Prevent, Prepare, and Prevail
Developing and testing an effective cyber incident response plan.
Cyber risk is a nightmare. That’s almost universally believed sentiment, albeit a blind one. But it’s easy to see how this view emerged: The global interconnectedness that has fueled both incredible economic growth and social advances has resulted in increased exposure.
Yet we aren’t always entirely sure how that new exposure manifests. Basically, we have more to lose now than ever before—a situation that’s unlikely to change anytime soon. And with exposure poised to grow further with Internet-of-Things developments, among other factors, the need for companies to have cyber incident response plans has never been more acute.
Learn from the Past
The subhead above offers a practical suggestion, right? Take a look at history, learn from the mistakes of others, and apply those lessons to the benefit of your company, clients, and shareholders. The ability to bring cyber incident preparation and response guidance to risk managers, for example, could make cyber protection more attainable and simpler to manage. Insurers would likely have an easier time underwriting the risk, and mitigation measures could work to the benefit of the claims department.
History, unfortunately, doesn’t have much to offer as a guide to the present.
There have been many well-publicized breaches, although their severities vary widely. Some have involved the loss of a few records; others have resulted in hundreds of millions of dollars in economic damage and significant commercial insurance claims. Even the notion of “severity” is up for interpretation. A breach in which millions of records are stolen but not used remains a story of potential severity with some near-term impact sustained, but the company has time before the other shoe drops.
Nevertheless, incident response planning should include a look at the past. According to research conducted by Verisk’s Property Claim Services (PCS), only three events in the past five years have resulted in claims of around $100 million: Anthem, Home Depot, and Target. Two recent events may have the potential for significant claims—Yahoo and Dyn—although it will take time for losses to develop and the full impact to become clear.
Of course, the $100 million threshold can be somewhat deceiving. That number was reflective of the limits written at the time, and the market has since grown as a result of the needs that those losses revealed. Aside from the catastrophic cyber events that have occurred, available data shows that breaches can have a profound impact. According to a 2016 IBM/Ponemon Institute study, the average economic cost of a breach is $4 million, with the average cost of each stolen record reaching $158. In addition, time tends to be a significant factor when dealing with a cyber event. Although the overall cost of breaches is coming down and response times are largely falling, taking longer to resolve the event generally increases the cost to the affected company.
Prevention as the Best Response
No discussion of cyber incident response planning is complete without considering prevention. After all, the best way to remedy a cyber event is to keep it from happening in the first place. All risk management strategies should involve a considerable amount of effort invested in prevention, and cyber is no different. Your investment in cyber incident prevention should include the following key planning measures.
Understand your exposure. You can’t prevent or protect if you don’t know what is at risk. Take a broad view of your risk from within and without. Even before you think about the risk of breach, consider the business itself. What do you stand to lose if a breach occurs? Does your operation slow down? Do you have to divert resources to crisis management and remediation? What’s the lost revenue implication? These are often difficult questions to answer quantitatively, but it’s worth taking the time to do so. Consider the Target event, in which the reported economic damage was three times that of the insurance recovery (potentially higher). Conventional thinking holds that the situation could have actually been far worse.
Review your infrastructure and broader technology environment to find weaknesses and review your employee base, as well. After all, people are the greatest risk in the cyber area, and internal activity (both intentional and erroneous) can bring significant consequences. Identify the exposures in your environment that can be hardened to reduce the risk of a breach. Where prevention isn’t feasible economically, note the real risk that your company has to assume, and account for that in both risk transfer and incident response planning programs. Ultimately, you need to know the full set of risks that you face, fix what you can, and remain fully aware of the risks that you are forced to assume. Unknown risk assumption can be devastating.
Plan your support. Similar thinking should be familiar to catastrophe coordinators, for example. If you wait for the event to occur before identifying which outside experts and service firms will help you, then you will likely be in trouble. You will lose time identifying and vetting vendors when you should be putting them into action. Depending on the nature of the cyber incident (as with catastrophe events), you may not have access to the best talent because someone else may have engaged them already. Begin to assemble your external team before you need it and your incident response capabilities will become far more effective.
This process starts with engaging the right experts to support your risk prevention planning activities. As you begin to understand your exposures, outside experts can help you identify the full set of risks you face, quantify your exposure, and help you plan and implement prevention measures that can save you time, money, and reputation in the future. Further, it’s a chance to see a vendor’s capabilities in action, which can help you decide whether that vendor would be helpful in responding to incidents when they actually occur. There is no better way to test a company than to see it at work. Get your team in place early, engage it regularly, and test it periodically. In addition to knowing your exposures, you’ll want to know what your response will look like.
