Business Interruption Loss Calculation | The Cyber Playbook and Response Plan
- Published
- Nov 13, 2024
- Topics
- Share
As the digital and regulatory environment for businesses continues to evolve in its complexity, understanding the impacts of a cyber business interruption event on your organization is a critical part of effective planning.This panel includes Forensic Accounting, Insurance Claims, Legal, and DFIR specialists who will share their perspectives and tips for being prepared in the case of an attack.
Transcript
Joe DePaul:Astrid. Thanks for that. I appreciate it and welcome everyone to our webinar today. I think you're going to have some fun and I think you'll learn a number of things. We're going to be talking about business interruption. We're going to be talking a little bit about what that means, what a bi loss is, some other meanings and maybe some other definitions around what business interruption is. We're going to be talking about some of the events that actually have impacted companies and organizations and how that occurred. Steve's going to be talking about some of those things. We're also going to be talking about how organizations should prepare for this type of an event, not only from a cybersecurity perspective, but also from the event itself, the legal aspects, the communication aspects, some of the insurance aspects as well, and most importantly, the reason we're all here, really an understanding around what the preparation in a financial loss around a cyber business interruption event may be. So as Asher said, I'm Joe DePaul, CEO of Iron Gate today on the call with us. We've got great experts. I think you're going to enjoy the panel. I'm going to give them a moment to introduce themselves. Steve, why don't you kick us off?
Steve Ramey:Great. Hi everyone. Steve Ramey. I'm the Chief Cybersecurity Officer and co-founder of Iron Gate Cybersecurity. I've spent the last 20 years helping organizations of all sizes across the world investigate the anomalies that occur both internal and external to their firewall when we put technology in the hands of their employees.
Joe DePaul:Awesome. Eric, how about you?
Eric Benson:Thanks, Joe. Good afternoon everyone. My name's Eric Benson. I'm a cybersecurity and data privacy attorney with the law firm McDonald Hopkins. I focus my mostly in incident response and regulatory investigations that arise out of cybersecurity and data privacy incidents. I work with a lot of colleges and universities, healthcare organizations and financial services organizations. Great to be here. Thanks, Joe.
Joe DePaul:Excellent. Thanks Eric. Hey, Deb, how about you?
Deborah Hirschorn:Hi, everyone. Deborah Hirschorn. I am the US Cyber and Tech unit claims leader at Lockton. I've been at Lockton for two years, and before that I was on the carrier side, and then in my past life I was an insurance coverage lawyer. Happy to be here.
Joe DePaul:Awesome, Thanks. And Jason?
Jason MacMorran:Hey everybody. Jason MacMorran, partner with EisnerAmper in our forensic and litigation group. Long history in business interruption dating back to the natural disasters and hurricanes that affect the Gulf Coast, and we do a lot of business interruption work, other forensic work. So happy to talk about some of the financial elements of these type of events.
Joe DePaul:Awesome. Thanks Jason. So Steve, we're going to kick off with you. Cyber events can happen many different ways, and we call them events. We don't call them anything else that would potentially create a legal issue, but let's call it a cyber event for the moment. Unauthorized individuals, hackers, thieves, insiders, and system glitches. So we know that these events continue and are continuing and they're ticking up, as we all know, various sizes of organizations, small, middle market, complex, large, et cetera. It doesn't really matter what type of an organization you are, these events continue to happen. So maybe tell us about some of the most recent events, maybe some of the larger events as well, how they occurred, how these types of events occurred, and is there a limitation to just the size or type of an organization?
Steve Ramey:Yeah, great. Great starting point. I appreciate the thought there. I would love to talk about all the recent events, but I would hate to steal all the time from everyone. But really when we boil it down and we look at these events, it doesn't matter if you're a very large player like SolarWinds or 23 and me or a mom and pop paint shop down the street. It can happen to anyone. And these events are relative in the devastation to that business. So it could be a couple hundred thousand dollars to a paint shop, which could be their annual earnings or it could be millions or even billions of dollars. In the case of 23 and Me, where they mishandle the PR aspect of it and millions of their customers data goes out the door. So really the devastation, it's relative to that business size, but regardless of which it's detrimental.
A lot of that can be prevented, right? A lot of it can be mitigated upfront, proper cybersecurity planning, proper thinking about the type of data that business harbors and has access to and layering security controls around that information, making sure the data is available when it needs to be available, that it's treated as confidential information and that the integrity of that information is maintained throughout its life. Having that kind of approach really can mitigate the downstream effect. Unfortunately, in reality to your exact point, we're seeing a huge uptick in business email compromise and even the rise of ransomware again, from this year comparative to the last couple of years, we're seeing this, and a lot of it's because it's very simple for these attackers to identify a market segment and then go after it. 10 years ago, they were going after the large players and the individuals.
