Data breaches have become a common occurrence in our society. From the recent Ashley Madison hack to the breaches at Target and Home Depot last year, it seems like no one is safe. Not all data breaches involve large, well-known businesses, but the reputational damage is severe regardless of the company's size. Cyber insurance can be purchased to manage the risks that come with a data breach, but there are also concrete steps a business can take to minimize the damage after a breach.
1. Assess the risk
Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.
2. Avoid these mistakes:
- Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
- Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
- Passing the buck rather than developing a comprehensive coordinated response.
- Defensive reaction to regulators rather than an open and frank dialogue.
- Failure to notify any and all potentially applicable insurance carriers in a timely manner.
3. Working effectively with your breach team
The time to pull together a team to address a breach is before it happens, not after. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader.
4. Experience matters
Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:
- Identify the applicable insurance policies.
- Provide the insured with the required insurance notice requirements.
- Detail any specific insurance policy requirements (e.g., third-party forensic experts must be selected from the insurance company's panel in order to be covered by the policy).
- Arrange a call between the insurance broker's legal and cyber incident claims specialists and the insured.
- Determine whether, and in what manner, notice is required to insurers.
- Describe past cyber incident best practices that reduce the total cost of risk.
- Maintain consistent and timely communications between the insured and the insurers.
5. Practice makes perfect
Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role-play some of the critical elements of the plan.
Waiting until after a cyber breach occurs is too late to begin managing its effects, and doing so can have dire consequences for a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a road map for successfully managing the breach.