The biggest difference between handling cyber claims and more traditional property / accident claims is the speed at which the process develops, which requires an immediate, coordinated response from the policyholder, the insurer and the broker, observers say.
Claims management for the more traditional property / accident lines is a comparatively calm process, where a claim is made, the policyholder waits for a decision on coverage, and cases proceed from there to either a paid claim or a lawsuit, they say.
On the other hand, cyber claims are often characterized by frantic speed, with simultaneous events occurring on several fronts and the possible existence of the company at stake.
“Every cyber incident is an emergency,” said Kristine D’Amato, New York-based National Claims Advisor, Executive and Professional Risk Solutions for USI Insurance Services LLC.
“You have a policyholder who is facing something they have never encountered before” who “often feel that they do not know exactly what has happened,” she said, adding that every minute can cost companies if their business is shut down.
John Scordo, New York-based manager of cyber claims for Marsh LLC, said the broker is already working with insurance adjusters “literally the first hour” after a ransomware incident.
“There are several parties that need to be involved; schedules must fit together for at least the first 48 hours,” says Dan Twersky, New York-based global cyber claims manager for Willis Towers Watson PLC. He noted that cyber incidents often occur on a Sunday, when it can be difficult to reach people.
The critical nature of the situations increases the feeling of urgency, observers say.
Cyber incidents “can really knock the company down”, with some companies discovering that hackers have made their source code publicly available, says Christine Flammer, New York-based claims manager for Axa XL, a unit within Axa SA.
The threats are constantly evolving, even on a daily basis, as hackers find new ways to infiltrate networks, says Savanna Boyles, New York-based head of claims for insurtech Corvus Insurance Holdings Inc. “We see new twists and iterations in the types of claims on a continuous basis,” she said.
Another issue is to determine the extent of cyber losses.
Initially, “everyone is trying to find out what actually happened,” whether it was an intrusion, a ransomware incident, or some other variant, said Daniel J. Healy, a partner with Anderson Kill PC in Washington. Determining the extent to which data is compromised and what has been damaged “can be quite complicated,” he said.
Boyles said that unlike fire damage, where the evidence of loss is tangible, cyber losses are “much harder to measure, and the extent and cost of the loss is not always as cut and dry as it is with other lines.”
Another problem with cyber claims is the number of parties involved, including lawyers, forensic experts, security and public relations specialists, which requires insurance companies to act as quarterbacks, said Tim Zeilman, Simsbury, Connecticut-based global cyber product owner at Hartford Steam Boiler Inspection and Insurance Co., a Munich Reinsurance Co. unit.
Despite the insurers’ immediate initial involvement, as so many “coverage buckets” are involved, “claims continue for a long time” and may involve first-party, business interruptions, regulatory, class action, fraud and criminal claims, Scordo said.
Furthermore, cyber claims can contain many exclusions that need to be understood and can raise so-called silent cyber issues, says Jamie Taylor, London-based senior manager for data protection and cyber security at DWF Group, a provider of legal and business services.
Thomas H. Bentz, a partner with Holland & Knight LLP in Washington, said that “the rate of combustion,” how quickly claims exceed retention, is significant with cyber.
In a typical class action lawsuit for directors and officials, he said, it takes “months, if not years,” before claims pierce retentions and policy boundaries. With a cyber claim, it can happen on the first day, he said.
The situation also requires preparation, says Katherine Keefe, Marsh’s Philadelphia-based leader in cyber incident management for the United States and Canada. She said Marsh spends a lot of time with policyholders before they are ever faced with a cyber incident to familiarize them with their policies and options, so they are willing to use available resources “to maximum effect.”
A frequently mentioned problem is when policyholders use providers who are not approved by their insurers to respond to a cyber incident.
Ms. Boyles said that sometimes in the heat of the moment policyholders, who are unaware that their insurer has a 24/7, 365-day response team, “just panic and may try to take matters into their own hands” and reach out to unapproved providers.
“It could be an important point” if that provider can not handle more complex issues such as a ransomware attack, she said.
D’Amato said: “There are insurance forms that give some leeway to choose a supplier or adviser”, but almost without exception with the warning that the insurer must approve the choice in writing.
“I’ve seen some policies that actually say you do not need to use a pre-approved provider, but if you do not,” there are different limits or retentions, said Joni Mason, New York-based senior vice president, national injury practice leader, at USI.
“My recommendation is to keep the carrier informed at every step” because it is more difficult to get the insurance companies’ approval if the external supplier has already been hired, said D’Amato.
Cyber experts emphasize the need to immediately inform the insurer about the claim.