They realized the large players can quickly implement security controls that disrupt their operational procedures from a ransomware attack standpoint. And then we saw them move into the middle market over the last five or six years ago. They started making that transition, and there they've wreaked havoc. The middle market players as well as the insurance companies have gotten very smart. They've gotten very confident with the security controls, and together they've been able to work together to enhance the security controls in the upper middle market area. But now what we're seeing is a trend in the lower middle market, in the smaller market businesses where these controls just don't exist. And it could be due to a lack of foresight, it could be to a lack of funding, whatever that might be. So now these threat actors are actually targeting these smaller businesses, and so we're seeing an uptick in that type of demographic for a company.
The craziest part about it, and that's what brought us together, is that ransomware business email compromise doesn't end when the investigation ends. There's still aspects of the business that are devastated that continue on. It could be a litigation, it could be a damages aspect for business interruption, it could be regulatory inquiries. So if you have HIPAA related health information or if you have payment card information, any type of regulatory in inquiry can linger on months or weeks, months, years later, should those regulatory bodies had a lot of questions for your security practices. So really when we look at the lay of the land, the uptick, a lot of it has to get back to the planning, the foresight, understanding that security controls really drive that conversation. But again, that matter isn't just resolved when your investigation concludes. There's still a lot left to be done with experts on this call here.
Joe DePaul:Steve. Thanks for that. That was great info. So when we're looking at an event and an organization is involved in an investigation and doing some diligence and really going through a forensic investigation, not a forensic accounting investigation, but the digital forensic investigation, is there anything there that would be helpful to an organization to uncover or understand as they're looking at obviously the business interruption loss moving forward, and how does that play well, or maybe it doesn't, you tell us with that type of a, with the forensic accounting investigation itself?
Steve Ramey:Certainly. So when we think about the security planning aspect of this, we really have to model a scenario that's the most devastating to a business. And up until ransomware, we really thought about natural disasters. We thought about tsunamis or hurricanes or tornadoes, wiping out data centers or a large office building where our employees would come in to perform their duties, and that type of scenario forces the business to think about how to continue their operations without reliance on technology. Let me pause there and emphasize this without reliance on technology. We live in the technology age where all of our business operations run through a computer at some point, mobile phone, Microsoft Word, email, databases, everything in between. Even the cloud. When we use these web apps, if one of those technologies or all of those emphasis on all of those technologies goes down, how will your business continue to operate?
And the operation really gets into some critical areas. One, generating revenue. How do you collect revenue from your customers, from your clients? Two, how do you pay your employees? And then kind of the third area, this is a later on aspect of it, but what type of damage actually occurred because of the public disclosure of your investigation of this? Heck, what's that damage to your branded valuation? How many customers might you lose? How did you handle it? How could you have done it? How do you minimize that catastrophic aspect of it? So really when we boil into the planning piece of this, we get into a business continuity exercise, and that has two different outputs. One, how do we maintain business? Some businesses actually have the ability to revert back to paper and pencil. That's perfect, right? They can take their sales across the phone, handwritten notes, manually enter those into the system.
Once the system comes back online, that is a business dependent procedure. Some can follow. Hospitals can follow it that way. Sales orgs, manufacturing can follow it that way. Other businesses probably can't. So really, when you get into that design element, you have to figure out what your operational procedures will be in that catastrophic event. How long can you actually maintain your business without technology? Then that second output, really you're finding pieces of your business that are critical. So part of the planning process, what systems are critical to our operations to deliver? How do we get those systems back up and running as quickly as possible? So if your business can assume you can be down for two or three days without technology means by the end of the third day, you have to have your technology back up and running. If it's not, how much money are you losing every single day?
Is your technology down? These pieces of information, as we understand our business, are actually vital to a lot of the forensic account, the business interruption. So understanding this at the forefront, forefront of no event has even incurred your planning stage at this point. So understanding what that number is, and when you actually get into it, you can help your accountants understand your business a lot better. You can start that process a lot earlier. And then when it comes to working with your insurance company through your broker, you have the ability to have a very detailed conversation along the way because you were thinking about your brand, your operational aspect of your business, and how much money has basically you've not been able to account for because of this interruption to your business.
Joe DePaul:Yeah. All great points, Steve. Thanks. And we're going to get to some of those things you mentioned. Deb's going to tell us all about in a few minutes what's covered and what's not covered under a cyber insurance policy, and specifically the business interruption or dependent business disruption. But for the moment, let's go to, let's move to Eric. Eric. So tell us a little bit about from the legal perspective, what you see, right? We've got an event. What happens during the most recent aftermath, right? Who's the point of contact in the organization? How does this unfold? What are some of the legal requirements? What about disclosures, et cetera? Tell us about some of that, if you would.
