Cyberattacks or data breaches can be devastating because they can affect all locations, departments and functions of a business, resulting in significant losses across the organization. Though cyber insurance helps organizations recover financially from a cyberattack, they must be prudent and organized in order to recover the maximum they are entitled to under their policies. Incorporating insurance claim considerations into your response and recovery plan following a cyberattack or data breach will streamline the insurance claim process, ensure all costs are being identified and tracked, and reduce disputes during the claim adjustment process.
If your organization suffers a loss from a cyberattack or data breach, you should report the event to your cyber insurance carrier as soon as possible to preserve your organization’s rights under its cyber insurance policy. One of the primary reasons immediate reporting is critical, ideally before engaging any vendors or incurring any costs, is to avoid any pre-tender issues, where the insurer denies coverage for expenses incurred prior to the date the claim was reported.
Once the cyber event has been reported and expenses have been incurred, cyber insurers typically require their policyholders to submit a written proof of loss. The specific proof of loss requirements vary based on each insurer’s policy language, but generally insurers want the proof of loss to contain the following:
Many insurers require the proof of loss to be submitted within a certain number of days, such as 90 days. However, insurers will typically consent to an extension of time for you to submit your proof of loss, particularly if your organization continues to incur expenses because of the cyber event.
If you suffer business income or extra expense losses from the cyber event, you should carefully review your cyber insurance policy to determine which types of expenses are covered as “business income loss” or “extra expenses.” “Business income loss” is typically defined in terms of lost income, but what counts as income can vary widely between insurers, so check the policy’s definition rather than assuming.
Policies can also vary in terms of:
Insurers will often engage their own experts, including IT consultants and forensic accountants, to review an organization’s proof of loss, business income losses and other losses. Engaging your own forensic accountant to help calculate the business income losses and extra expenses resulting from the cyberattack or data breach is therefore critical. A forensic accountant who represents your interests, not the insurer’s, will help identify, quantify and maximize your organization’s business income losses and extra expenses based on the terms and conditions of the cyber policy, and will advocate on your behalf in discussions with the insurer’s forensic accountant. Most policies cover the forensic accounting expenses you incur.
In the initial hours and days following a cyber event, there is often confusion: you are trying to identify the affected systems and the resulting operational impacts while keeping the business running despite them. Consultants are often engaged quickly to help you recover, and employees and external consultants work frantically to identify security vulnerabilities, restore systems and minimize operational disruption.
In those initial hours, days and weeks, the focus is primarily on recovering from the cyber event, not on the insurance claim process that will follow in the coming months. However, to prepare the proof of loss, calculate business income losses and capture every expense incurred because of the event, we recommend implementing a system that documents the recovery efforts in real time and records costs as they are incurred. This record will be critical when the insurer and its forensic accountant review your claim submission.
We recommend taking detailed notes on events as they are occurring, such as:
We find that capturing this information in real time greatly assists in preparing a comprehensive and detailed narrative for your insurers to support the losses claimed. A complete, in-depth narrative provides context and background for the losses being claimed, which streamlines the claim review process and reduces pushback from insurers.
Immediately following a cyber event, your organization will likely engage multiple third-party vendors to assist in the response and recovery process. These firms cover a wide range of activities, including public relations and crisis management, legal counsel and breach management, forensics and investigation, and data and system restoration.
Many organizations’ first inclination is to engage vendors they have preexisting relationships with. However, be aware that some cyber insurance policies include vendor panel clauses requiring the use of vendors from a preapproved panel. Using non-panel vendors can result in denied reimbursement, or in partial reimbursement capped at the panel-approved hourly rates. Other cyber policies are more lenient about non-panel vendors but offer incentives for engaging preapproved vendors, such as higher limits or lower retentions.
In addition to considering panel requirements, your team should work closely with response and recovery vendors to ensure they are providing sufficient scope of work and invoice detail to support an expedited review and payment process by your cyber insurer. This can be achieved by providing:
IT expenses, including hardware or software purchases and IT consultant costs, are often among the largest expenses following a cyber event. The event frequently exposes weaknesses in an organization’s IT systems and security, and organizations often strengthen their systems as part of the response and recovery effort.
During the claim process, insurers will want to confirm that the claimed IT costs cover only restoring IT systems to the standard that existed before the cyber event, and not upgrades, enhancements or strengthening of IT systems and security. Difficulties and delays often arise during claim review when IT vendor costs mix restoration and upgrade expenses.
If you are engaging IT vendors for a mix of restoration and system improvement services, it is prudent to execute separate statements of work (SOWs) for the restoration/recovery work and the upgrade/improvement work, so that the two categories of cost are clearly segregated for the insurance claim.
Further, when compiling IT expense details, it is useful to separate replacements of damaged or corrupted items that cannot be restored from purchases of interim hardware intended to minimize operational disruption.
Depending on your industry and the type of event suffered, your organization may sustain a business income loss from a cyber event. Businesses typically prioritize reinstating key systems as quickly as possible to minimize operational and production disruption, and as a result are usually able to return to at least partial capacity within a few days. Because the impact period for key systems is short and it is difficult to tie sales losses directly to the cyber event, we typically find that business income losses included in cyber insurance claims are highly scrutinized.
The two areas most scrutinized by insurers and their forensic accountants are:
Providing a comprehensive written narrative, supplemented by conversations between your organization’s operations and sales teams and the insurer’s representatives, often helps give context to the sales losses resulting from the event. Examples of items to document and address in this discussion include:
The financial impact of cyber events often spreads well beyond vendor-related expenses and business interruption. Examples of such losses include:
Of the items listed above, internal labor costs cause the most confusion and frustration in cyber claims. In many cases, organizations rely heavily or exclusively on internal staff, usually salaried IT employees, for system restoration and recovery. Unfortunately, most policies cover only incremental payroll costs above and beyond normal payroll; because a salaried employee’s regular time would have been paid regardless of the event, it is generally not an incremental cost and is not reimbursable.
For example, incremental overtime costs for hourly IT resources are generally covered. However, one-time bonuses or other discretionary compensation paid to reward internal employees for working abnormally long hours are usually excluded from reimbursement. Given these coverage limits, you should weigh the costs and benefits of using internal labor versus third-party IT consulting firms for recovery work.
You should also ensure that a process is in place to track all incremental costs incurred to mitigate or reduce operational disruption. Examples include costs incurred to make up lost production, extra costs to accelerate recovery (such as purchasing new computers instead of reimaging infected ones), expedited freight costs, and any other cost that reduces business income or other losses.
Unfortunately, the question today is not whether a cyberattack or data breach will occur, but how quickly and efficiently you can recover from one. Understanding the insurance process before you file a claim or experience an event can help you limit the financial and operational impact of such attacks.