Over the past two months, I have received questions from insurance brokers about what capabilities are at my disposal to assist them in supporting the US government defense contractor community. One consistent theme observed is a lack of “knowing” whether the panel firms – those organizations with pre-negotiated rates to support the carrier or broker – have staff with security clearances. Insurance entities are highly predisposed to assessing what credit card data or healthcare data resides on the insured’s systems.

A little background to provide context

While these are important matters to be sure, these same data sets are now incorporated into the National Archives and Records Administration (NARA) Registry for Controlled Unclassified Information (CUI). So why should this matter to you? It may not apply at all. However, if your organization sells technology goods and services to the US government, there is increased visibility into supply chain risks, and CUI is at ground zero of the matter.

In evaluating platforms that market themselves as rapidly identifying the right cyber insurance coverage or completing dry runs of more structured insurance applications for cyber coverage, I have yet to see any questions that pertain to CUI. In fairness, some policy questionnaires ask a very generalized “or other applicable regulatory requirement”. In response to this ambiguously styled question: wouldn’t most applicants check yes by default, with the General Data Protection Regulation (GDPR) in play in just a couple of weeks? I would challenge agents and brokers to look at their completed applications and assess how many respond “yes” to this question. If an applicant responds “no”, and a claim is filed because of harm incurred by CUI or GDPR sanctions, does that constitute a basis for rescission?

To date, there are over 4,600 commercial enterprises that are now contractually bound to protect CUI by demonstrating 110 individual cybersecurity controls. In the event a cyber incident materializes because of the government contractor (think Postal Service or Office of Personnel Management breaches), the contractor is responsible for a myriad of incident response activities that are very cost intensive. Furthermore, these same enterprises are generally required to show proof of general liability, directors and officers, automobile, and/or errors and omissions insurance coverage – but no cyber?

The US Census Bureau estimates that 99.7% of all businesses in the United States are small businesses. By that estimate, 4,586 of these 4,600 companies are small businesses. When we think “Government Contractor”, we probably conjure up imagery of companies like Raytheon, General Dynamics, or Boeing. Having worked for some of these organizations, I can advise that in the face of a cyber incident they have the financial wherewithal to be resilient. If a small business sustains a cyber incident and does not have a financial mechanism to transfer that risk, like an insurance policy, it is likely going to close due to the financial implications.

An unforeseen problem with very profound consequences

For those reading this article who may not be familiar with the operational process of filing a cyber claim, there is generally language that stipulates that if you do not use the insurance company’s panel of incident response and crisis management firms, they are not bound to pay out on a claim. In a nutshell, they want the first call to be to the carrier. This creates a bit of a challenge when the natural inclination of a business owner is to contact their attorney, and in the case of a Government Contractor the contractual obligation reads: “‘Rapidly report’ means within 72 hours of discovery of any cyber incident.”

A company might be able to notify the insurance company first and notify the Department of Defense within 72 hours, but here is where it gets a bit dicey. The contractual obligations with the U.S. Government also convey the following:

(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil.

Did you catch that? Let’s take a second look.

“(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD.”

So, whatever may be construed as your information now belongs to the DoD!

It is very plausible that if a Government Contractor notifies the insurance agency’s point of contact of a cyber incident and those panel members respond and access the victim’s network, this may constitute a breach of contract. Why? Because these individuals are neither employees nor previously approved supply chain partners authorized to access the system in question. Take it a step further. What if the system or data in question is classified? If the panel response team does not have the appropriate security clearances, the insured party is now in harm’s way beyond the original cyber incident, because allowing their access constitutes a contractual violation.

The flip side of this issue is that the DoD may provide resources and charge the Government Contractor for the fees incurred. If a claim is denied because the panel was not used, is the rescission justified? Does it expose the insurer to the risk of litigation by the insured party for failing to pay that claim? If the questions within the application are not specific enough, or if the carrier does not have a panel with cleared personnel, does this expose both the insured and insurer to a colossal debacle in the face of a crisis event?

A path forward

The insurance sector needs to have panel members that are already cleared and approved by the DoD in advance of a cyber incident being reported, and arguably before coverages are agreed upon within the four corners of an insurance policy.

This scenario is likely to become more pervasive in 2019 and beyond as the Department of Homeland Security and other non-Defense agencies (Justice Department, etc.) evolve their procurement language to emulate the cybersecurity requirements from DoD. This expands the number of companies from over 4,600 to tens of thousands.