The US Treasury Department has issued a request for public comment on a federal cyberinsurance program that would aim to cover the costs associated with severe cyberattacks. The Federal Insurance Office (FIO) and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are currently conducting a joint assessment for Congress. Because cyberattacks are occurring at such frequent rates, rates for cyberinsurance coverage have soared, making it difficult for businesses to afford coverage if it is even available. The proposed federal program would focus on critical infrastructure and be used as a backstop.
Cybersecurity continues to be an issue at the forefront of many of our contract negotiations. Though not typically included in the “data security” section of an agreement, the level and scope of cyberinsurance coverage often plays an important factor in the discussions between customer and vendor.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.
On October 24, 2017, during a joint meeting of the National Association of Insurance Commissioners (NAIC) Executive (EX) Committee and Plenary, the NAIC officially adopted the Insurance Data Security Model Law (Model Law) to establish standards for data security and the investigation of and notification requirements following a cybersecurity event.