Before the breach: selecting the right policy and the application process
1. Be sure to consider all possible areas of exposure and ensure your business has enough coverage for its risks
Cyberattacks are costly and can shut a business down completely: its networks and computers may be bricked and unusable, it may be unable to afford recovery costs, it may face third-party liability, or it may simply be unable to survive a temporary loss of income. Costs vary and rise quickly. It is vital to fully assess every exposure your business might face and to ensure adequate coverage, including coverage for business interruption, ransomware payments, third-party liability, data recovery costs, legal fees, public relations experts and payments to customers if the business is found to be at fault. In determining what losses are likely, consider damage to or loss of a computer system or data, a business shutdown, potential fines and penalties, liabilities following data loss, reputational damage, theft and extortion.
2. Keep your IT security officers and stewards of IT systems in the loop when completing cyber-insurance applications
Cyber-insurance applications increasingly focus on cybersecurity infrastructure and controls, asking in detail about matters such as multifactor authentication, backups, patching and endpoint protection. An inadvertent misstatement on the application may later be used as a basis to deny coverage, so consult the people with the most accurate knowledge of your business's information technology systems, confirm each answer against the controls actually deployed, and keep those people closely involved throughout the application process.
3. Coverages to consider
The key here is understanding your company's specific risks and exposures. For first-party costs, where the company is hacked or is subject to a ransomware attack, look for coverage for notification and credit monitoring expenses if your customers' personal information could be stolen in a data breach; these expenses add up quickly. Some policies also cover credit monitoring and identity theft protection services for affected customers. For third-party costs, look for coverage of liability arising from a breach of personally identifiable information. Also look for coverage for lost business income and extra expenses caused by a cyberattack, including express coverage for mitigation costs. This matters particularly if your own salaried IT and cybersecurity employees respond to an attack: their time spent responding to and recovering from the incident should be a covered expense. Finally, look for defense costs in the event your business is sued following a breach.
4. Consider obtaining retroactive coverage
Breaches can occur months before they are discovered. Consider whether your business would benefit from retroactive coverage of breaches that occur before the date of policy inception. This is particularly important for first-time buyers of cyber coverage.
5. Consider obtaining coverage for employee or vendor acts
Insurers may decline claims if an employee or vendor with access to data was at fault. Look for policies that expressly cover these kinds of incidents. Some policies exclude the "rogue" (intentional) acts of employees but cover their negligent acts, so check which category a given loss would fall into. This issue is increasingly important given the rise of social engineering fraud, such as business email compromise, where an employee is deceived into authorizing a payment or disclosing credentials. Also be aware of sublimits that may leave your business without sufficient coverage following a social engineering fraud loss.
After policy inception
6. Implement best practices and industry-recognized security measures
Cyber insurers frequently require policyholders to minimize security threats through a variety of security updates, multifactor authentication and other means. If an attacker infiltrates the network or circumvents a control, and it is later discovered that the business's security policies and procedures differed from what the policyholder stated in the application, or that the business was not using industry-standard security measures, the insurer may outright deny or severely limit coverage. To be able to prove compliance with policy terms, businesses should consider whether they need to retain professional IT security staff or an outside vendor to assess and maintain network and data security, to produce a comprehensive compliance assessment and to document ongoing assessments and the remediation steps taken in response to newly arising threats. Generally, insurers expect current security measures to mitigate vulnerabilities, including a firewall, intrusion detection and prevention systems, multifactor authentication, access restricted to those who need specific information, tested data backups and encryption of data. Keep dated evidence of each control (configuration exports, audit reports, backup test results) so that what was represented on the application can be substantiated after a loss.
After a loss
7. Report the claim and incorporate claim considerations into response and recovery plan
Once a claim is reported, the policyholder will be required to submit a proof of loss, which includes a detailed description of the loss (including time, place and cause) and a calculation of losses along with the underlying supporting documentation. The deadline for submitting a proof of loss varies from policy to policy. Because expenses are frequently ongoing, the policyholder may need to request an extension of time and file more than one proof of loss. Coverage positions and theories should be thought through before the claim and proof-of-loss process begins in order to reduce disputes afterwards.
