Cyber Insurance as Crisis Management Tool
My reason for joining the 2021 Cyber Risk Officer spring program run by ICTTF was to have a sound, credible basis for engaging in my role as a non-executive director on the subject of all things cyber, from identifying risks through to a cyber risk strategy. I wanted to see and understand what “great” looked like. That’s exactly what we got through the program.
The cyber insurance topic of the program was one where I had some experience, as during my career with a large global insurance company focused on commercial insurance, cyber insurance became one of our offerings. I was both excited by it, as it was developing from a fringe purchase to a “primary” purchase by companies and so represented a growth area for new product development, the opportunity to serve customers with meaningful protection and, of course, the potential to generate new revenue streams. However, I was also sceptical, since it was an “unknown” – little loss history, difficult to model, and potentially one event worldwide could magnify losses across multiple insureds.
That may sound like I didn’t believe in the product we were selling, but that was only from the perspective of being the seller. If I was a buyer I would absolutely ensure I had good insurance protection in place! The remainder of this article puts forward views to support that.
The “Crisis Period”
We of course had cyber risks as part of the local and global Disaster Recovery (DR) plans. As chair of our Crisis Management Team, I considered a major cyber event much more damaging than the loss of use of, say, an office building to a fire. We could shift work pretty quickly to other offices following a fire. We could move to remote working within hours. But a cyber event in a global business where interdependency is embedded across the globe would be devastating. We would literally have thousands of people converting digitised processes to manual ones. Nobody had been trained for that outcome, nor had our business operational model allowed for new processes to be designed for an enforced manual processing of transactions in real time, so to speak.
So for me, what was important if we were subjected to a cyber event was what happens in the first 5 hours, the first 24 hours, the first 36 hours, the first 5 days and the first 10 days. I always took the view that if we were not back in business to a great extent within weeks, the business would lose massive credibility with colleagues, regulators, customers, intermediaries and major suppliers, to name a few. So this is the “crisis period”.
Of course we were a large financial company operating in a heavily regulated environment worldwide so our DR plans were pretty comprehensive, were aligned to the business model and were tested regularly. We knew we weren’t invincible but it wasn’t for a lack of preparation. Many companies and organisations quite simply are not so prepared.
Insurance is generally regarded as protecting against financial loss in exchange for a premium. However, for certain categories of commercial risk the management of the crisis period is more critical than any financial indemnity. Think of a major pharma company with a large chemical spillage into a watercourse that affects 100,000 residents of a nearby town. Think of a food company which finds it has to recall product because of a serious contamination. Think of a company which has received a ransomware demand to release its crippled IT infrastructure, which houses multiple types of personally identifiable information and renders large swathes of workflows redundant without IT. These scenarios demand quick and incisive support with a degree of urgency and immediacy. Insurance policies frequently fulfil this with a range of experienced services that can respond instantly to a crisis scenario. I’ll touch later on what that might include, but to give one example, the PR agency used for product launches is unlikely to be the one to handle crisis-led communications.
should a Company Buy?
- The current status of organisational readiness for a cyber event
- How much cover to purchase, benchmarked against your industry sector
- Market conditions, pricing, insurer preferences
- Preparing the information to provide to insurers and organising the dialogue to have with insurers
- The range of post-incident services
- Coverage negotiations and customised options
- Cover and funding options that may be available
Getting an insurer to engage in underwriting a cyber risk is now fairly rigorous and demanding, and can be quite comprehensive in the data requested. It is not uncommon to have proposal forms that are 10+ pages in length. Below is some of the data required:
- Basic corporate financial information broken down by product, sub-product, geography, customer segment
- Number of records by type of information – PII, payment cards, health data
  - By geography
  - Online sales
- Scale, purpose, protocols, monitoring of 3rd-party data sharing
- System outages:
  - DR plan detail around actions, duration, mitigation measures, testing frequency
  - Financial impact estimations
  - Seasonal peak-time modelling
  - Back-up management
- Life cycle management of IT infrastructure
- Due diligence, audits
- Cloud usage
- Contractual and financial indemnity provisions of any Service Level Agreements
- DR plan for OSPs
- Responsibility – privacy officer, company policies, compliance records
- Data classification policy
- System access privilege management
- Encryption & back-up practices for sensitive information
- Compliance with various industry standards
- Retention and destruction policies
- Extent of protections – firewalls, anti-malware, vulnerability scanning, remote access controls
- Password management policies
- Patching protocols
- Mobile network access – USBs, BYOD
- Threat intelligence capabilities
- Penetration testing
- Social media presence, procedures and policy
- Phishing tests
- Social media monitoring
- Details of incident log procedures, including escalation and review
- Claims history – accidental, intentional, near miss, disclosure
- Financial impact
- Extortion demands
IT’S YOUR STORY….
