In the wake of numerous cross-border, well-publicized cyber-attacks, cyber-insurance has quickly become a hot issue. This area has also become a trending topic because of the abrupt and quick need for response in a generally uncharted area. The increasing levels of revealed vulnerabilities, the multiple methods of security breaches and the domino effect damage exposure are all major concerns. Aware of this problem, it becomes imperative to understand best practices aimed at solving and/or minimizing issues that may arise in the context of reporting a cyber-attack or breach to a carrier. Looking specifically to the practice in Mexico, here are some examples of claim reporting and handling in this field.
Notice of Claim:
Article 66 of the Mexican Insurance Contract Law indicates that the occurrence of a claim must be reported to the insurer within 5 days, unless the policy has another reporting provision. In the event that the claim is untimely reported outside of the statutory or policy deadline, the insurer may reduce the indemnity to what would have been paid had the claim been timely reported (Article 67). In view of the nature of the risk, it is best to report a cyber loss immediately upon learning of it. One of the obvious reasons is that even with timely reporting, the claim investigation is time-sensitive and very involved. Between the identification of the attack, verification, provisional decision-making, notice to the risk management area and to the corresponding insurer and to those impacted by the cyber breach, critical hours, days and even weeks may pass.
What would be the impact of failure to report cyber-attacks "immediately" or at the "first opportunity" or "promptly"? Presently, cyber claim teams are very scarce throughout Latin America, and insurers sometimes rely on general adjusters that may not have a wealth of experience in this area. The scarcity of these types of claims cause steep learning curves, difficulty in launching teams that may not be geographically ideal, or have individuals unfamiliar with the insured’s computer systems and unable to quickly stop the loss of information. Because of this, one critical question may be, “can the insurer reduce the amount of its obligations by arguing that it would have taken immediate steps to reduce the loss?”
It has become common for insurance policies to include a panel of cyber forensic consultants and suppliers in the event of a loss. However, many times these suppliers’ fees are likely to fall below the deductible. If the insured wishes to utilize an off-contract consultant or supplier that may charge a lesser fee, the issue of compelling the insured to stick to the policy’s listed consultants and suppliers even where the amount is below the deductible may arise.
In addition, Article 113 compels the insurer to pay expenses incurred by the insured in mitigating its damages post-loss. Therefore, one may wonder, are Article 113 and the policy supplier provisions at odds?
In practice, consultants and suppliers written into the policy usually have the function of verifying that there was an actual "attack" -a trigger of many cyber policies- therefore assisting the claim progression by streamlining the verification and recommendation process. One of the reasons why this becomes imperative is because there have been instances where the policy – subject to Mexican law and delivered in Mexico – requires the insured to absorb the costs of the cyber consultant or supplier in completing this otherwise claim handling role.
In case the "advisers" swing quickly into action to assist, if it is then established that the loss is excluded for some reason, the insurer has already intervened through the experts appointed in the policy to provide crisis control, which might be interpreted as an acceptance of coverage for the claim.
As with any facet of claim handling, but particularly in the context of cyber-attacks, it is imperative to have a specialized strike force. Knowing the local law, the practical realities, and keeping up with the continual evolution of this growing area are vital tools that make each type of consultant and supplier uniquely qualified for the challenge.
Posted by Daniel Baron* and Nestor Rodriguez, Socio Director en Medina y Rodriguez Abogados
*Not licensed to practice law in Florida
*Not licensed to practice law in Florida