Incident Response from a Cyber Insurance Perspective
One thing I have found incredibly interesting about starting in the cyber insurance world is the lack of awareness among many cybersecurity people not involved on the incident response side of how deeply cyber insurance is ingrained in the process. Let me detail how an incident unfolds from the perspective of a cyber insurance professional:
Something tips you off that you have some kind of incident. An analyst notes some suspicious login attempts, and upon further investigation, realizes there was a successful login with an IP address associated with Russia. They follow proper reporting of this unauthorized access attempt and the incident response plan is initiated.
The first call in a cyber incident should be to your cyber insurance carrier, or to your broker so they can help you get in contact with your carrier. Reputable cyber carriers have 24/7 hotlines that you can call to report an incident, which gets the ball rolling on the claims process as quickly as possible.
Once the cyber carrier is contacted, they will put you in touch with breach counsel. Sometimes these hotlines are actually straight contacts to a privacy law firm. These attorneys with special expertise around incident response and privacy law will help quarterback the incident. They will ensure the entire incident is handled under attorney-client privilege.
The law firm will engage forensics on your behalf. This helps ensure that whoever is engaged is going to be covered under your cyber insurance policy. From the countless incidents that these law firms handle, they will know which forensics firm has the greatest expertise around the kind of event being experienced as well as who has the most capacity when the event occurs. I have heard an objection from some cybersecurity professionals in the field that a cyber insurance policy is not going to be for a lot of organizations as it is going to force organizations that already have an incident response plan to use a specific vendor. Carriers will often add law firms or forensic vendors to their approved “panel” list if this is communicated ahead of time. There are also carriers that have no panel, if that is something important to the organization. Really, the key in these kinds of incidents is to have open communication with the carrier as well as your broker in choosing the right policy for you.
Forensics will help contain and remediate. They will also help determine what information was truly accessed so that you can work with your breach coach on properly notifying impacted individuals. For example, an email account might have been compromised. The forensics team will be able to determine which emails were actually accessed and what information was exposed.
The breach coach will be able to help guide you in giving notice to these individuals. Each state has its own privacy breach notification laws, and the law that applies is that of the state in which the impacted individual resides. This can get confusing quickly, so the breach coach will ensure you are giving the necessary notice as well as providing required resources, such as credit monitoring, to impacted individuals.
Forensics will help determine the way in which access was gained and work toward remediating this so no future attacks can occur.
PR will be engaged if necessary to handle communication during an incident, helping to maintain reputation and protect trust in the brand.
It is important to keep close track of expenses being incurred throughout the process. DO NOT INCUR ANY EXPENSES WITHOUT CONSENT OF THE CARRIER to avoid any discrepancies in the event of a claim. If there is business income loss being reported as a result of the cyber incident, it is important that this is properly documented. The carrier will engage a forensic accountant to help calculate loss using factors such as projected revenue, revenue figures from the same time period last year, and extra expenses incurred to help avoid this business loss.
Some cyber policies can offer coverage often called “post-breach remediation” which can provide extra funds or consulting after a breach to ensure that systems are patched and made more resilient after a cyber event.
But What Can I Do to Prepare?
There are some things you can do before experiencing an incident in order to better prepare and incorporate your cyber insurance into your planning:
Your incident response plan should include your cyber insurance carrier / insurance broker contact. This information should be on your cyber insurance policy, but you don’t want to be fumbling trying to find this contact in the case of an incident.
Understand who is on your carrier’s panel for law firms and forensics. Communicate with your broker or carrier if there is a certain provider you would like to use in the event of an incident or if you would prefer a policy that has no panel requirement.
You do not want your third-party IT partner also acting as your forensics in the event of a cyber attack. I see this come up a lot where organizations will assume their IT provider will be their savior in the event of a cyber attack. Having conversations around what services your third parties are providing is important prior to an event. Having them act as your forensics will be a potential conflict of interest as well. It is important to have these conversations ahead of time rather than potentially incurring uncovered expenses in the event of a claim.
Why is Knowing Insurance Important for All Cybersecurity Professionals?
As explained in this article, having an incident response plan and being able to respond to incidents is something important to all cybersecurity professionals. A cyber insurance policy is an important tool in a cybersecurity professional’s toolbelt, but it is one largely misunderstood by the cybersecurity community at large. I hope this allows you to better integrate your cyber insurance within your incident response.