Eric Benson:Yeah, absolutely, Joe. So with respect to business interruption events, what we're most commonly seeing now in a recent trend that we're seeing is we're moving away from, I mean, in addition to, I should say, requirements surrounding the letter you get in the mail that says your name and social has been breached. Now we're having a new body of law emerge with respect to mandatory reporting of outages. So for example, last year the SEC launched a new rule for publicly traded companies to have to report outages. Banks already had existing rules with respect to reporting to the FDIC when they have outages. So it is more important, more than ever now that organizations that are experiencing these incidents get immediately connected with an attorney that's familiar with the applicable regulations to the industry, whichever industry the organization is in, such so that those reporting requirements can be met.
It's no longer the case that we can kick the can down the road and figure out after a forensic investigation who is impacted and wait 30, 40 days to put out letters that those days are over. We now have a new framework where we have to report in real time as it's happening, the business interruption event to the applicable regulators. It's going to depend on, again, what organization or what industry rather is the organization in that will dictate which regulators are at play and which frameworks we're under, and also the size of the incident and the scope of the incident scale. Are we talking about a three hour interruption or are we talking about a 30 day interruption? What is a reasonable investor to borrow from the SEC standard? What's a reasonable investor going to care about? Those are the types of factors that we consider with respect to, in particularly these preliminary reporting obligations.
Joe DePaul:One quick question just to follow up on that. So if you do disclose and the type of information you do or maybe you don't disclose, does that affect liability?
Eric Benson:Absolutely. It can. Yeah, especially in the immediate outset, because what happens is anytime an organization is making a report to a required or out of an abundance of caution, even report to a regulator more and more frequently, not always, but increasingly, regulators are listing breaches on their respective website. So in my practice, I often work the most with the Department of Health and Human Services office for civil rights, which maintains a list of breaches affecting over 500 individuals. So absolutely, it has an impact. And then who has that page on bookmark in addition to the news media? Think about plaintiff's attorneys ready to launch the next class action lawsuit. So absolutely, there's a direct line between these interruption events and publicity and ultimately liability.
Joe DePaul:Yeah, no, that's excellent. Thanks. So thinking about the liability and communication specifically, and as we think about a business interruption loss very specifically, those messages that an organization provides to stakeholders, to the public, to all of us, right? Many folks listening on the call as well, it's important on how you craft that language around a communication, what should be said, what shouldn't be said, and you probably have some stories around maybe a rogue organization that went ahead and said, yeah, we've got 50 million worth of losses or 10 million or five or a million, and it has not gone well. So those communications are extremely important. And who's involved in those communications? Again, specifically thinking your own business interruption?
Eric Benson:Absolutely. I would say in terms of addition to who's involved, I think the number of people involved is the most important thing. The more people you have involved crafting messages and pushing out messages during an event, the worse of an outcome it's going to be because inevitably, there's going to be conflicting information. So whether it's in a smaller organization, if it's the present or in a larger organization, somebody who is already in a role with respect to comms, regardless of who it is, you can't have too many people because the message gets twisted, and that could cause a lot of obvious loss of confidence in the organization and their ability to handle the incident. I'd say also too, in terms of the medium in which the message is posted, keep in mind that if an organization is posting on their own website, they generally have control of that platform as opposed to other platforms where there's algorithms and manipulation of the message that can occur. If you stick on your own website, that's usually the safest platform to push out messaging. And the cadence too is going to depend on obviously the severity of the incident and various factors around the nature of the incident. But absolutely, it matters who's writing the message and how many people are involved.
Joe DePaul:That's great. I was going to ask you about the cadence as well, but when an organization has a business interruption loss demands come in fairly quickly. You've got, whether it's a first party event or Deb is going to tell us a little bit about dependent and what that all looks like, but those demands come in pretty quickly because you might not only be experiencing an interruption yourself, but there might be other people that are actually reliant or dependent on you. So those demands for indemnification liability, how does that work? How quickly does a response in some of those communications, what would that look like?
Eric Benson:Yeah, I would say most frequently we're going to see these demands coming through after the dust has settled a bit, usually within the first year, the first calendar year of an incident occurring, but not always. Oftentimes there's extensive processes that need to occur with respect to insurance and other factors that allow the organization, the downstream organization that has suffered to realize it and truly understand what their losses are, and then you'll get the demand for indemnification. Sometimes what we'll notice too, particularly with organizations that are not represented by council, is that the demand will be, they'll bite too soon, right? The demand will be made before they themselves get hit with a class action lawsuit in relation to the incident. So the timing of making the demand is really important because there's unknown expenses potentially right on down the road that you may not see. So we're seeing organizations fine tune the timing around those demands for sure, but usually within the first year or at most two years, it's pretty rare to see it after that.
