
Utilizing Captives for Cyber-Liability Risks: The Breach Response Plan

November 06, 2017

By Scott Uhl
Senior Vice President
Practice Leader, Specialty Casualty E&S Wholesale & Co-broker Division
EWI Re, Inc.

Editor's note: This article is the second in a three-part series. Read the first installment, "Using Single-Parent Captives for Cyber Liability Risks."

The first article of this series provided guidance for approaching and quantifying a company's cyber-liability risk profile and identified insuring agreements to include in a customized single-parent captive cyber-risk program. The next step, and the focus of this article, is the creation of an enterprise-wide cyber-liability breach response plan. 

An effective breach response plan can materially improve the cyber-risk profile of a company and typically enable the buyer of facultative reinsurance to negotiate lower reinsurance premium. As with any line of insurance, improved loss control generally equates with lower premium expense, and cyber-liability is no exception.

The development and implementation of a company-specific plan should focus on action item steps and the internal processes that will occur in the immediate aftermath of a confirmed security incident.

A breach response plan (BRP) should be a collaborative and interdepartmental group effort between the following departments within a company.

1. Information Technology (IT),

2. Risk Management and/or Human Resources (HR),

3. Legal, and

4. if the company is publicly traded, Investor Relations and/or Treasury.

In the first 24–48 hours after a breach has been detected, each department should have specific duties and responsibilities to perform in a crisis environment. Without prior interdepartmental collaboration on the development of the BRP, the company risks either not performing the tasks and action items necessary to escalate the risk as required by company policy and by state and federal statute or duplicating certain tasks. This could easily compound economic, reputational, and/or insurable losses.

The purpose of a cyber-BRP is to set up a framework to guide, assess, investigate, remediate, and eradicate the breach while providing the necessary response as required by regulatory or other disclosure parameters. In preparing, developing, and writing a company-specific breach response plan, it is imperative to focus on key areas of the business that are particularly sensitive to business interruption or confidential information breaches, by business unit or department.

The interdepartmental BRP committee should first undertake an end-to-end cyber-enterprise risk management survey examining the organization's specific "high-impact" connected exposures. This task should lead to the creation of a threat awareness and incident matrix. The matrix should isolate cyber-perils that will likely give rise to an incident requiring a cyber-crime investigation.

In its 2015 white paper, Breaches Do Happen. Are You Ready?, EY provides an illustration of such a matrix. The EY matrix illustration breaks down examples of incidents and threats into three areas: high-impact, medium-impact, and low-impact.

Next, the EY matrix serves as a source for the following examples of each of these threat levels and suggested corresponding crisis management action items.

High-impact:

  • Customers' personally identifiable, personal health, or payment card information is leaked.
  • Infrastructure and control systems are physically damaged.
  • Highly confidential data is stolen.
  • Intellectual property is stolen.
  • A widespread malware infection occurs.
  • A denial of service attack occurs.
  • Other incidents are identified by working group.

» Action items:

  • It is critical that the company's board, legal, risk management, compliance, and public and/or investor relations representatives become involved.
  • Determine what must be potentially disclosed to the company's external customers, stakeholders, regulators, and third-party business partners.
  • Activate the BRP immediately.

Medium-impact:

  • Remote access that is unauthorized
  • Data transmission that is unauthorized
  • Demilitarized zone/perimeter network exposure and weak credentials
  • Other as identified by working group

» Action items:

  • IT conducts a routine assessment to determine the cause.
  • Take remediation action if the cause is discovered.
  • Continue investigating and monitoring, pending further action, if the cause is not discovered.

Low-impact:

  • Computer equipment is misused.
  • Cloud file shares/removable storage are illicitly used.
  • Software is pirated.
  • Illicit websites are accessed.

» Action item:

  • Routine internal investigation conducted and resolved by IT, legal, risk management, and HR representatives

The resulting threat awareness and incident matrix created from the end-to-end risk management survey should dovetail to the BRP and, upon discovery of a breach, the BRP should be activated immediately.

