You may have recognised how prevalent and potentially expensive being on the receiving end of a hacker can be, and protected your business with a cyber insurance policy ... but are you prepared for an event if it happens to you?
We've been hacked!
As a business owner, this sobering statement raises a multitude of worries. How extensive is the hack? How long will our system be down? How will this affect our revenue? Will our customers lose confidence in our abilities? Can we absorb this loss?
As an astute businessperson, you have taken the prudent step of obtaining cyber insurance.
Have a plan
One of the major mistakes a policyholder can make is not preparing a plan ahead of a cyber event.
A cyber event is no different than any other emergency, like a fire. Although everyone knows to call the emergency services to respond to a fire, most don’t know how to respond to a cyber event. However, what you do and how you respond in the hours after discovery of a breach may determine how well you mitigate the exposure and possibly how well you’re covered by your insurance.
Insurance policies are essentially contracts, and they contain very specific provisions about what you must do and what will be paid for. Quite often, policyholders with no understanding of the policy will bypass the insurer and seek external legal or technical support as their first line of defence.
While this may be a seemingly logical response, you may inadvertently be stuck with thousands or even hundreds of thousands of pounds’ worth of bills that your insurer will not cover, and does not have a legal responsibility to pay for.
Some policies require that you use specific law firms or technical support suppliers, and most policies require that you obtain the insurer's consent before instructing third parties. If you don't, you may be left with a mountain of bills to pay out of pocket. Don't assume that your insurer will accept that the situation was so urgent you didn't have time to consult them: they most likely won't.
Building your response
You do not need to have an extensive understanding of cyber to construct an effective response plan and communicate it to key people within your company.
Your first call should be to your insurer. Most insurance companies will have a 24/7 breach response hotline number on the policy itself. It will either put you in touch with a live agent or give you an opportunity to leave a message, after which a specialist will respond to your call, usually within hours.
Your insurer will begin by assessing the situation. They may refer you to a breach coach or a specialised supplier, depending on the nature of the event. Importantly, you’ll know that any recommended suppliers are authorised by the insurer — so there won’t be any unpleasant coverage surprises.
What is a breach coach?
Many insurers will partner with law firms who can provide services specifically tailored to a cyber event. They are highly trained to provide specialised guidance, to assist you in working with forensic suppliers and to construct a response that will best protect your interests.
They can also make sure you are compliant with any notification requirements under the law, such as informing the financial and data protection regulators. This is more complicated than most people expect – there are very specific requirements regarding the information you must provide and the timescales for doing so, and getting it wrong can have serious consequences. In this respect, ensuring you have a policy that includes professional advice and/or a breach coach is essential.
“Another important aspect of cybersecurity attacks is the potential for data protection breaches to occur within the same event. Business owners are reminded that, pursuant to Article 33 of the General Data Protection Regulation, when they act as a Data Controller they are required to notify the relevant data protection authority not later than 72 hours after becoming aware of it. Clearly, time is of the essence when responding to cyber security breaches and having a robust cyber security response is vital.” Grant Scott, Head of Compliance, NFP UKI
If your insurer has an approved panel of breach firms, it is a good idea to pre-select one and have that number handy. A call to them can be just as effective as a call to the insurer’s breach hotline. Be aware that while the approved breach coach’s advice and actions are sanctioned by the insurer, many insurers do not consider a call to a breach coach to be a report of the claim. So, you will still have an obligation to notify the insurer of the claim at some point to fulfil the conditions of your policy.
How NFP can help you with cyber insurance
We’re committed to working with you to minimise and mitigate your risk. Our cyber security professionals stay ahead of the latest trends and threats, and our network of diverse risk professionals ensures that we provide holistic, forward-thinking solutions. We will work alongside you to assess your situation and apply the types and levels of coverage necessary to keep you covered and working. Through our relationships with key market players, we have the access necessary to find the precise products to fit your operation.
We offer coverages to help better protect your organisation from cybercrime, data breaches, reputation damage and more, including:
- Cyber incident response costs
- Cyber liability
- Media liability
- Network security and privacy liability
- System damage and business interruption
- Technology errors and omissions
- Unauthorised access
- Website defacement