CIOReview
December 2022

are considering the purchase of cyber insurance for the first time.

With each successive wave of cyber threats, the insurance industry has responded with new enhancements to its product offerings. These amendments are far from uniform, and some have coverage triggers that are difficult to interpret. The challenge for insurance brokers is to stay abreast of changes in the marketplace. Perhaps more than any other line of coverage, cyber insurance requires a fresh set of eyes before each renewal to ensure that the policy remains fit for purpose.

An inescapable reality associated with managing cyber risk is that decision-making within companies is often divided; the General Counsel may be tasked with drafting a privacy policy, the network may be maintained by the CIO or CTO, and the Risk Manager or Treasurer is responsible for purchasing insurance. This can lead to a situation in which vendors are engaged and incident response plans are developed without an eye toward how the insurance coverage responds. Accordingly, an insurance broker's role should extend beyond mere placement of coverage and encompass helping his or her client devise an overall cyber risk strategy that involves all the relevant business units.

The first step in developing this strategy is to conduct a risk assessment. This entails evaluating a client's controls against the underwriting framework, modeling the financial impact of a security breach and determining the appropriate limits and retentions for that client.
Although insurance brokers are not cybersecurity engineers, they should note where the assessment points to deficiencies in the client's controls, and connect the client with qualified vendors who can implement these controls on the client's network.

The next step is going to market. An insurance broker should stay current with the selection criteria and appetite of each cyber insurer, to find the right "fit" for a client given its industry, revenue, and maturity of its security controls. The broker should also negotiate wording enhancements that are appropriate for the client in question, and not simply accept the carrier's base form "as is." A critical but often overlooked element of this process is conferring with the client around the vendors they would call upon in the event of a security breach. Virtually all insurers have a panel of pre-approved law firms, forensic investigators, threat consultants, and public relations agencies who are experts at what they do and are available at pre-negotiated rates. While this is a key benefit of cyber insurance, businesses often wish to utilize firms with whom they have existing relationships. In such cases, the insurance broker should request that the underwriter add such firms to the policy by endorsement. The time to have this conversation with the carrier is not while the incident is playing out in real-time.

Last but not least, the insurance broker is an advocate for his or her client when a claim arises. Notification of the incident to the carrier is only the first step. An insurance broker should help shepherd the client through the claims process, including securing approval of vendors and scopes of work, assisting the client with responses to information requests, serving as an ombudsman when coverage disputes arise and ensuring timely reimbursement of costs incurred.
In particular, network interruption claims often present complicated issues of loss quantification, and while a forensic accountant may help a business to "prove up the loss," the insurance broker also has a role in crafting the narrative so that the client can make the case for a full recovery.

Just as cyber insurance has started to grow up, it is time for companies to also bring their cybersecurity programs into adulthood. Working with an insurance broker to develop a comprehensive cyber risk response strategy, including appropriate insurance, will allow businesses to mount a mature response in the event of a breach.