Joe DePaul:Right. Understood. Thanks. What about, last question for you is what about some of the contractual types of defenses those come into play? Certainly you are advising your clients during these events. What do those look like? How do you have those conversations?
Eric Benson:Yeah. Typically what we're looking at is ensuring that our client now, oftentimes, again, I'm meeting my clients after the incident has occurred, but what we will be looking at in terms of future incidents is how can an organization on down the road or come after you in terms of a couple theories of liability, particular negligence based claims and contractual claims, what is in your master services agreement, for example, with respect to the things you have to do as an organization to update your systems. Those are and maintain security and technical and physical safeguards. Those are the types of things that an attorney that's drafting a demand for indemnification are going to look for, right, in those terms, to make a claim for a negligence based claim or contractual claim on down the road.
Joe DePaul:Yeah, no, that's great, Eric. So going back for just a second to some of the comments Steve made around preparing and maybe putting in place an incident response plan, a continuity plan, what's going on, your discussions around this, all of these things, some of the contractual items that should all be thought of beforehand, right? As we're planning for any event, but in particular a business interruption event as we're talking about today, those become extremely important to make sure that you've got all of these well as much as you can, have the i's dotted and the T's crossed.
Eric Benson:Absolutely.
Joe DePaul:Yeah. Awesome. So Jason, we're going to move to you, right? A lot of this conversation we're talking about business interruption and really the forensic accounting piece. Certainly there is a collaboration around all of the folks on the call today around what has happened, how did it occur, what are the legal aspects, what is the communication like? Deb's going to tell us about how everything is covered under an insurance policy, or maybe not. But Jason, from your experience, looking back, maybe hindsight, but as we look at, again, preparing this is not is generally the run of the mail kind of preparation, incident response planning. When you're talking about a business interruption plan, it's not just the usual suspects potentially of maybe a risk manager, the cso, the CTO, et cetera. You need some other business people in there. You need some financial folks in there that really understand the business and what a potential loss would look like. So tell us a little bit about that.
Jason MacMorran:Yeah, and I think to pick up from something that Steve said earlier is identifying what your critical business systems are is one of the first things you really need to understand because you want to make sure your coverage is right for your critical systems. So I think there's been a lot of education for folks this year. How many dealers, car dealers really knew that CDK was going to be such a big piece of how they did their day-to-day business, how many healthcare providers really knew that change in Optum would be such a big piece of how they process their claims and that that would be such a linchpin for their cashflow, CrowdStrike, the list goes on, and part of that continuity plan really on the front end is to understand where your risks really are going to be. You can have a first party issue that affects your systems.
You may be down and that may be covered, but if one of your vendors is really what caused you to have a revenue issue or a cashflow issue, does your policy cover that? So all of those are the types of things that really need to be thought about on the front end, and more times than not, it's sort of the lessons learned from other people's mistakes that will guide a better policy for your clients or your customers in the future. Getting your arms around what real risks you have and are they covered is I think where the big collaborative piece comes in for all of your advisory teams. Because if you have perfect information, perfect financial data, but it wasn't a covered loss, you may not be able to move forward with a claim and you may have financial exposure.
From our perspective, understanding what's in your policy, what's covered, does it really cover your risks, is the best planning piece of information that you can do because that's going to govern where your risks are going to be covered and what type of information you have available. So we advise talking with your insurance agents as soon as one of these events takes place, understand what your coverage is and understand what you're going to be able to do in response. One response tactic that we see from clients pretty frequently is they'll immediately put their internal people to work, and then they'll try to say the CFO, the CO spend a bunch of their time on this claim. That may not be a recoverable issue outside vendor might be. So understanding how all of that works in your claim is going to drive a lot of the economics on what you can actually make a business interruption claim for.
Joe DePaul:Yeah. So let me ask you this. You've been doing this for many years and in the events where you've had the ability to talk to some clients or some others about thinking about the preparedness and who's involved and having those discussions with a broker and with their carrier, et cetera, how often, again, specifically for a cyber business interruption claim, how often are those folks generally prepared to talk about the losses around a cyber event?
Jason MacMorran:It depends on how well they connect with some of their other C-level executives and peers. Where we've seen the most successful responses have been when accounting, finance and IT are sort of in lockstep at the beginning of the event. So that accounting starts to know what are the issues that are going to be our lost drivers? It can say, this is what our system impacts are. We'll probably get into this a little bit later, but what's the recovery time on the IT side or a period of restoration is going to drive how long you measure that claim? So when we see collaboration across technology and finance within a client organization, that's the best outcome. But oftentimes we don't see that type of collaboration. The business interruption piece on the financial and forensic accounting side, I don't want to say it's usually the last things people think about, but what we very often see is the immediate response to how do we get our systems back online? What are our legal obligations? How do we communicate? And then when that dust settles, they look at their policy and ask, are we able to recover for any of these business losses? And the people that are thinking about it sort of in a continuum from the beginning are going to be more successful. They'll document what's happening in real time and it'll be a better narrative for their claim to really understand what happened, how it happened, what those impacts are, and what that road to recovery looks like.
