Podcast: Business Interruption: What to Expect with Baker Tilly, Beazley Canada and CyberClan’s own Kadir Levent

EPISODE SUMMARY

Suffering a breach is hard enough; having your business go latent while you remediate the situation can be devastating. Laura Hodgins with Beazley Canada helps us understand the claims process, while Harriet Bateman with Baker Tilly takes us into the mind of a forensic accountant and Kadir Levent talks through the incident response and remediation processes.

EPISODE NOTES

In this episode we cover some broad topics about business interruption and the effects of a cyber breach.  Questions such as:

  • What are some of the most common misconceptions over what cyber insurance covers and doesn’t cover?
  • When an incident happens, how does it get routed within the claims department? i.e., is it dependent on what type of incident it is?
  • Are there specific ranges for periods of restoration based on what type of incident it is?
  • What is the fundamental job of the forensic accountant and what does that process entail?
  • What type of due diligence do you have to go through and how do you help set the expectations of your clients?
  • Business interruption is a major expense. How do you work with the IR team, claims team, and restoration team to be sure you are properly assessing and minimizing the cost to the business?
  • How do all the teams work together to respond to the incident and move through to system restoration?
  • How can businesses better prepare?

Transcript

Erin Keating:
Welcome, everybody, to another episode of Incidentally, brought to you by CyberClan. Today we’re super excited to bring a couple of guests together to talk a little bit about the whole process that a company might need to do when an incident happens in cybersecurity, when there’s a data breach or other form of ransomware, malware, so on and so forth, that happens. We want to help paint a picture for customers to know exactly what they should be looking for and can expect in that type of experience.

Erin Keating:
Specifically, one of the things that a lot of people aren’t talking about is business interruption. When you are breached, there is a period of time where you are responding to that breach, but then your insurance is also kicking off their series of investigations, as well as forensic accounting comes in to assess the damages and so forth. And so there could be times when businesses are actually not just addressing breaches, but actually downtime in their businesses, along with all the public relations nightmares and everything else that comes with it. So we wanted to take some time to talk to some of our favorite partners and friends in the industry to get a little bit of a breakdown of that process. And so today, on this episode, we have Laura Hodgins here with Beazley Canada. We have Harriet Bateman with Baker Tilly, and we’ve got our very own Kadir Levent of CyberClan.

Erin Keating:
So Laura, if you wouldn’t mind just kicking us off with an introduction of yourself, your role at Beazley and help us just better understand how you fit into the picture.

Laura Hodgins:
Thanks, Erin. So my name is Laura Hodgins. I’m a Claims Manager at Beazley Canada in the Toronto office, and I’m responsible for managing, amongst other types of claims, claims that insureds experience under our cyber policies.

Erin Keating:
Great. Harriet, thanks so much for joining us today. Let us know a little bit about yourself.

Harriet Bateman:
Thanks, Erin. I’m Harriet Bateman. I work at Baker Tilly, and I’ve been doing business interruption claims for eight years now, so I’m a forensic accountant. Essentially I’m brought in to assist with the analysis of the financial damages that are suffered following a breach.

Erin Keating:
Wonderful, and welcome back, Kadir. We’re so excited to have your expertise back, but if you wouldn’t mind taking a second to introduce yourself, for those who haven’t heard from you yet, we’d appreciate it.

Kadir Levent:
Yep. Hi, everyone. So I’m Kadir Levent. I’m the Chief Operating Officer at CyberClan. I look after the global operations across North America and the U.K. Also EMEA. And I also look after the incident response team, so we do a lot of work with the insurance companies, working closely with forensic accounting to help them provide, get the information, whatever they need as well. So thanks very much for having me back.

Erin Keating:
Absolutely. Well, let’s kick off on some questions around what happens when we get incidents happening within companies and who sort of jumps in first. Laura, I think we can all agree that for the most part, in this type of situation, we’re probably going to hear from the insurance company first. So if you wouldn’t mind taking just a quick moment to talk a little bit about some of the most common misconceptions about cyber insurance, particularly in regards to the business interruption coverage.

Laura Hodgins:
Sure. Thanks, Erin. I think that’s a really important question. And also, I’d note that we certainly hope that we’re an insured’s first call, or at least an early call, after an incident occurs. But if I were to state what I think the most common misconception is, I think it would be that this coverage won’t be meaningful coverage or be very limited or won’t be necessary.

