The phone rings and the voice on the other end says, “Uh, we’ve encountered a problem and we need some help.” Might be a breach, might be ransomware, could be any number of things, but the immediate question is always, “What do we do now?”
All too often, there’s a long pause, and then the voice responds, “We developed an incident response plan a couple years ago, but it’s not up to date. Let me see if I can find it.” That’s a sure sign that it’s going to be a very busy week for a lot of people.
This lack of preparedness usually results from a pervasive myth among company leaders that their businesses are unlikely targets for cybercriminals. They believe they’re too small, or they don’t have the personally identifiable information criminals want or any number of other reasons—all of which are unfounded. Today, every business is at risk for a cyberattack, no matter how well-protected they may be.
Every Business Is at Risk for a Cyberattack
When that attack comes, the company will have to implement its incident response plan. What happens next depends on whether that plan is a living document or something housed in a dusty three-ring binder, or worse yet, stored only on a network share that the attackers have just encrypted. Far too many companies fail to devote sufficient time to preparing for cyber incidents. They create a plan to check that box and assume they’re okay. But cyber threats are ever-evolving, and if your plan isn’t keeping pace, it won’t be much help when you’re the target.
Business environments change constantly, too. Does your incident response plan address the changes COVID-19 forced upon your business? It’s much easier to secure an environment when everyone’s working in the office and hard-wired into your network. When you have hundreds or thousands of people working from their homes (using routers with passwords like “password”), the process becomes exponentially more difficult. If the system or even just your email server goes down, how will you communicate with all those employees? One telling sign, according to cybersecurity advisors at Arete, is that in 89.7% of ransomware cases the victims were not using multi-factor authentication, so a stolen, guessed or reused password was all an attacker needed to log in as a legitimate user.
Another cause for concern is the growing dependence on third parties, whether that’s a cloud vendor, a payment processor or a company providing an outsourced service. The SolarWinds, Accellion and Microsoft Exchange attacks are good examples. You may have a decent defense, but if the software or services you depend on are compromised, you may experience most of the pain.
These third parties bring considerable risk to your cybersecurity, and it’s safe to say they won’t put your needs first in a crisis (unless you happen to be their largest client). Plus, if the attack puts them out of business permanently, you’re probably ultimately liable as the originator and owner of the affected information. Thinking a third party’s involvement limits your exposure is overly optimistic unless it’s clearly defined in the contract language, and even then, you may still not be adequately protected.
An Up-to-Date Cyber Incident Response Plan Is Essential
That’s why incident response planning is critical and must be updated constantly. You can’t afford to push it off until fourth quarter or whenever you think you might have some extra time. If you haven’t been updating your plan frequently, you need to start.
You also need to test your plan regularly. If you don’t, how will you know it’s going to work? It’s like a football team drawing up what looks like a great play but never practicing it before the big game. When you don’t test your plan, you don’t know where the weaknesses are.
If your company hasn’t reviewed and tested its incident response plan in the last few months, start immediately. Tabletop exercises are an excellent way to ensure everyone understands the process and to identify the gaps that need to be addressed. Don’t limit those exercises to your IT staff, either. A cyber incident may affect every department, from the sales team that will need to explain to customers what’s happened, to legal counsel, to production, to HR and PR.
The company’s leadership team probably doesn’t need to know the technical details of every aspect of the plan, but they do need to be familiar with the high-level process so they can make informed decisions when needed, such as whether to authorize a ransom payment. (Don’t assume your company wouldn’t do that: many companies that swore they’d never pay ransom behaved differently when they realized they were losing millions of dollars a day because of inaccessible data.)
Coordinating incident response planning with your cyber policy is the best way to derive the greatest value from both. Even if your insurance carrier offers services to help with a response to an incident, having your own plan will help everything happen more quickly and smoothly. Just as schools regularly practice fire drills even though they know the risk of a real fire is minimal, knowing your plan backwards and forwards will ensure you’re prepared for the worst that could happen.
To learn even more about how to prepare your company for a cyber event before it happens, contact an expert at Hylant.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.