The Oklahoma Bar Journal September 2023

to officers of companies. The extension of the Caremark duty to officers now means that officers, such as chief privacy officers, chief information security officers or others, may be held liable if they fail to oversee proper implementation and operation of cyber-security protocols.[7] Both Cook and McDonald's show that simply because data is involved does not mean the rules of general liability have changed. As a result, just as an attorney would make sure that their client has adequate general liability insurance, attorneys advising corporate clients need to ensure that adequate cyber insurance is in place as well.

LOOKOUT NO. 2: CYBER INSURANCE IS NO LONGER OPTIONAL

Generally speaking, general liability policies do not cover damages arising from cyber incidents.[8] Nor do errors and omissions or directors and officers coverage.[9] That is why cyber coverage is a must-have. For example, while the figures vary, the average cost of a ransom for a ransomware attack can easily reach hundreds of thousands of dollars, and that does not account for ancillary damages, such as business interruption, reputational damage or costs of remedies. Could your client afford a six-figure hit today?[10]

Cyber applications and coverages vary widely. Some cyber insurance applications ask for very minimal information from the applicant, choosing instead to simply determine – as a potential hacker would – how many external vulnerabilities are publicly detectable and approximating risk from that. Other applications are fairly detailed and may require governance and/or technical controls. For example, some applications require specific company positions, such as data privacy officers or chief information security officers. Others require certain internal policies and procedures, including business interruption plans, cyber incident response plans, data privacy notices, etc. Almost all applications require at least annual training on cyber incident response plans and data privacy policies. Some even require penetration testing (pen-testing), where private companies are hired to attempt to hack into the client's system. Common examples of technical controls required by insurance applications are backup systems,[11] firewalls,[12] multi-factor authentication[13] and endpoint detection and response.[14] Knowing a good technical team that can help implement these and other technical controls is extremely important.

Another common lookout where technical controls and governance play a crucial role is the use of personal devices for work. If a company permits employees to use personal devices for work, then that company should absolutely have a bring-your-own-device (BYOD) policy. A good BYOD policy ensures that employees know what they can and cannot do with their own devices while utilizing them for work and how to use them in such a way that limits exposure to potential threats (i.e., limiting what apps can be downloaded). Companies utilizing a BYOD policy should also ensure they have technical controls in place for the management of mobile devices.[15] A solid BYOD policy and mobile management program can help shield an employer from liability from a litany of angles ranging from employment to negligence claims.

LOOKOUT NO. 3: WHAT IS ADEQUATE COVERAGE FOR CYBER POLICIES?

Again, the estimates vary, but according to IBM, the average cost of a data breach worldwide is $4 million.[16] Even if one assumes that those numbers are artificially inflated as an average, the costs to a small business for a data breach can still easily exceed $100,000, especially if lawsuits follow, as they often do. And that is setting aside the very plausible six-figure cost of a ransomware ransom. At this point, one should easily see the importance of adequate coverage.

What constitutes adequate coverage for a business would be difficult to quantify in general terms because it all comes down to the type of enterprise and risk tolerance of the company. (Unless, of course, your client has entered into a contractual agreement requiring a specific coverage amount, which is not uncommon.) One of the easier items to consider and quantify under a cyber insurance policy is business interruption coverage, given that it is a function of revenue and expenses. Other considerations would include the number of unique individuals who might need to be notified in a breach, the size and complexity of the network, the number of vendors to whom the client may end up owing notification and/or indemnification obligations, etc.

In addition to understanding the amount of coverage necessary for the client, it is also important to understand what is and is not covered. For example, does the policy cover conduit risk?[17] Does the policy cover the ransom payment? Does the policy provide for a cyber incident response team?[18]

