Last Updated on January 25, 2023
Cyber insurance is a vitally important way to mitigate and transfer cybersecurity risk for many companies. But in today’s climate of increasing cyber risk from prevalent threats like ransomware, orgs can lose their cyber insurance or fail to obtain it if they don’t meet insurers’ requirements for information security controls and practices.
Orgs in the US defense industrial base (DIB) may face special cyber insurance concerns due to the US Department of Defense (DoD) mandate to protect controlled unclassified information (CUI). Will your policy protect you from the full spectrum of risks associated with a breach or mishandling of CUI, including regulatory sanctions? What about threats from nation state actors?
To update orgs in the US defense industrial base (DIB) on cyber legal issues, a recent episode of The Virtual CISO Podcast features Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen. Pivot Point Security CISO and Managing Partner, John Verry, is the host.
Who should be your breach counselor?
In the event of a breach or suspected breach involving CUI, your incident response plan should reference what cyber insurers often call an authorized response vendor, aka a breach counselor. Insurers will provide a list of approved vendors you can pick from.
But is that the way to go? Won’t those approved attorneys put the best interests of the insurer ahead of yours?
In a word, yes, according to Stephanie.
“There may be a panel of people that your insurance company says are pre-approved,” Stephanie explains. “But you can get your own counsel. If you’ve picked an attorney, you can ask that they be your [breach counselor].”
Ideally that would be someone with knowledge specific to your industry. Insurers usually put a rate cap on attorneys’ hourly rates, so if you want to use a specific attorney, you’ll often need to pay the difference between their rate and what’s covered.
“I hate to say this, but the people who win those contracts [to be authorized response vendors] are the lowest bidders,” notes Stephanie. “I think it was John Glenn, when they asked him what was going through his mind as the rocket was shaking and taking off, who said, ‘That the rocket was built by the lowest price bidders.’”
Beware coverage disputes
Should you have a coverage dispute with your cyber insurer, you want an attorney who will fight for you.
“Cyber insurance policies have changed a lot over time,” Stephanie observes. “There are war exclusions that they’ve used recently, and terrorism exclusions. So, there have been disputes about whether certain things are covered—and I expect that will continue.”
Coverage disputes might be a greater risk in the DIB than some other industries because of the prevalence of nation state adversaries and advanced persistent threats (APTs). An example related to Russia’s war on Ukraine has been the use of cyber policy exclusions for attacks using NotPetya malware. These attacks, launched on a wide scale, have been closely tied to the Kremlin and its ongoing cyber warfare against Ukraine and its allies.
“It’s not just the DIB that has to worry about those types of war/terrorism exclusions,” advises Stephanie. “Because if a malware attack is orchestrated by Russia or China, it could actually hit a lot more than just members of the defense industry.”
To hear this practical guidance from Stephanie Siegmann, click here.
When do DIB orgs need to be NIST 800-171 compliant? Yesterday: DIB Orgs: Time is Almost Up for DFARS and NIST 800-171 Compliance