What security leaders need to know about cyber liability insurance before a breach

May 25, 2017 (11 min read)
IT Leadership

Shawn Tuma talks about how security leaders can get the most out of their cyber liability coverage in the event of a breach


I love asking “what happens when a breach happens?”

I use it as a way to help bring security and business leaders together. That question now extends to your insurance coverage. What did you actually buy? And how do you use it?

As we continue the Leading Security Change on Cyber Insurance series, Shawn Tuma shares a wealth of information about the realities of handling the fallout from a cyber breach.

Shawn Tuma (LinkedIn, @shawnetuma, blog) is a Cybersecurity & Data Privacy Attorney with Scheef & Stone, LLP. Tuma has practiced in cyber law for nearly two decades. In addition to numerous awards, Shawn serves as General Counsel and Board Member for the Cyber Future Foundation, on the Advisory Board of the University of North Texas Cyber Forensics Lab, Policy Council for the National Technology Security Coalition, Cybersecurity Task Force for Intelligent Transportation Society of America, and an officer on the Council for the Computer & Technology Section of the State Bar of Texas.

Over the last year, Shawn has served as an advocate for many companies experiencing the reality of a cyber breach. It’s a unique role, often appointed by the insurance company, to serve as advocate and guide. Not just to ensure legal compliance, but to make sure the right decisions are made. Sitting between the insurers, insured, and contracted providers, his role benefits everyone.

If you ever need to use your cyber liability coverage, your carrier is likely to appoint Shawn or someone like him to help you. That means Shawn has a front row seat to the reality of a cyber breach. We talked about a range of issues that help security leaders make better decisions — before a breach happens.

Based on your experience, do companies need a cyber liability insurance policy?

While a cyber breach is an adverse event for companies, and sometimes catastrophic in and of itself, experience has taught us that how companies respond to breaches can be critical in determining their overall impact on the company.

For all but the largest companies the cost of responding to an incident can be crippling and those crucial early hours after discovering a breach are much better spent focusing on the response and not on trying to figure out how to pay for it.

I handle incident response for clients with and without appropriate cyber risk insurance coverage and over the years have seen firsthand just how important such coverage is for most companies to be able to properly respond to an incident. This experience has made me a strong advocate for cyber insurance and also given me a better understanding of what clients go through when they have an incident, what their coverage needs will be in such a situation, and overall enhances my ability to counsel clients in obtaining the best coverage for their needs.

What are key elements to review and consider when purchasing cyber insurance?

In the world of insurance, cyber risk is still in its infancy and the market is still evolving. Policies and available coverages are evolving. And the nature of the threat is evolving. It all adds up to mean this process is less of a science and more of an art where we have to rely on our prior experience with other clients, knowledge of other cases, and judgment developed over many years of experience in working with cyber risk.

There can be quite a difference in the policies different companies offer but there are several key areas of focus that can be resolved favorably if you know to ask the right questions. Here are some of my current favorites:

  1. Does the policy require you to use the insurance company’s approved panel professionals such as attorneys, forensics, public relations, and identity protection services? The insurance company’s panel of professionals can be helpful because they are usually vetted by the insurance company as being experienced and competent in their subject matter and work at pre-negotiated rates that help reduce the costs and, therefore, erosion of the policy limits. Companies that have relationships with professionals they trust need to make sure they have their preferred professionals scribed into the policy or at least have the flexibility to use them even if it means the insurance will only pay the rates for their services that panel counsel would have charged.

  2. Does the policy have an exclusion for contractual liability? Policies often pay for losses to the insured company for incidents that directly impact the company that the company is directly responsible for addressing. This often does not include your contractual obligations, or the risks your third parties assume under their contractual obligations to you.

  3. Does the policy provide coverage for incidents that occur during the policy period (an occurrence policy) or for claims that are made during the policy period (a claims made policy)? This is very important because you want to make sure your company is covered for as great a timespan as possible while accounting for the fact that it usually takes from 150 to 250 days after an incident has occurred before a company learns about it. Obviously, you want to make sure incidents such as these will be covered once they are discovered.

What are some common mistakes you’ve seen when it comes to cyber insurance policies?

The most common mistake I see is companies that do not understand that standard commercial general liability and property and casualty policies typically do not cover cyber risk. Cyber risk is a unique creature and if you do not know for sure whether you have coverage for it, you probably do not.

