When should you report a cyber incident?
July 18, 2022
So you’ve had a cyber incident. Maybe you’ve found a vulnerability in your server. Or your login credentials were stolen. Or there’s malware lurking in your system. Either way, your security is compromised and you don’t know just how bad things are. How do you respond? And do you have to tell your insurance company about it? What if they raise your insurance rates?
Most clients have a fender-bender mentality when it comes to insurance claims; they don’t want to report seemingly small incidents because they’re afraid their premiums will spike. So they’ll either ignore the problem or try to fix things internally without saying anything to their insurer.
But the more you delay, the bigger a potential breach could get; a minor software bug or security flaw could easily turn into a major data leak. And if you take too long to notify your insurance company, your coverage might not apply, leaving you exposed to costly remediation expenses.
When is the timing “just right?” How do you make sure you don’t lose twice, first by experiencing a privacy breach, and then again by losing your insurance coverage? Here are three common claims scenarios you should avoid—and the best practices for reporting a cyber incident.
Common Claims Scenarios You Should Avoid:
Scenario #1: The “Fender Bender”
Network security issues are tricky to gauge. Even if your IT team can patch things in-house, there’s always a possibility a threat actor could become aware of the vulnerability and exploit it before you’re finished. And once they’re in, they could encrypt or threaten to release your data unless you pay a ransom.
In many cases, companies pay attackers to get back up and running quickly, expecting their insurance company to foot the bill and reimburse them. But if you wait until everything is said and done to file a claim, your insurance may not respond at all.
Why? Many cyber insurers don’t cover extortion payments anyway; they would rather negotiate with hackers because they know that acquiescing to ransom demands generally encourages repeat attacks. Plus, most Cyber Insurance policies have specific clauses that require you to notify your insurance company as soon as you’re aware of a situation that MAY give rise to a cyber incident. So if you don’t tell them about the initial vulnerability that led to the breach, the chances of your policy kicking in drop considerably.
Scenario #2: The Hold-Up
What if you’re not trying to hide the incident from your insurance company at all? What if you just want to have a little more information before you reach out so you can paint a fuller picture of the situation? Maybe you’ve already engaged a data forensics team to find out where the vulnerability occurred, what systems were bypassed, and if any files were exposed.
But not every case is the same. Some events only take days to assess, while others can take months. Keep in mind though: once you report a cyber incident, insurance companies still have to conduct their own loss assessment procedures to verify the damage and determine an appropriate claims payout. And depending on the size of your claim, investigations could take anywhere from a few weeks to a few months, severely delaying payment.
Here’s an example: following a security lapse, your data forensics team takes about 3 months to assess the situation. You then notify your insurance company, who takes another 3 months to get up to speed. That means you’ll be waiting on a claims payout for at least 6 months. If you had to shut down for investigations and/or repairs, could your business comfortably survive for that long? Long settlements might be particularly hard on smaller firms and victims of severe breaches who may need immediate financial relief after a major loss.
Additionally, depending on the forensics team you use, your expenses might not be fully covered; your policy may only reimburse services that are handled by neutral, insurer-approved third parties with proven expertise in breach remediation.
Scenario #3: The Innocent Bystander
What if one of your third-party stakeholders experiences a breach or a ransomware attack? Like a cloud services provider or a vendor or distributor in your supply chain? Or what if there’s a flaw in third-party software or code you’re using across your servers, like the log4j vulnerability? In any case, you’ve received word of a cyber incident and that the affected party is working on a solution. You don’t bother telling your clients or your insurance company. After all, if it’s not your system, then it’s not your problem, right?
The truth is: under Canadian privacy laws, organizations are responsible for safeguarding all data collected from clients. That means using a third party to collect, store, process, or otherwise handle confidential data doesn’t transfer your liability; you still have an obligation to take direct action the moment you become aware of a security lapse. And you can be held accountable for your clients’ data if there’s a breach—even if you weren’t at fault.
In short, if you don’t report a third-party breach right away and you end up being affected later on, you could end up voiding your coverage and having to pay the expenses out-of-pocket.
So when do you report a cyber incident?
Cyber incidents are hugely disruptive for any business. And with remediation expenses hitting seven figures, being denied Cyber Insurance when you need it most won’t just be inconvenient or stressful; it could be financially devastating, with massive repercussions for your long-term recovery.
That means you need to act quickly. If you have reasonable grounds to suspect there’s been a security or privacy breach incident of any kind, you should loop in your insurance company. When? The earlier the better—it doesn’t matter where the incident came from, if it seems threatening or not, or even if you don’t know the full scope of the loss just yet. Here’s why:
1. No harm, no foul.
Breaking the news to your insurance company won’t cause you as much grief as you think. Unless there’s proof of data compromise or other harm, a security flaw might not be considered a claim in the eyes of your insurer so it won’t affect your rates. And if it does turn into a breach, the sooner you report, the sooner you can get your insurance company’s approval on remediation steps and reduce the possibility of a denial.
2. A little help from your friends.
In addition to coverage for legal fees and breach expenses, Cyber Insurance policies also give you access to a whole host of valuable resources to help you unpack the situation. Depending on your coverage, that may include cybersecurity experts, a specialized data forensics team, a legal breach coach to advise you on response and regulatory compliance, PR consulting services to manage reputational harm, and more. In the event of a ransomware attack, your insurance company might even be able to help you stand up to threat actors or negotiate ransom demands.
To help you make the most of your coverage, here are some additional tips to keep in mind when reporting a cyber incident.
1. Keep a hard copy.
These days, most corporate data is stored digitally. Files, records, important documents—like your insurance policy. That means if there’s a breach or ransomware attack you might not even be able to access the critical information you need to reach out to your insurance company, like your policy number or dedicated contact for handling cyber claims.
For good measure, always keep a hard copy of your policy on hand. Every year when your policy renews, print off your policy and keep it locked away in a secure location at the office. This way, you’ll have it even if your networks are compromised.
2. Be transparent.
Don’t try to downplay the event or your role in it, especially if you were at fault. Explain the situation to your insurance company in detail, or as well as you know, anyway. What happened, how, the impact, and what you’re doing about it.
Transparency is crucial. Depending on the nature of the incident and the type of business you conduct, everyone that interacts with your company could be affected: your employees, your clients, maybe even your clients’ clients. Potentially hundreds of people. Lying or omitting key details to make yourself come off better will only do you more harm in the long run if it comes out that more people are impacted.
Plus, if your insurance company finds out you lied, they won’t just decline your coverage—they might cancel your policy altogether. And once you’ve had a cancellation, it’ll be much harder for you to obtain insurance anywhere else.
3. Connect with a broker.
If you don’t have a Cyber Insurance policy yet, or if you want to learn more about your existing coverages, connect with a licensed broker that you trust. Brokers—like PROLINK—are knowledgeable advisors that can help you plan, protect, and become resilient in the face of security gaps.
We’ll take the time to listen to you, understand your business, and align you with a comprehensive policy that suits your needs. We’ll also walk you through the claims process to make sure you know exactly what services are available to you throughout all stages of incident response. And with over 40 years of experience and specialized knowledge of cyber markets, we won’t be playing catch-up in the event of a breach; we’ll be advocating for you to make sure the remediation process is as smooth and stress-free as possible.
To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.