As cyberattacks rise, so does the call by business leaders and shareholders to be ready to respond to a cyber incident.
Cyber insurance and a solid Incident Response plan are two critical components to make your company resilient.
And cyber attorney Shawn Tuma says one of these things is very likely to influence the other, which surprises many organizations and may surprise you.
Tuma is Co-Chair of the Data Privacy & Cybersecurity Practice at law firm Spencer Fane. He is also SecureWorld’s 2019 Advisory Council Member of the Year, and recently appeared on our series of SecureWorld Remote Sessions to discuss this critical topic.
Cybersecurity has become a top business risk
Tuma explains that cyber risk is business risk.
“Cyber is no longer just a technical issue; it’s a legal issue, and it’s also an overall business risk issue. It’s the one risk that I know of right now, other than nuclear war, where in one night everything can change and completely impact your operations. There really is no other issue that I think rises above cyber in importance to the organization,” Tuma shared, getting our full attention.
He also explains that resilience is key, and so is the need to understand how hard your company can get “hit” and still move forward.
Also, according to Tuma, ransomware changed the security landscape for companies, and the necessity to be prepared, no matter the size of your business.
This is especially true as the evolution of ransomware hackers are using encrypts your data and also steals it to try to extort you into paying a ransom to get it back.
Even though your data may not seem important or useful to an outsider, it is always important to you. It may be so important that you might pay the ransom.
Two requirements for cyber resilience
To give your company the best shot at cyber resilience, Tuma says there are two things you must have: cyber insurance and an incident response plan.
You need these things no matter how much you spend on technical controls or security awareness which can reduce your risk.
“There is no such thing as being completely secure when you are dealing with things in the cyber world,” Tuma says.
However, he says that having a plan now saves you time and money in the future.
What are the key benefits of cyber insurance?
In many cases, cyber insurance pays for a response to a threat or incident, but what might not be so obvious, according to Tuma, is the the response time will also save you money and potentially your business.
Most insurers will bring in key professionals to respond on short notice on your behalf. Tuma says this is a tremendous indicator of how successful your incident response will be.
Additionally, he says having cyber insurance might be the only way your company can afford a response team if one becomes necessary.
“I recommend cyber insurance even more for small to medium businesses. Here’s the thing: if you have a ransomware situation, you won’t be able to pay it if you are a small business.”
What are incident response (IR) plan basics?
1. Include instructions on what to do, when to do it, who is doing what, and how.
2. Determine your leaders and key internal and external players.
3. Educate the players on their roles.
4. Have the IR team practice through tabletop exercises.
5. Refine and be prepared to execute the plan if needed.
Tuma adds, “What I have found out of all the incident response plans I have led over the years, is that the single most important part of any incident response plan we look to is that page dealing with communications. It’s knowing who the players are and knowing how to reach them at a moment’s notice.”
Does your cyber insurance policy allow you to use trusted vendors?
Ensuring that your policy and IR plan work seamlessly together is vitally important.
Tuma explains that there are more than 100 insurance carriers writing cyber insurance policies, and those policies can vary greatly.
One of the most important things to understand is the team of vendors surrounding an incident response. You must verify that the insurance policy you purchase covers the incident response team you have in mind.
Does it cover the cybersecurity and forensics firms, a public relations firm, notification vendors, forensic accounts, legal counsel, breach coaches, and other helpers your organization will need?
And here’s a significant surprise for many organizations: increasingly, cyber insurance policies dictate which companies you are required to use for incident response.
This could leave you without the ability to use a trusted vendor partner that you were planning to use. Some policies deny coverage if you go with your vendor of choice, and others reduce their level of benefits if you “go out of network” like you might do when choosing which doctor to see for a medical issue.
As you consider the list below, Tuma explains that vendor costs are commonly paid by your policy, so it obviously behooves the insurance company to work with vendors charging preferable rates. However, he adds there are positive components for your organization if it works with the vendors chosen by the insurance company.
For example, having a knowledgeable team in place with vendors who already have a working relationship with one another is advantageous to your company. Additionally, carriers have a strong incentive to ensure the capabilities of vendors, so the vetting process is typically very strict.
Here are the range of scenarios cyber insurance policies offer around incident response.
1. No restrictions; you can use any vendor you choose (not common).
2. You can choose your vendors, but the carrier will want to vet and approve them first.
3. You can choose your vendors, but there is a financial incentive to use approved vendors (e.g. a difference in policy limits available).
4. Pre-approval of vendors you choose before there is an incident (this is much easier to do before you pay for your policy).
5. Very strict; you are only allowed to work with approved panel vendors.
Tuma says you can often negotiate these details up front and possibly get your preferred vendors added to the list of approved firms listed in your cyber insurance policy.
What questions should be asked when researching cyber insurance?
1. What is generally covered/not covered under your policy?
2. How quickly must notice be given to the insurance carrier?
3. How do you give notice to the insurance carrier?
4. Are you allowed to select your vendors? (see below for more details)
5. When must you get pre-approval for steps taken to be covered?
6. Is social engineering covered? (Phishing is 90% of the cause for most incidents, and not every policy covers it.)
7. Details on contract liability; many policies only cover losses that you incur directly, not losses by way of contract.
Tuma offers a final tip in this area: make sure the details of your plan and insurance policy do not solely live on your network. That will be a problem when a ransomware hits and you no longer have access to that policy.
Should I perform a risk assessment?
Your insurance policy may cover a risk assessment. After all, it benefits the insurance company too. This allows you to fine tune your incident response plan and perhaps fill in security gaps within your company.
“You can’t protect against what you don’t know,” Tuma says.
Where should I begin assessing cyber insurance plans?
All of the information is extremely relevant here. However, there is a key question that still needs to be answered. Where should you start when considering cyber insurance?
Tuma believes finding a good insurance broker is the best way to get the most fitting coverage for your company’s needs.
“You need someone who is truly knowledgeable of your business, your risks, and the cyber insurance market, and what your needs are. The key to that is to have a broker who has different carriers they can go to and get an appropriate policy with an appropriate carrier that will fit your need.”
Web conference: cyber insurance and incident response planning
We highly suggest you take the time to watch the SecureWorld Remote Sessions episode where Tuma shares his experience with cyber insurance policies and IR plans with more examples and best practices.
