Stites & Harbison attorneys Shannon Sprinkle and Peter Critikos joined other cybersecurity stakeholders a few blocks from the firm’s Atlanta office at the American Bar Association’s Cybersecurity and Data Privacy conference to exchange thoughts on the state of the industry and market developments. Shannon and Peter share their thoughts on some key highlights from those discussions. Although geopolitical events have injected much uncertainty into the space, several trends have developed that are unlikely to disappear anytime soon.
The Cyber Insurance Market Has Hardened. Consistent with the insurance market generally, the cyber insurance market has become increasingly hard. Premium hikes as high as 500% and reduced limits have grown alarmingly common. Increased claim volume (predominantly involving ransomware attacks), the potential for systemic fallout, and the ever-evolving threat posed by sophisticated hackers have caused underwriters to veer conservative. While rates should eventually stabilize, broad coverage paired with minimal application requirements and low prices is a thing of the past.
Stand-Alone Cyber Necessary. Even if increasingly expensive, cyber insurance has become a necessary cost of doing business. It is no longer a question of whether a cyberattack will occur, but when (with many falling on a Friday night just before happy hour or a holiday weekend). Cyber insurance coverage provides businesses with the means to respond effectively to a breach by pairing them with attorneys and other professionals who can guide them through the ordeal. Importantly, communications between an insured and counsel regarding breach response should be protected by the attorney-client privilege. Having counsel and others on speed dial can help minimize operational losses, mitigate reputational damage, and guard against sanctions from regulatory authorities.
Proactivity as a Prerequisite. To obtain affordable coverage, businesses must begin implementing industry-standard protections and best practices. Simply installing antivirus software is no longer sufficient. At a minimum, companies must adopt multi-factor authentication (“MFA”) and, ideally, endpoint detection and response (“EDR”) security. Employees should receive regular training to recognize common cybersecurity threats, and management should know their incident response plan chapter and verse (post-breach is not the time to craft your response plan). Companies that show initiative in these respects reduce their risk of an incident and signal to carriers that they represent an insurable risk.
The attorneys at Stites & Harbison represent clients of all types and sizes in connection with cybersecurity and data privacy. If you need assistance with such a matter, please contact us today.