Integrating Your Cyber Insurance Into Your Incident Response EffortsYou don’t want to be six weeks and six figures into a crisis only to be informed that the majority of the work just completed isn’t covered by cyber insurance. By: Neal McCarthy - Senior Consultant IT Security
- Cyber Insurance is an integral component of your Incident Response strategy
- Make sure the vendors/services/terms they provide are OK with you
- Make sure the person managing the insurance policy is a member of your CIRT
Cyber insurance has become a significant component of organizations’ cyber risk mitigation efforts. Cyber insurance primarily covers the often excessive and normally unbudgeted expense of responding to a major cyber incident. In 2020 the U.S. cyber insurance market was $7.8 billion.1 It is estimated that by 2025, it will be over $20 billion.1 Unfortunately, most cyber insurance policies are purchased in conjunction with Workers Comp, E&O, D&O, etc., and without direct interaction by the cyber security group.
This can be a real problem. Cyber insurance policies are contracts that establish expectations between the insurer(s) and the insured. If these expectations are not satisfied, the insurance policy may not deliver on its promise. Even if IT management is aware of the cyber insurance policy, they lack the legal and insurance expertise to sufficiently interpret and satisfy the various stipulations of the policy. Also, during an actual incident, other demands will most likely overwhelm IT and IR management.
Prevent Ransomware Attacks: Ransomware Report 2021 Vol. 1 - A compilation of recent ransomware information and guidance from the Secureworks experts
IT and IR management need to proactively integrate cyber insurance into their IR plans. At a minimum, they must ensure the person responsible for the cyber insurance policy is part of the Incident Response Team.
Ideally, you should review the cyber insurance policy prior to a crisis, as policies typically provide a range of services from a list of preferred vendors. These preferred vendors cover a gamut of needs: forensics, crisis communications, notifications, call centers, credit monitoring and legal support. However, their preferred vendors may not be your preferred vendors.
You may also require additional resources depending on the type of incident. For example, external network and server rebuild support may be required. If you outsource your day-to-day legal counsel, they will likely also be needed during a crisis. Both of these resources will charge you for their support. If you want these costs to be covered, you will need to adjust your policy to meet your needs, but you can’t do this the day of a crisis.
There are a number of other concerns that should be reviewed prior to crisis: notification requirements of the insurance carrier, initiation of IR support (i.e. Breach Coach), responsibility regarding initiation of any Ransomware bitcoin payment, and any “Gotchas” in the contract (e.g., 72-hour ransomware notification requirement). All of these, and more, should be part of your Cyber Incident Response Plan (CIRP).
You don’t want to be that IT/IR manager who realizes 6 weeks and 6 figures into a crisis that you missed one (or more) crucial conditions of your cyber insurance requirements for payment coverage.
Mitigate incident impact and the cost of cyber breaches - Learn more about our Cyber Risk Partner Program.
1See Munich Re, Cyber Insurance: Risks and Trends (April 14, 2020).