There is a saying in the cybersecurity industry that there are two types of businesses today: Those that have been breached and know it and those that have been breached and just don’t know it.
To manage this burgeoning yet still nascent threat, just like other routine day-to-day risk and hazards, companies have started to include cybersecurity considerations when considering enterprise risk management and insurance risk transfer mechanisms - such as cyber insurance. There is little doubt that cyber insurance will soon become yet another basic element of a company’s overall insurance coverage program, just like general comprehensive liability, professional liability and officers and directors coverage.
Today, a cyber-attack potentially implicates several different types of insurance coverages – depending on such factors as the type of attack, the extent, if any, of data loss, the relationship of the parties, the nature of the data involved (e.g. personal information, intellectual property, trade secrets, emails, etc.), the type of policy in issue and, if for third-party liability, the allegations asserted and the type of damages in issue.
Yet while the market for cyber insurance continues to grow dramatically, no standard form of cyber insurance policy language has materialized. And, whether standard property casualty provisions even cover losses attributable to cyber incidents remains subject to interpretation and potential dispute.
In addition, the actuarial challenges of predicting/gauging the potential impacts of a cyber-attack can in turn, make it difficult to match a cyber insurance policy with the unique risk profiles of global and technologically sophisticated companies; these are difficulties faced not only by insurance providers but also by even the most experienced executive team members. Cyber-attack damages are so multifaceted and unique – much moreso than fire, flood, and other more traditional disaster scenarios – that there is no normal distribution of cyber-attack outcomes on which to assess the probabilities of future events and impacts. As a result, there are now a dizzying array of cyber insurance products in the marketplace, each with its own insurer-drafted terms and conditions, which can vary dramatically from insurer to insurer – some effective and comprehensive and others replete with loopholes, exclusions and other confusing features.
John Reed Stark Consulting suggests a different approach towards that calculus.
We are not licensed to sell insurance; we are not affiliated with any insurance company or product; and we are not compensated in any insurance company, originator, broker., etc. We are an independent and objective cybersecurity and data breach response expert and engaged only by people who want our opinion about costs related to data breach response.
Along those lines, we believe that a company should begin with a review of actual cyber-attacks experienced by others, analyzing and scrutinizing the typical cyber-incident response workflow and so-called “workstreams” that typically follow most cyber incidents. By analyzing and revisiting the practicalities and economics of these workstreams, a company can then collaborate with its insurance brokers and originators to allocate risk responsibly and determine, before any cyber-attack occurs, which workstream costs will be subject to coverage; which workstream costs that fall outside of the coverage; and those workstream costs that might be uninsurable.
Akin to when someone with a genetic history of heart disease consults with a cardiologist to help identify the most suitable health insurance or when a new homeowner consults with a local firefighter to help identify the most appropriate property and casualty insurance, partnering with John Reed Stark Consulting assesses risk practically.
In other words, partner with John Reed Stark Consulting to learn about the typical data breach workflow from the perspective of a cyber-attack first responder who has handled data breaches from both the government side and from the private side for over 20 years and avoid gaps or other mistakes in coverage.
For more information about John Reed Stark’s capabilities and expertise, review his recent articles and webcasts on cybersecurity and incident response in his Publications and in his blog, entitled Stark on IR. A few relevant samples include: