Highest Rated Comments


CyberClaimsGuy (116 karma)

Not in my experience, no. Ransomware attacks are a crime. That would be like punishing a person for getting robbed. Yeah, maybe you shouldn’t have been walking in a place known for robberies with five Rolexes on your wrists; but ultimately it isn’t your fault that you were targeted for a crime.

Cyber insurance policies do typically have a subrogation provision that allows the insurer to recoup costs against liable third-parties. This is typically seen when our policyholders have a third-party service provider that may have been negligent and/or a preventable issue with software or hardware that was the proximate cause of the loss.

CyberClaimsGuy (64 karma)

I hope you never have to report a claim too! Generally, if I am talking to someone they’re having a bad day; or about to discover they’re having a bad day. But I do like this genre of insurance because I feel like I can make a difference in that “bad day” from minute 0. You don’t really have that ability in other lines of commercial insurance as they’re longer tail claims and exposures.

The first thing to make sure you do is report an incident (actual or suspected!) to your insurance carrier IMMEDIATELY. We work with a ton of great brokers and some of them want to be notified first, but at the very least notify the insurance carrier at the same time you notify your broker. Time is of the essence and minutes matter when getting assistance with your incident. I’ve had Insureds who had a known business email compromise but didn’t change passwords until they called me. If there was a long delay between talking to me that can lead to additional loss or damages.

The following is how we handle claim calls where I work, so I won’t speak to other market participants, but we do take a more hands-on approach with claims handling.

You would contact us via our 24/7 claims hotline, claims email or chat function on our website and that goes direct to the claims team. Our average response time is under five minutes. So you’ll ideally be speaking with a claims attorney or claims manager instantaneously. We will triage your call to understand what is occurring and provide some immediate assistance in regards to stopping the damage from the ransomware event. Things like disconnecting impacted servers from the internet or shutting down your network while we determine what type of access was made and which parts are encrypted.

We’ll also get information regarding size of network, number of employees, type of work you do, and type of data you hold. During that call we’ll be reaching out to our preferred panel vendors for privacy counsel/breach coaches and incident response. Once those conflicts checks are clear we will set-up a “scoping call” with counsel and forensics to get additional information. It is key to have someone with knowledge of your network on this call! Typically we set this up in the next 30 minutes to an hour. Again, time is of the essence!

It is important to have legal counsel on this call as we want to preserve privilege of any investigation that is undertaken as well as to advise the Insured on any data privacy or other regulatory/compliance issues. Forensics will ask technical questions so that they can prepare a Statement of Work for the investigation and analysis of the incident.

During this call we will also evaluate the type of access, encryption, and data involved - if possible. We’ll need to determine if we need to engage a service provider to engage the Threat Actor in negotiations for purposes of getting data back.

After the call counsel will be engaged by the Insured. Counsel does not have a contractual relationship with the insurance carrier! It is solely between the Insured and counsel.

Once the forensic statement of work is approved by the carrier, counsel, and the Insured; forensics will have a “kick-off” call to get their collection tools in place and typically an EDR solution to monitor the network for persistence of the Threat Actor access.

Then we’re off to the races: kicking the TA out of the network, remediating and restoring the network to how it was before the event, and potentially negotiating a ransom payment if needed as a last resort.

After the network is clean and up to date, then we’ll have the Insured fill out a Proof of Loss to determine if they’ve incurred any business interruption losses or extra expense (costs to defray a BI loss).

CyberClaimsGuy (36 karma)

HAHA. Good catch. Leaving for posterity because what is an AMA without a crass typo.

CyberClaimsGuy (32 karma)

This guy/gal cyber insurances. Well said.

CyberClaimsGuy (30 karma)

I really appreciate this question because I have spent a lot of time with sysadmins who have told me privately - or publicly on scoping calls! - that they wanted to harden their network but were told that there was no budget or business need for it. There are a couple of things that I say to prospective policyholders:

  1. Do you work with computers? The answer is almost always yes. Okay, what would you do tomorrow if your entire network was done and you could not access any files on your servers. Does your current insurance policy cover the incident response: provision of third-party vendors - legal counsel, forensics, ransom negotiators, restoration specialists?

General business policies might have some limited protection but from what I’ve seen it is sometimes as low as $5,000 to as much as $100,000. Which with a systemic incident is not enough.

  2. Does your policy pay for ransomware? A lot of policies are excluding this for coverage. A lot of CGL policies exclude loss of data/digital assets. If your business was ransomed and you had no ability to recover your data, could you still function? Could you provide payment in three days for $100k to get your data back? What about $500k? What about $1.5M?

The answer is often no. I’ve had claims with very, VERY, large companies that were unable to provide payments on such a short time frame. This is also why it is REALLY important that your insurance policy have PAY ON BEHALF coverage. Not reimbursement/indemnity for cyber extortion/ransomware. The carriers should pay the ransom - if necessary - not force the insured to do so.

The other thing is that everyone is at risk for a cyber incident. It is generally not something that is targeted. You have open holes in your network or a zero day exploit and you win a bad luck lottery and BOOM, you’re compromised and ransomed.

At the end of the day, people ultimately have the choice to purchase cyber insurance to protect themselves when they get hit with an incident. Or they purchase it after they’ve been hit with an incident. Just hope that the latter doesn’t utterly destroy your company.