
Corporate Cybersecurity: the role of Cyber Insurance in relation to LGPD and digital risks

In the hyperconnected world, cyber attacks have become a constant threat to organizations across all sectors. No entity, whether large or small, is immune to data breaches, ransomware or other forms of cybercrime. The need for protection advances alongside technology.

Currently, Brazil has extensive legal data protection through the LGPD (General Data Protection Law), but companies still need prior guidance on protection as well as swift assistance in cyber breaches.

This in itself explains the need for cyber insurance. This type of insurance is a protective layer for the company’s operational and financial aspects. The insurer has at least four duties: reducing financial damages; civil liability; management; and technical inspection.

Under the duty to reduce financial damages, the insurer must reimburse direct losses incurred by the company, such as lost profits, as well as expenses for technical consultations and emergency actions.

As for civil liability, it is nothing more than protecting the company in case of client data leaks. In a possible data breach, the company’s reputation may be shaken.

Thus, another important coverage point of the insurance is management: the cyber policy also covers technical and/or legal support for reputation management. The last duty is technical inspection. Under it, the insurance covers forensic expenses to determine the origin and extent of the data leak, both for the company and third parties, including support to restore affected data.

Additionally, it’s important to note that insurance policies specify cases where coverage is excluded. The most common are: attacks or leaks that occurred before policy inception, human error, company security systems that are poorly recommended or ineffective, and reimbursement for protection system upgrades.

Legal contracts

What about legal contracts? Although useful, these contracts face significant challenges, whether legal or regulatory. The contract cannot rely on ambiguous definitions and wording. In other words, all terms used must be clearly defined, avoiding situations that could lead to further disputes. Thus, subjective clauses should be avoided, and the contract must comply with the LGPD.

The size of the company matters little for damage quantification. Some policies set a minimum or a limit for indemnification, reimbursement, or total loss calculation. Often, this quantification ends up being too restrictive and fails to meet the client’s needs: for example, a small company may suffer a much larger cyber attack than a large one that managed to contain it early on.

Moreover, it is crucial that the contract has international reach, so that the company is protected wherever in the world the leak originated. The insurer may also require the installation of cyber defense mechanisms at the start of the policy. If this contractual provision exists and the company fails to comply, the insurer may refuse reimbursement or indemnification.

In conclusion, cyber insurance does not prevent leaks, nor can it be held fully responsible for damages. However, purchasing it proves highly beneficial, as it provides technical assistance to the insured, guidance on how to avoid intrusions, and indemnification within policy limits, offering quicker financial relief.

Therefore, it is recommended to seek cyber insurance that meets the company’s needs, regularly observing LGPD requirements, ensuring protection against potential attacks (guidance and support), as well as coverage regarding third parties, the insured clients (civil and monetary liability).
