The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.

Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask us to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.

This is Part 5 of an eight-part guide to handling data breaches. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions, management must examine the specific facts facing their company, their organization’s culture, their industry, and business realities. Click for Part 1, Part 2, Part 3, and Part 4.

Part 5: Dealing with Cyber-Insurers.

Situation. After being notified of a security incident, many cyber-insurers understand that it is in their joint interest to help a company quickly investigate an incident, remediate any security vulnerabilities, and comply with legal obligations. That said, depending on a number of factors such as the level of the company’s retention, the scope of the insurance, etc., the interests of the company and of the cyber-insurer may diverge on important issues. For example, if a cyber-insurance policy has a low retention and a low limit, an insurer may be interested in deploying the lowest-cost providers for responding to the incident, as the insurer realizes that it will be required to pay for incident response but will be unlikely to pay for any fallout from the investigation (e.g., lawsuits, fines, government investigations, etc.). Specifically, if the incident does not turn into a catastrophic breach, the insurer stands to pay relatively little for the investigation; if the incident turns into a catastrophic breach, the insurer’s liability is capped at the policy limit. As a result, in some situations we have seen insurers mandate that forensic investigators be used that have relatively little experience, industry credibility, or capacity for fast turnaround, but that have offered the insurer a rate well below industry averages. In other situations insurers may mandate the use of lawyers that receive most, if not all, of their work from insurance companies. In some situations that has led to counsel that either has little experience, no bench, or no incentive to flag issues that might jeopardize their pipeline of work from the insurer (e.g., recommend investigators that are not on-panel, identify areas of the policy that might provide coverage, dispute denials of coverage, etc.).

Strategic considerations: Management typically considers the following factors when determining how to deal with a cyber-insurer:

  1. Don’t Let An Insurer Slow You Down. Most cyber-insurance policies require that the insurer approve breach-related resources before they can be used (e.g., forensic investigator, lawyers, credit monitoring, etc.). Some insurers, however, have taken weeks to formally “approve” a service provider. Management must determine whether it will, or will not, wait for formal approvals before responding to an incident.
  2. Be Confident In Your Vendors. If an insurer pushes their own “on-panel” resources, and is threatening to deny coverage if you use your own resources, consider the following:
    1. What level of confidence do your operational teams have in the resources that are identified by the insurer (e.g., forensic investigator, legal, public relations, etc.)?
    2. Culture Clash. Are the teams that are being proposed by the insurer a good cultural fit with your in-house analogs? Are they going to be able to establish a good working relationship?
    3. If there are likely to be questions concerning coverage (e.g., if certain types of security events are covered and others are not), is the company comfortable with vendors that may have explicit or implicit pressure from the insurer not to find coverage triggers?