The Imperative of Legal Privilege in Cyber Insurance Applications
In the complex world of cyber insurance, this conversation with Damon Silver from Jackson Lewis highlights a critical aspect often overlooked by businesses: the importance of placing the risk assessments that often accompany the cyber insurance application process under legal privilege. This article unpacks the reasons behind this imperative, drawing on Silver’s expertise.
The Essence of Legal Privilege in the Cyber Insurance Application Process:
Protecting Information Developed During Risk Assessments: During the cyber insurance application process, companies are required to disclose detailed information about their cybersecurity practices and vulnerabilities. Silver notes that, in the course of providing those disclosures, companies often need to do an extensive assessment of their cybersecurity programs – leveraging tools like SecondSight – to identify risk factors and evaluate potential mitigation measures.
Those assessments are a major value add for companies, both with respect to their cyber insurance applications and the general health of their cybersecurity programs. However, to the extent feasible, they should be conducted under privilege to avoid creating evidence that will be damaging in litigation or regulatory investigations (e.g., about the decisions a company makes not to implement certain safeguards because the costs are too high or the risks are deemed too remote).
Active Involvement of Corporate Boards: The cybersecurity regulations recently issued and, in the latter case, amended by the SEC and NYS Dept. of Financial Services exemplify a growing trend towards requiring active board involvement in cybersecurity compliance and risk management. Silver points out that, in many cases, compliance with these and similar oversight obligations will necessitate board member involvement in the process of evaluating risk factors related to obtaining cyber insurance coverage.
For instance, board members may need to understand certain risk factors that impact the company’s cyber coverage needs and how cyber coverage fits within the company’s broader cyber risk management program. Again, being mindful of privilege can help companies avoid self-inflicted pain in future litigation and regulatory proceedings.
Importance of Comprehensive Compliance: Lastly, Silver stresses the importance of viewing compliance from a broader perspective. It can be tempting, given demands on time and resources, for companies to do the minimum needed to get or renew their cyber insurance; in other words, to limit their assessment to the specific areas covered in their insurance application.
Taking that path, however, causes companies to miss an opportunity to truly understand and effectively manage their cybersecurity risk. A more holistic assessment, structured to preserve privilege where feasible, helps companies not only get insured, but also develop fundamental resilience against digital threats.
Silver’s insights underscore the need for companies to treat the cyber insurance application process with the seriousness it demands, especially concerning legal privilege. It’s not just about obtaining insurance; it’s about ensuring that the process contributes to a company’s overall cybersecurity strategy without opening up new vulnerabilities. In today’s digital landscape, where cyber threats are a constant, understanding and implementing legal privilege in cyber insurance applications is not just advisable; it’s imperative.