8. Notify all insurers that might provide coverage
If your company faces a cyber event, immediately notify your insurers (including any excess or umbrella insurers). Most cyber policies require immediate (or near-immediate) reporting, and frequently require that the loss be suffered during the policy period. Promptly report all incidents, even those that have not yet produced a loss, to avoid a denial based on late notice should the breach result in greater losses down the road. Include all information required by the policy and comply with all of its notice requirements. It is crucial to report the event before engaging any vendors or incurring any costs, because many policies have pre-approved panel vendors and lawyers that must be used; reporting first minimizes the insurer's ability to deny non-approved, pre-tender expenses.
Non-cyber policies may also cover cyber-related losses, including general liability, first-party property, directors and officers, kidnap, ransom and extortion, and crime policies. Review these policies and provide notice if there is any possibility the cyber event is covered under them, and provide notice to their excess and umbrella carriers as well. As noted above, include all the required information and comply with the other notice requirements for each policy, which can vary from policy to policy.
9. Beware of OFAC prohibitions against payments to threat actors
Beware of the prohibition against paying ransom demands to threat actors who appear on the sanctions lists maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), such as the Specially Designated Nationals list. The prohibition reaches not only the victim but also those who facilitate a payment on its behalf, including insurers and incident response firms. OFAC's updated advisory states that "[t]he U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks," and includes guidance on "the proactive steps companies can take," including implementing strong cybersecurity practices before an attack as well as promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies.
10. Narrative of events
Insurers also frequently want a narrative of events, so documenting recovery efforts in real time is critical. The record should list the impacted systems, the dates of partial and full restoration, the interruptions to operations and revenue, and any manual workarounds or additional staff hours needed to continue operations or minimize slowdowns. The narrative should discuss the impact of the breach on the business's production or its ability to provide services, the response taken to make up lost production or services, lost or cancelled orders (including permanent customer or contract losses) and whether customers were able to purchase products and services from competitors in the meantime. As part of this tracking process, ensure that all incurred costs are reasonable and necessary.
11. Hiring third-party vendors
Depending on the type and scope of the breach, third-party vendors may be critical to response and recovery following a cyber event, including for public relations, crisis management, breach management, forensic investigations and data or system restoration. But, as noted above, some policies will pay only for vendors from a pre-approved panel; if a business retains vendors outside that panel, their costs may be denied or only partially reimbursed. To maximize coverage for vendor work, ensure your vendors provide detailed information to your cyber insurer, including detailed statements of work and detailed records of the work performed by each of their staff. Separating the statements of work for system enhancements and improvements is critical, because cyber policies frequently will not cover upgrades to the existing system. Such upgrades are almost inevitable, since a breach exposes weaknesses in the existing security controls. It is also important to separate expenses for replacing damaged or corrupted items that cannot be restored from hardware purchases made to minimize disruption to operations.
12. Hire a forensic accountant
For extensive business interruption losses, a company may need to hire a forensic accountant to assist with the preparation of a proof of loss for business income, extra expense and other losses. The forensic accountant will help identify, quantify and maximize these losses under the terms of the cyber policy, and will advocate for your business in discussions with any forensic accountants retained by the insurer. The same cautions about retaining a vendor from the insurer's pre-approved panel apply here.
13. Interacting with the insurer post-loss
If the insurer’s reservation of rights or denial letter includes any inaccurate information, correct those statements immediately.
Most cyber policies require the policyholder to keep the insurer apprised of major developments as they arise. Build into your response plan a way to track these developments and inform every insurer of them. Provide all bills to the insurer promptly, and ensure the insurer audits them in a timely manner.
Always secure written consent from the insurer before paying or promising to pay any demanded ransom or a settlement with any claimants.
As always, hire experienced coverage counsel for placement of cyber policies and in the event of a loss.