At the beginning of February, I had the pleasure of attending the NetDiligence Cyber Conference in Ft. Lauderdale. As usual, NetDiligence continued to exceed expectations. The content, the attendees, and the speakers all were exceptional. As was the weather, which was appreciated even more when I returned to Kansas City during a snow storm!
In case you couldn’t attend the NetDiligence Cyber Conference, here are some of my top takeaways:
WE ARE ALL IN THIS TOGETHER
It’s a hard cyber market, there is no doubt about it. And unfortunately, the hard cyber market is likely to be the “new normal.” Premiums and retentions are up, capacity has gone down, and security requirements are now mandatory. These are challenges brokers, carriers, and Insureds will continue to face.
The silver lining? The positive spin? Since the security requirements are here to stay, the industry as a whole has the opportunity to help organizations improve their security posture. A couple of years ago, no one in the industry was overly concerned about MFA, EDR, or encrypted back-ups. But we probably should have been. These new “requirements” should be pushing conversations Insureds are having internally, and if they aren’t, we are able to assist with those holistic risk management discussions. Although Insureds can be frustrated by the increased requirements, ultimately, these security controls are there to protect the Insured. Cyber risk is now a business risk, and part of addressing that risk is making sure an organization is as secure as possible.
One group of panelists continued to mention the now infamous phrase from High School Musical “we’re all in this together”, and it’s so true. For there to be real change within the market, the carriers, clients and brokers must all work together. Although we all agree the market is challenging, we truly are all in this together, and hopefully for the better.
CLAIMS, CLAIMS, AND MORE CLAIMS
Although ransomware has been the largest driver of claims and concerns from an underwriting perspective, ransomware is not the only concern facing Insureds. If you are only talking to Insureds about ransomware, you aren’t doing your job.
NetDiligence releases a Cyber Claims Study every year, and the 2021 report was discussed by a panel. This year’s claims study analyzed 5,797 claims. Of those claims, 99% of claims came from small to medium enterprises (SMEs) with less than $2B in annual revenue. The average cost for a ransomware incident for these SMEs was $267K, with the majority of the costs relating to the actual ransom amount. Definitely a large number. However, the average costs for a business interruption incident were $508K, ranging from $4K to $17.5M. A lot of times, ransomware and business interruption costs go hand-in-hand, but not always.
Ideally, the enhanced security control requirements will reduce the severity and frequency of claims, and carriers have seen some of that. But, cybercriminals will continue to change tactics, as will nation states looking for intel.
THE ATTORNEY CLIENT PRIVILEGE DOCTRINE IS STILL UP FOR DEBATE
Although it’d be nice to claim everything created following a cyber incident is privileged under the attorney client doctrine, that simply isn’t the reality Insureds are facing.
Why does this matter? Well, following a cyber incident, Insureds almost always engage forensics to determine the cause and scope of the incident. The forensic firms then typically provide a detailed report about their findings to the Insured. Some of these reports contain information that Insureds don’t necessarily want opposing counsel to have access to if a class action or other lawsuit is filed against them stemming from the incident.
At this point, courts are divided as to whether forensic reports following a data breach can be protected under this doctrine. Like all good attorneys, the panelists’ response on this topic was “it depends”. And it truly does. Ultimately, the court is going to make its decision based upon whether the actions of the Insured were taken from a business standpoint or in anticipation of litigation. If the decisions were made purely for business reasons, then the attorney client privilege likely doesn’t apply, even if they were made at the direction of counsel.
Even though “it depends” upon the specific facts, the breach response should be directed by counsel. Counsel should engage any additional third-party vendors, such as forensics. It doesn’t necessarily mean privilege will apply, but it will definitely provide the Insured with a better argument that it should. Biggest takeaway – you have to establish a basis for privilege – it is not a given.
BACK-UPS? WHAT BACK-UPS?
MFA, EDR, segregated and encrypted back-ups. The last one tends to be the most overlooked, but in the event of a ransomware incident, it is the most valued. Segregated and encrypted back-ups give the Insured a chance to recover without paying the ransom as they are in a position to restore from back-ups. It’s not a guarantee, but we’re saying there’s a chance.
There is often a false comfort in paying a ransom demand. Even if an Insured pays, it doesn’t mean you will get your data back. If you happen to get your data back through a decryption key, it can take a long time to decrypt that data. When it comes to business interruption, time is of the utmost importance. When data is backed up on a segregated network, an Insured has the ability to start recovering from back-ups immediately as opposed to waiting on negotiations with the cybercriminals.
Testing the back-up is also paramount. A back-up is only useful if you can use it to recover your data when you need it. Just because you think you are backing up data doesn’t mean the back-up is functioning properly. You also don’t want to waste additional time learning how to restore your data because you haven’t previously tested the back-up plan.
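What “testing the back-up” looks like in practice is a restore drill: unpack the archive somewhere harmless and prove every file comes back byte-for-byte. The script below is an added example written for this post, not something from the conference or from NetDiligence. It records a SHA-256 manifest when the archive is created, restores the archive into a scratch directory, and reports anything missing, altered, or unreadable; the constructed `run_demo()` scenario then damages the archive on “storage” to show the drill catching it. Encryption of the archive at rest and copying it to a segregated location are left out of the example; the file layout and names (`finance.tar.gz`, `.manifest.json`) are assumptions made for the demo.

```python
"""Backup restore drill: record a manifest at backup time, then prove the archive restores.

Added example (not from the original post). Uses only the Python standard library.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Write a .tar.gz of source_dir plus a <archive>.manifest.json next to it."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive_path):
    """Restore into a throwaway directory and compare it with the recorded manifest.

    Returns a list of problems; an empty list means the backup restores cleanly.
    """
    manifest = json.loads(Path(f"{archive_path}.manifest.json").read_text())
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                # Python 3.12+ (and patched 3.8-3.11) ships a "data" filter that
                # refuses entries escaping the destination; fall back if absent.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(restore_dir, filter="data")
                else:
                    tar.extractall(restore_dir)
        except Exception as exc:  # any unpack failure means the backup is unusable
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        restored = build_manifest(restore_dir)

    problems = []
    for rel_path, expected in manifest.items():
        actual = restored.get(rel_path)
        if actual is None:
            problems.append(f"missing after restore: {rel_path}")
        elif actual != expected:
            problems.append(f"hash mismatch after restore: {rel_path}")
    for rel_path in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in restore: {rel_path}")
    return problems


def run_demo():
    """Constructed scenario: a small tree is backed up and verified, then the archive
    is truncated (simulated storage damage) and verified again.

    Returns (problems_for_intact_backup, problems_for_damaged_backup).
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work, "finance")
        (source / "ledgers").mkdir(parents=True)
        (source / "ledgers" / "q1.csv").write_text("date,amount\n2024-01-05,1200\n")
        (source / "ledgers" / "q2.csv").write_text("date,amount\n2024-04-02,950\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        archive = Path(work, "finance.tar.gz")
        create_backup(source, archive)
        intact = verify_restore(archive)

        # Simulate a damaged copy: keep only the first half of the archive bytes.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        damaged = verify_restore(archive)
    return intact, damaged


if __name__ == "__main__":
    ok, bad = run_demo()
    print("intact backup problems:", ok)
    print("damaged backup problems:", bad)
```

Run it as-is to see the intact archive pass and the damaged one fail. The same `verify_restore()` can be scheduled against production archives; the point is that the drill runs before an incident, on a restore host that is not the one being protected, so the manifest and archive are compared from a copy an attacker on the primary network could not have altered.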
As mentioned above, the total incident cost for business interruption and recovery expenses for SMEs averaged $508K. The study wasn’t able to capture whether or not these Insureds had back-ups, but every panelist emphasized the importance of back-ups in reducing these claims costs.
If you haven’t previously attended a NetDiligence cyber conference, you should, ASAP.