Last Updated on January 12, 2024
If yours is like most organizations, you’re now facing higher cyber liability insurance premiums, higher deductibles, increasingly restrictive policy terms, and more detailed underwriting inquiries. It’s all part of the carriers trying to adapt their business models to one of the few constants in cybersecurity: increasingly severe and ever-changing risk.
Knowing that your insurer is likely to run any potential claim through the wringer, are you even prepared to file a claim? Do you understand your obligations under your cyber policy (e.g., having an incident response plan in place)? And can you demonstrate that you’re continuously meeting those obligations?
To alert business leaders to the top issues they need to address around cyber liability insurance, Eric Jesse, Partner at Lowenstein Sandler LLP, joined a recent episode of The Virtual CISO Podcast. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
Get to know your policy
Your cyber liability insurance policy isn’t a “set it and forget it” document. You need to clearly understand every single requirement it specifies. Then you should periodically make sure that you’re meeting all the requirements and that nothing has changed in your environment to negatively impact your security posture in relation to that.
“I’ll use the example of the fraudulent instruction claim or the social engineering claim, where the policy may require that there be appropriate verifications put in place to make sure that the communication or the request to wire funds is authentic,” says Eric. “You need to make sure that you’re complying with that because if you don’t, and there’s still a resulting loss, you could void the coverage that you’re expecting to have there.”
Eric continues: “Another important component is understanding what the notice requirements are. That’s just the threshold obligation to getting access to the policy. It’s important to provide prompt notice of a claim or an incident because these are going to be ‘claims made’ policies and an insurance company can be very harsh. An insurance company can deny coverage for late notice of a breach. That’s why it’s so important to provide prompt notice.”
When you’re negotiating your policy, you can ask the carrier to relax the notice requirements, e.g., by putting language in the policy that in effect says, “If we’re late in giving notice, the insurance company can’t deny coverage because of that lateness.”
Many costs and vendors will need to be approved
Another important component of most cyber insurance policies is consent. Cyber liability policies are usually filled with insurer consent requirements. For example, there often needs to be consent for any costs that are incurred for any settlement, such as the cost to hire a computer forensics expert.
“These policies will often require the policyholder in the event of an incident to use the insurer’s preferred or panel consultant to work through the data breach and negotiate with the threat actors or pay the ransom demand,” Eric stresses. “There are a few things companies can do there. One is, if they have a preferred cybersecurity consultant that they want to work with, they should have that company endorsed onto the policy and have them pre-approved, so that in the chaos of a breach, you don’t have to fight with the insurance company about that. You can just pick up the phone and call them. Or another option is just to do your own due diligence on who the insurance company wants to work with you. Ask them who’s on their panel, so you can get comfortable with them.”
“I think that is super important and is something that we always push for because like you said, the faster we can contain an incident, the less impact it may have,” underscores John. “Minutes are critical, and you don’t want to be in a situation of saying, ‘Well, what company do we need?’ And, of course, this is going to happen on a Thursday at 5:05, and now you’re picking up the phone and trying to call data forensics companies and no one’s answering the phone. And it’s not until the next day that you get this thing going. If you’ve got a high enough risk, you want someone who’s actually on a retainer. So that way you’ve got a defined response time that they’ve contracted with you based on that.”
Panel consultants are usually competent
If you find yourself in a position of frantically researching digital forensics companies following an incident, you might want to start with your cyber insurer’s approved panel. If you hire a vendor that turns out to be incompetent and makes a major mistake like destroying evidence, your insurer could theoretically say, “We’re not going to pay for anything at this point. Not only are we not paying for what those guys charged you, we’re not paying the claim because you didn’t follow a good process.”
“Yeah, exactly—they can say that,” Eric concurs. “Yes, that claim or this issue has now been exacerbated because the wrong people were involved.’ And I will say in terms of the panel service providers, the insurance companies do have very well qualified service providers there. Policyholders can take comfort in knowing that the insurers have lined up the right companies.”
Of course, you still need to do your due diligence ahead of time and put the right company names and contact info into your disaster recovery plan or other contingency plans. You don’t want to be flipping pages in an emergency trying to find the right people.
What’s next?
To get the full benefit of Eric Jesse’s invaluable advice, click here.
Are your security policy and cyber liability insurance policy in alignment? Here’s a blog post on what to focus on: 5 Critical Steps to Align Security Policy with Your Cyber Liability Insurance Policy