On May 8, 2024, Paul Hastings hosted the Cybersecurity Law Workshop at this spring’s Privacy + Security Forum featuring a panel on cybersecurity insurance trends and insights. The panel was moderated by Paul Hastings’ David Coogan and featured Alisa Langford-Marion, a cybersecurity insurance broker from WTW and Jennifer Sadoff, Deputy General Counsel at AvidXchange.

The panel covered recent insurance market trends, litigation developments, and practical guidance for companies as they seek coverage, plan and prepare for incidents, and navigate the claims process.

Here are some of the main takeaways from the panel—

Pre-incident Considerations. Before an incident occurs, organizations should purchase cyber insurance. Panelists emphasized companies should work with their broker and think through the cyber insurance risks they are trying to insure against to ensure they get the most out of their cyber insurance coverage. Organizations should also establish an incident response program prior to an incident. Speakers explained that, in developing their incident response program, organizations should include information about their broker, outside counsel, and insurance policy. Speakers went on to note that, before an incident occurs, organizations should hold tabletop exercises and consider their preferred vendors in the event of an incident. When conducting tabletop exercises, panelists recommend organizations conduct these in such a way that their internal teams are not expecting it so that it is more realistic to an actual incident and the organization can be better prepared when an incident occurs. 

Considerations During Incident. Panelists discussed several considerations organizations should account for when responding to a cybersecurity incident. Speakers noted that organizations should implement the incident response plan that they had previously established. Organizations should also work closely with outside counsel, outside vendors, and their broker in responding to the incident. Panelists highlighted that claims advocates who work for insurance brokers can be integral in working with an insurance carrier.  Finally, speakers noted that organizations should plan in advance if the company needs approvals for ransomware or extortion payments.

Considerations After Incident. Upon closing out the organization’s response to an incident, panelists discussed the administrative requirements for reimbursement including submitting a proof of loss, labeling invoices, implementing safeguards, and reviewing the incident response plan. For proof of loss, panelists explained that a formal proof of loss may not be required and companies should work with their broker and carrier to understand what is required.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this spring’s Forum, which took place from May 8-10 in Washington, D.C.