ever, if they comprehend the importance of reviewing and understanding the terms in a document in order to be eligible for coverage in the event of a breach, you will likely see a different reaction.
2. KNOW THE INSURANCE CARRIER. A common perception is that if an insured is speaking with a claims professional,
this means something bad has happened to the insured. Though
often true, that does not always have to be the case. There is nothing preventing the company from contacting the claims unit that
handles cyber claims before a breach and asking to be walked
through the process.
It is strategically advisable to ask which claims professionals
would be assigned a reported breach, where they are located and
what happens when they learn of the breach. Is there a hotline or email address for expedited reporting? What information
should the insured have ready to provide to the claims professional? How will a retention or deductible be applied? What role
will a company’s internal IT staff play in responding to a breach?
While the insurance carrier should be a partner with key stakeholders during a breach, it would be much more beneficial to
cultivate that partnership before it is needed.
3. KNOW THE VENDORS. If a cyber insurance carrier mandates
that specific vendors be used in the event of a breach, or
provides incentives to use vendors from an approved panel, the
company should reach out to those vendors prior to the breach.
Management should engage the law firm that will act as a breach
coach to initiate a vetting process and to understand what the
procedures will be from a legal perspective in the event of a
breach. They should also know who from the law firm will be
providing legal assistance and keep a record of updated contact
information easily accessible.
Having an attorney already identified can save valuable time
and is far more efficient than blindly calling the firm and being
placed on hold. In addition, the insured should contact carrier-approved forensic firms to learn their protocols, gain an understanding of what to expect from a forensic review, and find out what
possible disruptions to business operations could arise as a result.
When faced with a challenge like a breach situation, knowing specifically who will help and how they will assist before the
storm hits can accelerate the company’s response and help to
mitigate potential exposures.
4. KNOW WHO IS RESPONSIBLE. An old adage warns that
if everyone is responsible for something, then no one is. Management should already have clearly defined roles for individual staff
members to follow in the event of a breach. Who ascertains the
extent of a breach? Who is the point person if a breach occurs after hours? Who notifies employees? Who contacts the insurance
carrier and law enforcement officials? Who is in charge of
mitigation efforts to contain any intrusion? Who will approve
communication to impacted individuals? Who will work with
counsel to craft an explanatory message to clients?
Making sure staff members are on the same page in terms of
pre-breach duties will make the post-breach response more efficient and effective. Management should also ensure that every staff
member with assigned duties has a backup. A company’s breach
response will be less successful if the person responsible for leading
a significant component of it is on vacation when a crisis strikes.
Industries of all types are spending vast sums of money in order
to secure their data and customer information to the greatest extent possible. In the event technical and human defenses fail, the
insurance industry offers a multitude of products to provide expertise and coverage for expenses incurred in responding to a breach.
Companies should take the time to know how they can best
benefit from a cyber insurance product and determine everyone’s
role before an event occurs. The steps outlined here cost nothing
and can pay great dividends should the need arise. Given the increasing cyber challenges facing businesses today, no company
can be too prepared.
Matthew Tucci (Matt.Tucci@aspen-insurance.com) is vice
president of professional liability claims for Aspen Insurance.
Previously, he was with Zurich North America as their
professional liability claims counsel and then team manager,