A cyber security incident calls for a fix, and the quicker the better. But as a company deals with immediate issues in the wake of a breach, can it also grow a stronger, more secure system? At the NetDiligence Virtual Summer Summit on June 30, panelists Tim Francis (Travelers), Sean Curran (West Monroe), and Ron Raether (Troutman Pepper) joined moderator John Farley (Gallagher) for a deep dive into the question “What is Remedy and What is Improvement?” Bringing together insurance, forensics, and legal expertise, this dynamic group explored the fuzzy border between remedy and improvement and stressed how understanding the difference can aid organizations.
Curran laid out how the steps taken to address a breach might be difficult to categorize. As incident response moves through the stages of identification and crisis management to a period of remedy and remediation, many actions may ride the line between remedy and improvement. Active Directory recovery, workstation and server recovery, data recovery, and endpoint detection and response are all examples. Curran noted that any step of remedy that includes decreasing the likelihood or reducing the impact of future breaches can also be seen as improvement.
So, why then is categorization important? As Francis noted, identifying an action as remedy versus betterment may impact the way that it is covered by a company’s insurance policy. Traditionally, cyber policies have focused on remedy, covering a wide range of services including breach coaches, forensics, and legal services as well as financial compensation for business interruption. Still, the overall standard was to bring a client back to the moment before the breach. Recently, the insurance industry has recognized that helping companies build better practices into recovery makes financial sense, as improved security will reduce future claims. However, betterment coverage may be separate, offered at a sublimit, or be subject to copayment. Therefore, it is important for insureds to have a clear understanding of how their policy will function.
Turning to the legal side, Raether explained how the recently enacted CCPA has blurred the line between remedy and improvement while simultaneously making it more critical to articulate. By introducing the standard of “cure,” the CCPA requires an entity that has suffered an incident not only to remedy the breach, but also to show that “no further violation shall occur.” The ramifications of this language remain unknown, but Raether stressed the importance of clear and thoughtful documentation of controls – technological, administrative, and physical. Furthermore, companies should be aware that only some forensic reporting will be subject to legal privilege.
In their summation, all panelists agreed that foresight and preparation will always trump remedy. Recognizing the complexity and sophistication of threat actors, conducting risk assessment specific to an organization, and documenting the decisions made to determine reasonable security should be at the top of any organization’s list.