Laura Hodgins:
For example, the thinking might be that if a company has comprehensive backups in place, any business interruption will be limited, because they’ll be able to simply trigger those backups and get back up and running. And unfortunately, we find that’s often not the case. There can be limitations with the backups. Sometimes it takes considerable time to trigger those backups. I’m sure Kadir can get into more of the technical detail there. But even in the case of a ransomware incident, where an insured decides to pay an extortion demand, that demand is paid, the decryption key is obtained, so presumably, you can then just unlock all your data and get back up and running. Unfortunately it can sometimes take days, weeks, even months to fully decrypt all the systems and get back up and running. So unfortunately, backups and even decryption keys aren’t always as reliable or operate as quickly as we’d like. And for that reason, I think all businesses need to consider risk of business interruption when they face a cyber incident.

Kadir Levent:
Yeah, and I think that’s really important, actually, Laura, one of the things that you mentioned there about the ransom side of things. So there’s definitely a common misconception that by paying a ransom demand or extortion demand or whatever that looks like, is the magical key. And all of a sudden, your systems are all back up online, and everything’s good to go. I mean, that is definitely not the case, and I’m sure you’ve experienced as well, that is definitely not what we see. Even if we do get the decryption keys from the [inaudible 00:04:37] or whatever you want to call them, and we then stand a chance of recovering your data. You know, I always use these terms loosely. Ultimately, at that point that you’ve got your data back, hopefully, we still don’t know how they got into your system, how long they’ve been there, what footprint they’ve put in there, what might be corrupted, what might not be corrupted.

Kadir Levent:
So there’s still a huge restoration piece that needs to take place in order to be able to get everything back to a fully functioning point. And for us, I think that’s where we see the business interruption side of things. Yes, we will always try and get the business back up onto its feet as quickly and as efficiently as possible. But like you said, it could be days, it could be weeks. In some cases it could be months, depending on the environment. But definitely, I think the misconception there is that this key is your savior, and all of a sudden, everything’s just going to go back to the way it was before the incident. And that’s definitely not the case.

Erin Keating:
That’s a great point that you make, Kadir, and I can’t wait to bring Harriet in a little bit to talk through how she and her team work through figuring all of that cost analysis out. But before we get there, Laura, can I just switch back to you, because that’s a rather specific incident. Ransomware and things like that. But when you get a claim in, are you delegating them to different teams, based on what type of incident it is? How does that work?

Laura Hodgins:
Well, I should note that the answer to this question will certainly vary, depending on which insurer you have, who your insurance company is. But at least speaking for Beazley and based on my experience in the industry, I’d say the first thing to note is that when it comes to cyber incidents, especially when you’re trying to trigger your first-party coverage, so you’re making a claim directly to your insurance company, the priority will be that that claim gets routed quickly and that it gets triaged appropriately so that the appropriate vendors or in-house claims team can respond. Beazley’s slogan, which might be relevant here, is that the cyber breach itself doesn’t have to be a crisis. It’s really mishandling it that can be a crisis. So at Beazley, kind of with that in mind, we have a somewhat unique structure for most of our cyber insureds who will have what we call Beazley breach response policy.

Laura Hodgins:
And that provides an in-house incident response team. That will be essentially the first call. So there’s kind of a 1-800 number, or there’s a dedicated email address that we ask our insureds to contact. And so that team is going to be the first contact for an insured when they’re experiencing an incident. And that could be a ransomware incident. It could be a malware attack, it could be anything. They could find out that certain documents were not shredded properly, and there could be a risk, all sorts of personally identifiable information being out in the public. So this in-house team will kind of speak to the insured and discuss what actually happened. What type of response is necessary and then counsel the insured client through the incident. So it’s really a team approach. But once that incident is reported, once we have our in-house team engaged, we’re also appointing a claims manager. Someone such as myself who is going to be responsible for communicating the coverage under the policy.

