4 steps to recovering from a cyber event
Advanced preparation and training are critical to returning a company to normal operations as quickly as possible.
Cyber crime is the most serious man-made threat facing companies today. Not surprisingly, companies expend significant human and financial resources to strengthen computer network defenses and train their work forces to prevent breaches of their sensitive data. Major investments are made to keep the threat at bay.
This is the correct approach, but no one has developed a foolproof method for stopping bad actors who are often one step ahead of their targets with new attack methods. If a data breach occurs, companies must be prepared to respond, remediate and recover.
Insurance is an excellent tool to assist in these efforts. To get the most out of a data security insurance product, brokers should advise their clients to follow four steps that cost nothing, but can reap great benefits in the most challenging of times.
4 practical steps to recovery
- Know the policy. Cyber insurance policies that afford coverage for data breach incidents, like other insurance policies, are rather dull at first glance. Their language is technical and dry. They contain no pictures, have little to no color, contain no witty anecdotes and do not begin with passages that grab a reader’s attention from the outset — “It was the best of policy periods, it was the worst of policy periods.”
What they represent, in essence, is the amount of money available to an entity if certain conditions are met. The insured’s leadership must understand the policy terms before a breach occurs so the company does not unknowingly act in a way that jeopardizes the coverage. Granted, management typically has a plethora of things that take priority over reading insurance agreements. However, if they comprehend the importance of reviewing and understanding the terms in a document in order to be eligible for coverage in the event of a breach, you will likely see a different reaction.
- Know the insurance carrier. A common perception is that if an insured is speaking with a claims professional, this means something bad has happened to the insured. Though often true, that does not always have to be the case. There is nothing preventing the company from contacting the claims unit that handles cyber claims before a breach and asking to be walked through the process.
It is strategically advisable to ask which claims professionals would be assigned a reported breach, where they are located and what happens when he or she learns of the breach. Is there a hotline or email address for expedited reporting? What information should the insured have ready to provide to the claims professional? How will a retention or deductible be applied? What role will a company’s internal IT staff play in responding to a breach? While the insurance carrier should be a partner with key stakeholders during a breach, it would be much more beneficial to cultivate that partnership before it is needed.
- Know the vendors. If a cyber insurance carrier mandates that specific vendors be used in the event of a breach, or provides incentives to use vendors from an approved panel, the company should reach out to those vendors prior to the breach. Management should engage the law firm who will act as a breach coach to initiate a vetting process and to understand what the procedures will be from a legal perspective in the event of a breach. They should also know who from the law firm will be providing legal assistance and keep a record of updated contact information easily accessible.
Having an attorney already identified can save valuable time and is far more efficient than blindly calling the firm and being placed on hold. In addition, the insured should contact carrier-approved forensic firms to learn their protocols, gain an understanding of what to expect from a forensic review, and what possible disruptions to business operations could arise as a result.
When faced with a challenge like a breach situation, knowing specifically who will help and how they will assist before the storm hits can accelerate the company’s response and help to mitigate potential exposures.
- Know who is responsible. An old adage warns that if everyone is responsible for something, then no one is. Management should already have clearly defined roles for individual staff members to follow in the event of a breach. Who ascertains the extent of a breach? Who is the point person if a breach occurs after hours? Who notifies employees? Who contacts the insurance carrier and law enforcement officials? Who is in charge of taking mitigation efforts to contain any intrusion? Who will approve communication to impacted individuals? Who will work with counsel to craft an explanatory message to clients?
Making sure staff members are on the same page in terms of pre-breach duties will make the post-breach response more efficient and effective. Management should also ensure that every staff member with assigned duties has a backup. A company’s breach response will be less successful if the person responsible for leading a significant component of it is on vacation when a crisis strikes.
Industries of all types are spending vast sums of money in order to secure their data and customer information to the greatest extent possible. In the event technical and human defenses fail, the insurance industry offers a multitude of products to provide expertise and coverage for expenses incurred in responding to a breach.
Companies should take the time to know how they can best benefit from a cyber insurance product and determine everyone’s role before an event occurs. The steps outlined here cost nothing and can pay great dividends should the need arise. Given the increasing cyber challenges facing businesses today, no company can be too prepared.
Matthew Tucci (Matt.Tucci@aspen-insurance.com) is vice president of professional liability claims for Aspen Insurance. Previously, he was with Zurich North America as their professional liability claims counsel and then team manager, D&O claims.