A recent board-level post from Victor Font (https://www.linkedin.com/pulse/premiums-exclusions-governance-blind-spot-victor-m-font-jr–lu3ie/), which I believe was “spot on”, got me thinking about this topic further. (I have a previous post on cyber insurance on this website from 3-4 years ago, written before the SEC’s July 2023 cybersecurity disclosure rules put this in front of the Board of Directors (BOD).)
Cyber insurance integration was a significant part of the coaching-based approach I used over my last decade at Dell Secureworks, where I focused solely on management-level Cyber Incident Response Plans (CIRPs) and Tabletop Exercises (TTXs). I would facilitate a conference call with the client (typically the CISO), their internal insurance manager, general counsel, and their broker(s); on very few occasions the underwriter(s) would attend as well. The goal was for everyone on the call to make sure all the “dots were connected”. Don’t wait until a crisis emerges to figure this out.
Cyber insurance is a significant risk-mitigation tool, but if the policy is handled improperly during a crisis it can lead to denied claims, which in turn exposes your organization to significant financial risk. It does your BOD no good to have a great insurance policy only for you to “fumble” it during Incident Response (IR) execution.
I am neither an insurance broker nor a lawyer; these are simply the questions I ask of every client. Here are a few highlights from almost a DECADE of these cyber insurance integration conference calls:
- Misalignment with the organization’s cyber risks:
  - The one mentioned most of late is the application you give your customers for their phones. You didn’t develop it, but you put your name/brand on it. What is your exposure if it becomes a threat vector? Most clients with a customer app agree to discuss Technology Errors & Omissions (Tech E&O) coverage after my call. Many don’t list it as a cyber risk in their 10-K.
- Misalignment with the InfoSec effort:
  - I have had a handful of clients who discovered ON THIS CALL, from their insurance broker, that their upcoming cyber insurance renewal was predicated on their installing new technology (e.g. MFA, EDR).
- Misalignment with the Incident Response (IR) effort:
  - Make sure your internal insurance manager/risk management/CFO person knows they are “on the hook” for managing the insurance component during an incident (division of labor). This task may extend beyond the cyber policy to other coverage (eCrime, bond, Tech E&O, etc.). This should be clearly documented in your CIRP.
  - Do you approve of the IR-related vendors provided/allowed by the policy (the carrier’s panel)? Are there any “other” vendors that will be invoicing you after an incident, possibly at 7×24 rates?
  - Outside counsel may not be covered by the policy (privacy, industry/company expertise, the other “IR”: Investor Relations). AXA offers an endorsement for SEC (i.e. materiality) support.
  - Third-party IT support that you will rely on during a crisis. You will need to pay their invoice, and if they are working 7×24 it will not be cheap. Insurance is primarily a financial risk mitigant. Make sure you understand the full scope of this exposure.
  - Who will speak Japanese, in Japan, to the Japanese regulator/media, when you are most likely asleep, with the authority of the company? Many clients expect their cyber insurance to cover this (e.g. legal, PR). Make sure to talk this through, especially if you already have established working relationships in country.
  - I developed containment plans for many of my clients. These were developed to be BOTH proactive and reactive (“Chasing Electrons”). For these clients, it was imperative that they had a “Voluntary Shut Down” endorsement within their policy.
- Other topics (I don’t want to give everything away, i.e. sales tension):
  - Notifications: calling the 800 number may not be enough.
  - Expense management: record keeping, invoices, etc.
  - Payments: Bitcoin, reimbursement policy, OFAC restrictions, etc. Failure to obtain approvals is the leading cause of non-reimbursement.
  - Betterment, bricking, etc.
  - Litigation: recent attorney-client privilege (ACP) developments and their application to IR, Common Interest Agreement / Joint Defense Agreement (JDA), vicarious liability, etc.
- Tabletop Exercise (TTX) with your carrier(s): make sure you’ve TTX-ed your team beforehand. Your performance may impact your premiums.
- Decision making: when you are an expense to the carrier(s), who are worried about their bottom line, remember the Sting lyric “when you find your servant is your master”. A common TTX epiphany.
- CIRP documentation = documented due diligence. If you can “think” it, you can write it. Time to raise the bar.
- Zywave offers a free newsletter, “Cyber Digest – Front Page News”, which covers cyber insurance. It gives CISOs a more quantitative/financial perspective. I strongly recommend it for your situational awareness; it may also help when you speak to your BOD. I’ve used it repeatedly with my BOD clients.
Feel free to reach out if I can be of any assistance.