Gather your scenarios. There is no substitute for understanding the threats you face. Review the types of attacks that have affected other companies—particularly your peers. Study how they responded to similar events. Develop specific prevention measures for the threats that seem most relevant and consider how you would respond if your defenses aren’t sufficient (it seems there is always a way to bypass even the best-planned security frameworks).
Keep in mind that you won’t be able to think of everything. Put some thought into how you would address the unknown and unexpected. This entire process should be ongoing, particularly given that cyber is an emerging risk. Regular reviews of the threat landscape and the evolution of your organization’s technology environment should provide fresh and continual insights that will likely be relevant to your risk management and incident response plans. Try to anticipate the types of events that occur, do what you can to prevent them, and invest in planning for a response.
Transfer some of the risk. Insurance exists for a reason. While risk transfer alone may not provide all of the protection you’ll need—reputational risk in particular comes to mind—it can provide significant help when you need it most. Insurance recoveries can help finance cyber response activities, mitigate the impact of an event on earnings, and support continued operations at a time when you’ll want to show your customers that they can still rely on you.
The cyber insurance market is still young, but in some ways it shows sophistication beyond its years. Working with insurers that truly understand cyber and can help you with prevention, planning, and remediation can be as important as their ability to pay a claim. This thinking isn’t new; original insureds regularly seek such benefits from commercial insurers in a wide range of lines, and cyber is no different.
Ask questions as you review and select insurers. Don’t be afraid to probe their capabilities beyond the strength of their balance sheets.
Put the Pieces Together
Your cyber incident response plan, of course, should not exist in a vacuum. It should contemplate your risk mitigation measures to help ensure that it will be relevant if your protections are circumvented. As you develop your full cyber incident response plan, think about how you will handle the entire process from the moment you understand that an event has occurred and how it happened.
Know the regs. While some decisions will be driven strictly by the needs of the business, others will likely be based on regulatory requirements. Understand your obligations around such issues as customer notification and disclosure, which will help frame subsequent business decisions. Every situation is different, and business drivers often will vary, but regulation will likely remain a factor in shaping the post-event response. There can be a difference between what you have to do and what you want to do, and, at times, you may have more flexibility on the latter than you realize.
Getting the regulatory aspect of cyber incident response is crucial. In addition to general compliance concerns, making a mistake relative to regulatory requirements could compound the effects of a breach, making your company look even worse at a time when perception management is crucial. Additionally, rushing to exceed regulatory standards—intentionally or otherwise—may not be prudent. When you have the time to wait, it may make sense to understand the full extent of an incident before initiating public response measures.
Get the band back together. Assemble your incident response team. Your plan should identify all of the team members along with their specific roles and responsibilities. Think broadly when planning your cyber incident response team. In addition to legal and risk management resources, you will want to include information technology and security team members, public relations/communications team members (and perhaps an outside crisis management firm), and other crisis management experts. Understand expectations that senior leadership may have as far as its involvement, or at least how and when it receives updates. And don’t forget to include the human resources department, particularly for events that may include intentional or accidental employee actions that led to the breach.
Use your insurance resources. Again, your insurer can do more than pay the claim. Talk to it from the earliest moments of the incident to understand the nature of your coverage, whether any exclusions apply, and, perhaps most important, to learn what sort of support they can provide beyond simply handling the claim. Your insurer may have more experience dealing with cyber incidents than your risk management team, and that presents a unique opportunity for you to respond to an incident using industrywide experience rather than just your own.
Don’t wait for a live event to test your cyber incident response plan. Practice makes perfect, so invest in regular reviews of your plan and work it through hypothetical scenarios. Practice your response, identifying where it works well and which areas need improvement. Refine your plan and keep testing. While economic constraints may prevent the ideal amount of testing, practice as much as you can and put what you learn to work.
Prepare to Thrive
Cyber incident “doomsday” scenarios often focus on what it takes to survive following a devastating incident. While it’s important to keep the company operating, your goal should be more than to simply get by. Not every breach will be catastrophic (most aren’t), and a robust and reliable incident response plan should help you return to normal fairly quickly. Effective incident response planning will help equip you to identify the problem, correct it as quickly as possible, and communicate confidently with the public. Proper planning will help you prevail rather than merely limping along for months or longer when cyber disaster strikes.