• Defensive reaction to regulators rather than an open and frank dialogue.
• Failure to timely notify any and all potentially applicable insurance carriers.
Overreacting or underreacting to the event can also be a problem, says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”
He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”
Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.
3. Working effectively with your breach team
The moment a company discovers a breach is not the time to start pulling together a team to address it. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader.
Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”
Roman recommends activating the company’s internal breach team as soon as a breach is revealed, since most breaches occur well before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”
There should also be a designated team leader and decision-maker, says Roman: “Someone who can take all of the advice and say this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”
Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”
4. Experience matters
Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks, says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”
Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:
• Identify the applicable insurance poli-
• Provide the insured with the required insurance notice requirements.
• Detail any specific insurance policy requirements (i.e., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
• Arrange a call between the insurance broker legal cyber incident claims specialist and the insured.
• Determine whether, and in what manner, notice is required to insurers.
• Describe past cyber incident best practices that reduce the total cost of risk.
• Maintain consistent and timely communications between the insured and
5. Practice makes perfect
Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role-play some of the critical elements of the plan.
Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.
Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences for a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.