Cyber insurance has quickly become a standard form of protection for transportation and logistics organizations facing increased risks from threats like ransomware, network intrusion, and data theft. However, many organizations incorrectly assume that having a cyber insurance policy will protect them from any legal or financial consequences of a data breach involving sensitive information. While insurance is an aspect of a larger risk-management framework, it can never replace vigilant security practices, compliance controls, and accountability.
A recent example, from earlier this year, involves WEL Companies, Inc., which experienced a data breach and stated in its notification that an unauthorized third party had accessed files containing sensitive personal information. Despite the high likelihood of data breaches and the reliance on cyber insurance to cover them, incidents like the one at WEL Companies illustrate that having an insurance policy, or some coverage under that policy, does not eliminate an organization's legal exposure, and does nothing to protect the personal information of the affected individuals.
Why Cyber Insurance Is Not a Complete Safety Net
Cyber insurance is designed to assist organizations with some of the direct financial impact of a security event, but not with all of its resulting ramifications. Policies may cover items such as forensic reviews, notification costs, credit-monitoring services, or some legal costs. However, several elements of liability are typically not covered under such policies.
1. Insurance cannot cover negligence liability
If a post-event forensic review finds weak security controls, obsolete systems, or other failures to meet a reasonable standard of cybersecurity practice, an organization remains liable even if it has insurance. Courts are increasingly imposing liability on organizations whose cybersecurity lapses result in preventable breaches.
2. Reputational and operational harm is not insurable
Lost business, eroded customer relations, or halted freight or logistics operations may exceed specific coverage caps or cause longer-term damage that insurance funds cannot remedy.
3. Most policies have little coverage for vendor third-party incidents
If a breach occurs through a vendor, coverage gaps may leave the organization directly responsible. Most policies require strict evidence that due diligence was conducted throughout the vendor chain.
4. Employee and contractor claims beyond insurance payout limits
If personal data is disclosed (Social Security numbers, driver's license numbers, etc.), an employee or contractor may seek compensation beyond the limits of the policy.
5. Insurance does not negate regulatory scrutiny
Organizations may still face federal or state-level investigations, penalties, and enforcement actions for failing to comply with privacy or data-protection regulations.
Why This Issue Is Important to the Transportation & Logistics Industry
Transportation companies process extensive amounts of sensitive workforce data, which may include identification documents, background-check records, payroll information, and compliance paperwork. This type of information is extremely valuable to cybercriminals and difficult to replace. As both the number of attacks and the value of the data rise, insurance alone still leaves organizations exposed.
Establishing a Better Strategy to Manage Cyber Risk
To reduce liability, transportation and logistics organizations must pair insurance with proactive security measures, including:
- Ongoing network monitoring and visibility
- Vendor and third-party cyber audits
- Encryption of sensitive files and identities
- Strong access controls and employee awareness of security
- Clear breach response plans and documented policies
- Compliance with federal and state-level reporting requirements during a breach
Final Thoughts
While cyber insurance can be beneficial, it is not intended to replace sound cybersecurity practices; it should be thought of as financial backing, similar to other risk-management solutions used by organizations. The WEL Companies event highlights that transportation organizations must always be ready to defend themselves, not only against a breach of their network security, but also in meeting their legal and ethical responsibility to protect their employees, drivers, partners, and customers. Resilience is achieved through preventive measures, transparency, and accountability, not through an insurance policy.
