JKJ’s Bretschneider: Greater “duty of care” awareness needed for email compromise

Johnson Kendall & Johnson’s cyber practice leader has said insureds need a greater awareness of the “duty of care” obligations associated with business email compromise breach events, warning this could lead to claims being challenged down the road.

Alexandra Bretschneider – who leads the retailer’s cyber practice but also handles all lines of business – was speaking to The Insurer TV on the sidelines of last week’s Net Diligence Cyber Risk Summit in Miami Beach.

In a wide-ranging discussion, she spoke about the role a retail broker plays in incident response, the value of non-admitted MGA cyber products, the value of wholesalers and the current state of capacity, in addition to raising concerns over the seriousness of business email compromise events.

Bretschneider shared a story where she received a phishing email from a client, and immediately alerted that client that their email system had been compromised.

“We're the ones telling them, ‘Hey, you've got an issue’, and unfortunately, what I'm still sometimes getting as feedback [is], ‘Okay, yeah, we know, IT took care of it, we got them out’,” Bretschneider said, highlighting that some clients are failing to grasp the severity of the matter.

“Lack of understanding” on duty of care

“There's a lack of understanding of what the duty of care is, [where] in that moment, actually now you have a duty, since your system has been compromised, to determine what, if anything, [the threat actor] did while they were in there,” Bretschneider explained.

“There's still the exposure of data, and I think that's getting missed a lot right now. I think a lot of organisations have an email compromise, and they diminish really what the impact was – naively so,” she added.

Bretschneider said clients may face potential consequences down the line if the issue is more serious than initially thought.

“The concern I have is, your insurance carrier would be in a position to deny that claim that if something materialises later, that determines there's been a breach of data that gets misused, and it was from that initial email compromise,” she continued.

“You just got the bad guy out, and you closed the doors and called it a day. So that's a big concern I have, and I think we're going to see a lot more of that.”

Role of the broker in incident response

Sometimes brokers can have limited involvement in the incident response in the event a client is breached – owing to attorney-client privilege – but Bretschneider said it is still important for a broker to provide guidance on the incident response process.

“I think it's so important for the broker to ease the [client’s] understanding of what's to come,” she said, which could include detailing what parties will be involved in the incident response, and to give a client confidence in those parties’ experience and ability.

“Here's what you can expect: you can expect an engagement letter, you can expect the attorney-client privilege [form] and that the legal breach coach is going to want to be party to that agreement with the forensics firm,” she explained.

Bretschneider highlighted the importance of giving a client a feeling of “flow and comfort” in the aftermath of a breach.

“So that every step taken from that bad day forward doesn't feel out of the blue and confusing, or unnecessary, or overkill, or underkill, or any of those things,” she explained, adding that “communication is everything”.

“Especially at the start of that incident, the broker plays such a key role in managing the communication and creating that sense of comfort that you're going to get through this,” she added.

Value proposition of E&S market, wholesalers

Bretschneider also said she’s a “big fan” of E&S and MGA products that have come into the market, citing an example where a client recently opted to go with a slightly more expensive non-admitted product because it provided broader coverage.

“I think it's incumbent upon the brokers to understand what those differences are and give the insureds those options. Some insureds do have a strong preference that they want to work with admitted, fully backed carriers, others are going to just trust your guidance and make sure you're recommending the right solution,” she explained.

Bretschneider also said she is a little wary about the proliferation of cyber MGAs that have emerged in recent years.

“I do exercise patience in selecting the MGAs that I think are viable, that can stand the test of time, that have the right backing financially, and have created the right relationships even within the industry,” she said.

“So, I'm cautious. I think it goes both ways there, but I still do love the MGAs and E&S solutions, and I think that that will continue,” she added.

Cyber business has flooded the E&S channel in recent years, and Bretschneider said that while wholesalers have been valuable as the cyber market has matured in recent years, retailers now have the volume of business where they are increasingly able to access markets directly.

“I think [wholesalers] need to continue to prove what their value prop is right? It needs to be special terms and conditions or better negotiated pricing, because of their volume that they're able to offer. But it's no longer just that they're a single point of access,” she explained.

Watch the full 14-minute interview with Johnson Kendall & Johnson’s cyber practice leader Alexandra Bretschneider to hear more on: