Call the monitoring counsel
As the demand for cyber coverage expands and insurer competition heats up, the monitoring counsel role could be London’s competitive edge.
Hiscox Global Insight talks to Christina Terplan, a US-based lawyer and monitoring counsel from Clyde & Co.
Describe your role as a monitoring counsel following a data breach.
Often I'll be the first to hear from the insured of a potential claim on a cyber policy, or my clients [insurers] will get notice of a claim and pass it to me to represent their interests. I'll send the acknowledgement and call the insured to explain how the policy works: whether there is a deductible, if there's a panel of vendors such as privacy counsel, forensic examiners, or PR consultants.
For many insureds this will be their first cyber event, so we see a lot of incidents that are non-events. I work with the insured on the first call to decide whether they need to respond, to retain privacy counsel or forensics experts. For example, if they report the loss of an encrypted laptop, more often than not it will be a non-event, from a policy perspective.
The idea is to make a really messy situation clean. You can't be easily excitable; you have to go in there with the insured and be really calm, and walk them through it.
The insurer retains you – so what’s your relationship with the insured?
Often I'll know the insured before an event occurs. I'll go and meet them or the broker will arrange a call to introduce myself. So there is a level of trust and they’ll know to reach out to me if there is an event such as a data breach.
How involved are you in selecting which vendors an insured will use?
If I think they need external counsel I will tell them about the options, and encourage them to retain counsel. The next step would often mean me reaching out to the vendors selected to understand if there are any conflicts and sometimes helping to interview the vendors with the insured.
How important is flexibility in your role?
Every one of my insurers has a different ethos as to how they want to handle their claim. So it is balancing that ethos with how it will work in connection with the event. It’s not a plug-and-play response – and I probably wouldn’t be retained if it was.
I've had situations where I'll know that there might be a forensic examiner who'll be perfect for an event but I know that they already have ten different investigations underway. So I'd recommend someone else. The same thing with the privacy counsel; I know which ones are jammed at any particular time.
Do you think your role in controlling costs on behalf of the insurer creates a conflict?
No one wants to overpay. A lot of insureds will have a sizeable deductible. If I can go in and renegotiate contract terms for vendors, then more often than not, both the insured and the insurer will be happy for me to do that.
It's pretty rare that an insured says: “No – we don't want you to be involved or try and help save us money.” And the directors and officers don’t want to be accused of not trying to get the best pricing.
How much effort do you put into vendor relationships?
I meet with a vendor every week to keep the relationships up and they trust me; they know that I have an ear to the ground and know what is going on. Equally I can challenge them if I know they have overpriced someone.
How aligned are everyone’s interests?
Cyber insurance is supposed to cover the risk and the insurers I work with just want to make sure it is handled properly. Interests are aligned to make sure the incident is handled appropriately in order to mitigate the third-party liability.
When it's done well, the monitoring counsel role is about absolutely highlighting that interests for both the insured and the insurer are aligned.
Even when cover is declined, oftentimes the insurer will still have me assist the insured with choosing their counsel and the forensic examiner. Even though the insurer isn't paying for it, the insured still gets the benefit of my knowledge, so that when the next cyber breach comes around and it is covered, they feel like they had a positive experience.
What are the most common mistakes businesses make when reporting potential breaches?
I'm still seeing a lot of insureds hanging on for a long time before they report potential breaches to their insurers. I had one instance of an insured where 30 days had elapsed after the discovery of the incident, before it even made it to the insurer. In certain US states that would have already breached the notification deadline.
At the other end, you still have some insureds who don't want to report potential claims to their insurance carrier until they really know it's a loss, and so hold it close to their chests for as long as possible. That's one of the critical roles of the monitoring counsel; I get asked quite a lot: “When do you think we should notify our insurer?” I always tell them to report early and often, and trust your insurance carrier is sophisticated enough to not make a big deal out of tiny events.
How has the monitoring counsel role changed?
When cyber insurance first came out ten years ago, the market had a more hands-off approach. You would go in and advise on coverage but the vendor relationships weren't there.
Today, the monitoring counsel role gives clients a feeling of having more control; there is less distance now between the insured and the insurer.