Cyber Insurance Musings - Part Three

In Part One, we defined the term “cyber insurance” and briefly discussed some of the challenges in getting affordable, right-sized coverage.

In Part Two, we touched on a few of the ways organizations are effectively communicating the efficacy of their security programs to negotiate the best possible insurance coverage.

Here in our final Part Three, we’ll discuss ways to practice responding to an event or incident and how you can involve your insurance company and other key stakeholders.

Practice makes perfect…well almost! I don’t think anyone believes they have a perfect security program or response plan to cyber incidents when they occur. That said, if you develop a well-thought-out process and plan and then practice it at least once a year, you’ll be in much better shape than if you are learning on the fly during an actual incident.

How should organizations go about developing and practicing these plans?

First thing is to recognize and document the difference between an “event” and an “incident”. This is a critical activity because you should have both an event and incident plan and the process flow of actions and involvement of respondents may be drastically different. Security events happen every day. They may be minor like a single endpoint becoming infected, to an alert that needs to be investigated because of anomalous behavior being suspected. Generally, security events don’t result in negative impact to the business or data/systems being compromised and you would not normally involve 3^rd parties like insurance companies or legal teams to respond to and correct such issues. Nevertheless, it’s important that the security operations team, and sometimes broader IT teams, are pulled in to address these events timely. An incident, on the other hand, means that something has been compromised. It might be data that has been exfiltrated, systems or files that have been locked, or a substantiated unauthorized access to sensitive data. The process and activity flow for incident plans are much more involved and include teams outside of security and IT. Make sure your plans are comprehensive, are tailored to your organization and environments, and that they include all the appropriate stakeholders.

Next, schedule at least one operational and one executive-focused tabletop exercise a year to practice walking through these plans. I recommend you conduct separate and more frequent drills to test and practice your event management plan. You will likely have team members joining and leaving your security and IT teams and so making sure these folks are versed on the plan to address events timely should be top of mind. For the incident response plan, typically you will want to also break the table-top exercises into technical and executive sessions. You won’t want senior leaders and 3^rd parities to sit through the technical parts of the practice session, but you will want them available when escalation and decisions are needed by these stakeholders. One way to conduct this exercise is to start technical, maybe the first 2 hours of the drill with indicators of attack being supplied to security operations staff and then, at some point, inject the need to decide on ransom payment or response that would certainly require input from these executive and 3^rd party teams.

Lastly, make sure you debrief on the outcomes and learnings from the drills. All parties involved can learn from the exercises and may make different decisions or take different courses of action depending on the unique drill scenario. Insurance companies will appreciate being included in the executive part of the drill and, ultimately, it may help you negotiate better insurance rates and terms if they have increased confidence in your team’s ability to identify and response quickly to incidents.