Laura Hodgins:
And sometimes it can be very simple. I can come in and our Beazley breach response team has already engaged someone like Kadir to start working with the insured on a forensic investigation approach, or they’ve already engaged privacy counsel, which is also a very important component of the response if you think personally identifiable information has been compromised, and then I’ll come in and I’ll help work with the insured to understand exactly how the coverage operates. So often the first question the insured will ask will be, “Well, you’re offering all these great services. This forensic response sounds great. These lawyers sound fantastic. They know exactly what they’re talking about. They explain all the different privacy laws and regulations in my jurisdiction, but is it covered?”

Laura Hodgins:
That’s always literally the million dollar question and that’s where the claims manager comes in to help work through that. And the answer to that question with the insured. Explain… Sometimes it’s just basic things like how the deductible works, what the retention is, what the limits are under the various components of the policy. Cyber coverage… And it fortunately, because that’s… I think we’re all developing some pretty sophisticated products. Is necessarily complicated in order to respond to the range of incidents in her world right now, but it’s not always intuitive. So that’s why we’re there to work with our insureds and the other team members to make sure that the insured gets answers to all those important questions.

Erin Keating:
Great. Could you maybe add a little bit of color to how then… Because it sounds like your responsibility would be very wrapped up in this first phase. So obviously you’re likely getting a call from a claims department that is utilizing you all as an incident response team or a direct client. How do you start organizing with all of the different players in the picture?

Kadir Levent:
Yeah, and I think that’s really, really important. I think one of the things that Laura mentioned was how critical it is that… Just because you have an incident, it doesn’t mean it’s that bad. And I think just reporting that early, no matter the size of it, will really help everybody in the picture to support you throughout your incident.

Kadir Levent:
So what we sometimes see is that if you engage us right at the beginning, contact your insurance company, they may contact us to support you through it. That process can start very quickly, which means if there is an ongoing incident, we can help contain that. And then the recovery efforts begin a lot quicker. We’ve seen incidents where insurance companies and ourselves, we’re not involved until maybe a week or two weeks down the line. And I think it’s that moment that the policy holder thinks, “I don’t think I can get out of this.” And it’s at that point they pull the trigger and then you’ve really lost time. And there’s so many things that we could have done to support them through that before that happened and then got to that stage. So it’s definitely an interesting space. But in terms of the way we work and the way we operate, we understand that when someone picks up the phone, to report that incident, it’s important.

Kadir Levent:
So we respond to everything as quickly as we can. And typically, for us, we try and respond to any contact that we get within 15 minutes, which is a pretty big ask, to be honest, to be able to get the right person on the phone in that time. But the fact of the matter is we understand that it’s urgent and that person that’s calling us at that particular time needs our help.

Kadir Levent:
So we respect that. It’s like when you phone 911 or any emergency service around the world. You don’t want them to say, “Hey, yeah, no worries. We’ll get back to you in, I don’t know, a day or an hour.” You want that immediate response. So when we are engaged or contacted by either Laura’s team or any other carrier or by the client directly. We have a team of experts ready to sweep into action. So that is the right people, on the end of the line, ready to support the client. And we typically do that within 15 minutes and then it’s all hands on deck. It’s what do we need to do there and then to help contain the incident, let’s get a bandaid on it. Let’s make sure we stop the bleeding and then we can help to take the necessary steps to get that client back up online.

Erin Keating:
So I know that CyberClan has a rule of some of always trying to make sure we’re closing out any projects within two weeks. But of course, I think this starts to bring up language like waiting period or restoration period. So maybe flipping back to you really quickly, Laura, can you help us just better understand those terms. A waiting period or a period of restoration?

Laura Hodgins:
Absolutely. So, yes, these are two important terms that you are likely to find in most cyber products in today’s market. So waiting period refers to the period of time that must elapse before coverage will be triggered for a business interruption loss. So you might compare waiting period to the idea of a retention or a deductible and other types of insurance policies. So it’s that portion of the business interruption loss, once it’s quantified, that is retained by the insured or needs to be incurred before the policy actually starts to respond. It can certainly range depending on the policy and depending on what the insured has decided is reasonable with their broker.