Joe DePaul:Yeah, yeah. No, that's great. So again, as we look at these types of events, business interruption, it's different. It's different than a property policy. It's different than a property loss where there are very specific items, valuations, for example, on a property, what does it cost to replace? What does it cost for a property loss? We look at business interruption on the cyber side, it's very different, right? The thought around preparing a claim, analyzing what's needed, what documentation, what information, et cetera is really needed to pull that claim together and have a real conversation with the organization around, well, what is your loss and how do we actually prove that loss for you working with the broker and the insurance carrier and your legal team. So what are some of those things that an organization needs to prepare or should be thinking about before an event happens?
Jason MacMorran:No, it's a great question and I'll come back to two different elements of that. One element is going to be, it always goes back to the policy, what's allowed as a recovery, but there may be remediation costs that will go into restoring systems, maybe restoring technology, maybe some technology upgrades are going to be required, and those may need to be some of the first things that are done to get the business back up and running. A lot of that's going to be driven by policy and some of the technical experts that are involved. The business interruption or loss of income element itself, that's going to involve a couple of key themes. One is going to be how much revenue did you lose and what are the variable costs or saved costs associated with that lost revenue? The lost revenue element is you're going to need to understand what systems were impacted, what business issues were impacted, did it impact the entire company or a particular segment?
What were your mitigation efforts and compounding? Some of this is if your digital systems were compromised, do you have backups of those records? Because most folks, if they're running a modern ERP or accounting system, it could be corrupted as well. So backups become a key piece of this, but measuring your loss revenue for either the business segment or the business as a whole is the first step. And having access to typically what we see would be two years of monthly financial information on the affected business or segment drives a lot of that discussion. And for whether you want to call it a cyber issue or a property or natural disaster, having good backups around that data is critical. And I would say that type of information would be the same to get lost revenues, cyber that would be in the property. But we're surprised a lot of times where business owners don't think about, how do I get that?
Joe DePaul:And I was having some microphone issues. Hopefully you can still hear me and hopefully we're not having an issue. Yeah, good. Okay. No, that's great. So that's great information. I really appreciate that. But I'm going to just dig into that for a moment. Again, some of the information, if we're talking about a business interruption loss on the cyber side, downtime certainly comes into play. How does an organization really think about if they haven't been, what Steve's example earlier was, you've got to think about this without the use of technology. So maybe you can't access some of your documentation, you can't access tax returns, you can't access payroll records and budgets and forecasts. Now eventually that'll all hopefully come back online. Sometimes it takes longer than it should, or you hope it would. How does an organization then begin preparing? How do you help them with that process if they really don't have access? Again, looking at a timeline generally, it happens at a little later, but how do you advise your clients about that?
Jason MacMorran:Okay. Alright. So again, I think we started with the premise that sometimes the business interruption claim calculation, we'll start a little bit later in the process and let's take two different scenarios. So one scenario would be there was a complete shutdown in business activity for the period of restoration. There may be no activity, there may be no sales to try to recreate. The business may have been completely shut down. More often than not, there will be some shutdown of a particular piece or slow down. And I think understanding what the business impact is then going to drive what the accounting records will need to look like. One example that we saw maybe a year or so ago, one segment of a business was completely shut down. The rest of the business was functioning. So we were able to measure by looking at what's called a before and after, what was the activity of the business before the event, what activities should they have expected during that period of restoration and help them reconstruct the revenues using some type of a model, or if one particular location was affected. We can help reconstruct what the revenues may look like for a particular location using what we'll call yardstick data. So typically we'll try to find what data was available and then benchmark it back to past activity or activity from a related business segment to map that lost revenue or a particular event.
Joe DePaul:Yeah. Okay. Sorry about that. I'm not quite sure what's going on, but so let's just talk about for a moment and really appreciate that. I mean, that was really helpful. I think the information was great. So let's talk about, Deb, we're going to get to you. Let's talk a little bit about the claim process because everybody's listening to this call, the pieces that we've talked about thus far. But really when we're talking about business interruption and a cyber business interruption for those individuals that have a cyber policy in place, and we hope that you all do, if not, talk to your broker. But if we have a cyber policy in place, how does that look from your perspective? What is a cyber loss? What is a business interruption loss? What's a dependent business interruption loss? How are those things correlated and how are they different?