- If your organisation has a good story to tell, then share that with the underwriter. If you are wary about sharing DR plans (many companies are) you can ask for a confidentiality agreement or organise a secure vault online for underwriters in view-only mode for a limited time period.
- If there are weaknesses in your cyber security, acknowledge that you’re aware of them alongside the rationale for why it’s a weakness (e.g. it may be a very small part of the business) or highlight any plans to strengthen various areas.
- Ask your broker to benchmark that weakness against industry peers as it may turn out you’re above average compared to competitors.
- If your organisation has had an incident that became a claim, one tangible outcome is your organisation is now more aware of the impacts, lessons will have been learnt and perhaps the organisation is now at a higher level of readiness. Be open to sharing high level improvements.
- Explain why cyber insurance is a key purchase to strengthen your organisation against a cyber event, particularly in the “crisis period”.
- Share metrics that demonstrate the “organisational culture” is heavily influenced by cyber security: for example, outcomes from phishing or pen tests over various time periods, or metrics from regular training programs designed to raise cyber risk awareness.
Some of these are probably counter-intuitive in that they don’t seem to portray readiness. Underwriters are looking for a good thought process and as much mitigation as can be afforded.
Managing the “Crisis Period”
It’s Friday afternoon and your organisation has just been told that you’re the subject of a ransomware attack and your IT infrastructure has had to go offline or shut down. The recent HSE event in Ireland has highlighted how immediate the impact became for staff, patients, service delivery not to mention COVID plans. In effect there was organisational paralysis and a fair degree of scrambling.
Minute two is when the cyber insurance should be triggered. The triage that then takes place is designed to identify and assemble the external crisis management services required. Below are some common services offered by cyber insurance policies:
- Incident response & IT forensics: identify an incident manager, provide experienced negotiators to liaise with the cyber event perpetrator, identify the scale of the incident, follow the IT trail globally (hacker servers can be located in any country worldwide).
- Forensic accounting: assess financial impact and ability to continue trading.
- Legal & regulatory: identify obligations if personally identifiable information has been lost – timescale, bodies to be notified, customer notification requirements.
- Crisis communications and PR: various stakeholders need to be considered as part of the communications strategy, and that determines what to communicate and the messaging components (e.g. multiple languages, local regulations if a multi-geography event); manage & interpret what regulators feed back to the
- Fraud and credit monitoring: if payment card or other sensitive financial details are involved there may be a need to engage a service that can quickly start to engage with customers around protections that have now been put in place. There may be a need for a call centre to respond to queries from
- Negotiators: several companies specialise in negotiations of a sensitive nature to a company. Cyber criminals are now firmly a part of that cohort.
Normally these service providers are global firms who are under Service Level Agreements to respond 24/7/365 and provide hugely beneficial advice. Sometimes we encountered a client who was concerned about access to its business systems and data by firms that were unknown to them, and so had a preference to have some of their own advisers respond in place of our panel. If your organisation feels strongly about this, then engage with the insurer during the negotiation stage. Where it makes sense an insurer will be accommodating (e.g. using the client’s global audit firm over the insurer’s forensic accounting partner). However, be aware that where there is a critical component of the claims process, the insurer may insist on their panel appointment. That’s probably best to agree at inception of the policy rather than when an incident occurs.
Cyber insurance may be worth it for many firms and while compensation for financial loss may be important, for me it is the “crisis period” which is the most daunting. Having led a crisis management team through various events, the initial shock quickly dissipates when you’ve got a good plan in place which is augmented by professional expertise guiding you from “crisis period” back to business as usual.
David Gallagher has over 25 years experience in the commercial insurance industry across Europe. He led the Irish business of XL Insurance/Axa XL since 2008 and retired in 2020. He is now a consultant and advisor to several insurance entities.