Cyber insurance is the US's fastest-growing property and casualty insurance market segment. Premiums written increased 51% in 2022 to over $7.2 billion, according to Fitch Research.
As the market for cyber insurance matures, policies are increasingly expensive, coverage is limited, and underwriting is more restrictive. Insureds (the policyholders who have purchased coverage) are finding significant practical issues in realizing the benefit of their coverage.
Two key points have caused firms to reconsider how they use cyber insurance: who picks and who controls the legal counsel and the response firms necessary to remediate the policyholder's cyber incident.
The Illusion of Choice
If you ever need to file a claim under a cyber policy, you will find that insurers rarely allow a policyholder to select their own legal counsel and the incident response firm that will oversee the response.
Unless you are a large client, insurers are unlikely to issue policy endorsements listing your choice of legal counsel and/or response firm. Instead, insurers will require the insured to use someone from an approved panel with pre-negotiated arrangements.
Preferred firms may get a significant amount of their business from the insurer, and the insurer’s criteria for third-party vendors could differ from yours. Insurers have not been known to disclose their selection process or criteria for vendors.
Moreover, many of the panel providers were formerly employed in the same insurance industry. Would the panel firm take a position adverse to the insured to preserve its relationship with the insurer? You never know. The potential for a conflict of interest should be disclosed to the insured, and the insurer should be reasonably compelled to accept a policyholder’s selection of legal counsel. The insurer can set the terms of reimbursement but shouldn’t be permitted to quash the selection option by offering ridiculous (20%) reimbursement rates if you use a firm not listed on their panel. All this merely creates the illusion of choice.
You Could End Up Footing the Bill
Furthermore, the insurer controls the defense of claims under the policy “as they deem necessary.” The costs of the insurer’s decisions may devastate the limits of coverage otherwise available to the policyholder. We observed a recent example of this.
The client, a healthcare company located in the southwest US, had a cyber policy placed with a well-known London-based insurer by their broker. The client believed they had experienced an incident and engaged local legal counsel to advise them along with our firm to provide forensics and incident response.
After kicking off the response, the CEO of the client company called their insurance broker to see what services were available to help. The broker then called the insurer. Upon notification, the insurer told the CEO to stand down his team or risk denial of coverage altogether. Not wanting to forgo his options, he stopped and unwittingly turned over the matter to his insurer.
The insurer promptly appointed legal counsel in London, who in turn engaged legal counsel in New York, who then engaged legal counsel licensed where the client was domiciled.
The New York counsel selected an east-coast-based incident response firm to collaborate with the client. The appointed firm had no prior knowledge of the client or its operations. Additionally, the response firm could not start work until the following week. (Too busy from all the other insurance work.)
The New York law firm then decided it would be best to engage yet another firm to negotiate with the criminal ransomware operator – all in the interest of speed.
So, imagine the impact on the client’s coverage sub-limits with three law firms, an (unavailable) response firm, and a ransom negotiation firm each billing away.
The insurer’s legal team then decided paying a ransom to the criminals was quicker than waiting for the response firm to mobilize. It was the best course of action for the client, they said. Yet the client felt they had no say in any of this – and it was
Additionally, the victim firm wondered if the threat actor would really be eradicated from their system completely or if they would be back in a few months. This experience was more difficult and expensive than it needed to be, given the circumstances.
Why couldn’t the client use the local law firm and response firm they had already engaged and trusted? It would have been faster and far less costly.
On top of that, they wondered what would happen if the insurer ultimately decided to deny the client’s coverage? Was there something arguably inaccurate on the policy application? Was MFA (Multifactor Authentication) functional on
This situation resulted in a high level of frustration and confusion amid the crisis. The parent company lost confidence in the victim firm’s management, and the firm was ultimately merged into an affiliate. No winners here.
As companies consider renewing their cyber policies, they are beginning to question the entire process because of experiences like this.
Questions You Should Ask Yourself
Here are a few questions you should ask yourself before renewing or starting a cyber insurance policy:
Are you best served by delegating complete control of a cyber incident to an insurance company and their cohorts?
Does it make sense to buy pre-breach services from an insurance company versus directly from experienced providers?
If the insurer’s response is done poorly, against your wishes, or in a less-than-comprehensive manner, what is your practical recourse?
Is self-insuring for at least some of your risk, backed up with an incident response retainer, a better plan of action?
Nowadays, firms have direct access to a multitude of skilled legal advisors and qualified response firms to assist them through the incident response process. This, coupled with rising premiums and stricter underwriting requirements, may lessen the need to purchase pre-breach services from an insurance company. Self-insuring a portion of the risk and preserving control of the response may be a better choice for your firm.
The legal advisors and response firms engaged directly with your firm have a contractual duty to you, the client – not the insurer. Those firms may even be more responsive and less expensive than the total premium and the retention amount required under the firm’s policy renewal.
Insurance is well suited to transferring some risks and dealing with routine claims, but not to a matter as important to your business as the handling of a cyber incident. Consider which risks are best to transfer to your insurer and which are best to self-insure.
Please take a moment to consider these points before you purchase or renew your policy.
Chuck Matthews is the CEO of PacketWatch, a US-based cybersecurity firm focused on digital forensics and incident response, managed detection and response, and advisory services utilizing their proprietary PacketWatch network-based threat hunting platform.