Low Hanging Fruit: Incident Response Plans
Cyber insurance claims activity has proliferated at a break-neck speed. The frequency of incidents has risen as ransomware, business email compromise, and other perils have become more successful and sophisticated. With that success comes hefty price tags for ransoms and remediation costs that can span months. In our ongoing series, Low Hanging Fruit, we explore cybersecurity solutions that your organization can implement to boost cybersecurity.
What is an Incident Response Plan?
Many companies are familiar with the process of a plan for disaster recovery. Be it a flood, windstorm, or active shooter, companies want to be sure they are prepared for everything. When it comes to incident response (IR) planning for cyber threats, companies may be less sure. Questions often asked include:
- Who needs to know if there is a suspected incident?
- How do we report a claim to our insurance?
- What differences in protocol exist for ransomware, business email compromise, and social engineering?
- Do we need to report to law enforcement?
The process is often overwhelming, and assistance is often needed from third party vendors specializing in legal, incident response, and insurance.
Why are Incident Response Plans important?
In a suspected cyber incident, time is of the essence. Companies do not have the luxury of taking time to negotiate with vendors at the time of an attack. When a process is not in place, response slows, costs balloon, and a bad day for a company quickly becomes worse. An IR plan will provide direction and tools including a chain of communication, the process for reporting a claim, lists of vendors who can be engaged, and a checklist of steps that need to be taken through the incident. Additionally, regulators are taking a tougher look at organizations preparedness when a data breach or cybersecurity incident occurs.
How will this assist in the claims process?
The old adage “time is money” applies to a cyber incident! If a company has a plan to proceed forward, with some flexibility for unanticipated events, they will curtail their costs for vendors. More important, they may prevent reputational harm that is often associated with these events. An insurance carrier looks very favorably upon those who have a plan and are prepared, and will ask to see a copy of the plan along with information on how often it is reviewed, revised and tested. As cyber insurance policies are usually duty-to-defend and vendor panels are strongly dictated, working with your insurance broker to understand the nuance of these policies is a critical step in its implementation.
When cybercriminals shake the tree, it can create a mess that executives must clean up. A plan to respond to this clean-up is a critical, and often simple step that companies can do to help their responsiveness. Taking time to create, review, and test an incident response plan puts companies in a much better place to respond to cyber incidents.
READ THE FIRST POST IN THIS SERIES: HOW MULTIFACTOR AUTHENTICATION BOOSTS CYBERSECURITY
READ THE SECOND POST IN THIS SERIES: CLOSE YOUR OPEN PORTS
READ THE THIRD POST IN THIS SERIES: ENDPOINT DETECTION AND RESPONSE