
Preparing for a Data Breach with Cyber Insurance

By Collin Hite
December 31, 2015

Data breaches continue to escalate and garner national attention. The most recent news-making incident was the hack of electronic toy maker, VTech.

The Risk Insurance Management Society's (RIMS) Cyber Survey (May 2015) provides important benchmarking information for risk managers as they continue to grapple with data security and procurement of cyber insurance. One of the important takeaways is that most companies have standalone cyber insurance at this point, and those that don't are now seriously considering it. That is not a surprise considering the massive data breaches occurring recently: Target, Anthem, Starwood, the U.S. government. Companies of all sizes need to consider cyber insurance as part of the overall program.

The situation is getting so bad that businesses, large and small, are finally realizing that the question is not if they will get breached, but when. And the sheer number of high-profile breaches in the last year reminds policyholders that cyber coverage is a critical part of any insurance program.

How Insurance Helps Prepare For a Breach Response

For most companies, the significant costs associated with responding to a data privacy breach cannot be borne internally. Data privacy insurance is required to shift the risk for the company. Going through the process of placing such insurance is the first step to good coverage and a strong response plan.

Insurance underwriters are very cautious and equally thorough in issuing data privacy insurance. Because the new digital order is that a breach is a matter of when, not if, underwriting requires an extraordinary amount of due diligence. Companies that go through the process will learn a tremendous amount about the current state of their network security and response plan. Information learned in this process can be useful to find gaps and upgrade security, protocols and insurance coverage. Policyholders will be required to fill out extensive questionnaires from the insurer, and likely allow an onsite visit. All of the information gathered in the process not only informs the insurer as to whether it wants to issue a policy, but can prove invaluable to the company developing a strong network defense and response. An insured can use the information to identify the best response team and leader. The current response plan (every business needs one) can be updated and tested. External resources can be identified and brought into the response process. The clear and present danger to all businesses in the data privacy area cannot be overstated, and the insurance placement process can be the first step to being as prepared as possible.

Benefits of Planning Ahead For Your Response

A comprehensive data incident response is critical, whether the business owns data privacy insurance or not. As noted, the process of placing insurance coverage can provide valuable insight for creating the strongest response plan possible. There are measurable benefits to being well prepared for a data breach. Obviously, a thorough and tested plan will make for a more effective and efficient response. Mistakes made during the first 72 hours of an incident can increase the costs in responding by two or three times. An efficient response can also prevent a loss of sales, income and stock pricing. Customers who are comfortable with the company's response are less likely to stop doing business than those that lose confidence. A proper and effective response also protects the company's brand reputation.

Insurer's Response to the Growing Risk of a Data Breach

In response to the continually growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers are now excluding cyber-risks from more traditional insurance policies, such as Commercial General Liability (CGL) or Errors & Omissions.

Second, insurance companies are racing into the market with new products aimed at providing specialized coverage for such losses. Estimates are that data breach policies are changing every six months to keep pace with the sheer size of the risk and exposure.

CGL Isn't for Cyber Coverage

Just as insurers reacted to CGL policies providing coverage for environmental exposures, they are now doing so with respect to cyber losses.

In May 2014, the Insurance Services Office (ISO) introduced several new endorsements addressing access or disclosure of confidential or personal data. These new endorsements will strip most, if not all, coverage for data-related losses from CGL policies.

The losses that are excluded could be those at the heart of an enterprise and which, if uninsured, could cripple a business with response and rebuilding expenses related to their network infrastructure. These endorsements are already showing up in most renewals.

A True Cyber Policy Is an Insured's Best Protection

Businesses can obtain cyber insurance for losses. It is critical to understand the full scope of the coverage you buy. Insurance to protect your property and network can include: 1) computer data restoration; 2) resecuring a company's information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; 6) crisis and public relations management; and 7) extortion. Commentators note that first-party losses are usually the higher costs to a business suffering a cyber-attack, so adequate coverage in this area is vital.

Organizations also need liability coverage. Most coverage in this area will provide for a defense to litigation brought by customers for their direct losses due to a breach. However, insurance may also cover: 1) PCI-DSS (Payment Card Industry Data Security Standard) liability; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations. Policyholders can obtain DIC (difference in conditions) coverage under certain aspects of first- and third-party coverages.

Today, “cyber” can be a misnomer for the breadth of coverage available. Don't forget, breaches can still occur the old-fashioned way, with paper files.

