Ping Service
Feedback Forms

Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses

Doug Pollack of IDExperts recently published a blog post on cyber insurance that caught my eye. Insofar as IDExperts is a respected provider of cyber breach response services, I assumed the article would address technical issues. Upon reading the piece, however, I was disappointed to find that the article addressed insurance-related matters, including criteria for the selection of insurance products and programs, a topic typically the province of risk managers, brokers, underwriters and lawyers. Hmmm…

At the outset, the article addresses technical issues, as the author correctly suggests that “privacy, compliance and legal officers should work closely with their risk manager to ensure that the organization is getting a policy that meets its needs.” Having hooked me with that truism, I was looking forward to reading on. But that is where the technical commentary (and our common perspective) ends. From there, the author moves on to express his views (and, in my counter-view, misconceptions) on cyber insurance products and how they should operate.

Specifically, the author calls-out Beazley, a large London market and U.S. liability and personal lines insurer, suggesting that that the company provides a “cookie-cutter approach to data breach response.” In my humble opinion, such criticism is unfair and untrue as regards each of the leading cyber insurance markets, Beazley included. Indeed, virtually all of the leading data breach insurers offer policyholders the opportunity to work with experienced and highly-respected “data breach coaches” and “breach response managers” in order to assist them in developing an appropriate – and cost-effective– response to a breach event.

Since the author focuses on Beazley, let’s use that company as an example, although the following could apply to many cyber underwriters. (Full disclosure: I do not now and have not ever been retained for any purpose by Beazley or any affiliated entity; in turn, I suspect that my firm has). As a value-added feature, Beazley offers policyholders the services of Alex Ricardo, a highly experienced breach response manager and Certified Information Privacy Professional. Mr. Ricardo, like his counterparts at other leading markets, provides policyholders with advice and guidance on a host of cyber breach-related topics, such as leakage prevention, data/e-discovery, messaging encryption, internal threat management and expense containment/management. The availability of such expertise is a great benefit to policyholders, particularly since cyber insurance products typically have a crisis management sublimit and thereby limited funds available for breach response services.

I made a comment at the recent ACI cyber conference which applies with equal force and effect to both attorneys and vendors. Simply because one firm’s hourly rates or billings are higher than others doesn’t make that entity better. It simply makes them more expensive. But price is not necessarily indicative of quality. It is axiomatic that the work performed requires highly technical knowledge and expertise. However, it does not require a Harvard degree or a NASA pedigree. A $350 per hour lawyer who handles breach response matters can be every bit as good as one who charges $800 per hour for the same services. So too, a forensic analyst or other vendor who charges $20,000 for a project may be just as effective as one who quotes $50,000. And where the pot of money available is finite, such as in the case of cyber breach response costs, managing expenses is critical to prevent unnecessary leakage and avoid a policyholder having to take a “net” position with respect to crisis management expenses. And, God forbid a policyholder gets hacked a second time during one policy period after having exhausted a breach response sublimit in responding to a prior intrusion.

The point is that the interests of policyholders and their shareholders, insurers and brokers are aligned in seeking to obtain the highest quality services for the most reasonable costs. Just as bigger isn’t always better, so too more expensive doesn’t equate to higher quality. All it means is that you’re paying more.

Mr. Pollack further suggests that Beazley robotically extends credit monitoring services in response to every cyber/privacy event, no matter the industry, company size, or nature of the claim. I find this proposition difficult to comprehend, as few prudent companies, including insurers, thoughtlessly spend their limited capital on products and services that provide no benefit to their customers (or policyholders), either as a matter of business practice or economics.

On the other hand, I do agree that a cookie-cutter approach to cyber response offerings is not the best approach to servicing a client. This is why Beazley, like other leading cyber insurers, provide a host of alternative offerings, such as credit monitoring, credit restoration services, healthcare record restoration services, legal services, public relations services and computer forensic services. Needless to say, a flexible well-considered approach to data breach events is far more effective and efficient than a one size fits all approach. And this is why the vast majority of cyber insurers provide their policyholder with choices.

In short, it is in an insurer’s and its policyholders’ best interests for insurers to provide their policyholders with alternative response offerings which best fit the circumstances of a particular breach incident. A badly managed data breach incident will only anger the policyholder and its customers, and could exacerbate an already bad situation.

