Over the past several months, we've been exploring the world of Cyber Risk from a variety of perspectives: first, understanding what Cyber Risk is, then how laws and regulations can have a significant impact, and finally, learning how to protect yourself from the risks in question. In this regard, it cannot be overemphasized that the best protection is implemented through robust internal controls. An e-risk insurance policy should be seen as a complement, not an alternative, to sound risk management practices. It cannot prevent a breach from occurring, but it will help you meet the costs of a breach and maintain financial stability should one occur. But what should you do if you are, after all, the victim of a network security or privacy breach?
Firstly, do not panic! Instead, contact your insurer’s claims department immediately. Insurers specializing in Cyber Risks provide their policyholders with a response team that, depending on the scope of the policy and the coverage options chosen, may include specialized law firms, forensic experts and investigators, specialists in notification, identity restoration and credit monitoring, as well as public relations firms. Such a response team will help you manage the crisis and answer any questions you may have, including those related to legal or regulatory requirements. In addition, it will provide you with the documentation required depending on the circumstances and will assist you if the situation requires notification of the persons affected by the breach.
In such situations, reaction time is crucial. That’s why you need experts who can determine the source and cause of the breach, help you avoid further damage, identify the information that has been compromised and who is affected, and assist you in protecting and recovering the data if necessary.
The following is an example of a claim that illustrates how an insurer can respond to a breach:
One of the partners of the accounting firm Assets, Liabilities & Associates comes into the office very early on a Monday morning to advance his audit work on the financial statements of a major client. When he tries to log on to the computer system as he does every morning, he finds that access is blocked. Soon after, he receives an e-mail from an unknown source informing him that a hacker has taken control of the network and encrypted the data stored on it. To decrypt the data, the hacker demands that a ransom of $25,000 be paid in Bitcoin within 24 hours, after which the data will be unrecoverable. Panicked at the prospect of losing all employee and customer information, the partner is anxious to contact the bank as soon as its offices open to arrange payment of the hacker’s ransom demand. Fortunately, the firm’s CFO, who has just arrived at the office, reminds him that the firm has Cyber Risk insurance. She immediately contacts the insurer’s claims department, which puts her in touch with a member of the response team. A strategy is quickly established by identifying priorities:
- A computer security specialist examines the hacker’s e-mail and the encryption method used. He quickly narrows his research to a group of hackers well known for operating in this way. A negotiator contacts the hacker and succeeds in getting the hacker to decrypt the data for much less than the initial demand;
- After consultation with a law firm, it is decided that it is preferable to notify all those affected by the breach. A firm specializing in this area prepares a notice and takes care of the mailing;
- A public relations firm undertakes to draft a press release to be published on the Assets, Liabilities & Associates website to inform clients of the situation and explain the measures being taken to manage the crisis;
- The investigation conducted by the IT security specialist shows that, although the security measures were adequate, the hacker managed to break into Assets, Liabilities & Associates’ computer system using a malicious phishing e-mail. As a result, it is recommended that Assets, Liabilities & Associates provide mandatory training to all employees on best practices in computer security.
The amount of the ransom and the fees of the various parties involved were covered by the insurer.
Although we have now gained a good understanding of insurance coverage for Cyber Risks, it may be interesting to know that it is not always where you expect it to be. We will attempt to unravel this mystery in our next column.