The BRP is also highly useful for the development and manuscripting of the single-parent captive insurance company's cyber-liability policy. A custom-worded cyber-liability policy's insuring agreement should be tailored for the company-specific cyber-exposures that are identified in the high-impact threat and incidents section of the threat awareness and incident matrix. The matrix-backed policy is a beneficial tool for pricing and other negotiations when marketing the facultative placement in the US, Lloyd's of London, and Bermuda reinsurance markets.

Finally, it is imperative that all members of the newly constituted interdepartmental breach response committee share a basic understanding of the typical life cycle of a data breach. A step-by-step diagram titled "Life Cycle of a Data Breach," attributed to Pullman & Comley LLC Attorneys and published in a blog post on the Connecticut Technology Council website, provides an example of tasking assignments for the creation, implementation, and continuous improvement of a BRP. Each committee member should know his or her specific responsibilities in the first 24–48 hours after a data breach regarding notifying customers, vendors, patients, stakeholders, and shareholders. Effective mitigation and escalation immediately following a data breach will reduce liability in post-breach third-party litigation.

Using the Pullman & Comley LLC Attorneys diagram as a source, a company's data breach life cycle might follow these 10 steps.

  1. Discover breach. In most cases, hackers and denial of service attacks are the cause of a data breach instead of system glitches or negligence.
  2. Investigate and remediate. The sooner the data breach is terminated, the sooner the resolution process as outlined in the BRP can begin.
  3. Assemble internal response team. The BRP committee appoints a lead person for the incident response team to ensure all post-breach activities are being addressed by specific individuals of the BRP committee.
  4. Contact law enforcement. Notify and engage the proper authorities, and submit any necessary reports, if applicable.
  5. Employ external partners. Include outside forensics, data breach resolution, law, public relations, as required.
  6. Begin notification process. There is no federal standard; each state has enacted legislation requiring notification of security breaches based on either a "harm" or an "acquisition" threshold requirement for notification.
  7. Make a public announcement and launch breach website. Transparency is an important part of rebuilding trust.
  8. Email/mail notifications. Affected third parties want to see facts about the breach, information about the risks they might face, steps they may take to protect themselves, and an offer for credit monitoring or identity protection included in a breach notice.
  9. Respond to inquiries. Inward call volume can be overwhelming, depending on the size of the breach. The BRP committee may consider outsourcing to a breach response call center or vendor.
  10. Resume business as usual. Planning and remaining focused on preparation and response for a future breach are critical for brand reputation and fast mitigation.

(Watch for Part 3 of this series, where the author will provide specific examples of recent cyber-litigation and settlements and contrast them with potential allocation conflicts.)

Bibliography:

Breaches Do Happen. Are You Ready?, EY, April 24, 2015.

Pullman & Comley LLC Attorneys "Life Cycle of a Data Breach" diagram, blog, Connecticut Technology Council, June 5, 2015.

Mr. Uhl is senior vice president of EWI Re, Inc., and the practice leader for the Specialty Casualty E&S Wholesale and Co-broker Division. Mr. Uhl's core placement and consulting focus is on information security and privacy liability (cyber); technology errors and omissions; directors, officers, and corporate securities liability (D&O); and custom solutions for captives.

Mr. Uhl's practice is unique because it bridges reinsurance and insurance markets and can provide custom risk transfer solutions for specialty casualty risk utilizing reinsurance, traditional insurance markets, or both. EWI has direct access to both the US domestic market and Lloyd's, Bermuda, and other offshore markets, via its London-based intermediary, EWI Re, Ltd.

Mr. Uhl regularly speaks and writes on specialty casualty liability trends. He is a guest lecturer at the University of Texas at Dallas Naveen Jindal School of Management and is also on the membership committee of the Vermont Captive Insurance Association.

Copyright © 2017 International Risk Management Institute, Inc.
