Insurers and businesses are contending with
The damage from cyber breaches can be less from the immediate, short-tail business interruption or need to fix systems, and more from the time and resources spent on investigation, litigation and public relations communication, stated Thomas Barrett, partner in data protection and privacy at CyXcel, a cybersecurity consulting unit of U.K.-based law firm Weightmans. "It's no longer just about when your system is down, it's about everything else too," he said.
Insurers can, however, shorten the tail after a cyber breach, according to Randi Zimmer, director of cyber incident response at Epiq, a technology services provider. They can prevent incidents by proactively getting, "really good information governance and an incident response plan," she said. "There's certainly a direct link between the incident response and further litigation."
A business cannot respond until it discovers a breach, Zimmer observed. It has to then choose a form of notification, whether that's a simple web posting or press release – typically if the breach does not exceed a minimum level set by regulators, an internal notification, or the lowest risk response, a formal notification with a discovery process identifying compromised data. A formal detailed response adds to a long tail for risk, she added.
"If that's not done properly, you get not just your typical regulators and AGs, asking for things," Zimmer said. "Then it gets deeper, and they want to know why they're asking for all this information. Sometimes insurers are pushing back on that and even filing their own actions against the regulators, because the scope that they're asking us to see is too broad. If you get it right, that will shorten what is adding to the tail."
Another way to avoid a long-tail cyber breach problem is to identify and stop "threat actors" before they act, stated Lauren Winchester, senior vice president of risk advisory at Corvus, the cyber insurance managing general underwriter
"If there's tools in place to identify anomalous activity early for whatever users might be compromised, the security, either in-house security or the managed security, is able to pinpoint that something's going on and they need to run it down," she said. The threat actor can then be blocked from getting to user credentials or valuable data in a company's systems. Without a data breach, there is no risk of litigation and therefore no long tail from an incident, Winchester added.
Litigation for cyber breaches is also citing use of tracking code (similar to online cookies) as a vulnerability that can facilitate a threat actor's penetration in a breach and turn an incident into a long-tail event, explains Brooke Tanner, global head of claims at Ryan Financial Lines. "We've seen a huge proliferation of tracking code," she said. "Session replay code is absolutely enormous, because when you go onto a website, you don't have to do anything, it starts recording. You're seeing what we thought were completely benign and somewhat archaic federal statutes now being pleaded in certain jurisdictions, and these claims are being brought."
