Insights From The Inevitable: Cyber Insurance in the Data Breach Era

"When a company experiences a cyber attack…those can be quite expensive. And the costs can be myriad. It can be the cost of having to hire a third party to forensically investigate and the cost of hiring outside counsel, like myself, to help navigate the notification and regulatory obligations.

It can be the cost of having to notify individuals. It could be the cost you suffer from the loss of business or business interruption…the cost of replacing hardware and software [impacted] by the incident.

And then it could be the cost of having to defend against litigation or regulatory inquiry, or the imposed costs of remediation and compliance, data privacy compliance, following an incident."

—Kari Rollins, Co-Managing Partner, Sheppard Mullin

“One of the questions I always get asked is, ‘well, who's going to pay for all of these costs that are incurred in connection with a data privacy [or] security event?’ and often it can be your insurance,” continues Kari. “So, from my perspective, cyber insurance is…an integral part of cybersecurity preparedness and data breach response.”

On January 21, as part of The Inevitable series, Kari Rollins and Summer Craze Fowler sat down for an insightful and wide-ranging discussion concerning “Cyber Insurance in the Data Breach Era.”

Kari Rollins is Co-Managing Partner of the Sheppard Mullin New York office. Her practice is centered on data privacy, with a particular focus on cyber security compliance and the drafting of security policies and incident response plans, and, when necessary, crisis management, including notification obligations and regulatory and litigation support.

Summer Craze Fowler is Chief Information Officer and Chief Security Officer at Argo AI, which produces software and systems for self-driving cars. Her background includes 11 years at Carnegie Mellon. Prior to that she was at the Johns Hopkins Applied Physics Lab and Northrop Grumman, where she worked with the United States Marine Corps on a set of tactical ground systems.

Proactive and Prepared

“That preparedness angle is critical,” says Fowler, who views cyber insurance less like event-specific car insurance and more like health insurance: as something that “can become part of a proactive cybersecurity program...”

Both she and Kari agree:

"You're building a relationship with potentially a breach coach, not just your broker…So I really view cyber insurance as an imperative…. Companies view it not just as important for themselves, but also as important for the vendors that…download or access and process their information. Because in the event of a vendor incident, whose insurance is going to cover it? Does the vendor have insurance to cover the cost of investigation?"

—Summer Craze Fowler, CIO, Argo AI

While the press tends to focus on escalating ransomware demands (now reaching eight figures), however high they climb, the ransom itself can still represent a mere fraction of the total cost incurred by the business.

For example, the cost of the forensic investigation alone – identifying not only the source of the attack but ferreting out every last bit of malicious code, which has typically proliferated throughout your systems and endpoints – can dwarf the dollar amount of the ransom request. Add to this the cost of responding to Data Subject Access Requests (DSARs) if consumer data has been exposed, plus potential regulatory inquiries and civil litigation, and the ransom is really just the tip of a very expensive iceberg.

"You can use [cyber insurance] proactively to prepare yourself for an incident, but you can also use it proactively for the myriad data privacy compliance regulations and requirements that are cropping up more and more.... Tabletop exercises in some instances can be covered today, depending on the type of insurance that you have. It could be working to get compliant with CCPA, if it applies to your company; it could relate to GDPR compliance."

—Kari Rollins

“I have clients who have pre-breach coverage for [what you might call] cybersecurity health and wellness checks that they need to help them be prepared,” adds Kari. Critically important to preparedness “is knowing what doesn't work.” She cautions against “lofty expectations in an incident response plan that you can’t” practically follow through with.

Assessing Coverage

Summer works with the Argo AI risk team to help assess insurance requirements and providers. She details that their provider sends an extensive “questionnaire asking us a lot of questions about what we have inside of our program, really trying to build the profile for us.”

Importantly, says Summer, Argo’s provider helped her “to understand all of the various types of coverage. What is a tower? How much insurance do I need and what kind of insurance do I need? We have to work together…to determine that."

“What are the crown jewels of the company? What are the things that are the most important? What are the things that I'm concerned about from a threat risk and vulnerability standpoint?”

"I'm also using the insurance company to really look at myself against others in this space so I have this baseline of my capability. And now I can look across the industry, across even my region to say, what should I be looking for in terms of cyber insurance [and] really making sure that I'm not overlooking a certain risk, threat or vulnerability."

—Summer Craze Fowler

This assessment needs to be repeated yearly to accommodate the many changes that can take place concerning the company’s assets and the ever-evolving nature of cybersecurity threats.

What is Your Existing Security Posture and Potential Exposure?

Rollins agrees. The risk assessment is key. And the definition of “crown jewels” can vary greatly. For example, these could be “consumer data…Or perhaps it may be your employee data in HR systems that is at risk of W-2 scams or those that exploit healthcare and insurance through socially engineered phishing and spoofing scams."

The questions do not end there, and it helps to understand just how significant the costs can be:

“What is your company's capability to recover? If your systems were, for example, impacted by encryption malware and there was a ransomware attack that spread and brought down your company's systems, how quickly could they be restored? Do you have a lot of hardware and software that might need to be replaced? What do your backups look like? If they're down for a day or more, what does that loss to your business look like? Is that millions of dollars a day?”

—Kari Rollins

Working toward an understanding of these potential risks requires collaboration among your business teams, your information security teams and your legal teams, and then working with an experienced cyber insurance broker who understands the risks and the costs associated with those exposures, and who can consequently help you assess what coverage is required. Ultimately, understanding “your risk profile is based on the types of data and systems you have [including third-party vendor relationships and] it is really critical to work with an expert and do that with buy-in from your folks,” cautions Kari.

And this is crucial information when developing your application for insurance.

"The application itself is part of your insurance policy. And the representations therein are scrutinized with a fine-tooth comb.

Where it used to be… just folks, either in risk compliance or finance who were filling out these insurance applications, today an insurance application necessarily should be filled out…hand-in-hand with your risk, your compliance, your finance teams – as well as legal – because you want to ensure that the statements that you're making are not overstatements about the security and health and wellness of your network environment, your network systems, and your controls."

—Kari Rollins

Misrepresentation is grounds to deny coverage. And bottom line: cyber insurance in the data breach era is not optional.

There is a great deal more discussed, and it is a conversation well worth a listen. You will find the full discussion here and The Inevitable Series lineup here.