Corporate Cybersecurity: The Role of Cyber Insurance in the Face of LGPD and Digital Risks

In a hyperconnected world, cyber attacks have become a constant threat to organizations across all sectors. No entity, whether large or small, is immune to data breaches, ransomware or other forms of cybercrime. The need for protection grows as fast as technology advances.

Currently, Brazil has extensive legal data protection through the LGPD (General Data Protection Law), but companies still need preventive guidance before an incident, as well as swift assistance when one occurs.

This explains the need for cyber insurance. This type of insurance is an operational and financial protective layer for the company. The insurer's responsibility covers, at minimum, four duties: reducing financial damages; civil liability; management; and technical inspection.

Reducing financial damages obliges the insurer to reimburse direct losses, such as lost profits, and to cover expenses for technical consultations and emergency actions.

As for civil liability, it is simply the protection of the company in case of customer data leaks. In a possible data breach, the company’s reputation may be shaken.

Thus, another important coverage point of the insurance is management: the cyber policy also covers technical and/or legal support for containing damage to the company’s image. The last duty is technical inspection. Under it, the insurance covers forensic expenses to trace the origin and extent of the data leak, both for the company and for third parties, including support to restore affected data.

Additionally, it is important to note that insurance policies specify cases where there is no coverage. The most common are: attacks or leaks that occurred before the policy was contracted, human error, company security systems that are poorly rated or ineffective, and reimbursement for security system upgrades.

Legal contracts

And legal contracts? Although useful, these contracts face significant challenges, whether legal or regulatory. The contract cannot rely on ambiguous definitions and wording. In other words, all terms used must be clearly defined, avoiding situations that may generate even more litigation. Subjective clauses should therefore be avoided, and the contract must comply with the LGPD.

The size of the company matters little for damage quantification. Some policies set a minimum or a limit for indemnification, reimbursement, or total loss calculation. Most often, the quantification ends up being very limiting and does not meet the client’s needs: for example, a small company may suffer a much larger cyber attack than a large one that managed to contain it early on.

Moreover, it is extremely important for the contract to have international reach, so that the company is protected wherever in the world the leak may have originated. The insurer may also require the installation of certain cyber defense mechanisms at the start of the contract. If such contractual provisions exist and the company is found non-compliant, the insurer may refuse reimbursement or indemnification.

In conclusion, cyber insurance does not prevent leaks, nor can it be fully responsible for the damage. However, contracting it is very beneficial: besides providing technical assistance to the insured, it advises on measures to prevent intrusions and indemnifies within the policy’s limits, offering financial support to the insured more swiftly.

Therefore, it is recommended to seek cyber insurance that meets the company’s needs, regularly observing the requirements of the LGPD. This allows protection against possible attacks (guidance and support), as well as support with respect to third parties, namely the insured’s customers (civil and monetary liability).
