United States: Underwriters And Their Policyholders Agree: Less Is More When It Comes To Crisis Management Expenses

Originally published on CyberInquirer.

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm...

At the outset, the article addresses technical issues, as the author correctly suggests that "privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs." Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Specifically, the author calls-out Beazley, a large London market and U.S. liability and personal lines insurer, suggesting that that the company provides a "cookie-cutter approach to data breach response." In my humble opinion, such criticism is unfair and untrue as regards each of the leading cyber insurance markets, Beazley included. Indeed, virtually all of the leading data breach insurers offer policyholders the opportunity to work with experienced and highly-respected "data breach coaches" and "breach response managers" in order to assist them in developing an appropriate – and cost-effective– response to a breach event.

Since the author focuses on Beazley, let's use that company as an example, although the following could apply to many cyber underwriters. (Full disclosure: I do not now and have not ever been retained for any purpose by Beazley or any affiliated entity; in turn, I suspect that my firm has). As a value-added feature, Beazley offers policyholders the services of Alex Ricardo, a highly experienced breach response manager and Certified Information Privacy Professional. Mr. Ricardo, like his counterparts at other leading markets, provides policyholders with advice and guidance on a host of cyber breach-related topics, such as leakage prevention, data/e-discovery, messaging encryption, internal threat management and expense containment/management. The availability of such expertise is a great benefit to policyholders, particularly since cyber insurance products typically have a crisis management sublimit and thereby limited funds available for breach response services.

I made a comment at the recent ACI cyber conference which applies with equal force and effect to both attorneys and vendors. Simply because one firm's hourly rates or billings are higher than others doesn't make that entity better. It simply makes them more expensive. But price is not necessarily indicative of quality. It is axiomatic that the work performed requires highly technical knowledge and expertise. However, it does not require a Harvard degree or a NASA pedigree. A $350 per hour lawyer who handles breach response matters can be every bit as good as one who charges $800 per hour for the same services. So too, a forensic analyst or other vendor who charges $20,000 for a project may be just as effective as one who quotes $50,000. And where the pot of money available is finite, such as in the case of cyber breach response costs, managing expenses is critical to prevent unnecessary leakage and avoid a policyholder having to take a "net" position with respect to crisis management expenses. And, God forbid a policyholder gets hacked a second time during one policy period after having exhausted a breach response sublimit in responding to a prior intrusion.

The point is that the interests of policyholders and their shareholders, insurers and brokers are aligned in seeking to obtain the highest quality services for the most reasonable costs. Just as bigger isn't always better, so too more expensive doesn't equate to higher quality. All it means is that you're paying more.

Mr. Pollack further suggests that Beazley robotically extends credit monitoring services in response to every cyber/privacy event, no matter the industry, company size, or nature of the claim. I find this proposition difficult to comprehend, as few prudent companies, including insurers, thoughtlessly spend their limited capital on products and services that provide no benefit to their customers (or policyholders), either as a matter of business practice or economics.

On the other hand, I do agree that a cookie-cutter approach to cyber response offerings is not the best approach to servicing a client. This is why Beazley, like other leading cyber insurers, provide a host of alternative offerings, such as credit monitoring, credit restoration services, healthcare record restoration services, legal services, public relations services and computer forensic services. Needless to say, a flexible well-considered approach to data breach events is far more effective and efficient than a one size fits all approach. And this is why the vast majority of cyber insurers provide their policyholder with choices.

In short, it is in an insurer's and its policyholders' best interests for insurers to provide their policyholders with alternative response offerings which best fit the circumstances of a particular breach incident. A badly managed data breach incident will only anger the policyholder and its customers, and could exacerbate an already bad situation.

Virtually all of the leading data breach insurers have gone to great lengths to provide highly effective, efficient and cost-effective solutions to data breach incidents. Too often, crisis management has become an expensive and time consuming process. And some vendors may have little incentive to minimize the associated costs since it may be a one-and-done situation with the breached – and vulnerable – entity. Thus, insurers and policyholders need to hang together and accomplish a result that it is their mutual best interests: quality services for the most reasonable cost. For this reason, one of the greatest values provided by a cyber insurance policy is the experience and efficiency provided by the insurer's claims and other expert professionals.

Protection, experience and efficiency. That's what insurance is all about. Just ask your broker. Or underwriter. In turn, should you ask a third-party vendor? I'll leave that decision to you. I know how I would respond to that question, though.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.