One of the first things an organization should do if it suspects it is the subject of a cyber attack is to contact its cyber insurer.
In addition to notifying the insurer of a potential claim, the policyholder may gain access to a range of incident response experts through the insurer. Moreover, the coverage often requires a policyholder to use only pre-approved providers, experts say.
The policyholder should then, under the guidance of legal counsel, immediately notify regulators, clients and investors of an incident.
Before an incident occurs, careful and accurate completion of cyber insurance applications can help streamline the claims handling process and avoid friction with insurers (see related story).
Policyholders should contact their insurers at the first suspicion of a cyberattack, said Theresa Le, Cupertino, Calif.-based claims manager for Cowbell Cyber Inc. They should do this even if “it is not absolutely clear” that there has been an attack, she said.
And policyholders shouldn’t try to investigate the incident alone, experts say.
By acting alone, policyholders without cybersecurity expertise can corrupt evidence and exacerbate the situation, said Matthew Cullina, Providence, Rhode Island-based director of global cyber insurance operations for CyberScout LLC, a data breach services company.
When an incident occurs, policyholders should have information including the name of the policyholder, the name and address of the insured entity, a description of the loss and, if relevant, a screenshot of the ransomware demand, said Joni Mason, New York-based senior vice president, national executive and Professional Risk Solutions Manager, for USI Insurance Services Inc.
“It’s more important to make the call quickly than to have everything on hand to answer any questions the insurance company may have for you,” says Tim Zeilman, Simsbury, Conn.-based global cyber product owner at Hartford Steam Boiler Inspection and Insurance Co., a unit of Munich Reinsurance Co.
“You don’t have to spend the next 10 hours trying to figure out what happened,” says Tara Bodden, general counsel, claims director, at insurtech general agency At-Bay Inc. in San Francisco. “That’s our job, to help through all investigations.”
Observers give insurers high marks for their handling of cyber claims.
“They’re doing an excellent job,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber liability practice. Claims disputes occur in all coverage areas, but overall, insurers are responding to cyber claims, he said.
Axa XL, a unit of Axa SA, has a 24/7 hotline for reporting cyber incidents, said Danielle Roth, New York-based head of cyber and technical E&O claims for the insurer. After a call is made, a claims handler follows up promptly with an initial intake call to gather more information, understanding that at that point there are still many unknowns.
The expert panels that insurance companies have available include attorneys, allowing policyholders to quickly contact an attorney.
An attorney will “provide a mantle” of attorney-client privilege around the subsequent process, said Karrieann Couture, Chicago-based assistant vice president and cyber E&O claims leader at Aon PLC.
Attorneys will also “help guide (policyholders) through the legal minefields they have to negotiate,” Farley said. With insurance companies’ 24/7 hotlines, “you get an attorney when you need one,” he said.
By using pre-approved suppliers, the risk of claims disputes is reduced. Evan Bundschuh, commercial line manager for brokerage Gabriel Bundschuh & Associates Inc. in Scarsdale, New York, said he has seen cases where policyholders who hired a forensic investigator without first getting the insurance company’s approval were later told the costs would not be covered.
Insurance companies “just don’t make room for exceptions to this,” says USI’s Mason.
In addition, policyholders should be aware of cyber disclosure regulations and comply with all relevant timely notification laws, whether applicable to regulators, customers, investors or other interested parties, Bundschuh said.
If policyholders are the victim of a ransomware attack, cyber security companies will arrange ransom payments on behalf of policyholders. As situations develop, “our company is pulled in to negotiate with the bad guys and handle transactions,” including acquiring bitcoins, said Darin Bielby, Monroeville, Pennsylvania-based CEO of Cypfer Corp., a cybersecurity firm.
However, paying ransom demands is not necessarily recommended.
“The decision to pay or not to pay is not black and white,” said Lindsey Nelson, London-based cyber development manager for CFC Underwriting Ltd.
There are “a lot of considerations that have to be made” and making an informed decision “is incredibly important when it comes to claims disputes,” she said.
Among other things, policyholders should be aware that they and their insurers face penalties if they facilitate ransomware payments to entities sanctioned by the US Treasury Department’s Office of Foreign Assets Control. Such entities may include organizations affiliated with or controlled by governments hostile to the United States, terrorist groups, or drug traffickers.
But companies attacked by state actors will still be covered to restore their operations, said Deborah D’Angelo Hirschorn, New York-based managing director, US leader of cyber and technology claims, for Lockton Cos. LLC.
Although “it’s more common to get full coverage” for ransomware attacks, some insurers have sublimits or coinsurance provisions for ransomware-related events, says Aon’s Couture.
Meanwhile, the impact on the claims process of the Lloyd’s Market Association’s introduction in March of four new exclusions for war, cyber war and limited cyber operations in stand-alone cyber insurance policies is uncertain.
“You wonder how long it will take to correct the claim” when insurance companies decide which entity to attribute a cyber attack to, Hirschorn said.
If policyholders don’t get the coverage they thought they were entitled to, they should gather facts about what was needed for “a full fix” to get coverage, said Daniel J. Healy, a partner with Brown Rudnick LLP in Washington.
When claims are covered, insurers are reluctant to pay for system upgrades intended to prevent a future attack, said John Scordo, New York-based leader of cyber claims for Marsh LLC. It is not considered “relevant to the incident”, he said.
And “silent cyber,” or cyber-related coverage included in other property/casualty policies, remains a problem for insurers that have tried to eliminate coverage for cyber risks from non-specialist policies, experts say.
Although cyber policies have been available for more than 20 years, observers say there has been relatively little litigation over the coverage, so there are few guiding precedents.
“Cyber coverage is a new animal in the scope of things, and we don’t have a really developed case law in cyber and insurance issues,” said Robert L. Wallan, a partner with Pillsbury Winthrop Shaw Pittman LLP in Los Angeles.
Also, due to confidentiality regulations, it is unknown how many cases are settled, he said.
“I haven’t seen a lot of litigation about the coverage from the cyber forms,” said Thomas H. Bentz Jr., a partner with Holland & Knight LLC in Washington.