Related is requesting cyber risk coverage without knowing what they need for their business or how to assess the policies to see if they are covered (or not). This often comes up when we review sub-limits in policies. For example, one company I worked with came to me with a policy that provided $5 million of coverage but had a $50,000 sublimit for forensics. For many breaches, forensics can be one of the most costly aspects of the incident response process, so it makes little sense to have a policy with that much coverage yet have one of the most critical components have such a low limit. The company was able to get this resolved with minimal increase in premiums; the problem was that neither they nor their broker had an adequate understanding of how incident responses usually go or what are the biggest ticket items in the process.

Another big problem I see is companies that have risk managers, financial officers, or sometimes in-house counsel responsible for preparing the insurance applications and they do not involve appropriate technical or security members in the process. What this usually means is their answers to technical or security questions will be incomplete, at best, or completely inaccurate. Incomplete or inaccurate information on an application will provide the insurance company with a justifiable basis for denying coverage on a claim overall, or at least as to those specific issues where there were misrepresentations on the application.

What are the most common claims costs associated with a breach? Any surprises people need to look out for?

A good cyber risk policy will provide coverage up to the policy limits (or sublimits) for legal counsel to guide the response process, work with the insurance carrier, work with law enforcement, ensure compliance with breach reporting laws and regulations, coordinate the activities of other service providers such as forensics, crisis management and public relations, and identity protection products and notification logistics vendors. The policy should pay for each of those service providers and products.

Companies should also make sure they obtain coverage for business interruption expenses and, with the epidemic of ransomware that we see today, payment for extortion demands (in addition to the business interruption). Some policies also provide coverage for regulatory fines and assessments, which can be especially important to have for businesses operating in the healthcare arena or other regulated areas. Coverage for these expenses is often called first party costs, as they are claim costs arising between the insurance company and the insured.

Third party costs are claim costs arising by someone other than the insured who is impacted by the data breach. These should include both the defense costs and liability costs for events such as litigation and settlements that now arise out of many data breaches.

What are most people surprised to find is not covered?

Social engineering (including phishing). Over the past year I have handled several incidents where companies have succumbed to social engineering schemes through email phishing attacks by providing the scammers with money or sensitive information. This threat is so common that both the FBI and IRS have issued alerts about this type of activity. From an insurance perspective, however, incidents such as these that are caused by social engineering are viewed as deception-induced voluntary acts. Frequently, there is an exclusion for coverage of voluntary acts, and in the recent case Apache Corp. v. Great American Insurance Co., the United States Fifth Circuit Court of Appeals upheld the insurance company’s denial of coverage on this basis (link to blog post explaining). There are ample policies that do not have this exclusion, but you have to understand your company’s risks and know to ask the right questions to make sure yours covers social engineering, which you definitely need.

Perhaps less of “not covered,” it’s important to note that once an incident occurs, you need to notify your insurance carrier. Companies frequently make the mistake of not understanding their notice obligations under their insurance policy (i.e., contract) and failing to comply with the notice requirements. When this occurs, the insurance company can deny coverage for those claims where the notice was not timely.

The other post-incident mistake I see far too often is when the company does not cooperate with and follow the advice of the insurance carrier and, especially, the carrier-appointed legal counsel assigned to guide them through the breach incident response process. I have been fortunate to work with carriers that willingly honor their policy commitments and give their insureds the benefit of the doubt on coverage, whenever possible, but when the insured (or at least the insured’s point of contact) is contrary and uncooperative, it makes the whole relationship and the team-oriented process much more difficult and ultimately only hurts the insured company. Taken to its extreme, an insured’s refusal to cooperate can cause the carrier to deny coverage and, in the case of legal counsel such as myself, force us to withdraw from representing the insured that is refusing to follow our advice.

I once handled an incident response for a smaller company that believed it had cyber risk coverage — and did have coverage to defend lawsuits if it got sued — but did not have coverage to pay for the response process. One of the best ways to get sued for a breach is to not handle the response properly. In this case, because of the time of year the incident occurred, the company was strapped for cash and did not have the means to pay market rate for forensics services, which is one of the earliest and perhaps most important steps in the response process. It took an extraordinary amount of time to find qualified professionals to perform the much-needed forensics on a budget that the company could afford.

This delay not only extended the overall time it took to respond to the incident but it also made it much less efficient by upsetting the normal flow of the process and causing me to spend valuable time searching for bargain rate forensics instead of focusing on more important aspects of the response process. We were able to keep the response under control and everything else went fairly smoothly for the company, which is fortunate because one more bad break for the company could have made it catastrophic and put it out of business.