Whether post-cyber breach remediation measures are covered largely depends on whether a standalone cyber program has been purchased, said Jennifer Rothstein, a former AIG executive who is currently a director with Kroll’s Cyber Security practice.
“Typically we get calls where something’s happened and a corporation needs us to go in and perform a forensic investigation,” Rothstein told Advisen.
At AIG, Rothstein facilitated the underwriting of electronic and intangible risks into corporate insurance policies. At Kroll, she maintains the company’s relationships with insurance companies, brokers and insureds.
Typically, insureds would take most coverage questions to their insurance brokers versus cyber investigation and mitigation firms like Kroll.
However over the last several months in particular, clients are starting to ask forensic teams directly whether their insurance policies will cover mitigation-related expense, according to Rothstein.
If the client has first and/or third-party coverage in force, specifically designed to cover cyber risks, there’s a good chance “a majority of our fees will be covered”, said Rothstein.
Costs in question might range from as little as $10,000 where “no data has actually left the system,” and there’s no need for Kroll’s clients to notify their customers of the breach—to as much as $2 million to $3 million where notification and other services like remediation and credit card monitoring are required, she said.
Of course, not every policy will cover the risks in question.
Rothstein commented:
The challenge occurs where there is no cyber policy or cyber endorsement in force, but a general liability policy or another program not clearly labeled ‘cyber’.
In that case, services like those offered by Kroll often won’t be included, she said.
Fortunately however, more and more carriers have begun offering coverage for breach remediation services in their cyber programs.
“We are starting to see more and more cases we work on have an insurance policy in play, which means we work closely with the claims group and breach coaches as well,” Rothstein said.
“During 2014 the opportunity is ripe to offer more coverage for remediation services,” she added. “We will see more and more carriers being clearer that they’ll cover something like credit monitoring.”
The service is offered because not every victim of identity theft needs it, Rothstein said. For instance, where personally identifiable health information is at risk, credit monitoring may not be called for.
There’s no need for insurers to be on the hook to “over-notify or over-remedy” under their cyber programs, Rothstein said.
What is important is that they are very clear about their intentions in their policy wording, she said.
Janet writes daily news including proprietary Advisen data analysis for Advisen’s cyber FPN and management liability FPN editions. She has been a financial writer since 1983 and an insurance writer for roughly 20 years, focusing on commercial property and casualty insurance. Email Janet Aschkenasy.
