P&C the March 2021 issue

Put Incident Response Front and Center

The lack of a fully developed and tested cyber response plan can cause a range of issues.
By Jody Westby Posted on February 28, 2021

If companies focus on one area of their cyber-security program this year, let it be incident response, often an overlooked area. The lack of a fully developed and tested incident response plan can result in increased business interruption, loss of market share and business partners, damage to reputation, regulatory investigations, and lawsuits.

The operational changes brought about by the pandemic forced many companies to “go to the cloud,” sign up with managed security service providers, or hand IT over to infrastructure-as-a-service providers. Solving one problem can easily create another; any of these options can impact an organization’s ability to monitor and manage its networks, applications and data. Problems occur when companies do not rework their incident response plans to accommodate these changes so that they can adequately respond to and manage a cyber attack.

Cyber incidents require a forensic investigation to determine what happened. This usually begins by securing impacted equipment, collecting logs from relevant equipment (e.g., firewalls, servers and workstations), gathering access control records, reviewing changes made by system administrators, and obtaining outputs from security tools. When the logs are not kept in the company’s system, when access control is managed through a cloud provider, when system administrator changes are performed by a third party, and when the security tools are managed by a service provider, incident response becomes chaotic.

Effective incident response requires a plan that identifies the internal and external players, defines their roles and responsibilities, contains rosters and points of contact, and defines all third parties that may be involved (what data they have, how to access it, and the boundaries for their involvement). After a year as tumultuous as 2020, all organizations should review their incident response plans and ensure that they include all third-party IT and cyber-security providers that might have data necessary to investigate a cyber attack.

Incident response involving cloud and other third-party providers may require revised internal procedures, customized scripts, and the remote acquisition of forensic data from cloud providers. Incident response plans need to anticipate these issues and have roles and responsibilities defined between the provider and the client. The midst of a cyber attack, when minutes matter, is not the time to wonder where the logs are, how they can be accessed, how long they are kept, and who has access to system and domain accounts.

Another aspect to consider is that, with a remote workforce, much of the IT activity that would take place on a corporate network is occurring on a laptop off network. Thus, evidence may be scattered and not recorded by security tools. Piecing together a sequence of events and system activity may be much more difficult, making policies and procedures on remote working and incident response planning all the more important.

Additionally, cyber attacks today are sophisticated and often multi-pronged, making the investigation all the more difficult. When servers are zeroed out, confidential communications are disclosed, intellectual property is stolen, and consumer data is exfiltrated, the victim organization had better be able to act swiftly and with a sure foot. If a coherent picture of the event cannot be constructed, the company becomes all the more vulnerable and might not be able to provide victims, regulators or its insurance carriers with definitive information about the event.

Missing asset inventories and missing backup/recovery plans are the two Achilles’ heels of incident response. Even if logs are available and the investigators can determine what happened, if the security program does not have an up-to-date data inventory, does not know which data and systems are mission critical or sensitive, and does not have a tested backup/recovery plan, the company could face serious and unnecessary business interruption losses. At some point, insurance companies may refuse to pay on such claims—or may at least dispute them.

Replication of data between two locations is now commonplace and helps assure business continuity. But malware can traverse through the main system over to the replicated data and encrypt, modify or zero out all of it. Offsite backups with hash integrity checks are still a best practice. Companies also should not assume they can access their staff directories, system configurations, and incident response plans from a shared drive; it may not be available. Good incident response planning provides for offsite storage of such information—but make sure it is kept up to date.
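The hash integrity check mentioned above, sketched as an added example that is not part of the original article: a SHA-256 manifest is taken at backup time and later compared against the backup set. The file names and contents are constructed sample data, and the manifest is assumed to be stored separately from the backup it describes.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, manifest):
    """Compare a backup tree against the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo():
    # Constructed sample data: a tiny backup set in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "configs").mkdir()
        (root / "configs" / "firewall.conf").write_bytes(b"allow 443\n")
        (root / "staff_directory.csv").write_bytes(b"name,phone\nA. Example,555-0100\n")
        (root / "ir_plan.txt").write_bytes(b"Escalation roster v3\n")
        manifest = build_manifest(root)  # keep this copy away from the backup itself
        clean = verify_backup(root, manifest)
        # Simulate damage: one file zeroed out at the same size (a size-only
        # check would miss it), one file deleted, one unknown file added.
        size = (root / "staff_directory.csv").stat().st_size
        (root / "staff_directory.csv").write_bytes(b"\x00" * size)
        (root / "ir_plan.txt").unlink()
        (root / "unknown_note.txt").write_bytes(b"constructed placeholder\n")
        damaged = verify_backup(root, manifest)
    return clean, damaged

if __name__ == "__main__":
    for report in demo():
        print(report)
```

A manifest kept on the same replicated storage as the data can be altered along with it, so the comparison is only meaningful against a copy held elsewhere.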

Communication throughout incident response is critical, and it is important to keep senior management and the board informed of serious attacks. There tends to be a reluctance to engage the brass unless absolutely necessary and to call in board members only as a last resort. This is dangerous. Directors and officers have a fiduciary duty to protect the assets of an organization and manage risks, including cyber risks. Laws and regulations are increasingly requiring certifications from directors and officers about the completeness of their cyber-security programs, so they need to be involved in testing incident response plans and informed when serious cyber attacks occur. Incident response plans should define levels of incidents and indicate escalation up to and including the board. Plaintiffs’ lawyers are routinely filing shareholder derivative and securities class action lawsuits following major cyber events, so director and officer involvement up front can be a good defense. Everyone understands security is not perfect, but neglect at the top is hard to forgive.

Standard & Poor’s predicts that cyber insurance rates will increase 25-30% in the near term, in part due to the rise in cyber crime. Insurance agents and brokers should discuss the importance of good incident response planning with their clients and ensure that they have reviewed and updated their plans to accommodate remote working and shifts to third-party providers. Additionally, agents and brokers should help clients review their current cyber coverage and ensure that it is valid if third-party providers are processing and storing company data or are responsible for system security.
