Subrogating a cybersecurity attack — Part 1

As cyberattacks increase, insurers are looking at other parties that should be held responsible as part of a claim.

Subrogation is an effective means of holding responsible parties accountable and in turn, helping to lessen the financial load on the insurer. (Photo: zephyr_p/Shutterstock)

Uncomfortable.

When it comes to cybersecurity risks, the insurance industry really can’t escape the feeling. “There isn’t a class of business that can hide from this,” explains Shiraz Saeed, vice president and cyber risk product leader at Arch Insurance Group.

Cybersecurity incidents, such as data breaches or ransomware attacks, are becoming so frequent that it can feel unbearable for insurers. “Managing cyber risk is complicated. Trying to figure out the likelihood of an organization getting hacked is very challenging; there are tools that can help organizations with the predictability of a network security failure, but it is still not a perfect science. Instead of thinking about the probability of this possibly happening to your organization, you should assume it will and invest in people, tools, policies, procedures and controls to help mitigate the risk. Having an organization with a mature and robust cybersecurity risk management model reduces the chances of your organization falling victim to a cyber incident,” Saeed remarks.

The question is, how can we limit the exposure? In the wake of a data incident, there are several expenses and liabilities that will have to be paid for — many of which are contemplated in a cyber insurance policy. This would potentially include legal expenses, cybersecurity forensics, public relations, negotiation and payments of ransom demands, data recovery or business income loss. This will apply to most organizations that have a business-to-business client model.

If the organization is direct to consumer, or has a business-to-business model in which it has access to its clients’ private information or computer systems, additional costs come into play: it may have to notify impacted individuals and provide identity monitoring for them, and it can face lawsuits from individuals, other businesses or regulatory agencies, depending on the privacy laws that could have been impacted.

The big picture is this: When a cyber loss occurs, carriers are first and foremost concerned with making their insureds whole again. But as the dust settles and the full picture of the loss comes into view, you quickly find out that a breach is about more than notices and credit monitoring. Adjusters have to look at where fault lies and who should ultimately be liable. Subrogation is an effective means of holding responsible parties accountable and in turn, helping to lessen the financial load on the insurer. It’s not always as straightforward as it sounds.

Part 2 of this series publishes tomorrow and will look at questions insurers should ask as part of the business interruption evaluation and offer solutions to successfully subrogate a cyber claim.

Danielle M. Gardiner, CPA, CFF, (dgardiner@lowersforensics.com) is senior vice president of Lowers Forensics International. Joseph Lazzarotti (joseph.lazzarotti@jacksonlewis.com) is an attorney at law with Jackson Lewis P.C. Special thanks to Shiraz Saeed (ssaeed@archinsurance.com), vice president – cyber risk product leader at Arch Insurance Group for his contributions.

Disclaimer: This article should be considered for general information purposes only. It represents the personal views of the authors and contributors within and does not reflect the views of Arch Insurance Group.
