Elevate Xchange Roundtable Forum DFW Table 2 January 12, 2023
Title: Keeping Data Protection and Cybersecurity Insurance Real
led by Sean Tuma, Attorney/Cybersecurity Co-Chair, Spencer Fane
Note: We apologize for any lack of clarity. We had a packed room so recording was a little difficult. Due to the powerful conversation, we chose to publish rather than not. Enjoy!
Data has become the new Enterprise life’s blood. To protect an Enterprise’s data and assets, a
thorough data and security strategic plan with multiple layers is needed including Cyber Insurance.
First, design a robust Incident Response Plan (IRP).
An Effective incident response plan takes a team, and the team needs to be prepared in advance of any possible breach. Frequently used service providers in incident response are often cyber forensics, cybersecurity, incident response, public relations, breach logistics, forensic accounting, and legal.
a. Many cyber insurance policies strictly limit which service providers can be used for
incident response services.
b. How will your cyber insurance then impact your incident response planning and how
should the two work together?
c. How and when must notices be given to the insurance carriers and when must
approvals be obtained?
d. What is the most important information a company can have to make sure this all worksbtogether in the smoothest manner possible under the most stressful of times?
Second, make sure your purchase your Cyber Insurance Policy from a company that
specializes in cyber insurance.
They should have a robust internal cybersecurity staff able to work with an incident response team. Know what your Cyber Insurance covers “specifically”. So, engage a real expert to “read between the lines”. For example, Exclusions – what is an exclusion and what is all of this “Act of War” stuff we are hearing about?
Third, How Does Cyber Insurance Impact Your Incident Response Preparation?
More particularly, what are the security controls “must-haves” now for getting cyber insurance? Is MFA a must have? What required controls are needed for underwriting. Can companies fall out of compliance with these controls during the coverage period and lose coverage as a result? What happens if you say you have controls that you really don’t have? What are the types of coverages, what are the limits, what retentions (and what are these things)?
Fourth, who is your key stakeholder who is ultimately responsible?
Who in the organization should have input into the coverage and purchase of Cyber Insurance? Who is the ultimate key stakeholder responsible for procurement and completion of all this information for obtaining this coverage? Are all cyber insurance companies alike? What is different? Are cyber costs and coverage regulated? What about personal liability and accountability? Should you have your own personal attorney?