“There’s nothing worse than having to adjust a cyber claim afterwards. … You’re just sitting there trying to remove decisions made in the heat of the moment,” says Roger Francis, Cyber Claims Director at CFC Underwriting Ltd. in London.
“Many times, when people do not report initially, it can become a major problem along the way, and if there is a threat in the system, it gives them more time to move around and possibly distribute malware,” says Lisa Jaffee, New York-based Vice President of Cyber / Tech / Media / Crime Claims for Hiscox USA.
Another issue that may arise is the lack of cooperation on the part of the policyholder.
Tara Bodden, General Counsel and Chief Compensation Officer at insurtech At-Bay Inc. in San Francisco, said it could be difficult to trace the cause of a claim if employees “somehow get in the way” of the investigation because they are worried about getting the blame and losing their jobs.
Experts say policyholders should be aware that, in ransomware situations, checking that the hacker is not on the list of sanctioned entities maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) can delay the process.
An October 2020 advisory from the department warns that companies, including cyber insurance companies, that facilitate ransomware payments to sanctioned entities may violate OFAC rules.
“It really is a challenge to make sure you follow all the appropriate laws and regulations, especially OFAC’s,” Zeilman said.
“It’s something that adds a different kind of complexity to claims management” that goes hand in hand with the effort to work with policyholders and see that they get the right compensation, he said.
Policyholders, insurers must keep pace with claims
Good communication between policyholders and insurers is crucial for successful handling of cyber claims, experts say.
Make sure “you communicate with the claims manager,” including any claims updates, says Joni Mason, New York-based senior vice president, national claims manager for USI Insurance Services LLC.
“Policyholders should prepare well before a claim even occurs,” says Savanna Boyles, New York-based head of claims for insurtech Corvus Insurance Holdings Inc.
“You’re really behind the 8-ball if you wait until the day it says they see something fun in your network.”
Many cyber insurance companies offer pre-claim services to better prepare companies for an event, including providing a free one-hour consultation with an attorney to ask questions, says Stuart Panensky, a partner at FisherBroyles LLP in Princeton, New Jersey.
Companies should also do tabletop exercises, which are a great way for a policyholder to learn what to do before an incident occurs, he said.
Policyholders go “even beyond their usual table exercises” to review in advance their obligations, who to contact, what information should be available if an event occurs and what they should track in case of losses and extra costs, said Dan Twersky, New York-based global cyber claims leader for Willis Towers Watson PLC.
Preparations should include having paper copies of incident response plans if online copies are not available, Panensky said.
Policyholders should also be aware of the consequences if they use an unapproved provider in their response to a cyber incident and be open with their insurers, experts say.
“Keep no secrets,” said Mr. Panensky. Even if there is a coverage issue, the insurance companies will “pay for everything” that they have agreed to pay, he said.
Victims of cyber incidents should also report immediately under all policies, “not just cyber policies,” said Daniel J. Healy, a partner with Anderson Kill PC in Washington.
Complex cyber requirements test the insurance companies’ technical expertise, capacity
Many experts say that cyber liability insurance companies have done a good job overall in dealing with claims, but their expertise and efficiency vary and it can sometimes take months before the claims are paid.
“Cyber insurance has really evolved over the last decade,” said Savanna Boyles, New York-based head of claims for insurtech Corvus Insurance Holdings Inc.
“The nuances of cyber insurance and cyber claims were not fully understood” a decade ago, but the programs have since matured as insurance companies have added technical expertise, she said.
John Scordo, New York-based cyber claims manager for Marsh LLC, said: “The nature of the cyber incident and the claims and the interaction with the insurer are really very intertwined, and I think carriers do a really good job” in their advice and responsiveness.
Christine Flammer, New York-based claims manager for Axa XL, a unit within Axa SA, said that insurance companies do well not only when it comes to handling claims in the heat of the event, but also when it comes to cooperating in advance and discussing afterwards what can be done better next time.
Roger Francis, Cybercrime Director at CFC Underwriting Ltd. in London, said of insurance companies: “Those who handle it best spend time and money hiring talented individuals with the right expertise.”
Some insurance companies “tend to drag their feet a little” and examine losses more closely when the market has hardened, says Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co.
“We’ve had more problems with insurance companies starting to outsource much of the process,” said Dan Twersky, New York-based global cyber claims manager for Willis Towers Watson PLC.
“They come back and ask a lot of questions before they pay,” sometimes months later, he said.
Mr. Twersky said that there is sometimes “quarterbacking on Monday morning” about the period when people struggled to respond to a cyber incident, making it difficult for the policyholder.
Mr. Twersky said the pandemic had complicated matters, as claims settlers had not been able to “go down the hall and talk to their boss.”