Just some quick thoughts on cyber insurance. As insurers get more sophisticated in how they cover cyber incidents, businesses need to get more savvy as well. This isn’t a zero-sum game. As a business owner, you NEED insurance. And as an insurer, the carrier wants to calculate the risk as accurately as possible. In the old days, cyber incidents might fall into traditional areas of coverage (e.g., business interruption). But now we’ve got proactive security requirements coming out of the states. CCPA only applies to mid-size or larger businesses. However, here in New York, even if you are a small business, you need to have SOME program in place (e.g., “reasonable safeguards” taking into account the size and scope of your business). Personally, I don’t think cybersecurity compliance has to be rocket science. But any way you slice it, doing nothing is not a smart option.
I think what you will find is that, going forward, doing nothing might also get your coverage pulled. At what point is non-compliance with SHIELD or CCPA going to be considered reckless, and therefore not insurable? I have a feeling we are going to start finding out the answer soon.