
Enterprise Cybersecurity: the role of Cyber Insurance in the face of LGPD and digital risks

In the hyperconnected world, cyberattacks have become a constant threat to organizations across all sectors. No entity, whether large or small, is immune to data breaches, ransomware or other forms of cybercrime. The need for protection advances as much as technology.

Currently, Brazil has extensive legal data protection through the LGPD (General Data Protection Law), but companies still need prior guidance on protection as well as prompt assistance in cyber violations.

This explains the need to purchase cyber insurance. This type of insurance is nothing more than a protective layer regarding the company's operational and financial aspects. Insurance responsibility has, at a minimum, four duties: reducing financial damages; civil liability; management; and technical inspection.

The reduction of financial damages makes it mandatory for the insurance to reimburse losses directly suffered by the company, such as lost profits, as well as reimburse expenses with technical consultations and emergency actions.

Regarding civil liability, it is nothing more than the company's protection in case of data leaks from its clients. In the event of a data breach, the company's image may be shaken.

This leads to another important aspect of insurance coverage: management. The cyber policy also covers technical and/or legal support to contain damage to the company's image. Finally, there is technical inspection. Under this duty, the insurance covers the costs of an investigation to determine the origin and extent of the data leak, both from the company and third parties, including support to restore the affected data.

Furthermore, it is important to note that the insurance policies specify cases in which there is no coverage. The most common are: prior attacks/leaks before hiring, human error, the company's security system with low recommendation or effectiveness, and reimbursement for improvements in the protection system.

Legal contracts

And the legal contracts? Although useful, these contracts face significant challenges, whether legal or regulatory. The contract cannot contain ambiguous definitions and words. In other words, all the terms used must be accompanied by clarity, avoiding situations that could generate even more disputes. In this way, subjective clauses should be avoided, just as compliance with the LGPD should be ensured.

The company's size is of little importance for quantifying the damage. Some insurance policies provide a minimum or limit for compensation, reimbursement, or total loss calculation. Most of the time, quantification ends up being much more limiting and does not meet the client's needs, because, for example, a small company may suffer a much larger cyber attack than a large company that managed to contain it early on.

Furthermore, it is extremely important that the contract has international scope, as the company is then protected anywhere in the world where the leak may have occurred. The insurer can also require the installation of certain cybersecurity defense mechanisms right at the beginning of the contract. Where the contract contains such a provision and it is verified that the company breached it, the insurer may refuse reimbursement or compensation.

In conclusion, cyber insurance does not prevent leaks and cannot be held fully responsible for the damage. Even so, taking out a policy ends up being very beneficial, as it not only provides technical assistance to the insured but also offers guidance on commands to prevent an invasion, and compensates within the possibilities outlined in the policy, providing the insured with quicker financial support.

Therefore, it is recommended to seek cyber insurance that meets the company's needs, regularly monitoring the requirements of the LGPD, thus enabling protection against possible attacks (guidance and support), as well as support in the face of third parties, that is, the insured's clients (civil and monetary liability).

Mayuli Hancz
Mayuli Hancz is a lawyer at Rücker Curi Advocacia e Consultoria Jurídica.