As cyberattacks rise, so does the call by business leaders and shareholders to be ready to respond to a cyber incident. Cyber insurance and a solid Incident Response plan are two critical components to make your company resilient.
Cyber attorney Shawn Tuma says one of these things is likely to influence the other, which surprises many organizations and may surprise you. Tuma is Co-Chair of the Data Privacy and Cybersecurity Practice at law firm Spencer Fane, www.spencerfane.com.
Tuma explains that cyber risk is a business risk. "Cyber is no longer just a technical issue; it's a legal issue, and it's also an overall business risk issue. It's the one risk that I know of right now, other than nuclear war, where in one night everything can change and completely impact your operations. There really is no other issue that I think rises above cyber in importance to the organization," Tuma shared, getting our full attention.
He also explains that resilience is key, and so is the need to understand how hard your company can get "hit" and still move forward. According to Tuma, ransomware changed the security landscape for companies forever, along with the necessity to be prepared, no matter the size of your business. This is especially true as ransomware has evolved: attackers now use malware that encrypts your data and also steals it, to extort you into paying a ransom to get it back. Even though your data may not seem important or useful to an outsider, it is always important to you. It may be so important that you might pay the ransom.
To give your company the best shot at cyber resilience, Tuma says there are two things you must have: cyber insurance and an incident response plan. You need these things no matter how much you spend on technical controls or security awareness, which can reduce your risk but never remove it. "There is no such thing as being completely secure when you are dealing with things in the cyber world," Tuma says.
He adds that having a plan now saves you time and money in the future. In many cases, cyber insurance pays for a response to a threat or incident, but what might not be so obvious, according to Tuma, is that a quick response will also save you money and potentially your business.
Most insurers will bring in key professionals to respond on short notice on your behalf. Tuma says this is a tremendous indicator of how successful your incident response will be. Additionally, he says having cyber insurance might be the only way your company can afford a response team if one becomes necessary.
"I recommend cyber insurance even more for small to medium businesses. Here's the thing: if you have a ransomware situation, you won't be able to pay it if you are a small business."
What are incident response (IR) basics?
- Include instructions on what to do, when to do it, who is doing what, and how.
- Determine your leaders and key internal and external players.
- Educate the players on their roles.
- Have the IR team practice through tabletop exercises.
- Refine and be prepared to execute the plan if needed.
Tuma adds, "What I have found out of all the incident response plans I have led over the years, is that the single most important part of any incident response is a communications plan. It's knowing who the players are and knowing how to reach them at a moment's notice."
Does your cyber insurance policy allow you to use trusted vendors?
Ensuring that your policy and IR plan work seamlessly together is vitally important. Tuma explains that there are more than 100 insurance carriers writing cyber insurance policies, and those policies vary greatly.
One of the most important things to understand is the team of vendors surrounding an incident response. You must verify that the insurance policy you purchase covers the incident response team you have in mind. Does it cover the cybersecurity and forensics firms, a public relations firm, notification vendors, forensic accountants, legal counsel, breach coaches, and the other helpers your organization will need?
And here is a significant surprise for many organizations: increasingly, cyber insurance policies dictate which companies you are required to use for incident response. This could leave you without the ability to use a trusted vendor partner that you were planning to use. Some policies deny coverage if you go with your vendor of choice, and others reduce their level of benefits if you "go out of network" like you might do when choosing which doctor to see for a medical issue.
As you consider the list below, keep in mind that, as Tuma explains, vendor costs are commonly paid by your policy, so it obviously behooves the insurance company to work with vendors charging favorable rates. However, he adds that there are positive components for your organization if it works with the vendors chosen by the insurance company.
For example, having a knowledgeable team in place with vendors who already have a working relationship with one another is advantageous to your company. Additionally, carriers have a strong incentive to ensure the capabilities of vendors, so the vetting process is typically strict.
Here is the range of scenarios cyber insurance policies offer around incident response.
- No restrictions; you can use any vendor you choose (not common).
- You can choose your vendors, but the carrier will want to vet and approve them first.
- You can choose your vendors, but there is a financial incentive to use approved vendors (e.g. a difference in policy limits available).
- Pre-approval of vendors you choose before there is an incident (this is much easier to do before you pay for your policy).
- Very strict; you are only allowed to work with approved panel vendors.
Tuma says you can often negotiate these details up front and possibly get your preferred vendors added to the list of approved firms listed in your cyber insurance policy.
What questions should be asked when researching cyber insurance?
- What is generally covered/not covered under your policy?
- How quickly must notice be given to the insurance carrier?
- How do you give notice to the insurance carrier?
- Are you allowed to select your vendors? (See the discussion of vendor restrictions above for more details.)
- When must you get pre-approval for steps taken to be covered?
- Is social engineering covered? (Phishing is the cause of 90% of incidents, and not every policy covers it.)
- Details on contract liability; many policies only cover losses that you incur directly, not losses by way of contract.
Your insurance policy may cover a risk assessment. After all, it benefits the insurance company too. This allows you to fine-tune your incident response plan and perhaps fill in security gaps within your company. "You can't protect against what you don't know," Tuma says.
Where should I begin assessing cyber insurance plans?
All of the information above is relevant here. However, there is a key question that still needs to be answered: where should you start when considering cyber insurance?
Jim McKee, CEO of Red Sky Alliance, stated, “The most important first steps are to keep the cyber actors out of your servers and networks in the first place. Our RedXray service can help you identify and block bad actors every day. We recommend the following to all organizations of any size. At Red Sky Alliance, we have included Ransomware coverage, at no charge to the enrolled entity, when they enroll in our RedXray daily cyber threat notification services. Why not buy your cyber insurance from cyber threat professionals?”
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all employees and consultants who work from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance, provided by Cysurance, which includes ransomware coverage.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH, USA.
We are a Cyber Threat Analysis and Intelligence Service organization.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com