Laura Hodgins:
But we often see between eight and 12 hours. And it’s important to note that the waiting period begins when the business is interrupted. Not when the breach itself occurs. So if the breach occurs at midnight, but you’re a retail business and you don’t open until 9:00 AM, the business interruption would presumably occur at 9:00 AM when your business is actually interrupted. In terms of period of restoration, that refers to the period during which a covered business interruption loss can occur. So it’s really kind of the parameters of the coverage for a business interruption loss. It’s the maximum length of time for which a loss is payable. Following that interruption in business caused by a security breach or a system failure. And again, different policies will provide for different periods of restoration. And it’s almost always a defined term in a cyber policy, but often policies will stipulate periods of restoration between say 120 and 180 days.

Laura Hodgins:
And that’s on the basis that most cyber incidents are what we call short tail. So they don’t go on for years and years, we certainly hope, and they can be resolved or the business interruption can be contained within that period. I just like to highlight one other term that came to me when I was thinking about those two terms just now and that’s extra expense, and I’m sure Harriet can expand on this as well. But we sometimes see business interruption claims submitted where the actual income loss to the business has been avoided because the company, for example, hired additional employees to compensate for reduced production capacity or paid significant overtime to their current employees, to make up for that business interruption.

Laura Hodgins:
And while the company might’ve avoided lost sales of orders by doing that, they incurred what the policy defines as “extra expense” to do so. And so that’s also a very important component of the business interruption coverage under a cyber policy and the idea behind the extra expense coverage, and how we define it, is that it’s those expenses that are incurred to minimize, reduce or avoid income loss. And those are certainly an important type of coverage under your standard business interruption coverage.

Erin Keating:
Well, Harriet, I think it’s about time we bring you into this conversation. So as I understand it, the fundamental job of the forensic accountant is to ascertain the true cost of a cyber breach. And so given everything that Laura is saying now, there’s a waiting period. Then there’s a restoration period. There’s an incident response time. How do you get involved in… Can you help our audience better understand what the process entails for your role?

Harriet Bateman:
Yeah, absolutely. And I mean, I think the key thing to always remember is that the fundamental concept of business interruption cover is to put the policy holder back in the position that it would have been if this incident hadn’t occurred. But obviously that’s subject to policy wording, as Laura’s just described in terms that there are a number of things in the policy that we have to bear in mind, obviously, when we’re trying to do that and perform that loss calculation. And [inaudible 00:15:46] terms of the true cost and you just reference, you know, we’re really talking about business interruption, but that also includes the cost of data restoration, which is included under the policy, but that’s probably a topic for another day. So I’ll stick to business interruption for now. In terms of the process, we get involved in cyber claims.

Harriet Bateman:
In a number of different capacities, I think the most traditional route, and I think the one that most insureds are familiar with if they’ve had other claims in property or fidelity, and typically on the larger losses team is that we review a proof of loss once that’s been submitted by an insured. So, if you’re an insured and you’ve suffered a business interruption loss, and then you put together an estimate of what you think that loss is looking like, then at that point, we would then review that and help get to the bottom of, okay, is this an accurate production?

Harriet Bateman:
Is this a reasonable representation of the loss that’s been sustained by an insured? I think in cyber, some insurers, and particularly in the SME, the small medium businesses, we’re sometimes asked by insurers and insureds to sort of have a joint role and we’re involved a bit earlier in the day and they’re saying, “Okay, this insured needs hand holding a bit, needs a bit of guidance on how to put together a business income loss calculation.” And at that point we’re really guiding the insured in terms of, okay, this is the key… These are the kinds of things that you need to consider. And this is the data that you’re going to need to collect. And like I say, that’s typically earlier in the day, maybe when the breach has just happened, when we’re talking to an insured about what they need to start thinking pretty early on about collecting to avoid any surprise later on.

Harriet Bateman:
And I mean, I will just say that I think the key to an efficient process, I think, as Laura and Kadir both touched on, is to get that process started as early as possible. And that’s even from a forensic accounting perspective as well. I think it’s really key to managing expectations. And when it comes to the quant and the size of the loss, so that we’re avoiding any difficult discussions further down the line when an insured or an insurer has expectations on what the size of the loss looks like. I think if we can have that discussion early on in the process, then we can avoid any of those surprises further down the line.

Erin Keating:
So, Laura brought up an interesting point about extra expense, which I hadn’t thought about till we started having this conversation. And I know for instance, there’s a lot of businesses that are going through a PR nightmare because of what happens. So Target or you’re a large health system or something like that. Recently, there’s a massive law firm in New York that’s just been hit up for 42 million over records that might be released. When you’re in there in forensic accounting, is that also part of your responsibility, is to see what is the reasonable extra expense that companies may need to be incurring in order to tamp down what their PR outcomes might be? Or is that separate and that’s not really much to do with business interruption?

Harriet Bateman:
So I think when it comes to business interruption the primary trigger that we’re working with is a network interruption. So that’s typically a security failure or a ransomware incident. And that’s what we’re responding to. And from an extra expense point of view, I think, yeah, we’re always involved. Forensic accounting is, without trying to downplay what I do, it’s really as simple as measuring a reduction in revenue or an increase in cost. And I think that’s what translates to a loss of profit for a business. That, again, coming to that point, it’s all subject to policy wording. So yeah, I mean, it sends a bit… The PR perspective, it’s all subject to making sure we have that trigger for the business interruption element. An extra expense should always be incurred to mitigate the loss of revenue. So the two run hand in hand.

Erin Keating:
Understood. And I’m going to jump around here just a second, because that triggered something else that I hadn’t thought of. But Kadir, when we were doing an episode, I think last week or two weeks ago. And even according to an article today, I saw in the Wall Street Journal, some of the things that are specifically happening in COVID now is that there are a lot of IT departments that have previously based what their insurance needs are on having an IT team and the breach, in fact, happening on-site.

Erin Keating:
So everybody’s in an office, the server rooms, everything is containable. And now we’re seeing a lot more incidents where people are having to remote in and potentially take longer to solve some of these challenges because of the pure logistics that are engaged, I guess, to all three of you, but maybe Kadir, you could speak a little bit to what that’s been like in this particular period, and then Harriet, maybe you can help us better understand the due diligence that has to go into quantifying and understanding that type of additional thing that’s coming up now in unforeseen circumstances.

Kadir Levent:
Yeah. I mean, I can definitely comment on that. So I think we continue to have the same challenges. Let’s put it that way. So we are getting more and more incidents coming in regularly where… It’s a common thing, and that is that businesses have to scramble, last minute, to allow remote access into their systems. And I think that for them operationally, that’s what it was all about. Let’s just get people working, let’s get the business ticking over. And they unfortunately opened doors to the kingdom that weren’t originally open.

Kadir Levent:
So you’re right. I think when it was coming from an insurance perspective, and I suppose when, and maybe Laura can comment, but I suppose from an underwriter’s perspective when they were probably looking at this and looking at the risks that were involved. They were probably very different to what it is today, then I can only assume, because one of the questions I remember when I was in insurance was, do you allow remote access into your infrastructure?

Kadir Levent:
So do you have remote desktop protocol open? And at the time it would have been, “No, we have it locked down.” So, that was probably accurate, six months ago. But now it’s not. And now we’re seeing these doors being opened up and unfortunately these criminals are exploiting that. They know that businesses are doing that. So they’re targeting it. They know how remote access is enabled. So all they need to do is systematically work through that and just look for businesses that have left the door open. And then they exploit them. So we are definitely seeing that, it’s still very much on an upward trend. And even in small things like business email compromises where, again, where people are working remotely, the support mechanism isn’t necessarily in place.

Kadir Levent:
So where someone may have seen something that they would have thought was suspicious and they could have just picked up the phone and called IT or walked down to the IT team and said, “Hey guys.” Or look to your colleague and say, “What do you think that is? Do you think this looks strange?” They don’t have that anymore. So those comforts aren’t there. So more things are going undetected and unreported until they become a big problem. And that’s when they’re getting picked up. So definitely that’s what I’m seeing in terms of trends from an incident perspective. Maybe Laura can comment more on that.

Erin Keating:
Yeah. And I mean, Laura and Harriet, if you could maybe just chime in, I know this is sort of a left ball question here, but the idea that what you might’ve seen six months ago, as far as a response. Again, if you’re looking at your claims and how much you might be paying out or what you expected the response time to be. Now knowing that there may be handicapped, not even just from the availability of the system to hackers, to be getting in, but then the availability to the incident teams to get in and actually respond. Be able to take hold of those data files, especially if it’s on backup tapes and things like that, that used to be on site and easily accessible to IT teams. Those IT teams may now be completely remote.

Erin Keating:
So they now have to figure out how to get into buildings, how to get backup tapes, how to sort of lengthen that response time that wasn’t necessarily expected six months ago when you wrote the policy. And now you’re on the claim side having to work through a policy that maybe isn’t congruent, exactly, with what the new circumstances are. How do you all sort of, again, this is sort of a free for all question, but how do you all start to see that? Or have you? I’m making that assumption again, based on an article I read, that that’s becoming more apparent.

Laura Hodgins:
Well, Erin, just speaking from the claims side of the business, I’d say, we’re constantly seeing new iterations of cyber events, security breaches and kind of emerging challenges in terms of how we effectively deal with them and how our forensic experts deal with them. But what I would say you gain, I have an experienced cyber insurer who works with experienced forensic vendors and those who are constantly on the front lines, is some insight into that evolution.

Laura Hodgins:
So the one thing we’re able to do easily, because we see thousands of incidents globally every year, is understand… We kind of see trends early on and understand appropriate responses and who is best suited to respond to them. So for example, Kadir might have some unique insight into the particular circumstances you described, and at Beazley we would quickly develop some insight into who the best vendors are to respond to an insurance incident.

Laura Hodgins:
So if we see that situation arising more frequently then we might say, “This is the firm that we would recommend is hired in order to help respond to that incident.” And we saw it particularly when it comes to ransomware. There were certain vendors, forensic experts who were able to effectively negotiate with certain threat actors, more effectively than others. And so we were able to say to insureds, based on the type of ransomware you’re dealing with, based on the strain of malware, we think we need to get this expert in place to help you, because we think they’ll be more effective than this other company.

Laura Hodgins:
So that’s what I think an experienced cyber insurer can offer to an insured because, as you mentioned, the threat landscape is constantly changing and evolving. And just as we try to respond in different ways with system upgrades and new and better security measures the threat actors and the attackers are also becoming more sophisticated.

Erin Keating:
Harriet, do you have anything to follow up that, again, your job is very heavy in due diligence and setting expectations for customers in an ever changing environment. Cyber security is just an ever changing environment. We all know that, right now it may be particularly challenging, but how do you normally work through that setting expectations and helping build out the due diligence?

Harriet Bateman:
Yeah, and I mean, just to follow on from this change in the new norm, and I think one area that our job has become particularly interesting in the last few months is obviously with the whole COVID thing we’re tasked with measuring what a loss would look like. What an insured would have achieved if the cyber incident hadn’t occurred. Obviously now that looks very different to what it was before COVID. So we have to take into consideration the fact that maybe some businesses wouldn’t be operating, maybe production would have halted in any event. Maybe the insured would have done better. I know some businesses, certainly trade [inaudible 00:26:56] around the corner from me and bustling and busy as hell.

Harriet Bateman:
But some businesses are doing better than others in this new normal that we’re experiencing. So we have to take that into consideration when we’re then reviewing what business interruption loss looks like under these circumstances. And again, that makes for interesting conversations with insureds if they haven’t fully grasped how these business interruption calculations work.

Harriet Bateman:
So I think that leads on to what we were saying about managing expectations. And I think there’s, definitely in the market, there’s an issue that a lot of insureds don’t understand the methodology and the calculations that we’re running. So, again, the earlier these conversations can [inaudible 00:27:41] the best we can help them the best because then we can walk them through, okay, this is what we’re looking at, this is how we’re going to measure this loss. And then there’s going to be less difficult conversations after we’ve sorted… After they’ve reviewed our calculations and realized that there are some things that they thought they could claim for that just don’t make sense in terms of the business interruption. So I think one common thing we see, for example, is salaried expenses.

Harriet Bateman:
Every business wants to claim for their salaried costs, whilst they’re down and their workers are unproductive. And our conversation’s normally centered then around, okay, let’s think about the salary as a normal cost, but what was the loss resulting from those workers being unable to do that productive activity, then we’re talking about whether there was an extra expense when you were making up that loss or whether there was a loss of revenue due to the fact that those workers couldn’t work. So, these are the ways that you… The earlier you have that conversation the better and ensure that the expectations are managed and those conversations are always easiest and insured run those models and understood a business interruption calculation before they’ve even purchased cyber insurance, which is rare, but it happens.

