There are two critical cyber insurance issues that every single company must understand right now, before they have an incident:
- In today’s environment, every company has substantial cyber risk and every company needs cyber insurance. Period. Cyber risk is not covered by typical business insurance and companies must have the right cyber insurance for their unique risks — this is not one-size-fits-all. As I say here, “if you don’t know you have the right cyber insurance, you probably don’t.”
- Many cyber insurance policies strictly limit which service providers can be used for incident response services. Effective incident response takes a team. Service providers frequently used in incident response include cyber forensics, cybersecurity, incident response, public relations, breach logistics, forensic accounting, and of course, legal. If your company wants to use a service provider it knows and trusts, it must make sure to get that provider written into the policy or get a policy without such restrictions. It is much easier to do this while procuring insurance but, even if the company already has a policy, it should still make the request as soon as possible — the time to sort this out is now, not after an incident.
How do you do this?
It is simple! The following is an example of an email that some of our clients have sent to their insurance broker to let them know that they wanted to work with our firm. You could send something similar to your broker, listing the vendors you would like to work with should you ever have a claim.
Dear [Insurance Broker]:
Our company has an existing relationship with Shawn Tuma and the Spencer Fane LLP law firm and they have been helping us with cyber risk related issues, including incident response planning and advising us on the need for cyber insurance. Please ensure that any cyber / privacy insurance policies that you obtain for us to evaluate will allow us to use them as an approved vendor for incident response services, should we ever need such services for a claim under the policy.
The Spencer Fane team does incident response “coach” work for several insurance carriers as approved panel counsel and can provide a list of such carriers upon request. They are very familiar with both the process of working with carriers and the standard engagement terms.
See the resources below for more explanation about these issues:
- Cyber Insurance and Incident Response: What to Know, Secure World (quoting Tuma)
- Podcast: Real-Life Examples and Best Practices for Ransomware Incident Response
- With Ransomware Attacks Increasing, Cyber Insurance Now Seen as a Necessity, not a Luxury – Security Magazine
- Cyber Insurance Becoming a Necessity, No Longer a Luxury for Prepared Companies, CPO Magazine
If you are interested in learning more about how cyber insurance and these two issues in particular impact incident response planning, watch the following video: