What cyber insurance can do for contractors

Justin Chiarodo is a partner and Philip Beshara is an associate in Dickstein Shapiro’s Government Contracts Practice.

Cybersecurity compliance for government contractors is an ever-growing challenge. Companies face current and emerging obligations arising from a patchwork of executive orders, standards from the Office of Management and Budget and the National Institute of Standards and Technology, rulemaking in the Federal Acquisition Regulation and agency supplements, contract terms, and legislative action (and inaction). Not to mention the scrutiny that comes with endless press coverage.

But how well is your business financially protected in the event of a cybersecurity incident? (Or if you are on the government side, how safe are your industry partners?)

The financial costs of cyber events can be staggering. The highly publicized attack on Target cost the retailer and financial institutions a reported $348 million. And for government contractors, the implications can be existential. In 2014, a high-profile provider of background checks to the Office of Personnel Management fell victim to a suspected state-sponsored cyberattack that potentially exposed confidential information regarding 27,000 government employees.

OPM not only declined to renew the company’s contracts (which in one year totaled $417 million in revenue), but the contractor’s parent company filed for bankruptcy, citing the cyberattack as a key cause.

Following a 2011 data breach at a major contractor for the military’s Tricare health benefits program, the government required the company to pay the costs of notifying 5 million affected Tricare recipients. On top of that, the contractor faced years of class-action litigation.

Those numbers reinforce the notion that contractors should focus not only on cyber compliance practices but also on ways to mitigate the financial impacts of inevitable cyber incidents. Those investments should complement more traditional cyber compliance measures (e.g., system security and training).

Two such measures in particular are worth a closer look: corporate insurance and liability protections under the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act of 2002.

Although the cybersecurity insurance market is still evolving, contractors would be well-served to review their current policies and assess their current coverage portfolio. Advance review and planning will help identify potential coverage issues and gaps before a cyber event takes place, position contractors to maximize their potential recoveries in the event of a cyber incident and even enable contractors to negotiate more favorable policy language to maximize their liability protections.

As a complement to insurance coverage, the SAFETY Act might also provide critical liability protections to approved businesses that use or provide approved products or services that can reach cybersecurity vulnerabilities. For example, FireEye recently announced that the Department of Homeland Security had certified two of the company’s cybersecurity products as “qualified anti-terrorism technologies” under the SAFETY Act, and the company touted the approval as the first such certification for cybersecurity software.

Government contractors and other businesses that use DHS-certified technology may cloak themselves in the law’s liability protections, effectively avoiding the tort liability that can arise from a cyberattack when such technology is used. FireEye’s DHS approval is a welcome step that further confirms that the SAFETY Act’s protections extend beyond terrorism concerns to include the cybersecurity threats facing American companies and, through them, U.S. economic and national security interests.

Those threats — particularly for government contractors — show no signs of abating. Contractors that are waiting for financial protection from federal regulators or Congress will likely be disappointed. Given the financial risks presented by recent and future cyberattacks on federal contractors, companies should take every advantage of the financial and liability safeguards currently at their disposal and include the assessment of those safeguards as an integral part of their cybersecurity compliance strategies.

About the Authors

Justin Chiarodo is a partner in Dickstein Shapiro's government contracts practice.

Philip Beshara is an associate in Dickstein Shapiro's government contracts practice.

Reader comments

Thu, Jul 16, 2015

Yes, why won't these lawyers name names? They are public. Would they leave them out of a Complaint or a Brief?

Thu, Jul 16, 2015

Good question. Why would these lawyers be so skittish? Wouldn't you want a knowledgeable junkyard dog kind of lawyer to look after your interest, rather than one playing to the political winds? Who ya gonna call, eh?

Mon, Jul 13, 2015 Mel Ostrow

It is interesting that the lawyer-authors of this piece were so gun-shy and hesitant to name the contractors involved in the publicly known and documented incidents that they cite, e.g., USIS for the OPM background checks. This kind of duck-and-cover only contributes to the furtive conduct by stakeholders in the current environment. And that's all of us. It would be good if there were swift and full disclosure of the companies who have been providing, under publicly identifiable, non-classified contracts, cyber defense related contract support to Federal agencies. That ensures that the air is clear and that the insurance angle, so important to lawyers as well as their clients, can be addressed in the cold light of day.
