Navigating the Cyber Insurance Claims Process

Cyber incidents—including data breaches, business interruptions, ransomware attacks and social engineering scams—have become increasingly prevalent over the past decade, impacting organizations of all sizes and industries. Global cyber economy researcher and publisher Cybersecurity Ventures projected that the cost of cybercrime could surge to $10.5 trillion by the end of 2025—more than tripling from $3 trillion in 2015. To offer perspective, if cybercrime were a country, it would rank as having the third largest national GDP, trailing behind the U.S. and China.

When a cyber incident strikes, it’s important for organizations to know how to navigate the claims process and understand what their insurance may cover, in order to ensure a timely and cost-effective recovery and minimize related damage. Although no two claims are the same and specific response measures may vary based on the nature of an incident and its associated losses, this article outlines four general steps for organizations to take amid the cyber insurance claims process.

Step #1: Notify important parties.
As soon as an organization identifies a potential cyber incident, whether it’s via threat detection software or an employee report, it should carefully assess the situation to determine the validity of the incident. Upon validation, the organization should swiftly execute its cyber incident response plan by contacting necessary parties to kickstart the investigation and insurance claims process.

Failure to notify the insurer in a timely manner can expose the organization to possible complications in the claims process or even a denial of coverage. The organization should be prepared to provide in-depth information and resources regarding the overall scope and severity of the cyber incident. Key information and resources may include a current narrative of events, documented proof of the incident and a calculation of associated losses. Because such information and resources can change as the incident develops, the organization should continue collecting details in real time and update necessary parties as needed.

Step #2: Coordinate with vendors.
After the organization notifies the necessary parties about the cyber incident, it should coordinate with various vendors to help remediate the situation and minimize related damage. Depending on the organization’s cyber insurance policy and particular preferences, it may select these vendors independently (as outlined in its cyber incident response plan) or obtain referrals from the insurer and broker. Therefore, the organization should be sure to communicate with the insurer and broker before moving forward with any vendors. In some cases, insurers may even require policyholders to receive explicit consent regarding vendor selections to prevent possible coverage exclusions from being implicated. This is because some insurers have pre-negotiated rates with certain vendors, which can help minimize the costs incurred during claims.

There are multiple vendors for the organization to consider, each playing a different role in handling the incident. Key vendors include the following:

• Legal counsel—An attorney who specializes in data privacy and cybersecurity, also called a breach coach, can assist an organization in determining applicable data compliance standards for recording and reporting the loss or exposure of sensitive information. This attorney may also help the organization coordinate with other vendors and set up any necessary services (e.g., credit monitoring applications and call centers) for stakeholders or other individuals affected by the cyber incident.
  
  
• Forensic investigators—In addition to working with local authorities, the organization can consult forensic investigators to examine the cyber incident further, identify the perpetrators and assist with data recovery. These investigators can also help the organization prepare and uphold the integrity of any digital evidence associated with the incident.
  
  
• System recovery professionals—While forensic investigators can help the organization recuperate data impacted by the cyber incident, system recovery professionals can support the organization’s IT department as it works to restore any compromised networks, servers and technology. In turn, these professionals can ensure the organization resumes normal operations as quickly as possible, therefore reducing downtime and limiting lost income.
  
  
• Crisis communication experts—The organization can utilize crisis communication experts to adopt a plan for handling any public relations concerns related to the cyber incident to deliver appropriate post-incident communications to regulators, affected parties and the public.

Step #3: Mitigate the incident and document associated expenses.
Upon coordinating with its selected vendors to fully mitigate the cyber incident, the organization should work closely with its broker and the insurer’s key representatives, namely the claims adjuster, to calculate the total expenses incurred amid the event and determine the applicability of coverage. This entails keeping detailed records of all associated damage and restoration costs. Here are some important expense-related records for the organization to hold on to: 

• Vendor invoices and statements of work (SOW)—The organization should ask every vendor they coordinate with to provide detailed invoices and SOWs that summarize the work being performed, highlight daily progress on this work and break down each component of the final bill. Further, the organization should clearly distinguish which aspects of every bill pertain to restoration costs versus improvement expenses. This is a crucial step, as most cyber insurers will only cover the cost of restoring systems and operations to their status prior to a cyber incident, rather than enhancing these elements beyond their original state. Any improvement beyond that condition is known as “betterment,” and coverage for those expenses is severely restricted.
  
  
• IT receipts—In addition to keeping vendor invoices and SOWs, the organization should maintain any documentation of IT purchases made throughout the recovery process. This may include the cost of repairing damaged systems or replacing hardware that couldn’t be recovered with comparable solutions. Receipts should be separated based on the nature of each purchase; those related to system restoration will likely receive coverage, whereas those associated with upgrades to the IT landscape (e.g., enhanced security software) may not.
  
  
• Business interruption calculations—Depending on the specific details and severity of the cyber incident, the organization may incur minor or major business interruption expenses throughout the recovery process, especially relating to lost income. The lost income is typically captured in a document known as a “proof of loss.” The quantification of lost income is best performed by a forensic accountant, and many policies provide a small sublimit of coverage for the insured to retain the services of such a professional in assembling the proof of loss. Because most organizations affected by cyber incidents are usually able to reinstate their key operations within a matter of days, cyber insurers often heavily scrutinize business interruption calculations and related expenses. In many cases, cyber insurers will engage their own forensic accountants to review these expenses further.
  
  
• Other recorded expenses—The organization should record all remaining expenses incurred amid the cyber incident, such as temporarily elevated production and labor costs that helped make up for downtime. In the event that the incident prompted a lawsuit or attention from regulators, any additional legal fees (e.g., defense costs) and penalties should also be documented.

Altogether, keeping detailed documentation of all expenses related to the cyber incident can help the organization promote a more seamless claims process and confirm that the insurer’s representatives have the necessary resources to provide an accurate payout.

Step #4: Resolve the claim and determine key takeaways.
Finally, the organization should provide any additional information that the insurer requests to help resolve the claim as quickly as possible. Upon receiving the final payout, the organization should review the cyber incident as a whole and identify key takeaways. This typically involves conducting a post-incident analysis. Such an analysis should focus on where the cyber incident originated; how it was detected; how effective the incident response plan was in handling this event; and the different technical, operational and financial impacts of the incident. Depending on the cyber incident’s origin and associated losses, it may also be worthwhile to evaluate whether any organizational failures or shortcomings played a role in the event.

The results of the post-incident analysis will guide the organization’s identification of cybersecurity weaknesses and its effort to fill possible gaps with bolstered defenses. Doing so is critical to help prevent future cyber incidents and minimize related expenses. Necessary adjustments may include modifying the cyber incident response plan, updating or introducing new software, and implementing stricter security policies. Documenting these remedial measures will be essential during the insurance renewal process, as the organization should work closely with its broker to reassure the underwriters that its security and privacy controls have evolved. Based on the outcome of the claim, the organization may also wish to consult its broker to determine whether any adjustments to the policy (such as higher limits or broader coverage) are necessary to ensure ample protection for cyber incidents going forward.

Conclusion
By having a deeper understanding of the cyber insurance claims process, organizations can navigate potential incidents with ease and keep related losses under control. Contact us today for more risk management guidance and insurance solutions.