Austria
Belgium
Estonia
Finland
France
Germany
Greece
Iceland
Ireland
Italy
Netherlands
Norway
Poland
Portugal
Spain
Sweden
Switzerland
Turkey
United Kingdom
Australia
New Zealand
Hong Kong
India
Indonesia
Malaysia
Philippines
Singapore
Thailand
Brazil
Chile
Colombia
Mexico
Peru
Bahrain
Israel
Morocco
Oman
UAE
Tanzania
Turkey
Are you ready for Cyber Claims?
Published
Read time
In 2022, Howden saw an astonishing 200% increase in cyber-incident notifications. Whilst each notification gave us new insights into the diverse ways a cyber-incident could occur, equally, each also presented a myriad of outcomes depending on various factors such as the type and quantum of data affected, the extent of infiltration and/or exfiltration, as well as how the incident was managed.
At Howden, we take each cyber claim experience seriously. Instead of merely looking forward to the claim payment as a happy ending, we reflect on and analyse how we and our clients could have managed the claim better and can be better prepared for the next cyber claim.
Drawing on our cyber claims management experience, here are some tips which will help make any future cyber claim process a smoother and less stressful one.
BE AWARE: After purchase of your cyber policy
- Familiarise yourself with your insurer's cyber notification and claim management processes by reading the policy and asking questions. Preferably, set up a meeting with the insurer and Howden to clarify any doubts you have.
- Incorporate your cyber insurer's and/or their incident response manager's (IRM) hotline numbers into your company's emergency plan.
- Failure to follow the insurer's claim processes may result in less claim payouts. Forewarned is forearmed!
ACT: Upon discovery of the cyber-incident
- Notify your insurer/IRM and Howden immediately upon suspecting or discovering a cyber-incident or cyber claim. The situation will be quickly assessed by the insurer/IRM who will then activate other relevant vendors. The key information needed are:
- Brief Description and Nature of Incident (eg. date of discovery, ransomware)
- Extent of Impact (eg. type and volume of data affected, outage hours)
- Actions taken so far and by whom
- Have you notified the insurer/IRM?
- Any relevant documents?
- Contact person details
- As much as possible, try to engage your insurer’s panel vendors as they are carefully pre-selected by insurers to ensure competency and best rates so that costs are minimised and your indemnity limits are conserved. If you want to engage a non-panel vendor, you must obtain prior written consent from your insurer.
- Keep your insurer/IRM and us informed of the expenses and material developments on an ongoing basis. This will allow insurers to provide appropriate practical or coverage advice based on their experience handling similar claims, which will in turn enable you to make better decisions.
- Obtain your insurer's prior written consent before incurring any major expense as much as practicably possible, for example if your IT vendor is proposing an upgrade of a software/hardware or an additional service that was originally not found in the engagement letter.
- Failing to obtain consent may prejudice the insurer’s ability to manage the expenses and may result in you not receiving full indemnity if the vendor costs are unreasonably high. In some cases, it may constitute breach of policy condition precedent, thereby entitling the insurer to deny the claim. When in doubt, please clarify with your insurer/IRM or Howden.
- Provide your insurer with at least the interim forensic report/advice for their preliminary coverage assessment.
ASSESS: When your business has returned to business-as-usual
- Provide your insurers with the requested information and documents (eg. final forensic report, invoices) in a timely manner to expedite the claim assessment
- Furnish detailed timesheets so as to allow insurers to determine that the time spent by the vendors fell within the scope of the policy. Vague entries will only result in delays in claim payments as insurers need to spend more time seeking clarifications.
- Perform an after action review with your team, your insurer and Howden to improvise cyber claims processes in the future.
Case Studies
Below, we share two contrasting case studies which will illustrate how cooperation by insureds and their adherence to the policy terms and conditions can make a real difference to the claim outcomes.
Case Study #1: Do not make the same mistake! :(
Whichever industry your organisation may belong to, there is always a risk that a third party vendor you engage to manage your company’s computer system may inadvertently or negligently expose your organisation to cyber risks.
For example, a coding error by a third party vendor can result in emails with personal data being sent to unintended recipients! No one is immune to such situations – as was the case for a few of our clients. Like any responsible organisation would, some of our clients immediately engaged various service firms to contain the damage and manage the potential liabilities resulting from the error. They then turned to the insurers to claim for the fees of the hired vendors.
However, because the insurers were deprived of the opportunity to review the engagement and terms of the vendors, such as the vendors’ hourly rates and scope of work, not only did it result in claim processing delays, but some clients even had to absorb a substantial difference between the actual vendor fees charged and the vendor fees the insurers felt was reasonable based on the charge-out rates and the time spent.
What can you learn?
Cyber insurers typically pre-approve a panel of reputable specialist vendors to assist their insureds in the event of a suspected or actual cyber incident, and their policies typically contain a condition requiring insurers’ prior written consent for the engagement of a non-panel vendor.
These measures facilitate expedient incident response by placing management of the cyber incident in experienced and competent hands. This minimises not only uncertainty and confusion for insureds but also excessive erosion of their policy limits due to unnecessary remediation costs.
Upon request, Howden can help facilitate a meeting between you and your cyber insurer to familiarise yourself with the cyber claim process and the insurer’s panel of existing vendors as soon as it is practicable following inception of your cyber policy. Always remember, if you prefer using your own cyber incident vendors, you should seek pre-approval of these vendors prior to policy inception or as soon as that decision is made during the policy period, or in the event of a cyber-incident, your cyber insurer’s prior written consent.
Case Study #2: We are all in this together. :)
Another client of ours experienced double extortion where their confidential corporate data (including the backup copies) were encrypted and exfiltrated in return for a ransom.
In this case, our client did not hesitate to seek guidance from their insurer, the incident response manager and Howden when required. Transparent and open communication between the various stakeholders throughout the whole claim process resulted in the insured not falling foul of the policy terms and conditions and being able to furnish the insurer with the relevant information and documents in a timely fashion. Overall, with almost no administrative hurdles, the claim was paid in full and processed in the most efficient manner.
What can you learn?
When insureds work in sync with insurers, the cyber incident vendors and Howden, they increase the chances of enjoying full indemnity and faster payout under the policy.
Confirmation of coverage doesn't mean everything is covered
In the course of handling the above and other cyber claims, we observed that insureds tend to get confused between coverage confirmation and extent of coverage. Confirmation of coverage simply means the policy will respond to the cyber incident. However, that does not mean every expense incurred in consequence to the incident is covered. The extent of coverage will depend on the specific policy language.
That is why it is important for insureds to have an honest and continuous conversation with insurers (either directly or through the IRM/Howden), throughout the claim process, on the expenses to be incurred and the scope of work to be done so as to enable insurers to provide guidance on whether a certain item would likely fall within the scope of the policy. Otherwise, insureds could end up having some of their expenses not indemnified.
We have many more of such interesting stories to share with you and continue to grow “cyber-ready” together. Stay tuned for more!
Authored by:
 |  |
John Poon | Azlin Fathima |