Cyber forensics: outsourcing incident response to third party suppliers
Incident response teams are already connected to insurers and law firms, bringing with them a wealth of resources, an Intelligent Insurer panel agreed.
Intelligent Insurer brought together four experts in a virtual panel in May to delve into the detail of digital forensics.
George Chaisty, partner at Kennedys, and Gwenn Cujdik, manager of AXA XL’s North America cyber incident response (IR) team, joined Anthony Hess, chief executive officer of cybersecurity firm Asceris, and Jonathan Rajewski, North American head of cyber IR for Aon, to discuss the value of using digital forensics in post-incident management.
In this final report of our cyber forensics mini-series, we focus on third party suppliers and the benefits of outsourcing IR management services.
“They are unbiased and will therefore analyse and present the evidence impartially.” Jonathan Rajewski, Aon
Outsourcing shows impartiality
“Bringing in a third party cyber IR team as an independent will be, in my experience, viewed very favourably by customers and regulators because they are unbiased and will therefore analyse and present the evidence impartially,” Rajewski said.
“Even though a company’s internal team is very important in the early days of an incident, and can still play a very active role in the investigation, they should also consider third party IR firms and not rely solely on themselves.”
However, for businesses lacking their own internal IR team, finding outsourced support on day zero could well lead to unintended consequences. “Smaller companies don’t have the capability for their own IR team and they don’t necessarily understand the difference between their local IT person and a forensics company,” said Hess.
“They may bring in third party support but it could be a local IT person who comes in and wipes out the entire environment and rebuilds everything,” he continued. “Unfortunately this means you don’t get to understand exactly what happened, so how are you going to deal with an issue such as Health Insurance Portability and Accountability Act (HIPAA) requirements in a healthcare-related cyber incident?”
One such HIPAA requirement is that businesses regularly conduct risk assessments to identify potential vulnerabilities in their systems and processes. Such an assessment cannot be carried out meaningfully after an incident if the whole system has been wiped clean, because the evidence of what happened is gone with it.
“If you bring in independent experts, you benefit from their high-level sophisticated experience.” Gwenn Cujdik, AXA XL
Erasing doubts of impropriety
Cujdik is a strong advocate for third party IR management, and she highlighted another concern linked to keeping the investigation internal. “It’s the adage of grading your own homework. If you bring in independent experts, you benefit from their high-level sophisticated experience, and also put yourself in a situation where other people trust what’s going on,” she said.
“It’s an enormous benefit to be able to lean on the experts, as it creates a shield over access to the findings.” George Chaisty, Kennedys
Not only other people, but governing bodies too.
“Using industry experts under the guidance of, and instructed through, legal counsel will particularly help small organisations with limited resources,” Chaisty said.
“In theory, if you do it in the right way, you can ensure that findings from a forensic investigation do not become publicly available and under the scrutiny of regulators,” he explained. “It’s an enormous benefit to be able to lean on the experts, as it creates a shield over access to the findings.”
More connections
As well as potentially protecting businesses from reputational damage, third party IR suppliers will usually be connected to a network of additional services, and different relationship models are emerging between IR firms and insurers.
“Nowadays the insurance companies are much more involved and take control of the coordination and management of all vendors.” Anthony Hess, Asceris
“Insurers used to be fairly hands-off—they would ask one of their panel law firms to handle the IR,” Hess added.
“Nowadays—and more often than not—the insurance companies are much more involved and take control of the coordination and management of all vendors.”
Cujdik extolled the value of using a carrier that had IR training and experience, and that could recommend vendors for restoration and remediation based on past experiences.
“Our value-add is being able to say: ‘We’ve had three or four events with this same threat actor: here’s a vendor we think could do a good job for you’,” she said.
“You get the benefit of leveraging the knowledge and experience they have had working with this particular group, and you can hit the ground running. We’ll also give you our negotiated rates.”
Using an external IR team can bring benefits to businesses that fall victim to a cyber attack: their findings are widely accepted, they offer legal privilege, they know what to look for in a data breach, and can “hit the ground running” in response.
Copyright © intelligentinsurer.com 2024