The advent and growing popularity of cyber insurance are causing an interesting shift in the cybersecurity landscape, and it’s probably not the shift the insurance world envisioned.
I believe that organizations are far more likely to pay a ransom if they have insurance than they would be if the ransom was coming off their own bottom line. As a result, cyber-criminals are encouraged by the likelihood of getting paid and the number of attacks is increasing. (At the time of this writing, ransomware claims for many insurance companies are on pace to double the previous year’s rate).
Given the increase in ransomware attacks and the potential impact to your organization, I believe that it is critical for you to understand your organization’s insurance requirements, the details of the policy and the expectations of the insurer. Here are four things you need to understand about cyber insurance.
1. Understand Scope of Coverage
Policies come with different options, modules and riders, liability limits and deductibles. Make sure that your Crisis Management Team is fully aware of your policy’s options and limitations. Understand whether your policy includes modules for Security and Privacy Liability, Multimedia and Intellectual Property, Technology Services, Professional Services, Network Interruption, Network Extortion, Electronic Theft, Computer Fraud, Telecommunications Fraud, Social Engineering Fraud, Reputational Damage, Event Support Expenses, and Privacy Regulatory Defense and Penalties.
Each of these modules covers a specific aspect of a cyber-attack. Often, organizations will engage third-party help in the area of crisis management and event support, which can be covered by insurance if you have the right module in place.
Watch For the Following:
Forensic Investigations. This would likely fall under a “Technology Services” module. It’s good to have a seasoned forensic team on contract to assist with the investigations.
Notification Expenses. Mass communications to thousands or even millions of affected parties don’t come cheap. You will probably want to engage a public relations firm to help with the messaging. A special hotline with a supportive call center may be required. Maybe you’ll need to create a special website associated with the breach. These expenses may be covered by your policy!
Downstream Legal Expenses. The legal landscape regarding cybercrime is ever changing. You could find yourself on the business end of a class action lawsuit. Determine whether your policy covers external legal services, litigation and settlement expenses. (Here’s where the overall liability limit is very important to understand.)
Ransom Demands. This is generally why organizations buy cyber insurance to begin with. But it’s worth a review of the policy to understand the limitations of the coverage (See Point 2 below).
2. Understand Policy Exclusions
This is critical. I was reviewing a policy for one of my clients recently and I came across an exclusion that explained that the insurer shall not be liable for any damages or claims involving the loss of or theft of any portable device (including security events or breach of privacy), unless the portable device is encrypted. I called the head of IT and asked him if he was a) aware of the limitation and b) encrypting their mobile devices. No and no. He explained to me that they used to encrypt their devices but recently stopped. In this example, a breach arising from a mobile device vulnerability would very likely have been denied by the insurer.
Each policy has a section on Exclusions / “What We Do Not Cover”. This section is as important as the one that explains what they DO cover. Read it and understand your limitations. This section may also list attacks by ‘enemy states.’ If an attack is deemed to be from a foreign government, or if it is considered an ‘act of war’ or ‘terrorism’, the policy may not cover the claim.
Watch For the Following:
Rogue Employees. Is coverage in place if the malicious act was carried out by one of your employees? Often policies will still cover this type of claim, as long as the employee wasn’t an officer of the company. It is best to understand this limitation ahead of time.
Privacy Breach Not Related to Cyber. Sometimes a privacy breach is the result of human error and has nothing to do with a cyber-attack. Understand whether the policy covers the unintentional distribution of personal information.
Third Parties. If a breach occurred at one of your third-party service providers, you would hope that a) they have coverage and b) the incident is covered by their insurer. Identify any inclusions or limitations you need to be aware of as they relate to third parties.
3. Understand What Added Value They Offer
Many insurers will provide add-on services that are available during a cyber-related crisis. It makes sense for the insurer to provide these services because a well-managed crisis will save them money in the long run. Typically, an insurer will negotiate a favorable rate with the external provider and will help you engage them during the crisis. Check whether your insurer provides the following:
Forensic Support. Even if your organization has an experienced cybersecurity team, there is immense value in bringing in a group of forensic experts to assess the situation. These teams have been exposed to countless attacks of various types and have far more experience than your in-house team. They know where to look and what to look for to determine the type of attack, which vulnerability may have been exploited and how to proceed. They can also provide insight regarding decryption and remediation.
Legal Services. This is the same concept as the forensic support. Your in-house legal team will benefit from having experienced cyber / privacy counsel available for advice and direction. Typically, these service providers are focused on cyber-related incidents and can help guide your organization through the minefield associated with legal response.
Communications / Public Relations. There are a couple of things to consider here. Public relations firms can help your organization draft appropriate messaging as you notify affected parties and release information about the breach to the public and / or media. Crisis communications is an art; bringing the right people to the table can go a long way toward mitigating the impact of the breach. They can also assist with website development, establishing temporary call centers and the development of materials for distribution.
Breach Coach. Often the insurer will provide you with someone who does cyber response for a living. This person is there to guide you through the response phase, make sure your response is aligned with the insurer’s expectations, and provide you with whatever resources you need to manage the crisis well. Sometimes this is an internal employee; other times the insurer will outsource this to an experienced third party. The advantage to you as the policy holder is that you have a direct line to the insurer. The advantage to them is that they are engaged in your response plan and can help make sure fiscally responsible decisions are being made.
4. Understand Who Has Ultimate Decision-Making Authority
I can’t stress enough how important it is to understand who has the final say when it comes to key decisions during a cyber-attack. If you were to find yourself in a situation where you and the insurer disagree on a decision, are you locked into their approach (in order to have the claim processed)? What if they want you to pay a ransom and you are fundamentally opposed, or vice versa? How would they handle the claim if you want to hire a third-party resource that they don’t do business with? Are you on the hook for the cost of this valuable resource?
This can be clarified by asking the question directly and by including the insurer in your tabletop exercises. By having them at the table during the exercise, you will get a better view into how they will be inclined to respond, and you will have a better understanding of their rules of engagement.
Often, the insurer will need to be brought to the table early in your response protocol. They want to be engaged as quickly as possible to avoid costly mistakes that could become problematic later. It’s critical to understand their requirements and follow them as best you can, to avoid having a claim denied or disputed.
One of the most important relationships your Crisis Management Team will have is with the cyber insurance provider. Be thorough in your understanding of your coverage, their rules of engagement, what services they provide, and how disagreements will be handled. This is another example of why it’s critical to exercise your plans so that you can limit the number of surprises at the time of crisis!
About Mark Hoffman
Senior crisis management and business continuity consultant with cybersecurity response and crisis communications experience in a leadership role, spanning twenty years. Proven track record in developing and implementing crisis management, business continuity and cybersecurity response protocols, and establishing mature business continuity programs and effective governance models. Quick to build relationships and achieve results working collaboratively with business leaders and executives. Extensive experience in the development and execution of tabletop and operational exercises with a focus on measurable results that lead to overall improvement of plans and programs. Feel free to contact Mark to see how he can help your organization be well prepared: [email protected] or on Twitter @mhoffman_cbcp
This sounds much like what I do when responding on a kidnap for ransom (K&R) case. Should you need anyone, please let me know.