Why Data Breach Response Experience Matters - The Cost of Botching a Cyber Insurance Claim
August 31, 2015 | By Mindy Pollack
Selecting a breach response and cyber liability insurer may be the most critical decision you make when building a Cyber Insurance product. A botched breach response is costly in many ways: customers are angry about late notifications, your insured incurs additional costs and potential regulatory investigations, and insurers take a hit to their reputation. A botched response compounds all the stress of the data breach.
If a quality breach response is so important, why do many carriers fail to dig into the expertise and track record of providers that will be helping their insureds? We sometimes hear “They are good enough” or “They all seem the same to me.” But are they the same?
Breach response firms are not all created equal. If you have a serious medical problem, do you want a first-year GP or a seasoned specialist? There is a cost to relying on a provider without prior experience in handling the particular size and type of breach. It is worth the due diligence to find the right one.
Look at what happened to one small business where the initial breach response firm botched the work. An experienced breach response and cyber liability insurer was called in to correct the errors made by the original vendor. How do you think the business viewed the firm that let them down, and the insurer that solved the problem?
The Case of the Undetected Malware
The botch: A business discovered that an employee’s computer was infected with malware. After unsuccessful attempts to fix the problem, the business reported the potential breach of personal information and a forensics firm was sent in. After weeks of work and thousands of dollars in bills, the forensics firm did not find the malware source. As a result, the business could not confirm the breach or identify which customers were affected. With the clock running under the state breach statute, the business could not prepare notifications and faced regulatory inquiries.
The fix: The business knew it needed more expert assistance and turned to an experienced breach response and cyber liability insurer. The insurer maintained a panel of top-notch forensics firms and arranged for one to analyze the computer. The new forensics firm found the lost personal information and affected customers. A panel law firm prepared the proper notifications. The breach was fully handled by the insurer within the monetary limits of the policy and the time limits in the statute.
This business learned the hard way that breach response services are not all the same. How can you determine if a Cyber insurer or vendor has the skills to fix and not botch your breach?
Asking the right questions is a good place to start. How many breaches has the provider handled, and what breach causes has it investigated? What firms are on its expert panels? Has it guided businesses through state attorney general inquiries? Has it negotiated competitive rates so your limits can go further for your insureds?
Gen Re asked these same questions when building a turnkey breach response and cyber liability insurance product, and chose to embed Beazley's breach response product, based on its answers. In fact, Beazley is the breach response insurer that found and resolved the undetected malware problem featured here. That is not surprising, since they were voted the top breach response service provider by their peers.
The bottom line is that insurers do not want a vendor that will need to learn on the job - especially when that job is a breach of one of their own policyholders' data. Experience matters. We can tell you more about the experience behind our product. Just give us a call.