Erin Keating:
That’s a really good point. I hadn’t even thought about the fact that… And Harriet, this just makes me feel very stressed for you, but in this situation, I mean, what a business could have assumed they might’ve been doing in Texas in the beginning and now Texas now, and, or New York. Right now in the United States, especially, it’s very, very based on where you are in the country of whether your business is back up or back down. So you all must just be having to do mental gymnastics to consistently be figuring out, but what is the basis of the business right now in relation to what it might’ve been pre-COVID and as the COVID thing keeps going. So that’s… Thank you for educating me on that. That was a very interesting point.

Erin Keating:
Well, I don’t want to take up too much of all of your time, but if there’s any parting thoughts on business interruption and just the process in general, I’d love to hear it. Feel free to just jump in. And then I’d love to close us out with just any pointers that we could give to clients and audience that are listening alike on how people can be thinking and reframing their minds on breaches and what they could potentially be doing to avoid having some of these conversations at all in the future, but at a minimum, mitigating their risk. So first let’s just say any parting thoughts on the process that people have to go through when a breach has occurred?

Kadir Levent:
From our perspective, I think planning and preparation is the key. So keeping the bills locked before they’re opened, or if you are going to change something, just having someone check that. Just have someone come in and say, “Hey, actually, you know what? I know you’ve made some changes. Based on everything we can see that’s going on out there. You’re good. And you’ve put the correct controls in place.” And having a solid incident response plan. So if something does happen, how do you respond to that in the correct manner? Who do you call first? Are you still able to call them? If you can’t use your emails, do you have a cell phone you can use? Really simple things like that. So just thinking about all the eventualities that make up that plan.

Kadir Levent:
And when it comes to security, if you don’t have one already, consider having some sort of managed security service that someone you can tap into, if it’s a virtual CSO or whether it’s just someone coming in and doing a vulnerability assessment externally and saying, “Hey, this is what we can see. This is what your exposures are.” So, preventing it happening before it happens, it’s much better than trying to clean up the mess afterwards. So from our perspective, from a security standpoint, definitely tap into anyone that you can, and we’re here to support as well. So if you need any advice, let us know. But definitely try and be proactive in your security stance. That’s my final thought.

Laura Hodgins:
The only thing I’d add, Erin, to the conversation that we’ve had thus far is that when it comes to business interruption in particular, what our BBR team and what our clinic team is going to emphasize to an insured is the importance of keeping records. Keeping records so that we can properly assess that claim as efficiently as possible down the road. As I’m sure Harriet has experienced, sometimes just collecting the information necessary for that proof of loss document can be a really time-consuming and challenging process. Because at that same time, the insured is trying to get their business up and running. They have a full-time job running their business and having to collect all this information for their insurance claim is not always, understandably, priority one. And so if during the incident process they can just make sure to keep all that information, keep a folder of that, or have someone assigned as the point person. That can really expedite the process down the road.

Harriet Bateman:
Yeah. And I think from a forensic accounting perspective, again, preparedness is key. So consider what your loss might look like. If you suffer a cyber incident, what is going to happen to your revenue, what is going to happen to your costs? Do you expect that it would be a small loss, a big loss? How long will you be impacted? Test your policy, ultimately. Read your policy and check that it’s correct for your business, because there are lots of instances where it’s not the correct period that you’ve got cover for, or it’s not… You haven’t tailored it necessarily to fit what a loss would look like for your business. So, run scenarios, run different scenarios of how things would be impacted, and whether you think you would collect the right amount of loss, according to what you’ve purchased.

Erin Keating:
That’s great. Well, I sincerely appreciate this conversation as always. I feel so educated coming out of these to get a full picture of what’s going on. And now I can make sense of the news articles I read. So, speaking with you experts is really helpful. If we don’t have any parting thoughts, I would just love to say, thank you so much to Laura, Harriet and Kadir for being with us today and helping people better understand what it looks like when you do have a breach and how to address it and what to expect, and most importantly, how to be best prepared for it. So Kadir, Laura, Harriet, thank all three of you so much for being with us today.

Harriet Bateman:
Thanks, Erin.

Kadir Levent:
So much, thank you.

Laura Hodgins:
Thank you.