Virtually all of the leading data breach insurers have gone to great lengths to provide highly effective, efficient and cost-effective solutions to data breach incidents. Too often, crisis management has become an expensive and time consuming process. And some vendors may have little incentive to minimize the associated costs since it may be a one-and-done situation with the breached – and vulnerable – entity. Thus, insurers and policyholders need to hang together and accomplish a result that it is their mutual best interests: quality services for the most reasonable cost. For this reason, one of the greatest values provided by a cyber insurance policy is the experience and efficiency provided by the insurer’s claims and other expert professionals.

Protection, experience and efficiency. That’s what insurance is all about. Just ask your broker. Or underwriter. In turn, should you ask a third-party vendor? I’ll leave that decision to you. I know how I would respond to that question, though.

Free PDF    Send article as PDF   

2 Responses to “Underwriters and Their Policyholders Agree: Less Is More When It Comes to Crisis Management Expenses”

  1. JohnRandolph Says:

    Thanks Rick! This is a really nice posting

    The typical data breach is regarded to cost is in excess of $200 per record. it is an open secret that some breach response vendors are taking advantage of these incidents either in the form of $800/hour attorneys or $50,000 forensic consultants. Kudos to the insurers for trying to get a handle on the situation and provide an efficient solution.

    Everyone loves to bash the insurance industry. Yet obtaining the “highest quality services for the most reasonable costs” strikes me as exactly what insurance companies should be doing.

  2. Doug Pollack Says:

    I’m pleased that Mr. Bortnick has chosen to continue the dialog started with my blog post(see the entire discussion at http://www2.idexpertscorp.com/blog/single/considerations-selecting-cyber-insurance-for-data-breach-risks/).

    While I respect his opinions regarding cyber insurance underwriters generally, and the Beazley Breach Response offering in particular, I very much disagree with his conclusions in this post.

    Mr. Bortnick implies that because my firm, ID Experts, provides data breach solutions to organizations, that our perspective is tainted and that we operate by advising our clients to adopt a data breach response strategy that is more costly than necessary. Honestly, I am offended by this assertion.

    We have managed dozens and dozens of data breaches for many of the most prominent national healthcare providers in the US. We pride ourselves on our ability to work in tandem with our clients carefully assessing the unique and specific circumstances of every breach, and advising them in conjunction with their legal counsel on whether notification is warranted, how best to notify the relevant individuals and agencies, and communicate with and provide protection for affected patients. Our solutions are so broadly adopted by healthcare because our focus is to help our clients in managing the financial, legal, and reputational that they face with a privacy breach incident.

    The lion’s share of costs in healthcare data breaches are in reputational damage, lost patients, litigation defense costs, and fines and penalties. An organization risks being “penny-wise but pound-foolish” in attempting to cut costs in systems or forensic analysis, or in communicating with and providing protection to their patients, in such instances.

    Now on to Mr. Bortnick’s assertion that “Beazley, like other leading cyber insurers, provide a host of alternative offerings, such as credit monitoring, credit restoration services, healthcare record restoration services, legal services, public relations services and computer forensic services.” While I believe many other leading cyber insurers do allow their clients freedom and flexibility in handling data breach incidents, I do not think that is the case for Beazley.

    Beazley, uniquely, has vertically integrated themselves by providing data breach services directly. Since my issue regards their fit for healthcare organizations, one way to think of it is that they are more like an HMO, while the other leading insurers use more like a PPO approach.

    When a healthcare organization chooses Beazley Breach Response insurance, they relinquish their freedom in choosing advisers and providers that they are most comfortable with and understand their organization and industry best. They must use Beazleys. It is this underlying question of choice, and the related issue of control, that is at the root of this discussion.

    When a healthcare organization has a breach, their privacy and compliance officials effectively cede “control” of key decisions to Beazley. There are cases where an organization wanted to provide affected patients with a healthcare-focused monitoring solution that was not offered by Beazley, and such a request was rejected. In our view, most large hospital systems, for instance, have very knowledgeable and capable officials in these roles. And they are steeped in their organizations patient-centric culture. They should have the freedom to select their advisers and service providers, and to ultimately have “control” to determine the most appropriate and effective strategy for addressing each data breach incident. I disagree with Mr. Bortnick that a healthcare privacy officer should effectively relinquish control and decision making for a significant breach response to their insurance company.

Leave a Reply

You must be logged in to post a comment.