The Bedel Security Blog

The Important Role that Cyber Insurance Plays in Incident Response

Written by Chris Bedel | Jun 26, 2020

I was attending a webinar recently on incident response planning. As we got to the end, questions started coming up like:

“Can I use my existing legal team?”

“Should I have a firm vetted out for investigative forensics ahead of time?”

“How do we make sure that attorney-client privileges are in place for the forensics investigation?”

One member of the audience even chimed in and commented:

“I've heard cyber insurance is pretty much worthless; they don't pay claims because you either used providers along the way that they didn't approve or you didn’t notify insurance fast enough…”


These are all good points, but it doesn’t have to be this complicated. One simple step included in your Incident Response Plan pretty much takes care of all of these concerns.

It makes sure you are using the right providers during an incident.

It makes sure you have a solid legal team in your corner.

It makes sure you maintain attorney-client privilege if the incident ever goes to court.

It makes sure your organization’s claim gets paid when it’s all said and done.


That simple step is to notify insurance first.

Put it at the top of your list in your incident response checklists.

Put it above contacting your legal team.

Put it above contacting a forensics investigation firm.

Put it above contacting your regulators.

Put it above contacting law enforcement.

Your cyber insurance company needs to know first.


Just for clarification: you still have to have the means to contain the incident. You need someone who can stop the ongoing damage of the incident; this is usually internal IT staff, a contracted IT firm, or a combination of the two.

But once the incident is contained, your very next step is to contact your cyber insurance provider. And the beautiful thing about this is that everything else will fall into place from there.

You may be asking: “What? I’m going to notify our cyber insurance provider every time we think we have an incident?”

The answer is yes, and it’s as simple as giving them a heads up that you have something going on that you are currently investigating. Let them know you’re not sure if it’s an incident, but you will keep them updated when you know more.

So, once the event is truly an incident, your cyber insurance provider should begin to make the process a little easier and help steer the ship.

You see, their goal is to make the incident as painless, and ultimately as inexpensive, as possible. So, they have developed relationships and processes to do so. They don’t want to write a blank check to someone who’s never done this before. And I don’t blame them.

So once you identify that you do have an incident on your hands, they will assign you a legal team that has already gone through similar incidents. You will contract with that legal team to help guide you through the process. That legal team, on your behalf, will contract with a forensics investigation firm. Because that firm is now working under attorney-client privilege, it means that, technically, the report of the investigation can be kept out of a court of law if the incident ever results in a lawsuit.

Your insurance provider will put you in touch with a customer notification and response firm to handle outgoing notifications and also to serve as the first line of defense on incoming inquiries.

They will put you in touch with an identity theft protection provider for services that you'll be offering affected individuals.

Your legal firm will help you understand the legal ramifications of every affected individual under their home state’s unique cyber and privacy protection laws.

And oh, by the way: unless you've done something really out of line along the way, this greatly improves your chances of having your claim paid.


Our firm has experienced this several times now on incidents that we've been brought in on. So, I've seen it work firsthand.

It's still not pretty. It's still not fun. There's still a lot of work that has to happen on the part of the affected organization.

But it takes a lot of the headache and guessing out of an already uncertain situation.


One thing to note about cyber insurance coverage: We hear comments all the time like, “Oh, we've got $5 million in cyber insurance coverage, so we’re good.” You have to be really careful with just looking at aggregate limits when it comes to cyber insurance.

The typical cyber insurance policy is broken up into very specific buckets, each with their own sub-limits.

You may have $5 million in aggregate coverage, but you may only have a sub-limit of $250,000 for crisis management, which typically includes: forensics investigation, response efforts, customer notifications, and identity theft protection.

I can tell you that even in a relatively small incident, you can burn through that $250,000 very quickly.

So, you definitely want to make sure you've reviewed all the components that are included, and NOT INCLUDED, in your cyber insurance policy ahead of time.

Finally, you need to make sure that all of this is included in your Incident Response Plan. You also need to regularly test it against common scenarios, to make sure your team knows how important this simple step is, and to make sure they don’t miss it in all the chaos.

If you need help incorporating some of this into your Incident Response Plan or want help testing and improving your current one, we can help you with that.

If you need someone to do a cyber insurance assessment, we can help you with that too.

Just let us know at support@bedelsecurity.com 


Additional Resources:

Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success

Mobile Device Security
https://www.bedelsecurity.com/blog/mobile-device-security

5 Tips for Cyber Incident Tabletop Testing
https://www.bedelsecurity.com/blog/5-tips-for-cyber-incident-table-top-testing

5 Takeaways From the FFIEC Joint Statement on Cyber Insurance
https://www.bedelsecurity.com/blog/5-takeaways-from-the-ffiec-joint-statement-on-cyber-insurance