Subject:
Cyber incident response team and legal services agreement.
Recommended Action:
Approval and execution by the County Administrator of the cyber incident response team and legal services agreement with the law firm of Mullen Coughlin, LLC, a Pennsylvania Professional Limited Liability Company.
• Services provide for a pre-approved negotiated agreement for a cyber coach if needed, enabling engagement of services from an incident coach immediately should a cyber incident occur.
• Paragraph 4 of the agreement (Compensation) limits the initial cost to the County to $100,000.00, which is the same amount as the retention (deductible) for incident response coaching services; an additional $150,000 is included if the Chubb policy does not respond to pay requested fees or expenditures, for a total not-to-exceed amount of $250,000.00.
• The term of the agreement remains in full force and effect until resolution of a cyber matter or unless otherwise terminated or extended. No funds will be expended unless required due to a cyber matter.
Strategic Plan:
Ensure Public Health, Safety, and Welfare
2.1 Provide planning, coordination, prevention, and protective services to create and enhance a safe, secure, and healthy community
Deliver First-Class Services to the Public and Our Customers
5.2 Be responsible stewards of the public’s resources
5.3 Ensure effective and efficient delivery of county services and support
Summary:
The purpose of this agreement is to provide a pre-approved negotiated agreement for a cyber coach if needed, enabling engagement of services from the incident coach immediately should an incident occur.
Background/Explanation:
The County has had cyber liability coverage through Chubb since 2013. The coverage pays up to $10M for cyber incidents. In addition, the County has a $5M excess cyber policy, for a total of $15M in coverage. The policy has a $1M deductible.
In April of 2021, Risk was informed by Business Technology Services (BTS) that there was a potential cyber incident at Safety and Emergency Services (SES). Staff reviewed coverages, notified the County’s broker of a possible incident, and then spoke to Chubb regarding the incident.
Chubb suggested enlisting the services of a cyber incident response coach as the first step in the process. They provided a list of preferred coaching firms that operated in Florida. These “coaches” are law firms that specialize in cyber incident claims. Chubb recommends these firms and relies on their expertise to assess the situation and to bring in forensic teams they feel are best suited to handle cyber incidents, similar in concept to a medical gatekeeper in an HMO health program.
With guidance from the broker, BTS, and the County Attorney’s Office, a decision was made to select Mullen Coughlin as the “Incident Coach”. This agreement has been in negotiation for 4 months between the County and the incident coach, primarily regarding the lack of limits on the cost of services. Fortunately, it was determined that the incident with SES did not cause any damage. BTS advised that they had isolated the situation and could block any further potential damage.
Following the incident, BTS was concerned that had this been a true incident where systems were shut down, the County could not wait months to have an agreement signed. It was agreed to negotiate a pre-approved cyber coach agreement that would enable engagement of services from the incident coach immediately if needed.
There is no immediate cost to the County to have this agreement in place. It allows County staff to work quickly should an actual event occur without wasting time negotiating terms and conditions. Actual expenditures would only occur in the event services are utilized.
Paragraph 4 of the agreement (Compensation) limits the initial cost to the County to $100K, which is the same amount as the retention (deductible) for incident response coaching services. Beyond that amount, the County’s policy holder, Chubb, would respond to policy limits. Wording is also included that would make the County responsible for fees up to an additional $150,000 if the Chubb policy did not respond to pay requested fees or expenditures. County Risk staff has been advised by both the County’s broker, Arthur J. Gallagher, and the cyber incident coach, Mullen Coughlin, that based on prior incidents, cyber incident coaching fees rarely exceed $70K.
A pre-approved agreement is vital to have in place with the County’s Cyber Security Policy. The agreement should be in place from the initiation of the policy coverage. Without the agreement, the County would be left without assistance until an agreement is negotiated, which could take months to complete.
The only other option would be to handle the claim internally. This is not an attractive alternative as the Chubb policy has a clause that would then reduce the County’s total cyber coverage from $15M to only $1M without the intervention of a cyber coach and forensic experts. This defeats the purpose of spending $250K in Cyber coverage for a $15M policy, but only receiving $1M in cyber benefit coverage.
Once this agreement is signed, Risk will work with BTS to pre-negotiate forensic expert agreements should they be needed for an actual incident.
Fiscal Impact:
Amount not to exceed: $250,000.00
Fees paid under this agreement will be funded from the Risk finance operating fund.
Delegated Authority:
Authority for the County Administrator to sign this agreement is granted under Code Section 2-62 (a)(1).
Staff Member Responsible:
Merry Celeste, Division Director, Purchasing and Risk
Joe Lauro, Director, Administrative Services
Partners:
N/A
Attachments:
Agreement