in cyber policies. Today, companies in every type of industry rely on cyber insurance policies to help them respond to cyberattacks, data breach and restoration, network extortion and business interruption.
“Cyber is a type of policy now that’s becoming more and more like a must-have for insurance buyers,” Dolce said. “It’s becoming a mainstay, just like D&O, CGL or property.”
While cyber policies are now becoming more essential to businesses in every sector, tech E&O coverages are more niche. They help tech companies that may face third-party lawsuits from clients or need to deal with the ramifications of regulatory proceedings or subrogation.
“That could be the failure to perform the work or failure to meet the client’s expectations, for example,” Dolce said.
Technology service providers might purchase cyber and tech E&O policies separately, or they might purchase one policy that combines the two covers: “You could have a stand-alone cyber policy, you could have a stand-alone E&O policy, you could also have them mesh together,” Dolce said.
When a Tech Company Faces a Cyberattack
When a tech company or one of its clients is attacked, it might face a number of cyber and tech E&O exposures. From a risk management standpoint, it’s important to have an incident response plan (IRP) in place to address any issues that might arise.
“I’ve been in the insurance industry a long time, and I would go and talk to insureds and ask, ‘Does everybody have an IRP?’ and I’d get blank looks on people’s faces,” Dolce said. “That’s evolved a little bit now to where most established companies have some type of incident response plan.”
A solid IRP will include knowing what types of insurance policies respond to which exposures. Consider the example of managed service providers (MSPs). MSPs secure and keep technological operations running for multiple clients. If an MSP gets attacked, cybercriminals might be able to access the data of numerous types of firms in all sectors that use the service.
“You see many large losses where the actual professional service firm, law firm, accounting firm, what have you, is compromised through their service provider,” Dolce said.
In these cases, clients might sue, alleging that their provider mishandled data or made a security mistake that allowed the breach to occur. Technology firms, in those cases, might face both cyber and tech E&O exposures. A regulatory body might even step in to see whether the firm was adhering to any relevant laws, which are constantly shifting and vary from state to state.
“If you expose the data of thousands of customers, it’s probably a fair bet that you’re going to find some lawsuits following,” Dolce said. “You’re also going to see, potentially, some regulatory involvement too. You may see an attorney general stepping in, or some other type of regulatory body look into things.”
How Cyber and Tech E&O Policies Can Help You Respond to Attacks
In an ever-evolving cyberattack landscape, partnering with the right cyber and tech E&O carrier can help insureds respond swiftly to attacks, minimizing the effects of a claim. Working with a strong cyber and tech E&O carrier can help you navigate claims smoothly and get your operations up and running with minimal impact.
“The landscape almost changes weekly, monthly,” Dolce said. “We’re always taking underwriting actions to try to stay current with the market.”
Cyber carriers are often integral to an insured’s claims response. The Hartford offers a dedicated cyber claims team and a host of ancillary services, like law firm and forensic team partners, that can help clients quickly and properly respond to an incident.
“If you have a cyber carrier, make sure they’re an integral part of that incident response plan. Don’t let them be an afterthought,” Dolce said. “This may be the worst day of your professional career, but for the cyber claim handler, it’s just Thursday.”
The Hartford partners with law firms and forensic teams to help clients access the resources they need in order to respond to claims. The firm can also recommend risk management services — including security testing, code reviews and software composition testing — that can help prevent attacks from occurring in the first place.
“In the middle of one of these events, you need to make a number of decisions quickly, and you need to do it in a coordinated manner. That is not the time when you want to go out and start interviewing people and say, ‘Hey, does anybody know a good law firm?’” Dolce said.
“In many instances, you’re going to have coverage for a top-tier law firm that specializes in cyber/privacy issues, as well as other incident response experts. There’s a number of different services that you may not have in-house that you can basically avail yourselves of, either through pre-loss or then, when the loss happens, through the panel of service providers that we have.”
In the event of an attack, insureds will want to communicate with their clients and, if necessary, the public to reassure them everything is being handled properly. Working with a crisis response manager, who is usually provided in a cyber policy, can help companies facilitate these communications and cut down on lawsuits. As with recommendations for legal partners and forensics teams, carriers can help facilitate these services.
“If you have somebody managing that message in the middle of an event, that can sometimes cut down on the amount of lawsuits or regulatory proceedings,” Dolce said. “Utilize and take advantage of the resources of an established cyber carrier.”
The Hartford Financial Services Group, Inc. (NYSE: HIG) operates through its subsidiaries, including the underwriting company Hartford Fire Insurance Company, under the brand name The Hartford® and is headquartered in Hartford, CT. For additional details, please read The Hartford’s legal notice at https://www.thehartford.com.
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of May 2023.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with The Hartford. The editorial staff of Risk & Insurance had no role in its preparation.