In a hyperconnected world, cyber attacks have become a constant threat to organizations in every sector. No entity, large or small, is immune to data breaches, ransomware, or other forms of cybercrime, and the need for protection grows as fast as the technology does.
Brazil currently has broad legal data protection through the LGPD (General Data Protection Law), but companies still need preventive guidance as well as prompt assistance when a cyber incident occurs.
The case for taking out cyber insurance is therefore self-evident. This type of insurance is, in short, a protective layer for the company's operational and financial affairs. Its security responsibility covers at least four areas: financial damage reduction; civil liability; management; and technical inspection.
Financial damage reduction obliges the insurer to reimburse losses the company suffers directly, such as lost profits, as well as expenses for technical consulting and emergency response actions.
Civil liability coverage protects the company in the event that its customers' data is leaked. In a data breach, the company's image can also be affected.
For that reason, another important coverage area is management: the cyber policy also covers technical and/or legal support to contain damage to the company's image. Finally, technical inspection. Under this heading the insurance covers the cost of expert examination to determine the origin and extent of the data leak, at both the company and third parties, including support to restore the affected data.
Furthermore, it is important to note that insurance policies specify cases where there is no coverage. The most common exclusions are: attacks or leaks that occurred before the policy was taken out, human error, a poorly rated or ineffective security system at the company, and reimbursement for improvements to the security system.
Legal Contracts
And what about legal contracts? Although useful, these contracts face significant challenges, both legal and regulatory. A contract cannot rely on vague definitions and ambiguous wording; every term used must be stated clearly, to avoid situations that generate even more disputes. Subjective clauses should therefore be avoided, and the contract must also comply with the LGPD.
The size of the company matters little when quantifying damages. Some policies set a minimum or a cap on compensation, reimbursement, or the total loss calculation. Most of the time this quantification ends up being far too limiting and fails to meet the customer's needs because, for example, a small company may suffer a much larger cyber attack than a large company that managed to contain one early on.
It is also crucial for the contract to have international scope, so that the company is protected anywhere in the world the leak originated. The insurer may also require certain cyber defense mechanisms to be installed at the very start of the contract; if such a provision exists and the company is found to have breached it, the insurer may refuse reimbursement or compensation.
In conclusion, cyber insurance does not prevent leaks and cannot be held fully responsible for the damage. Even so, taking it out is highly beneficial: besides providing technical assistance to the policyholder, it offers guidance on measures to avoid an intrusion and pays indemnities within the limits set by the policy, bringing financial support to the policyholder more swiftly.
It is therefore recommended to seek cyber insurance that meets the company's needs, while regularly observing the requirements of the LGPD, so as to obtain protection against possible attacks (guidance and support) as well as support in dealing with third parties – the policyholder's clients – (civil and monetary liability).