Experts are full of advice about the importance of designing and implementing a robust cyber breach response plan. They opine frequently on its key components, such as identifying the roles and responsibilities of the response team, steps for investigating and containing the breach, internal and external communications regarding the breach and the response, and applicable legal requirements. For the most part, however, their advice focuses on the information-technology aspects of the plan, with some attention given to the roles of senior management and the legal department. But few commentators offer tips on one of the most consequential components of a cyber response plan: insurance.
Insurance is often the last thing that a company reeling from a cyber-attack thinks about, but it should be top-of-mind. Importantly, it is the one piece of the puzzle that can actually offset the damage to the company’s bottom line. When the C-suite or, even worse, the shareholders say, “Show me the insurance money,” you don’t want to come up empty-handed because you left that piece out of the plan.
Engaging with insurers should be among the first steps taken in the aftermath of a breach. Insurance policies generally contain notice and cooperation provisions which, if not adhered to, can limit or eliminate coverage. Cyber-specific policies, in particular, often require not only that the insurer be notified but that it affirmatively grant advance written consent in order for coverage to attach to certain expenditures, such as costs for:
- Retaining a forensic investigator
- Hiring lawyers to advise on legal requirements for notification of the breach
- Notifying individuals or regulators
- Getting crisis management or PR professionals on board
- Offering ID theft monitoring and other credit protection measures
- Responding to an extortion demand or ransomware
- Hiring defense counsel or paying defense costs
- Settling third-party claims
- Incurring any other financial obligation or cost
It does no good to pay serious money for a state-of-the-art cyber policy only to blow any right to recover these proceeds due to inattention.
Alternatively, some cyber policies require that the policyholder use law firms, breach response experts, and other service providers who have been pre-approved by the insurer— either providers who are members of the insurers’ “panels” (usually identified on the insurer’s website), or providers who are specifically listed on policy endorsements. If you neglect this requirement while in crisis mode and hire other providers, you may find yourself unable to recover some or all of the fees and costs charged.
At a minimum, therefore, your cyber breach response plan should (in addition to being clearly documented, approved by senior management, and distributed to all key employees):
- Designate a risk management representative to serve on the cyber response team.
- Require disclosure of all known facts, in real time, to the risk management representative.
- Include a checklist of all insurance policies to be reviewed for potential coverage in light of the breach circumstances and with an eye toward foreseeable losses and liabilities. Identify the individual(s) responsible to conduct this review (who may be from the legal department or an outside coverage firm).
- For each policy, include a checklist of all insurer notifications required, including the specific recipient and address for notice. This list should include any general requirements to notify the insurer of the fact of the breach, as well as specific requirements for insurer consent for retention of providers or for expenditure of costs, along the lines of the examples above. The list also should include the timing requirements for notice, including whether advance notice is required.
- Identify risk management and/or broker personnel responsible for drafting notices and following up with the insurers to secure any necessary consents. If communications with insurers need to be reviewed by legal, identify the responsible lawyer and prescribe a maximum turn-around time. Depending on how deep your risk management and legal benches are, consider identifying outside coverage counsel responsible to assist.
- Where insurance requirements impact other components of the plan—such as the parts of the plan that deal with forensic investigation or crisis management activities—alerts should appear in those sections of the plan, warning those teams to check with risk management before hiring breach response providers.
- Include an express commitment by senior management and a directive to response team members to provide to insurers as much information as early as possible. If confidentiality is a serious concern, consider entering into non-disclosure agreements with key insurers in advance of or immediately following any breach.
- Identify regular intervals for keeping insurers up to date on the progress of the response effort, specify whether updates will be given by telephone conference or in writing, and identify who is responsible for organizing and keeping record of these efforts.
An ideal cyber breach response plan would include all the foregoing elements, but we all know that real life is not ideal. If you suffer a breach before a comprehensive plan is in place, be sure to contact coverage counsel for guidance immediately. Real money can be lost if you neglect the insurance piece of the puzzle.
What’s Good for the Goose: Protecting against Vendor Cybersecurity Risk