Last Updated on July 11, 2022
Many businesses don’t realize that if you experience a data breach and you have cyber liability insurance coverage, you will need to follow the game plan defined by the breach counselor or breach response coach your carrier assigns. A breach counselor is usually an attorney with cybersecurity expertise.
Will this person represent your best interests… or the carrier’s? Do you need your own attorney to advise you during the breach response on what the breach counselor is telling you, or to look over the other lawyer’s shoulder?
To share advice on SMBs’ top cyber liability insurance questions, a recent episode of The Virtual CISO Podcast features Eric Jesse, Partner at Lowenstein Sandler LLP. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
It’s a good thing
Eric points out that the availability of a breach counselor is not a problem you need to work around, but one of the biggest advantages of having cyber liability insurance in the first place.
“One of the major benefits of these policies is they do provide coverage for this breach response coach, who is an attorney,” Eric relates. “And [the carrier] will provide defense costs if there’s a third-party claim and you need to be represented by an attorney.”
Keep your own counsel
But when it comes to the carriers’ panel attorneys, Eric is less enthusiastic.
“Where I expressed a lot of confidence in the insurer’s panel of computer security forensics experts, I’m a little more jaded on the panel counsel,” admits Eric. “This is frankly something we see under so many different types of policies—not just cyber. The insurers will appoint their counsel if that’s what’s permitted under the policy. And sometimes you can negotiate around that.”
The panel counsel’s ethical and fiduciary obligations are to the policyholder, and they must work in the interests of the policyholder. But how zealous are they in their role?
Eric continues: “I’ve worked with plenty of panel counsel where they’ve done that. But there is certainly a tension because panel counsel also knows where their next case is coming from, and it’s probably not the policyholders. It’s going to be the insurer.
“So, I think it can be a good practice to have your own counsel, your own privacy or data security counsel, that you’ll have to pay for by the way, but just to look over the shoulder of the insurer’s panel counsel to make sure the claim is handled properly. And the other thing I’ve seen is panel counsel, I think rightfully so, because they’re appointed by the insurer, they are not going to opine on any coverage issues or engage in any coverage battle on your behalf. And so that’s where coverage counsel might need to be called in,” Eric advises.
“The other thing I always find is that when you’ve got a cybersecurity person talking to a cybersecurity person, that’s different than if you have a businessperson talking to a cybersecurity person,” John comments. “So, if that panel counsel knows that you’ve got an attorney on your side and they’re involved in one or two of the conversations, I think it sets a level of expectation. I think it raises the bar a little bit that they’re going to hold themselves to. And I think if there’s a, ‘I can lean this way, or I can lean that way on this issue,’ I think they’re going to lean the way where they’re not going to get beat up by your counsel on.”
“I think that makes perfect sense, Eric confirms. “Just having your own counsel or the counsel you want to be looking over the shoulder, just appear on the scenes, once or twice, and then can take a much more back seat. It does set the expectation at the very outset.”
To hear all of Eric Jesse’s highly relevant guidance, click here.
Where does cyber liability insurance fit within an overall cyber risk treatment program? See this blog post for info: 80/20 Cyber Security, Part 4—The 3 “Damage Control” Controls