How digital forensics are changing the cyber claims landscape
Our mini-series on cyber forensics continues with insight and advice from four experts across the industry who came together for an Intelligent Insurer virtual panel discussion.
George Chaisty, partner at Kennedys, and Gwenn Cujdik, manager of AXA XL’s North America cyber incident response (IR) team, joined Anthony Hess, chief executive officer of cybersecurity firm Asceris, and Jonathan Rajewski, North American head of cyber IR for Aon, to discuss cyber insurance and particularly the cyber claims environment.
In this third report of four, we focus on digital forensics and its role in cyber IR plans.
Digital forensics is an emerging area of cybersecurity that focuses entirely on data breach incident management including fraud detection, IT systems and security information.
Extrapolating the truth
Pre-vetting an IR team can help mitigate the severity of a cyber incident by providing immediate support and decision-making capabilities, and a comprehensive and targeted forensic investigation will minimise the legal requirements, namely notifications.
“An accurate forensic investigation can narrow the scope; it can help you ascertain that, for example, a ransomware threat actor stole only a handful of files and didn’t have the time to grab the entire system,” Hess explained.
“When forensics are involved, you don’t have to start with the assumption that everything has been compromised or taken.” Anthony Hess, Asceris
“With business email compromise you can identify that the threat actor accessed only six emails and did not do a full synchronisation.
“When forensics are involved, you don’t have to start with the assumption that everything has been compromised or taken,” he added.
Being able to call upon a forensics team from day zero is paramount, Rajewski suggested. “Clients need help to understand the scope of an incident and be guided through the necessary steps to resolve it.
“You need a team that can detect what abnormal looks like.” Jonathan Rajewski, Aon
“Having the right experienced team on game day, focused on helping the client with forensic and legal advice, is the right approach here,” he continued.
“Threat actors are living off the environment and aren’t necessarily bringing malicious tools into that environment, so they’re going to blend in.
“You need a team that can detect what abnormal looks like when unauthorised individuals are using that technology for malicious purposes. Forensics does all of that.”
Early involvement is key
From a legal perspective the use of forensics in cybersecurity is important, and early involvement can make a drastic difference.
“Getting forensics in early gave us enough visibility to issue a legal takedown notice to the file-sharing platform.” George Chaisty, Kennedys
Chaisty described a ransomware incident where the threat actor claimed they had encrypted all systems and exfiltrated a huge amount of data. “The threat actor said they would publish everything on the dark web if the ransom wasn’t paid,” he recalled.
“Getting forensics in early gave us enough visibility to issue a legal takedown notice to the file-sharing platform that the data went through, so we were able to block the threat actor’s access to that data,” Chaisty added.
“That is invaluable when you think of the costs associated with the publication of data on the dark web—even if it’s a small amount of data, it’s intellectual property that competitors of that business might secure and leapfrog into the industry.”
For Cujdik, there are three aspects to a forensic investigation: legal, technical, and remediation.
“Remediation and containment are a vital part of the investigation. You need the technical assistance, to ensure it doesn’t happen again, and to plug all the holes and make sure there’s no further damage,” she said.
“Forensics expertise helps minimise the severity of the event and provides accurate answers about, for example, where a threat actor has been in your system and for how long.
“If you don’t know those answers from a technical perspective, then you can’t provide them from a legal perspective either.”
Mitigating loss
From any perspective, it is clear that digital forensics can identify and explain security threats.
Rajewski observed: “In the last 12 to 18 months, we’ve seen severe and very deliberate actions by threat actors to litter the environment with ‘back doors’ that are commercially available, and that hide in plain sight.”
“Without forensics to properly identify the evidence, the threat actor is still watching what’s going on as you’re trying to restore the environment, and maybe continuing the attacks.”
Understanding the scope of a data breach is crucial for managing its impact and preventing unnecessary costs.
Accurate forensic analysis can differentiate between exaggerated claims and actual data exposure, potentially saving organisations from significant financial and legal repercussions.
“You might get a ransom note that says: ‘we took 30 terabytes of data’. If you intend to review 30 terabytes of data, somebody has to look through every piece of paper to figure out who was impacted and what the datapoints are,” said Cujdik.
“Forensic investigations can help identify the extent of data taken and avoid unnecessary notification of the people affected.” Gwenn Cujdik, AXA XL
“That could run into millions of dollars to do, but if you had a good forensics investigation, you could avoid over-notification of the population.
“Forensic investigations can help identify the extent of data taken and avoid unnecessary notification of the people affected, reducing the risk of class action suits. ”From a claims perspective, there are heaps of losses that can be mitigated by having a forensics investigator come in.”
Bringing in the digital forensics investigators can determine the extent of a breach, prevent further unauthorised access and reduce the amount of legal paperwork.
A further question to be considered is how insurers can persuade their insureds to value the benefits of using third-party suppliers.
To watch a video recording of the discussion click here.
