Viewpoint: The Vital Role of Claim Professionals After Cyberattacks

By Todd Rowe | May 23, 2025

A victim may have a number of questions during the initial stages of a cyber incident. However, without fail, we hear the same question early in the response to a cyber event: Is this covered by my insurance?

The “big question” comes early and arises because the insured is facing a difficult situation that directly impacts their business in addition to trying to work through what may be unfamiliar coverages of a cyber insurance policy.

Many victims have never faced a cyberattack until this point, let alone worked through insurance coverage for such an attack. Claim professionals play a vital role in informing the insured about available coverages and providing the insurer’s coverage position. And the “big question” about insurance coverage can only be answered by claim professionals who are familiar with both cyber incidents and cyber policies.

To answer the “big question,” claim professionals will need to understand the types of coverage provided by cyber insurance.

In general, insurance policies provide either first-party insurance coverage or third-party liability coverage. First-party insurance policies provide coverage for losses the named insured sustains to their own property. The classic example is a fire insurance policy paying to rebuild an insured’s home after a fire loss. On the other hand, third-party liability insurance policies provide coverage for liability resulting when another person makes a claim against the named insured. Here, the classic example would be a commercial general liability policy providing coverage for bodily injury or property damage allegedly caused by the named insured.

Hybrid Characteristics

Cyber insurance policies are unique to the extent that they typically provide a hybrid of both first-party coverage and third-party liability coverage. The hybrid properties of cyber insurance policies require claim professionals to approach the documentation and management of cyber claims differently from claims under traditional lines of insurance.

The hybrid characteristics arise from the unique risk presented by a cyberattack. A cyberattack may expose an insured to first-party claims related to losses sustained in investigating the attack, restoring systems after the attack, negotiating with the criminals who launched the attack and working with regulators if personal information was exposed during the attack.

Additionally, a cyberattack may expose an insured to liability to the individuals alleging they were harmed in the attack. These claims may trigger coverage under the third-party portion of the cyber insurance policy. Given this scenario, claim professionals should be ready to convey this unique aspect of coverage under a cyber policy.

Forensic Investigations

Claim professionals will need to understand that the forensic investigation of a cyberattack must strike a balance between providing sufficient information to an insurer to meet the terms and conditions of the policy and making sure the insured does not waive privilege over information that may be used against it in subsequent litigation.

During the investigation of the cyberattack, an insured needs a forensic investigator to provide unbiased insight into how the attack occurred and recommend steps to avoid another attack in the future.

The insured’s primary concern at this time may be to get back up and running and restore operations after an attack; the insured may not be thinking about preparing for regulatory review or litigation that may be a consequence of the attack. In answering the “big question,” claim professionals provide another resource to get the insured thinking about the impact of a cyberattack outside the initial days of the attack; that is, claim professionals should be answering the “big question” throughout the claims process.

Regulations

In addition to responding to issues such as encryption of their data or harassment by criminals if they are hesitant to pay a ransom, insureds must closely watch various statutory requirements for proper storage and potential exposure of data.

This is not an easy task to the extent that each state may have its own specific data breach notification laws. For example, New York law may apply if a New York resident’s information is exposed during a cyberattack. An insured that experiences a “breach” under New York law that exposes a New York resident’s personal information may be required to provide regulatory notice to the New York attorney general, New York Department of State and the New York Division of State Police. The stakes are high to the extent that this process may result in the assessment of fines if a regulator finds lapses in security or untimely notice. Claim professionals should have a basic understanding of these data breach notification laws in order to assist insureds with documenting these losses under the first-party coverages of a cyber policy.

After being targeted by criminals and having to work with regulators, cyberattack victims face an increasing threat of data breach class action lawsuits. The individuals notified under various data breach notification laws may join class action lawsuits against cyberattack victims.

While an insured is well advised to provide all information requested by an insurer, claim professionals should understand that plaintiffs in data breach class actions may seek information gathered during the forensic investigation in an effort to establish liability against the insured. Claim professionals serve an important role by answering the “big question” as they remind an insured that the information gathered during the investigation may be used against them.

Beyond the terms and conditions of the cyber policy, while answering the “big question,” claim professionals provide practical guidance such as trying to retain policy limits for notice of impacted individuals, regulatory issues and class action litigation. Consequently, by preparing to answer the “big question,” claim professionals can provide more certainty for an insured by understanding both the first-party and third-party coverages and being able to communicate that understanding to the insured.

Rowe is a member of law firm Constangy, Smith, Brooks & Prophete LLP’s cyber team. He leads the investigation and evaluation of potential data security breaches and provides clients with forensic and/or remediation services. Email: trowe@constangy.com.