Breach exposure

Nowadays there’s no shortage of horrifying tales of data breaches that cost companies a fortune, from lawsuits, PR debacles and lost revenue, and that’s not even considering the cases where a hacker simply transferred millions out of a bank account. The US Securities and Exchange Commission (SEC), UK Financial Conduct Authority and other regulators have taken an interest in cybersecurity, which means every CFO, CCO and CTO is making it a top priority.
Part of that effort involves determining whether to purchase cybersecurity insurance. The policies can be vague in their coverage and don’t address acts of theft. They’re often irrelevant to the liabilities of the private equity and venture capital industry, which leaves a lot of firms deciding to self-insure. But if structured properly, these policies can guard against lawsuits and regulatory actions that arise from breaches. It should be noted that these policies often require the insured to demonstrate adequate cybersecurity measures, and if any of these aren’t followed, claims can go unpaid. So in a sense, such policies are best when coupled with a security program that’s aggressive enough to almost make these policies unnecessary.
Broadly speaking, these policies cover costs arising out of unauthorized access to a firm’s network, or to any personal information stored within that network. That personal information is usually social security numbers, but can also include driver’s license numbers, credit and debit card numbers and, in the case of employees, even personal health information. The policies pay for legal fees, forensic IT investigators, PR counsel and the notification of any individuals whose personal information was exposed.
Is it worth it?
Some GPs aren’t expecting much from their policies just yet, but still feel it’s worth buying for optics. One CFO admitted that it’s the equivalent of checking a box for regulators or investors. They’re not flippant about cybersecurity as an issue, but they have real doubts as to the value of these policies.
Indeed, for a lot of private equity firms, there are only a handful of individual social security numbers at risk. Tax ID numbers for large institutional investors are useless to hackers since they can’t be used for identity theft. Contrast that with major retailers like Target or Home Depot, which may hold the personal information of hundreds of thousands of customers.
“It’s difficult to understand and quantify the cybersecurity risk for private equity,” says Dimitri Korvyakov, CFO and CCO of Sandton Capital Partners. “Our biggest risks are unauthorized access to deal data and agreements and a privacy breach of investor data, and it’s hard to justify the costs.” Several other CFOs echoed the sentiment, suggesting it was better to invest in actual cybersecurity programs rather than the insurance.
Often firms already have insurance that protects against computer crime and fraud, which matters because cybersecurity policies don’t cover the financial losses when a hacker actually transfers money out of a firm’s account. But brokers caution that firms should double-check that they are, in fact, protected under their existing policies.
One area where private equity firms might find cybersecurity insurance worthwhile is in covering the costs of lawsuits that arise from a breach. “What you may find is that the very people you notified of that breach will turn around and sue you for damages,” says George Allport, vice president and financial fidelity product manager for Chubb Insurance.
These policies will cover the legal cost of the defense, along with any damages paid from a settlement or court decision. Such lawsuits can arise from “active” and “reactive” incidents: an “active” incident is one where a firm’s own network is compromised so that, for example, its emails infect recipients’ systems with a virus; a “reactive” incident is one where an LP visits a reporting portal site and catches a virus there. Most policies will cover lawsuits arising from either kind of incident.
Even where LPs aren’t expected to be quick to sue, GPs remain exposed to lawsuits when a breach causes confidential portfolio company information to be leaked. “In a worst case scenario, a breach may cause sensitive company information to be made public, jeopardizing a planned spinoff or IPO which could prompt litigation,” says Allport. However, coverage for breaches of corporate information must be added on to traditional policies, which only cover network security and personal information.
GPs can also purchase additional coverage that handles any regulatory actions, lawsuits, fines and penalties that might result from a breach. And given the uncertainty as to how regulators might react to damaging breaches, several market participants expect this to be a popular addition.
If a GP decides to purchase the insurance, the coverage cost is dependent on a number of elements which include, but are not limited to: the number of offices, number of employees, number of high-net-worth individuals, number of tax filings and the quality of the current cybersecurity program. 
Keeping your premiums low
For now, there are no uniform criteria for what constitutes a proper cybersecurity program when acquiring these policies. But most brokers and attorneys agree on a few technical protections that can lower the price of a premium: firewalls with frequent updates; encryption of data on mobile storage such as back-up tapes, portable drives, laptops and smart phones; intrusion detection and prevention systems; and software that detects confidential information in outgoing email and asks the sender to confirm that they really want to include that data before the message is sent.
Brokers see those protections in place at most financial firms, but there are some practices that can further lower premiums. “We like to see a tested action plan in case of a breach,” says Allport. “This would include all the processes, from what lawyer to call, to the content of a notification letter, all of which shortens the response time and may lessen the chance of a lawsuit.”
The other practice insurance companies appreciate is employee training. Several brokers say the biggest risk is the human element, where a hacker dupes an employee into sharing their username or password. Frequent and substantial training sessions can lower premiums.
However, GPs should be careful in listing cybersecurity measures in an application for such a policy. “Companies have to do exactly what they say they’re doing in the insurance application,” says Christine Marciano of Cyber Data Risk Managers. “If they say virus software is updated every 30 days and a breach occurs the day after when an available patch was to be in place, that claim can be denied based on several insurance carrier policy forms that state such an act could be deemed negligent.”
Just recently, the insurer CNA denied a claim on a cybersecurity policy from Cottage Health Systems because Cottage failed to install encryption software and other protections on the laptop that caused the breach.
Insurers do pay claims on such policies as seen in the data breaches at Target and Home Depot, but there have not been major payouts within the private equity industry yet.
“When we explored cybersecurity insurance, it was difficult to ascertain what constituted a breach under the policy. In the cyber world, risks are difficult to understand and new threats are being discovered every day and therefore, the market is constantly trying to catch up,” says Jason Donner, CFO of Veritas Capital. “As the market matures, a number of these uncertainties will be defined.” Like most CFOs we spoke with, Donner will continue to review these policies as they evolve, since the risks are here to stay.