The claims process following a data breach is something an increasing number of insurers — and insureds — need to understand more clearly, and in his presentation at the recent New York Chapter meeting of the International Information System Security Certification Consortium, Markel’s Director of U.S. Professional Liability David T. Vanalek outlined the claims team’s vital role when proprietary information is compromised.
One of the roles of the claims organization is to shepherd policyholders through the breach-response process. The process can be complex, depending on the scope of the incident; Vanalek mentioned that increasingly, insurers are hiring lawyers out of private practice with expertise in cyber-related legal issues due to their complexity.
After a breach, Vanalek explained, the claims group is the primary point of contact between the carrier and policyholder. As such, it’s important for policyholders to know in advance precisely who their point of contact is should their help be needed, especially for large organizations with significant liability exposures.
A range of policies may cover aspects of cyber-related claims: these include stand-alone Cyber policies, Commercial General Liability, D&O/management liability, Commercial Crime coverage, and other blended products. Each is subject to limits, sub-limits, exclusions and endorsements.
It’s important to know that Cyber claims often involve more than one insurer (especially for a large client) and require handling of third-party liability claims. The claims organization has primary responsibility for coordinating these third-party claims in addition to their policyholders’ claims.
The breach-response lifecycle begins
A claim is initially triggered by theft, loss, or unauthorized disclosure from a legally liable organization. It’s incumbent on the policyholder to file a breach notification with the carrier, agent or wholesaler: because breaches can become broad-based (and possibly public) quickly, that filing should be immediately followed up with a call to discuss coverage issues.
After the claim is filed, Vanalek explained, the investigation will begin. The investigation will include forensic and legal analysis, and its scope and complexity will be dictated by the size and value of the potential loss.
Forensics will uncover technical aspects of a breach, including the methods used, scope of the breach, and first- and third-party impacts. Depending on the scope of the breach and the complexity of the policyholder’s IT infrastructure, technical domain experts from the carrier (or their service providers) will engage with the policyholder’s IT management.
Complex forensic investigations will often be handled by carrier-approved, third-party providers with expertise in breach detection, remediation and prevention.
Importantly, breach-notification laws exist in 48 states — but the requirements for breach reporting in each of those states are unique. A breach that must by law be reported in one jurisdiction may not have to be reported in a neighboring state. Because the insurer’s responsibility is to the policyholder and not to law enforcement, legal authorities may not be notified. In addition to the first-party claim, third-party claims may also be filed in additional jurisdictions.
During this process, the policyholder will receive a coverage letter from the insurer outlining the scope of their coverages.
The value of readiness
Concurrent with the forensic evaluation, a response plan will begin to take shape. Depending on the nature of the breach, this will involve victim notification, credit monitoring, public relations, data recovery, system hardening and implementation of new security products, services and procedures, as well as a breach coach. The costs can add up quickly, and the claims team is responsible for coordinating all these activities and paying all the invoices.
Because those costs can quickly mount, Vanalek noted, it’s important for policyholders to receive ongoing updates on how close they are to reaching their coverage limits.
After response, focus shifts to defense. After a cyber incident, insurance defense involves a combination of class-action lawsuit handling, management of regulatory fines and penalties, minimizing reputational damage and limiting income loss.
Carriers have approved lists of defense attorneys; however, they will sometimes allow off-panel defense attorneys as well. Generally, said Vanalek, carriers work toward early resolution in defense of first- and third-party claims through mediation, direct settlements and negotiation — but failing that, claims will go to trial.
Cyber claims handlers should be experts in understanding first- and third-party policy coverages, and have a deep understanding of the issues related to cyber. The claims handlers should also be adept at understanding how the various coverages in the policyholder’s tower of coverages come into play in the event of an incident.
Key Takeaways for Insureds:
- Know who your contact is at your broker, agent or carrier for handling cyber claims
- Have a thorough understanding of the breach response services available to you from your insurer – or their claims administrator
- Cyber claims handlers should be experts in understanding first- and third-party policy coverages, and have a deep understanding of the issues related to cyber breach response. Do some due diligence on your insurer’s expertise
- Look for an insurer who has expertise in handling risk in the industry or profession you’re in
- Pick an insurer who has experience working with organizations as big or small as yours
- In the event of a cyber incident, notify all your insurance providers. You may be covered by more than just your standalone cyber policy
Key Takeaways for Insurance Professionals:
- Educate your clients in advance about who to contact and how to file cyber claims
- Meet with clients at contract signing and walk them through the breach response process
- Be sure your policyholders understand the breach response services available to them
- Have a thorough understanding of your clients’ cyber exposures in advance, so you’re not playing catch-up in the event of a breach