Deborah Hirschorn:So if you have a ransom, let's say you have a ransomware event and you are so focused, as the gentleman spoke about before, you're very focused on getting back up and running. One of the things you cannot forget, which is usually three to four times more than a ransom payment, is your business interruption. So what is business interruption coverage? Business interruption coverage is to get you back to the position you were before the event occurred. So when you're looking at gathering your BI documentation, what are the things that you should be focusing on? Now remember that there are certain things you need to think about when you're looking at your policy. One is the period of identification. So what does that mean? It's the time period that your income loss is covered and every policy is different. I mean, what you're really looking for is you want the longest period of time possible.
So it could be 365, it could be 1 20, 90, 60, 30. I've seen those are really low. And why is that concerning? It's because it takes time to get back up and running, and really it takes time to see your business interruption unfold. It could be several days, weeks for that to really unfold. So that's something that you really need to be concerned about. We talk about dependent business interruption. What does that mean? Well, let's say there's an organization that has a security failure or a system failure, a security incident or a system failure, and then you are dependent on that particular organization. It interrupts your business. Then that would be dependent interruption. You are dependent on that organization to run your business. So that's also a first party coverage. Third party coverage would be a claim that would be filed against you by others. So that is obviously concerning that you're worried about on a notification purpose for sure.
If notification is sent out to folks that you have a data breach or a security failure and their information was compromised, then you're worried about the third party piece, which is regulatory and also class action lawsuits. So that's most concerning. So that's kind of the dependent and just the regular course of a business interruption coverage. So business interruption coverage would be if you have a system failure or you have a security incident, and then dependent would be somebody else has a computer issue that causes any sort of interruption for your business. And that is obviously the difference between the two. And those are both first party coverages. I said a lot.
Joe DePaul:No, I think the way you answered it was great one. I appreciate that one. Okay.
Jason MacMorran:Yeah, a lot of times in these policies too, there may be a provision that pays for some of the professionals. So be mindful of that, that there may be a provision in the policy to help you hire an expert to put some of these claims together.
Deborah Hirschorn:So that's a great point. So you do see in most policies there either a sub limit or there's just blanket coverage on coverage for a forensic accountant to help you prepare what's called a proof of loss, which is what you would submit to the carrier. Also, we talked in the beginning of the webinar about getting out the right message. Carriers will provide you with a panel of public relations experts that they do specialize in reporting cyber events, and you should definitely take advantage of that. If you have an event, they will use the right language to put out to investors, to the public to make sure that you're not putting out the wrong message. And that is really important because you don't want your CEO or your CFO to go online after an incident happens and say, oh my gosh, this is our fault. We're so sorry. We'll send everybody coupons. Well, in theory, I understand where that comes from, but your insurance is not going to cover that. So you need to be extremely careful with the message that you send, and that's why it's important to have. That's why it's important to have experts. Experts. I'm getting some feedback.
Joe DePaul:So looking at a bi loss a little bit deeper, right? And nobody's holding you to this, right? Nobody's going to say, well, Deb told us it's all covered. But under a cyber policy, what actually is covered with obviously the exceptional broker advocating? And that's another question who advocates for the insured here, but what is actually covered under these policies?
Deborah Hirschorn:So I can tell you what's not covered and then we can work back from there. Just thinking of the things and the examples that we've talked about. So we mentioned changed healthcare. One of the things that I think is very frustrating for insureds is that there was a delay in payment. And for a lot of them that delay in payment was really difficult, especially for a solo practitioner where they have to keep their business going, they have to pay their employees and they can't. The insurance carriers looked at that as delayed payment. So you will eventually get paid by Optum change, so that's not something that they would reimburse you for. However, let's say you had to take a loan out on your house in order to make a payment. You most certainly could submit that interest as an extra expense to your insurance carriers, and that's something that should be considered.
So any sort of delay of payment is not going to be covered. If you are an attorney and you miss two weeks of billing, they're going to say that you can make that time up. Now, someone who is a reformed practicing attorney, I can tell you that's extremely difficult, but that is the argument of the carriers that that time could be made up at a later date. So those hours are not going to be covered. Something else that would be covered, and I think this was mentioned, is let's say that you need to bring in a vendor to help you. For example, Steve used a company goes back to pen and paper, rather than they don't have access to their computers. Well, you may need to hire additional people to help you with that. Not everybody, it's not as quick when you don't have a computer in front of you to reach out to clients.
So you may have to bring in temporary workers. So that should be covered under your policy. You're not going to get coverage for bonuses. So to say to somebody like, well, my employees worked really, really hard, I'm going to give them a thousand dollars bonuses. That's not going to be covered. Any sort of upgrades that are not necessary. And we always use the example you went from a Ford to a Mercedes kind of system that's not going to be covered. Now if you do need upgrades because something becomes obsolete, that's a very different story. And I've seen that happen where you have people reusing blackberries and then nobody uses blackberries, they're obsolete and they had to upgrade to iPhones. That's something that potentially could be covered. So there are more arguments I feel that you can make to get things covered, but those are sort of the big ones that you'll see are just not covered under a policy.