However, the policy forms among the different carriers vary tremendously and policyholders must be vigilant to ensure they purchase the right coverage. Insureds must look well beyond the declarations page and coverage grant when considering this type of insurance, although those are obviously important. The devil is in the details.

Here are some important areas to consider:

Policy sublimits. A critical area to watch for with cyber insurance is the sublimits. While many policyholders have a far better understanding of standard CGL and property coverage, it remains critical for them to take extra time to truly understand the nature of a new cyber policy being added into their insurance program. It is not uncommon for the most expensive and necessary aspects of coverage to have the lowest sublimits. Policyholders have to understand their risk and the costs for responding to a breach, then make sure the sublimits are appropriate for those various costs.

Definitions in the policy. Since insurers all use different forms for data breach and privacy insurance, the definitions used in the policy are critical to the scope of coverage. For example, how does the policy define “computer system?” That definition may make all of the difference in whether there is coverage or not. The same is true for “wrongful act” and a host of other definitions that are highly specific to the insurer's forms. Remember, data breaches can take all forms of attacks so you need the policy to account for them. Often it is the definitions that truly set out the actual scope of insurance coverage. Policyholders must dive deep into their policy with their broker and coverage counsel to ensure they understand the nuances of the policy. Insurers are currently in a growth mode for placing cyber coverage and many are willing to negotiate coverage to broaden the scope in favor of policyholders.

Cyber policies have exclusions. No surprise, these policies also contain a litany of exclusions. A prospective purchaser of cyber insurance must pay particular attention to the exclusions. Match the exclusions up with the numerous definitions and it becomes easy to see how tough it can be to have coverage at the end of the day. That does not mean such insurance is not critical: it is. But a prospective insured must be hypervigilant to determine what the policy offers against the risks, and negotiate like the devil for better terms.

Know your retroactive date. A survey by Mandiant, a FireEye Company, noted that in 2014 the average number of days a hacker is in your system before discovery was 205 (down from 229 in 2013). See “M-Trends 2015: A View from the Front Lines.” Since many businesses continue to struggle with detecting a breach, what does this mean? You need a retroactive date of at least one year to ensure coverage for the lag time in breach discovery. Ideally, an insured would really want a minimum of two years, if possible.

Cyber insurance and breach response vendors. One of the main selling points of such insurance is that the insurers bring all the resources to the table. The insurance company will have forensic information technology vendors to assist in closing the breach. They have the credit monitoring and public relations experts. The goal is that one call to your insurer after a breach should immediately marshal these resources for the coverage purchased. But do you know these vendors, and will they do more harm than good for you? Policyholders should vet the vendors, determine if they are best in class, or negotiate on the issue.

This last point is critical for policyholders to understand. Some insurance policies will place the onus on the insured to bring vendor resources to bear in responding to an incident. If so, a company must have a response team, including its outside vendors, selected and vetted as part of preparing a response plan. A company cannot afford to start looking for vendors, such as computer forensic companies or data privacy counsel, during the actual breach. Because most insurance policies that will reimburse for these covered costs say they pay “reasonable expenses,” the insured should understand beforehand what is acceptable to the insurer. Again, engaging in this dispute during the breach is a complete distraction that will make your response less effective and efficient.

If the insurer will select vendors as part of the response, it is still wise for the policyholder to determine which vendors will be involved and to ensure that they are familiar with the company's response plan beforehand. Some insurance policies provide a certain amount of free consultation with the vendors. Regardless, a company must be comfortable with the vendors or address it with the insurer before an event occurs.

Having gone through the exercise of purchasing data privacy insurance coverage, a company can best develop a response plan and is prepared ahead of time. The process will allow your business to prepare in the following ways:

  • Develop a strong response team;
  • Identify response capabilities and external resources;
  • Establish relationships with law enforcement and regulators;
  • Create and test the plan prior to an actual event; and
  • Anticipate communication, remediation and notification pitfalls.

Conclusion

Time spent upfront from an in-depth analysis when considering such insurance may prevent the type of coverage fight many policyholders are facing in order to get the coverage they paid for from their insurer. Working closely with your broker and coverage counsel may seem tedious, but ensuring the correct coverage can prevent a poor response to an actual breach as well as unwanted litigation with the insurer over the scope of coverage.


Collin Hite leads the Insurance Recovery Group and co-chairs the Data Privacy & Security practice at the law firm of Hirschler Fleischer in Richmond, VA. He handles insurance recovery and coverage litigation nationally, as well as providing insurance policy and program audits for policyholders. He may be reached at 804-771-9595 or by e-mail at [email protected].

