Priority breach response intrinsic to BHSI's Australian cyber-insurance debut

The decision to forge a strategic partnership with Symantec is helping Berkshire Hathaway Specialty Insurance Company (BHSI) set the bar for cyber-insurance in Australia by supporting policyholders with rapid access to security specialists in the event of a breach, according to the newly-appointed local head of the firm's cyber-insurance operations.

Having begun designing its Australian cyber-insurance products early this year, BHSI's representatives realised the company “had a great opportunity as a new product to really be thoughtful about what we're putting in the market,” head of cyber liability insurance Emma Osgood told CSO Australia. “We took a step back and looked at what was crucial from a client perspective, and we realised the response has to be front and centre. Cyber policies are more of catastrophe or crisis cover in that an insured suffers a breach and they need an immediate response.

When people buy a cyber policy, they're not buying a promise to pay; they're buying a service.” The new policies include coverage for business interruption and rectification costs as well as third-party liabilities arising from a data breach, as well as emergency response costs to enable rapid access to the Symantec breach-response team.

If a company suspects a breach, BHSI will organise a group call with Symantec specialists who will collect details of the breach and triage the incident – allowing them to variously focus on remediation activities, troubleshooting, forensic investigations, and more.

A 'breach coach' – a qualified lawyer who “acts as a project manager to the incident” – will work with all parties concerned to manage the incident to a resolution. The joint response “is all built around speed and basically provides direct access to Symantec,” Symantec Incident Response Team APJ leader Paul Black explained.

“If you've got bad guys in your environment, speed is of the absolute essence. The way in which BHSI has constructed their policy gives their insureds the fastest possible response, and access to our team to start investigating. That's critical in the time of an incident.” Resources available to policyholders, Osgood said, also include legal expertise, forensic IT services, and public relations and credit monitoring firms “to handle the reputational damage that can accompany an incident.”

Because the cyber-insurance field is relatively new in Australia – and competing with conventional policies that a Centre for Internet Safety analysis suggested may not cover cybersecurity breaches and have significant exclusions due to vague policies – BHSI intentionally set out to simplify and refine the language used in cyber-insurance policies, Osgood said.

This included the use of words like 'all' and 'any' – uncharacteristically broad in an insurance industry where hedging exposure to risk is a way of life. “That's a big deal from an insurance perspective,” she explained. “Often insurers like to pinpoint specific risks that are covered.” “Given the evolving threat landscape,” she continued, “we want to be broad and say that if [a breach] happens it doesn't matter where it happens from. We're happy with that exposure, and we fully anticipate that we will pay losses. We want to be able to demonstrate that we can do that – and do that effectively.”