Introducing Guest Blogger Yan Ross, Editor-in-Chief, Cyber Defense Magazine

by John Jenkins

March 27, 2026

Today we’re pleased to welcome Yan Ross, Editor-in-Chief of Cyber Defense Magazine, as a guest blogger. Here’s the first of Yan’s monthly contributions to The AI Counsel Blog:


Don’t Rely Solely on Compliance for Insurance Claims or Liability Defense


As Editor-in-Chief of Cyber Defense Magazine, I review over 50 articles each month. CDM is an online monthly publication with some 400,000 regular readers. Our authors focus on current trends in cybersecurity, but the topics extend to other disciplines with cyber implications.


Practitioners in cybersecurity, privacy, critical infrastructure, governance, risk & compliance (GRC), insurance, and others in risk management read and contribute to the actionable information we publish.


Regulated industries represent an important sector in cybersecurity. Whether it’s financial, health, defense, or those subject to securities law and regulation, the issue of “compliance” looms large.


It is important to recognize, however, that there is a growing number of cases in which an organization is in compliance with regulatory requirements yet still falls short in defending legal claims, and then finds that its cyber liability insurance coverage is subject to limitations.


In the broader world of cybersecurity, the use of checklists (especially AI-generated checklists) has come under growing scrutiny, for several reasons. A few examples are instructive for our purposes.


– Box-ticking is proving to be ineffective, because the evaluation of risks and responses does not conform easily to a fixed and limited list of the risks actually experienced in the world of cybersecurity.


– State laws, especially those establishing private rights of action for damages incurred by clients and customers as a result of data breaches and ransomware attacks, are imposing ever greater liability on holders of personally identifiable information.


– Specific regulated sectors are constantly subject to greater and more detailed requirements for protecting sensitive information. We tend to think of heavily regulated activities such as financial services (for example, federally insured banks), health care (HIPAA), and defense contracting.


– Moreover, it is inevitable that any company in the supply chains of the 16 sectors of critical infrastructure will become subject to both regulatory and market forces imposing requirements for cybersecurity measures and cyber risk insurance.


– None of these requirements is easily satisfied by checklist practices; each requires thoughtful analysis of vulnerabilities and preventive actions.


Beyond the implementation and enforcement of cybersecurity measures, risk management techniques using insurance coverage should be considered. It has been accurately observed that effective risk management involves making informed decisions about which risks to retain and which risks to transfer to someone else at a calculated cost. That is the insurance function.


Insurance underwriters at the front end of the process, and claims adjustment companies at the other end, do not generally rely on an affirmation of “compliance” with regulatory rules. In more specific terms:


In determining the spectrum of coverage limits, deductibles, exclusions, sub-limits, premium pricing, and other relevant factors, insurance carriers may consider the regulatory aspects of the applicant’s operations. But an attestation of regulatory compliance is never going to be the sole test or factor in the underwriting process.


Similarly, when a claim is filed, the claims adjuster (often a third-party contractor) will not default to considering whether the insured/claimant is in compliance with regulatory requirements. While that may be a consideration, it is unlikely that a payout will be recommended without consideration of other circumstances.


What does this mean for corporate counsel, in this fast-changing legal and technological environment?
We would respectfully suggest that in-house and outside counsel for regulated companies take the initiative in coordinating regulatory compliance and risk management with their in-house Chief Information Security Officers (CISOs) or contracted virtual or fractional CISOs (“vCISOs”).


As an integrated risk management exercise, it is also advisable to review professional liability insurance, especially the terms and limitations on cyber risks and those arising from the use of Artificial Intelligence (“AI”).


Finally, for the moment, trends indicate that periodic vulnerability testing by independent outside services provides value in identifying weaknesses that may otherwise lie undiscovered by internal resources over time.


In future guest blogs, we plan to cover these trends in greater detail and elaborate on broader aspects of how integrated risk management of regulatory compliance, liability recognition, and insurance coverage provides the most effective response to these growing challenges.