Insurance should be integrated into cyber response plans: Experts


SAN DIEGO – Risk management concerns should be part of cyber incident response plans to ensure companies make the best use of their insurance coverage and reduce unnecessary disclosure of potentially damaging information, experts say.

By overlaying insurance information on response plans, companies can quickly access approved vendors and ensure that communications during the crucial period after a breach are covered by legal privilege, they said.

Companies should have cyber incident response plans in place long before they are hit by a cyberattack, said Andrea DeField, a partner at Hunton Andrews Kurth LLP in Miami. She spoke Tuesday during a session at Riskworld, the Risk & Insurance Management Society Inc.’s annual conference.

The first step risk managers should take after a cyber incident is discovered and their organizations are mobilizing their response is to review their insurance policies. To ensure they have access to the policies, they should have hard copies or have them located on another system, such as with a broker, she said.

In addition to cyber liability policies, organizations may be able to seek coverage under other policies, such as directors and officers liability insurance, if the company’s stock price is affected by the disclosure of a breach, or kidnap, ransom and extortion coverage in the case of a ransomware attack, Ms. DeField said.

Next, insurers should be notified of the breach. “Keep the notice high-level. Notice is potentially discoverable by third-party claimants and regulators if you end up in litigation or regulatory action following a cyber incident,” Ms. DeField said.

In addition, policyholders should put a nondisclosure agreement in place with their insurers to keep their communications under privilege, “so that if you get sued by a plaintiffs’ lawyer down the road, they aren’t accessing your communications with your insurer,” Ms. DeField said.

As the response to the incident progresses, policyholders should be aware of the proof of loss deadlines contained within policies – they often have one-year deadlines – and seek extensions when necessary, she said.

Risk managers should also build relationships with other professionals within their organizations and draw on those relationships in the event of an incident, said Jason Palomino, director, treasury, at ServiceNow Inc., a software company in Santa Clara, California.

“It’s really important to build a coalition of resources, whether that be external counsel, general counsel, making good friends with the (information security) team, that really helps drive a lot of these processes,” he said.

And effective communication between the various departments helps ensure that insurers are aware of and agree to the outside vendors used in an incident response, and that those vendors’ costs are covered, Ms. DeField said.