Joe DePaul:Yeah, no, I appreciate that. So I just want to get back to the advocating for the organization or from your perspective, the insured side who advocates for the insured during these types of events.
Deborah Hirschorn:Your broker advocates for you. Breach counsel's not going to advocate for you. Your forensic accountant will obviously be the one in your corner preparing the proof of loss, and they will be the one depending on the policy. And what do I mean by that? There are so many variations of how business interruption can work. It could be that you retain, and it should be that you retain your own attorney, I mean your own forensic accountant, and then there's a supplement that will cover that under your policy. Some policies require that you retain a forensic account that's on their panel, but usually the way it works is you'll have a forensic accountant on your side and the carrier will have a forensic accountant on their side. You should meet together with those. A forensic accountant should meet and formulate a methodology before anybody puts to paper.
So one of the things we talked about, how many years do you go back to really get an idea of the holistic claim? Was it a seasonal event? Is it a seasonal business? Do you go back one year? Do you go back two years? It's really important to figure that out before you start, mainly because you don't want to get eight months down the road. Everybody's using the wrong methodology and then you have to start over again, which obviously ties into the timing. So number one, who's your advocate? Your broker, they should be the ones that are pushing for you. Breach counsel is not involved whatsoever, and that's not their purpose, and they will not opine on that. They're not your coverage counsel, they're your breach counsel. You most certainly could retain coverage counsel if things get super hairy, but we obviously don't want that.
That's why you have your broker to help you along that path or that journey. And how long does it take? Well, it really depends. One on the complexity, two on communication, and I can't say that enough. Communication. Communication and setting expectations. I can tell you that the biggest problems that I've seen on business interruption claims getting paid is understanding what the request for information is. It used to be 5, 6, 7, 8 years ago, you would just have the client kind of throw everything in the kitchen sink into their proof of loss. It's really not practical to do that now. It's really a much better approach. One you need to know, do the proactive work and know where your revenue streams are. Be able to figure out where my information is. Maybe do a bi tabletop alongside with your incident response tabletop so you know where your financial information is.
So when this does happen, one, you're aware of it. Two, you have somebody, maybe a forensic accountant already working with you to understand your business because even though the underwriter may have understood your business claims adjusters who are sitting at the desk have between 150 and 200 claims, they're just not going to know your business the way that you do. So once you get past that hurdle of everybody understanding your business, then you can really proceed pretty quickly with the process. But setting expectations, if you are, for example, a healthcare organization and your cashflow is maybe you've got two weeks of cashflow, you need to think about maybe getting a loan to pay your vendors to make sure that you have medical supplies to keep the lights on because it is a process. It's just not going to be done in two weeks.
Joe DePaul:No, Deb, thanks for that great information and thanks to all of you. So we've got a few minutes left and we actually have a couple really good questions here. I'm just going to run through them. I'm not going to tell you who they came from, but they're pretty good. So I think this one probably Deb will come to you. The question is, does the waiting period for a BI event serve as the retention?
Deborah Hirschorn:It depends on the policy. I mean, I hate to say that, but it really does depend on the policy in a way it's written. I've seen it in both instances where it can serve as the retention and others. It's waiting until that waiting period is done. Say it's 12 hours and then 1201, that's when the retention starts to kick in. And then on top of that, your policy kicks in. I would say really does depend on the language.
Joe DePaul:Yeah, it always depends on the language, doesn't it? Deb, what about if an insured loses a customer because of the event? What about that?
Deborah Hirschorn:I just had this conversation with somebody, and we have a couple of these claims that we're handling right now at Lockton. So you have to do your due diligence. If you have a lost contract within that period of indemnity, you need to be able to prove it. And what does that mean? Well, you're really going to have to pull out emails, anything that's very specific that says the client is cutting ties with you or they're canceling their contract because of this event, because otherwise they're going to say it's speculative and you need to have concrete proof. So is it a burden? Yes, it is. But if you have a client who you had maybe for 20 years and walked away because of this event, there should be some evidence that this is the reason why they walked away. So is it possible? Absolutely. Absolutely.
Jason MacMorran:Yeah. And Joe, I'll add on the forensic accounting side. If we're looking at that type of an issue, we are looking for a lot of what I'll call causation factors on can we prove that that customer left as a result of the event and not as a result of something else or some other market force. Otherwise it could be just speculative.
Deborah Hirschorn:So I'd say rule of thumb, whenever you're dealing with BI is to think of it as anything that you incur. It had to be, but for that event. So it's just approximate cause argument every time. I didn't do but for this event, I would not have incurred this expense or I would not have had this income loss. If it could be four or five other things, then think about whether or not that's worth submitting.
Joe DePaul:Yeah, so there's definitely got to be a linkage to the event for the type of loss. So great. Thank you both. So another question, Eric, I think this one might come to you actually, is what is the suggested messaging for business internal employees when a system goes down and maybe compromised? Right? So what's that communication look like?
Eric Benson:Sure. It's going to depend on, well, first sitting aside, the messaging for a second, whether or not a communication needs to go out is going to depend on the severity of the event itself, right? So the less we're talking about an incident, the happier I am as an attorney. But if we do have to talk about an incident, right? Employees can't access their workstations. It's an obvious disruption. And what we'll want to do is ensure that communications are as narrowly tailored as possible surrounding the topic of the disruption. So for example, talking points might look like we discovered an incident. Don't call it a breach because that's a legal term of our, that implies privacy exposure, but we've discovered an incident, we're working on it. We expect workstations or whatever it is to be down for the next however long, the approximate, and then keep folks updated. This is not the place to comment on forensic results or theories as to how a threat actor access the environment or how to prevent it from happening in the future. Just keep the messaging on the incident itself.
Joe DePaul:Awesome. Good. And Steve, I see you're answering, but this is a great question. This one's probably for you, the best way for a small organization to put in place good cyber controls, given limited resources, are the companies out there that can do that type of thing. And this will probably be our last question. We're going to wrap it up after this. Some of the questions we didn't get to, we will actually be able to respond to you after the presentation. But Steve, I'll leave this one to you.
Steve Ramey:Yeah, I'm going to call you a big brother from now on Joe instead of Uncle Joe know you're always watching. But yeah, I was in the middle of writing up writing back. So short answer is yes, there's there's companies of all sizes that could help cater to security programs of all sizes. Obviously you wouldn't want someone that's servicing the s and p 500 for a five person accounting firm, but there are specialized MSPs that can support security programs for smaller companies. It just really gets down to what type of data do you have, and then we can find a suitable MSSP for you. I'll drop my contact information into the chat here. Feel free to reach out, happy to get you in touch with my network to find one or two or three SSPs that could help you along your way.
Joe DePaul:Awesome, Steve. Thanks. So we're coming near the end of the presentation here, at least the time we have allotted. What I'm going to do very quickly is give you guys each 30 seconds just for some final thoughts. Eric, I'll start off with you.
Eric Benson:Thanks very much, Joey. Yeah, I'll just reiterate, this is a really informative discussion. I'll just reiterate the fact that as soon as possible you, you're a business owner, you're dealing with an incident involving a cybersecurity event or privacy incident. It's just so important to get connected with each of the types of experts we've discussed that have spoken up today on today's call, because there's so many things that can go wrong, as we've talked about throughout today, so early on in the process, right each second that goes by, mistakes can be made. So I just want to emphasize that each of these experts has years of experience in a particular field that has its own specialty with respect to the process. So make sure to get connected early on.
Joe DePaul:Awesome. Thanks Eric. Jason,
Jason MacMorran:Yeah, I think know what's in your policy. Do your homework in advance, have backups. Think about where your real risks are. Keep detailed records of what's going on with your event response in real time. Because when you do get a month, two months into the process, things will start to blurb. And the better your detail is and the better your information is, the more likely you'll be able to be prove a claim.
Joe DePaul:Awesome. Great advice. Chase, thanks so much. How about Deb?
Deborah Hirschorn:Rely on your broker to help you. What else can I say? I mean, when you're going through your renewals, you need to think about how can I be proactive with business interruption? It really shouldn't be an afterthought. It should be part of your instant response planning process. So take the time, even though it may be a little bit painful, take the time to really sit down and think about it, because at the end of the day, it really only takes one incident to possibly put you in a very dire situation as an organization.
Joe DePaul:Very true. Thanks, Deb and Steve.
Steve Ramey:Yeah, there's no problem with planning, right? There's an esteem panel here. Everybody has a perspective. Absolutely reach out, have a planning conversation. And to Deb's point, I can't emphasize enough the value that insurance adds. Start with your broker. Say broker, we need the help in these areas. What can you offer us? If your broker can't offer it to you, which I highly doubt they won't be able to, I'm sure your policy will have an ecosystem that you can tap into as well. So absolutely start with planning. Contact us, contact your broker. Let's make sure that if something does happen, we can minimize the devastation afterwards.
Joe DePaul:Awesome. Thanks Steve. Listen, thanks to the four of you. Really, this has been a great discussion. I hope that, I believe our audience got a lot of information out of it. So thank you all for presenting and thank you all for attending the webinar today. We all really do appreciate it. Astrid, back to you.
Jason MacMorran:Thanks everyone. Thanks again.
Transcribed by Rev.com AI
What's on Your Mind?
Start a conversation with Jason
 
				 
		 
		 
		 
		 
		 
		 
		 
		 
		 
		 
		