Managing Cyber Risk: Three Key Focus Areas for Policyholders

As the trend from last year continues, cyber incidents rank again among the top risks businesses will face in 2024. In addition, the continuing war between Russia and Ukraine has drawn even more attention to cybersecurity. Unlike conventional warfare, cyberwar could have immediate global impacts across all industries within the already strained supply chain with heavy interdependence on electricity and communications.

Insurance companies have increased their scrutiny of cyber policies, concerned with significant losses that may accompany the increased risk of cyber attacks. The war in Ukraine is just one example of how insurers are looking closely at exclusions like the war exclusion to protect their exposure, while cyber threats and vulnerabilities have prompted more analysis by markets providing cyber coverage. As a result, policyholders should be proactive in assessing organizational cyber risk and must be prepared and ready to respond should an incident occur.

Below are three areas of focus that policyholders should consider as part of an incident response plan to minimize the adverse impacts of cyber events:

1. Preparation: Before an event occurs, businesses should ensure they are prepared from IT security and risk management perspectives. First, policyholders should identify significant threats to their organization. Then, once these threats to the organization are identified, it is essential to review whether adequate controls are in place to respond to these threats. Scott Takaoka, Alliant Cyber, Alliant Insurance Services, notes, “A solid foundation for starting this analysis is to evaluate your security controls in the context of a security framework such as the NIST (National Institute of Standards and Technology) Cyber Security Framework or SANS Institute's CIS Controls (formerly called SANS top 20). Either framework defines a taxonomy of cybersecurity controls that should be considered; however, businesses should seek to prioritize those controls that align with their security strategy.”

Businesses should evaluate the strength of their internal controls to respond to cyber threats in tandem with their policy coverage. Methodologies to assess cyber risk should include analysis regarding both the probability and severity of potential cyber threats and vulnerabilities to better inform decision making by insureds, as well as demonstrate stewardship to carriers.

For potential areas of weakness, policyholders should look to quantify the financial impact of cyber threats and evaluate if the current coverage is adequate. This evaluation should include both out-of-pocket expenses (legal fees, professional fees, IT costs, etc.) related to cyber response and recovery and loss of income due to the inability to operate or reputational risks associated with data breaches. Concerning expenses and business interruption, given the inflationary environment of today, it is critical that insureds ensure values used by risk managers are updated. Depending on the complexity of such an analysis, insureds may elect to engage a forensic accountant to assist in this assessment.

Further, as Mr. Takaoka recommends, a comprehensive cyber risk assessment should also provide policyholders’ management with recommended solutions to remedy areas of weakness, including wherever possible, the cost of such improvements and enhancements. With the proper risk analysis, policyholders can be better prepared to make capital expenditure decisions regarding upgrades to technology, as well as discuss how such fortifications can lower the cost of cyber insurance or make coverage possible.

Lastly, businesses should have the appropriate teams on standby should a cyber incident occur. These teams should include IT and finance departments, risk management team, legal counsel and forensic accountants who can assist with the response and recovery during and following a breach.

2. Response: If a cyber incident is identified, it is essential to ensure that the breach is addressed and contained immediately. If the business has adequately prepared for a cyber incident, it will already have its "breach team" (outside counsel, digital forensic investigator) identified and contracted so that when an incident occurs, it can quickly assemble the team and begin the investigation and remediation process. It is equally important to verify that your cyber liability insurance responds to events. Timely notification to your carrier and ensuring that your "breach team" is pre-approved are essential requirements for insureds and lay the foundation for a positive claims experience.

Throughout the response phase, personnel involved should put together a detailed timeline of events, keep a well-documented log of all work performed and document the time spent on each task. This step is critical to the claim recovery process and is frequently missed when responding to a cyber attack.

3. Recovery: After a company responds to, contains and eliminates the breach from company systems, the next step is to bring all compromised systems and devices back up. When the business returns to normal operations, the IT, risk management and finance department teams should evaluate the scope of the breach. In addition, policyholders must understand what geographic locations, systems and revenue streams were impacted and identify any critical data lost or if Personally Identifiable Information (PII) was compromised due to the event.

All expense-related documentation should be collected for the claim preparation process. Additionally, financial documentation will need to be collected and analyzed if there is a loss of business income due to the cyber incident. The level of granularity of data required will depend on the length of the impact period, otherwise referred to as "the period of restoration."

Should a cyber event occur, policyholders should consult with insurance professionals to help identify potential areas of coverage under their cyber policy and assist with claim preparation.