[BreachExchange] Cyber insurance claims: What happens when a breach occurs?
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jun 22 18:59:09 EDT 2017
http://www.propertycasualty360.com/2017/06/22/cyber-insurance-claims-what-happens-when-a-breach?t=information-security?ref=channel-news
The claims process following a data breach is something an increasing
number of insurers — and insureds — need to understand more clearly, and in
his presentation at the recent New York Chapter meeting of the
International Information System Security Certification Consortium,
Markel’s Director of U.S. Professional Liability David T. Vanalek outlined
the claims team’s vital role when proprietary information is compromised.
One of the roles of the claims organization is to shepherd policyholders
through the breach-response process. The process can be complex, depending
on the scope of the incident; Vanalek mentioned that increasingly, insurers
are hiring lawyers out of private practice with expertise in cyber-related
legal issues due to their complexity.
After a breach, Vanalek explained, the claims group is the primary point of
contact between the carrier and policyholder. As such, it’s important for
policyholders to know in advance precisely who their point of contact is
should their help be needed, especially for large organizations with
significant liability exposures.
There is a range of policies that may cover aspects of cyber-related
claims: these include stand-alone Cyber policies, Commercial General
Liability, D&O/management liability, Commercial Crime coverage, and other
blended products. Each is subject to limits, sub-limits, exclusions and
endorsements.
It’s important to know that Cyber claims often involve more than one
insurer (especially for a large client) and require handling of third-party
liability claims. The claims organization has primary responsibility for
coordinating these third-party claims in addition to their policyholders’
claims.
The breach-response lifecycle begins
A claim is initially triggered by theft, loss, or unauthorized disclosure
from a legally liable organization. It’s incumbent on the policyholder to
file a breach notification with the carrier, agent or wholesaler: Because
breaches can become broad-based (and possibly public) quickly, that filing
should be immediately followed up with a call to discuss coverage issues.
After the claim is filed, Vanalek explained, the investigation will begin.
The investigation will include forensic and legal analysis, and its scope
and complexity will be dictated by the size and value of the potential loss.
Forensics will uncover technical aspects of a breach, including the methods
used, scope of the breach, and first- and third-party impacts. Depending on
the scope of the breach and the complexity of the policyholder’s IT
infrastructure, technical domain experts from the carrier (or their service
providers) will engage with the policyholder’s IT management.
Complex forensic investigations will often be handled by carrier-approved,
third-party providers with expertise in breach detection, remediation and
prevention.
Importantly, breach-notification laws exist in 48 states — but the
requirements for breach reporting in each of those states are unique. A
breach that must by law be reported in one jurisdiction may not have to be
reported in a neighboring state. Because the insurer’s responsibility is to
the policyholder and not to law enforcement, legal authorities may not be
notified. In addition to the first-party claim, third-party claims may also
be filed in additional jurisdictions.
During this process, the policyholder will receive a coverage letter from
the insurer outlining the scope of their coverages.
The value of readiness
Concurrent with the forensic evaluation, a response plan will begin to take
shape. Depending on the nature of the breach, this will involve victim
notification, credit monitoring, public relations, data recovery, system
hardening and implementation of new security products, services and
procedures, as well as a breach coach. The costs can add up quickly, and
the claims team is responsible for coordinating all these activities and
paying all the invoices.
Because those costs can quickly mount, Vanalek noted, it’s important for
policyholders to receive ongoing updates on whether their coverage levels
are being reached.
After response, focus shifts to defense. After a cyber incident, insurance
defense involves a combination of class-action lawsuit handling, management
of regulatory fines and penalties, minimizing reputational damage and
limiting income loss.
Carriers have approved lists of defense attorneys; however, they will
sometimes allow off-panel defense attorneys as well. Generally, said
Vanalek, carriers work toward early resolution in defense of first- and
third-party claims through mediation, direct settlements and negotiation —
but failing that, claims will go to trial.
Cyber claims handlers should be experts in understanding first- and
third-party policy coverages, and have a deep understanding of the issues
related to cyber. The claims handlers should also be adept at understanding
how the various coverages in the policyholder’s tower of coverages come into
play in the event of an incident.
Key Takeaways for Insureds:
- Know who your contact is at your broker, agent or carrier for handling
  cyber claims
- Have a thorough understanding of the breach response services available to
  you from your insurer – or their claims administrator
- Cyber claims handlers should be experts in understanding first- and
  third-party policy coverages, and have a deep understanding of the issues
  related to cyber breach response. Do some due diligence on your insurer’s
  expertise
- Look for an insurer who has expertise in handling risk in the industry or
  profession you’re in
- Pick an insurer who has experience working with organizations as big or
  small as yours
- In the event of a cyber incident, notify all your insurance providers. You
  may be covered by more than just your standalone cyber policy
Key Takeaways for Insurance Professionals:
- Educate your clients in advance about who to contact and how to file cyber
  claims
- Meet with clients at contract signing and walk them through the breach
  response process
- Be sure your policyholders understand the breach response services
  available to them
- Have a thorough understanding of your clients’ cyber exposures in advance,
  so you’re not playing catch-up in the event of a breach