This post is the sixth in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk Investigations. The 30-minute interview was conducted by Legal Week’s Dominic Carman.
In this segment, Andrew and Jason discuss the role of insurance in managing cyber risk. The issue that general counsel face on behalf of their companies, says Andrew, is making sure that the insurance they buy is relevant and covers the aspects of risk that need to be transferred. Too often, companies invest in inappropriate or overly expensive broad-scope cyber insurance when, in fact, what is actually needed is something far more targeted.
GCs need to understand the specific risks that they are looking to transfer through cyber insurance and focus on a policy that will provide that level of coverage. That might include provisions for forensic investigative support in the event of an incident, recovery of data and restoration of the business, or replacement hardware when systems have been encrypted and no decryption keys are available, among others.
Jason adds that GCs overseeing information security should take a step back and ask themselves, “Why do I need an information security program?” If you don't understand why you need it, you can't appropriately manage the risks that the company is facing. For example, if you are a trucking company that collects no outside data, has no regulatory requirements and still does everything on paper, why would you need a broad-based information security program?
These basic questions need to be asked, but many companies skip them and simply go out and buy cyber insurance. Jason advocates going back much further and asking, "Why do I need any of this?" Start from the 60,000-foot view, and then work your way down to your company’s precise needs.
Read the full Q&A transcript
Andrew: Cyber insurance at a corporate level is just one aspect or lever that an enterprise can use to treat the risk. In the same way that they treat any other risk effectively, for any risk an enterprise has three choices. They can accept the risk; they can mitigate the risk; or they can transfer the risk. And whether it be the risk of fire or the risk of a cyber breach, insurance has a role to play in the latter. The issue that GCs face on behalf of their companies is making sure that the insurance they buy is relevant and covers the aspects of risk that need to be transferred. Too often we see inappropriate broad-scope cyber insurance with relatively high premiums being looked at or taken by our clients, when in fact what they actually need is something far more specific for a specific risk.
Dominic: Because these general policies have lots of caveats and exemptions.
Andrew: They have caveats and exemptions. I looked at one for a client several months ago, and with the exceptions that were in the policy, as far as I could work out, they were covered for a replacement email server if it caught fire during an attack. And as far as I could work out, they were covered for that risk under their general insurance and their fire insurance already, so why buy a third premium?
GCs, and indeed the insurance teams in bigger organizations, need to understand the specific risks that they're looking to transfer through taking out cyber insurance and seek a targeted policy that will apply and provide that level of coverage. That might be the provision of forensic investigative support in the event of an incident. It might be for the recovery of data, the restoration of business. It might be for replacement hardware if it's encrypted and no decryption keys are available. But look at the specific risk that you're trying to address and transfer rather than accepting a very broad-brush and generic cyber insurance policy.
Dominic: Is there anything you would add, Jason?
Jason: I think that a GC overseeing information security should really take a step back and ask themselves a big question, like “Why do I need an information security program?” Many times, when I ask that question, you'll hear crickets in the room afterwards because people naturally think, "Well, we must have one." But the question is why do you have one? Because if you don't understand why you need it, you can't appropriately manage the risks that the company is facing. It's as if you are a trucking company that collects no information outside, that has no regulatory requirements and you're still doing everything via paper. Do you need a broad-based information security program if you're doing a few hundred million dollars a year but you're not collecting data?
Maybe, but likely you'll need something much more scaled back. So, it's asking these basic questions, which many folks don't do. They just go out and buy the sexy things that are being talked about in the paper right now. So, they just go out and buy cyber insurance. It's much broader than that. I always like to take people back much further and say, "Why do you need any of this?" Okay, and then start from there, the 60,000-foot view, and then start working your way down.
A good example of that is we had a client who had a cyber insurance policy. They were subjected to a ransomware attack, which locked up about 600 servers that they had. We did an investigation. We helped to clean up their network and remediate them appropriately. And when they submitted their claim, they submitted a claim for the investigation, a variety of applications that were used to remediate, and then they also needed to purchase some new equipment. And the new equipment, just so happens, was not covered as part of the cyber liability policy because there was some exclusion in there.