What cyber insurance can do for contractors
When it comes to cybersecurity, the SAFETY Act deserves a second look, but companies should also consider commercial coverage.
Justin Chiarodo (left) is a partner and Philip Beshara (right) is an associate in Dickstein Shapiro’s Government Contracts Practice.
Cybersecurity compliance for government contractors is an ever-growing challenge. Companies face current and emerging obligations arising from a patchwork of executive orders, standards from the Office of Management and Budget and the National Institute of Standards and Technology, rulemaking in the Federal Acquisition Regulation and agency supplements, contract terms, and legislative action (and inaction). Not to mention the scrutiny that comes with endless press coverage.
But how well is your business financially protected in the event of a cybersecurity incident? (Or if you are on the government side, how safe are your industry partners?)
The financial costs of cyber events can be staggering. The highly publicized attack on Target cost the retailer and financial institutions a reported $348 million. And for government contractors, the implications can be existential. In 2014, a high-profile provider of background checks to the Office of Personnel Management fell victim to a suspected state-sponsored cyberattack that potentially exposed confidential information regarding 27,000 government employees.
OPM not only declined to renew the company’s contracts (which in one year totaled $417 million in revenue), but the contractor’s parent company filed for bankruptcy, citing the cyberattack as a key cause.
Following a 2011 data breach at a major contractor for the military’s Tricare health benefits program, the government required the company to pay the costs of notifying 5 million affected Tricare recipients. On top of that, the contractor faced years of class-action litigation.
Those numbers reinforce the notion that contractors should focus not only on cyber compliance practices but also on ways to mitigate the financial impacts of inevitable cyber incidents. Those investments should complement more traditional cyber compliance measures (e.g., system security and training).
Two such measures in particular are worth a closer look: corporate insurance and liability protections under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act of 2002.
Although the cybersecurity insurance market is still evolving, contractors would be well-served to review their current policies and assess their current coverage portfolio. Advance review and planning will help identify potential coverage issues and gaps before a cyber event takes place, position contractors to maximize their potential recoveries in the event of a cyber incident and even enable contractors to negotiate more favorable policy language to maximize their liability protections.
As a complement to insurance coverage, the SAFETY Act might also provide critical liability protections to approved businesses that use or provide approved products or services that can reach cybersecurity vulnerabilities. For example, FireEye recently announced that the Department of Homeland Security had certified two of the company’s cybersecurity products as “qualified anti-terrorism technologies” under the SAFETY Act, and the company touted the approval as the first such certification for cybersecurity software.
Government contractors and other businesses that use DHS-certified technology may cloak themselves in the law’s liability protections, effectively avoiding the tort liability that can arise from a cyberattack when such technology is used. FireEye’s DHS approval is a welcome step that further confirms that the SAFETY Act’s protections extend beyond terrorism concerns to include the cybersecurity threats facing American companies and, through them, U.S. economic and national security interests.
Those threats — particularly for government contractors — show no signs of abating. Contractors that are waiting for financial protection from federal regulators or Congress will likely be disappointed. Given the financial risks presented by recent and future cyberattacks on federal contractors, companies should take every advantage of the financial and liability safeguards currently at their disposal and include the assessment of those safeguards as an integral part of their cybersecurity compliance strategies.
NEXT STORY: One company shows how it is embracing agile