EN- Industry Focuses

Q&A with Hart Brown, Executive VP and COO of Firestorm Solutions

Issue link: https://resources.genetec.com/i/1031822

Security conversations with Hart Brown, Executive Vice President and COO at Firestorm Solutions

"Cyber insurance can be as complex as the types of security incidents. The first thing to understand is that most cyber policies are actually a package that can include as many as 12 different coverages with various types of triggers."

Q: What isn't cyber liability insurance?

A: Cyber liability insurance isn't a get-out-of-jail-free card that exonerates the board from ensuring and maintaining a high level of overall security. It doesn't take away the need to conduct the appropriate due diligence when vetting a new supplier. It doesn't make it any less important to ensure security patches are routinely being applied. And it certainly doesn't lessen the need for all employees to be educated on appropriate security measures. As stated above, it will enable you to access some funds in the aftermath of an incident. However, it won't compensate you for the longer-term effects such as reputational damage, reduced employee morale, and being excluded from future tenders.

Q: What should boardroom professionals know about cyber insurance? I.e., how does it work and, if the need arises, how do they file a claim?

A: Cyber insurance can be as complex as the types of security incidents. The first thing to understand is that most cyber policies are actually a package that can include as many as 12 different coverages with various types of triggers. This brings up the need for someone to have a good understanding of all of the coverage options for both the cyber/data-related online and offline risks.

In addition, there are over 100 insurance companies involved in providing cyber insurance policies. Some have good experience in both evaluating and supporting the risk management efforts, and some may not. Knowing the difference can be vital if an event were to occur.

This leads into the response aspect of a policy. When a policy is triggered by notifying the insurer and filing a claim, there should be a process that the insurer will go through to provide support and assistance. This can include crisis management, legal defense, forensic investigations, forensic accountants, and other support firms. Knowing which firms are already involved with the insurance carrier and how to work with them is imperative. If there is a preference for using a different firm, getting those firms pre-approved by the carrier can avoid potential claim denials. All of this information should be included in a good cyber incident response plan for any organization.

Finally, knowing how the policy is positioned within other insurance coverages, and understanding how to engage each one, is also important. Normally we like to perform a cyber incident exercise and then review how the insurance would or would not have been triggered. This can become a highly enlightening process and assists in recognizing potential gaps.

Q: What are the key considerations when procuring cyber liability insurance?

A: It is critical, and difficult, to be able to translate the cyber risk into a financial model. The most complex issue with this is to ensure the financial translation is specific to the organization's actual operations and not a simplified generalization of the industry at large. While this can be an incredibly complex process, there are financial models that can be tailored to each ecosystem, and by accomplishing this, the fiduciary aspect of evaluating the financial risk transfer options becomes possible. This includes how broad the policy needs to be, the limits, the retentions, and whether a tower of multiple carriers needs to be built.