Cyber Insurance Considerations for Privacy Professionals with Joe Brunsman.

Listen to Teresa Troester-Falk and Joe Brunsman highlight some key issues that privacy professionals should think about when it comes to Cyber Insurance and Compliance. Watch the video here.

Teresa Troester-Falk

Hello everyone, and welcome to today’s PrivacySnapshot, where we’re going to be talking about Cyber Insurance, which is a topic that is being referred to a lot, especially in light of the increased requirements and obligations stemming from the California Consumer Privacy Act. I’m really excited that Joe Brusnman is with me today. He’s the VP at Chesapeake Brokers. But he has a background in IT, including a Robotics degree and a Masters in Cybersecurity Law, and has recently co-authored a book called “Damage Control,” which we are going to be providing the link for at the end. It is an excellent publication with lots of considerations on cyber insurance coverage.

So Joe, with PrivacySnapshot, we have a short amount of time to talk about a big thing, but Cyber Insurance is just on everybody’s mind, and you’re a cyber insurance guy. I  come more from the legal side of things, and with my background, I’ve worked on operational compliance. So the first question I have relates to how somebody like me, somebody who’s working privacy compliance operations and, you know, the legal considerations, really fit into the whole process of cyber insurance and what kinds of things they should be thinking about.

Joe Brunsman

That’s a really great question. So there’s a huge overlap between the compliance side and the insurance side. To kind of give you just a broad example, and most cyber insurance applications will ask you some derivative of a question such as, are you compliant with all state and federal cybersecurity and privacy laws? And so a question that broad is just a minefield for cyber insurers to actually deny coverage to somebody. So that’s just one amongst many questions where really the privacy side needs to come in to the insurance side.

Okay, first of all, what laws actually apply to you? Are you compliant, if that’s even possible? Right, because we know compliance is more of a journey, not really a destination. So that’s just kind of a brief example there of how that comes into play because it’s really important not only to help denied coverage, but also because the regulatory fines and penalties, those are really starting to ramp up. And I think every Attorney General is thinking about running for Congress, and they’re hanging their hat on consumer protections. And kind of the easy interesting one that people would understand is cybersecurity. So, a company was breached, and the Attorney General came in and did an investigation.

They weren’t, you know, adhering to some or all of the particular law that adheres to their circumstance. And then they get a fine and the Attorney General looks good. So it’s going to be a big deal going forward.

Teresa Troester-Falk

Yeah, I think this is a really important point because I still observe; there’s a notion out there that if I have cyber coverage, I’ll be fine. So maybe I don’t have to worry so much about things. So,  comply with all cyber security laws?  That’s to your point. And compliance is a journey. It’s not a moment in time. I think the best most companies can do is to demonstrate that ongoing capacity to comply. So what could you say to professionals like myself and others about what we should be thinking about? To meet those requirements in the event they have a breach?

Joe Brunsman

Yeah, so it’s, you know, just talking about how to actually comply. You know, that’s another area where I don’t think companies really understand what goes on after a breach occurs. So they’ll see some snapshots. In the news, a journalist who really doesn’t know what he’s talking about just says, “Hey, this company got breached.” But what you don’t see, and I can say is from firsthand experience, having dealt with well over a breach a week last year, just for my own clients, on top of people who have already been breached, and where my clients calling me, I mean, just the mountains of data you have to pile through.

So I mean, just to kind of like bare bones, you know, let’s say that you’re an online retailer, well, you could potentially have to deal with 50 different state and territory Breach Notification laws, which, honestly, you’re not going to do that yourself. Then you’re going to have to deal with each one of those laws having particular requirements, such as who you notify within that particular state. So various governmental and regulatory agencies within that state have specific timelines that you have to deal with all of these issues. I mean, it just turns into this huge spiderweb and so in a cyber policy, you know, most cyber policies will allow for an attorney to be provided to you that specializes in this area. But companies make the mistake where they haven’t kind of thought about this beforehand.

And sort of figuring out, okay, who’s going to be in charge of what issues? And how are we going to relay this information to our clients to avoid losing clients? You know, how do we make this as smooth as possible? because realistically, I think every company should now come to the conclusion. Eventually, we’re going to get breached in one way or another. And we’re going to have to deal with this issue. So let’s make plans. Now. Let’s work with that privacy attorney, see what our requirements are currently what they’re going to be, and how we’re going to deal with that issue.

Teresa Troester-Falk

So we could talk for a very long time about this. And I have so many questions, and because this is a snapshot, and then I’m going to wrap it up with a final question and refer people to your book, where you get into a lot of the details about things to look for and lots of considerations. I don’t know, this may be an unfair question, but when you said you dealt with a breach a week last year, and that was just your clients, I mean, that’s astounding. You’re one person.

So how many more? When you think about that, is there one thing you learned over all other matters that could be a key takeaway if there’s one thing that just stands out in your mind as a great takeaway? For example, would it be assigning ownership, doing tabletop exercises, or knowing how to do your notifications? What would be the one thing that would make that process easier? I know there’d be many, but if there’s one thing that stands out more than others,

Joe Brunsman

So, essentially, like how to make the post-breach process easier, right?

Teresa Troester-Falk

Once you’re in that, so it’s not a firestorm, and you’re not scrambling. Would there be one thing that could make that just go a little smoother had more work been done ahead of time?

Joe Brunsman

Yeah, I’d say probably; the single greatest recommendation I would have that kind of ties everything together would actually be getting all the stakeholders in the company together, right along with some sort of privacy attorney and privacy specialists, and actually go through that tabletop exercise. So really, you know, in the kind of the computing world, it’s If This Then That. So if this happens, then what do we do? And that would tie in to assist you really thinking about, okay, what are your vulnerabilities? Who is going to be assigned to deal with those? So that way, you know, I have seen in a number of companies. Actually, a breach occurs, everyone’s stressed out, and all of a sudden, everybody has a good idea and wants to be in charge.

You can just squash that before it ever happens. You can assign who’s going to be in charge of what because there’s going to be many, many facets involved with a breach you probably don’t think about. So you go through the exercise. And the other aspect of that is if this than that, okay, who’s in charge? What happened? Then let’s look at your cyber policy and see if it’s actually covered under your cyber policy. Because, unlike pretty much every other area of insurance, there is no standard cyber insurance policy. As a matter of fact, cyber insurance isn’t even a thing. It’s not a legal term. It’s not an insurance term. It’s just this idea that society has that we’ve placed upon somehow having insurance if something bad happens with a computer.

So it’s a very sophisticated multi-layered kind of process. But just starting with that tabletop exercise, bring all the right people in and just kind of war game through, what if we send money to the wrong place? Okay, how did that happen? What if we get ransomware? Okay, do we have backups? What’s the period in the backup that was encrypted? Now what do we do? Just kind of going through that process. I think that would save people a lot of pain and heartache later down the road if they just kind of thought through these fundamental steps.

Teresa Troester-Falk

That is great advice, tabletop exercise, strategy, and tactics, and somebody’s got to be in control, but knowing who that’s going to be. So thank you, Joe.  I know we could go on and on, and it would be interesting to do that, but I’m going to refer people to your book, which is chock full of great information. And, of course, at Blue Sky Privacy, we’re here to support your privacy compliance program goals and needs. Thanks, Joe.

Download the book Damage Control: Cyber Insurance and Compliance here.

Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.

Ask us how we can help you feel confident and at ease with your privacy compliance efforts.

Follow us on LinkedIn: