The claims process following a data breach is something an increasing number of insurers — and insureds — need to understand more clearly, and in his presentation at the recent New York Chapter meeting of the International Information System Security Certification Consortium, Markel's Director of U.S. Professional Liability David T. Vanalek outlined the claims team's vital role when proprietary information is compromised.

One of the roles of the claims organization is to shepherd policyholders through the breach-response process. The process can be complex, depending on the scope of the incident; Vanalek mentioned that increasingly, insurers are hiring lawyers out of private practice with expertise in cyber-related legal issues due to their complexity.

After a breach, Vanalek explained, the claims group is the primary point of contact between the carrier and policyholder. As such, it's important for policyholders to know in advance precisely who their point of contact is should help be needed, especially for large organizations with significant liability exposures.

A range of policies may cover aspects of cyber-related claims: these include stand-alone Cyber policies, Commercial General Liability, D&O/management liability, Commercial Crime coverage, and other blended products. Each is subject to limits, sub-limits, exclusions and endorsements.

It's important to know that Cyber claims often involve more than one insurer (especially for a large client) and require handling of third-party liability claims. The claims organization has primary responsibility for coordinating these third-party claims in addition to its policyholders' claims.

The breach-response lifecycle begins


A claim is initially triggered by theft, loss, or unauthorized disclosure from a legally liable organization. It's incumbent on the policyholder to file a breach notification with the carrier, agent or wholesaler. Because breaches can become broad-based (and possibly public) quickly, that filing should be immediately followed up with a call to discuss coverage issues.

After the claim is filed, Vanalek explained, the investigation will begin. The investigation will include forensic and legal analysis, and its scope and complexity will be dictated by the size and value of the potential loss.

Forensics will uncover technical aspects of a breach, including the methods used, scope of the breach, and first- and third-party impacts. Depending on the scope of the breach and the complexity of the policyholder's IT infrastructure, technical domain experts from the carrier (or their service providers) will engage with the policyholder's IT management.

Complex forensic investigations will often be handled by carrier-approved, third-party providers with expertise in breach detection, remediation and prevention.

Importantly, breach-notification laws exist in 48 states — but the requirements for breach reporting in each of those states are unique. A breach that must by law be reported in one jurisdiction may not need to be reported in a neighboring state. Because the insurer's responsibility is to the policyholder and not to law enforcement, legal authorities may not be notified. In addition to the first-party claim, third-party claims may also be filed in additional jurisdictions.

During this process, the policyholder will receive a coverage letter from the insurer outlining the scope of their coverages.

The value of readiness

Concurrent with the forensic evaluation, a response plan will begin to take shape. Depending on the nature of the breach, this will involve victim notification, credit monitoring, public relations, data recovery, system hardening and implementation of new security products, services and procedures, as well as a breach coach. The costs can add up quickly, and the claims team is responsible for coordinating all these activities and paying all the invoices.

Because those costs can quickly mount, Vanalek noted, it's important for policyholders to receive ongoing updates on whether their coverage levels are being reached.

After response, focus shifts to defense. After a cyber incident, insurance defense involves a combination of class-action lawsuit handling, management of regulatory fines and penalties, minimizing reputational damage and limiting income loss.

Carriers have approved lists of defense attorneys; however, they will sometimes allow off-panel defense attorneys as well. Generally, said Vanalek, carriers work toward early resolution in defense of first- and third-party claims through mediation, direct settlements and negotiation — but failing that, claims will go to trial.

Cyber claims handlers should be experts in understanding first- and third-party policy coverages, and have a deep understanding of the issues related to cyber. The claims handlers should also be adept at understanding how the various coverages in the policyholder's tower of coverages come into play in the event of an incident.

Key Takeaways for Insureds:

  • Know who your contact is at your broker, agent or carrier for handling cyber claims
  • Have a thorough understanding of the breach response services available to you from your insurer – or their claims administrator
  • Cyber claims handlers should be experts in understanding first- and third-party policy coverages, and have a deep understanding of the issues related to cyber breach response. Do some due diligence on your insurer's expertise
  • Look for an insurer who has expertise in handling risk in the industry or profession you're in
  • Pick an insurer who has experience working with organizations as big or small as yours
  • In the event of a cyber incident, notify all your insurance providers. You may be covered by more than just your standalone cyber policy

Key Takeaways for Insurance Professionals:

  • Educate your clients in advance about who to contact and how to file cyber claims
  • Meet with clients at contract signing and walk them through the breach response process
  • Be sure your policyholders understand the breach response services available to them
  • Have a thorough understanding of your clients' cyber exposures in advance, so you're not playing catch-up in the event of a breach
