September 22, 2021
Threat actors launched a cyberattack against the Texas Office of Court Administration, the IT provider for many Texas courts, and encrypted their computer systems with ransomware, leaving those systems useless. Cognizant, which has a large presence in Dallas-Fort Worth and is one of the world’s largest and most sophisticated providers of information technology services for other companies, was hit with ransomware with losses currently estimated between $50 million and $70 million. Dallas-based CyrusOne, a global provider of data center services and managed information technology services for other companies, was hit with ransomware, impacting several of its customers. More than 20 Texas local governments were hit with ransomware, also rendering their computer systems useless.
These are just a few of the high-profile cyber incidents in the past year just for Texas. Similar incidents occur daily across the United States. While the public learns about attacks like these on well-known organizations, most do not hear about the attacks on small and midsize organizations. Unless the ransomware attack also involves the breach of confidentiality of sensitive personal information or protected health information, there is no general law requiring that most such attacks be publicly disclosed or reported.
That does not mean they are not happening. In our experience, they are happening exponentially more to small and midsize organizations all over the United States, and the impact is devastating.
A cyberattack is becoming the one universal risk that can literally destroy overnight an otherwise healthy company. Even with COVID-19, it took days and weeks for the impact to be felt. Not so with cyber incidents; it happens in an instant. If the large, well-funded experts in information technology like Cognizant cannot always defend themselves against these attacks, do you really believe your organization can?
Now is the time for cyber insurance and incident response plans In reality, there is no “secure” in the cyber world — even when the best security measures are taken. When cybercriminals want to get in and disrupt a business bad enough, they will find a way.
Because a company cannot be completely secure, it must be resilient. Cyber insurance is critical in providing a company with the resources it needs to properly respond to and recover from an attack. However, business leaders need to understand the details of an insurance policy and what it does and does not cover. Only policies specifically designed to cover cyber risk, cover cyber risk.
Standard insurance policies typically do not provide coverage for cyber risk. You must have a policy that is specifically designed to cover cyber risk and, more appropriately, the unique cyber risks your company faces. If you do not know that you have cyber risk coverage, you probably do not. In addition, businesses should invest in creating a thorough and detailed incident response plan that can be initiated on short notice. Ideally, this plan includes the who, when and how of the response — perhaps most importantly, who leads the response and coordinates all of the steps.
The plan should not only include the organization’s internal team, but those external service providers who have a critical role in an incident response such as breach counsel (i.e., legal), cyber forensics and public relations.
For an incident response plan and cyber insurance policy to work, business leaders must educate the key stakeholders, train every member of the team and practice or simulate the actions with the key stakeholders and external providers, all of which are essential members of the incident response team. The most valuable part of an incident response plan is communication and having the right team in place to successfully resolve the situation and minimize the disruptions and associated costs.
Cyber insurance works
Reputable carriers pay claims under cyber policies.
When a policy legitimately covers a claim, the carriers pay. We have handled hundreds of cases where insurance carriers have fulfilled their obligation and paid for the response, mitigation, notification, litigation and regulatory investigation costs. To give you an idea of how many and what kinds of cyber claims are paid each year, the NetDiligence 2019 Cyber Claims Study examined over 2,000 cyber claims that had been paid.
Of course, there may be exceptions and outlier cases where an appropriate claim is not paid or where the claim may fall within a gray area and coverage is not clear. This is true of all insurance for all types of risk.
Cyber is no different.
But these cases are the exception, not the rule. Unfortunately, they are the cases that usually get the most attention and create the perception that cyber claims are not paid. These situations are rare, and those who focus only on them are ignoring the thousands of cases where similar claims are paid.
You manage your company’s risk by honestly evaluating the probabilities, not getting hung up on the most unlikely exception. Addressing cyber risk should be no different. When you get a cyber policy from a reputable carrier, the likelihood that the carrier will cover those claims is just as high as the carrier covering any other kind of claim for which you have insurance.
However, before an incident occurs, you should know the answers to all of these questions:
- Do you know you have cyber insurance?
- Where is your policy?
- Who is the carrier and your main contact with that carrier, as well as your broker?
- Were proactive risk management services included?
- How quickly must you give notice of an event?
- Must those on the incident response team be “approved” or “preapproved” by the carrier before you can use their services?
- When must you get preapproval for steps taken in incident response?
Know who you will work with when a cyber incident occurs
Cyber insurance policies typically specify that if your company has an event and makes a claim, you will be required to work with the service providers who are on the carrier’s “preferred” or “approved panel” list. This means that if you already have a relationship with an experienced attorney, cyber forensic firm, PR firm or forensic accounting firm that you know and trust, you probably cannot work with them unless they are approved. This is not something you want to learn about when a crisis hits and is tantamount to learning that your star players are ineligible to play at the opening whistle of the championship game.
While this regularly trips up those who are inexperienced in incident response, there is a good reason for this requirement. Little mistakes can have a big impact on the response. Cyber incident response and serving as breach counsel is a highly specialized skillset and the professionals handling this must truly have significant experience in that role or else the consequences — and resulting losses for the client and the insurance carrier — can be catastrophic. The insurance carriers have a strong interest in making sure the professionals they approve have been vetted and can handle the role.
Also, insurance carriers typically have negotiated rates with their approved panel providers that are substantially lower than those same providers would charge on their non-insurance engagements. Because these providers’ fees typically erode the insurance policy coverage limits like any other costs, this helps the insured get the most bang for their coverage buck.
Finally, service providers that regularly do this kind of work with insurance companies get better results because they are familiar with the cyber insurance process, have strong relationships and a familiarity in working with the most experienced providers in the other external service provider disciplines (i.e., legal, cyber forensics, public relations), and they all know how to work well together as a team.
This is ultimately much better for the client.
There are solutions to this problem for clients that already have a relationship with an experienced attorney, cyber forensic firm, PR firm or forensic accountant: Address the issue upfront as part of the incident response planning process. If you know who you want to work with when you are obtaining your policy, make it clear and get a policy with a carrier that will allow you to work with the professionals of your choosing, or have the professionals you know and trust written into your policy.
It may be too late to do this once the policy has been issued, but you should still try because the insurance carriers allow such additions as long as it is before you actually have a claim.
The best way to get the right cyber risk policy is to work with a reputable broker who is truly knowledgeable about cyber risk and cyber policies. There are a lot of brokers trying to sell cyber policies, but many of them do not truly understand the policies, cyber risk in general, or your company’s unique needs.
Contact experienced cyber service providers you know and trust to ask for advice on how to get the right policy that will allow you to work with them. Let them connect you with a good insurance broker who truly understands your cyber risk and has the relationships that will allow them to find a policy that fits your needs.
How this all fits together
Assessing all of the above allows businesses to know what questions to ask to increase protection and mitigate risk:
- Do we have cyber insurance?
- Is it tailored to our unique risk?
- Does it offer proactive risk management services?
- What is covered? What is not covered?
- What choice do we have in service providers used?
- Are there service providers that we want to use that are not permitted?
- Can we get the service providers we want to use approved under the policy?
- If not, who are the carrier’s approved service providers so we can develop a relationship with them to use them in our incident response planning and preparation?
The key to identifying the right coverage to fit specific needs is to find the right policy with the right carrier. Good, knowledgeable brokers and agents can assist in this process. You can then incorporate that policy into your incident response plan and become a company fully prepared for the biggest threat facing your company today and in the future.
Written by: [Shawn Tuma]