Panel: What a robust cyber incident response plan looks like
Identifying the right people before a cyber crisis takes place is crucial, as well as continuously testing an incident response plan, an Intelligent Insurer panel agreed.
As part of our focus on cyber risk and insurance, Intelligent Insurer put together an expert panel to discuss the importance of having a well-tested cyber incident response (IR) plan in place to minimise the severity of a loss or claim.
George Chaisty, partner at Kennedys, and Gwenn Cujdik, manager of AXA XL’s North America cyber IR team, joined Anthony Hess, chief executive officer of cybersecurity firm Asceris, and Jonathan Rajewski, North American head of cyber IR for Aon, to discuss the cyber insurance landscape and how digital forensics can support claims investigations.
In this first report of four, we focus on IR plans themselves: the need for a tailored plan, business continuity, and the value of having an IR plan in place to help mitigate the severity of an event.
In recent years, cyber threat actors have spread and their methods are diversifying at an alarming speed.
A robust cyber IR plan is crucial if companies want to survive an attack but, as Hess explained, just having a plan isn’t enough.
“If you create a deep response plan that’s ready for everything but you then put it on the shelf and nobody understands it, it doesn’t really work as an IR plan because you’re not going to use it during an incident,” he said.
“An IR plan helps you work through all the different scenarios that are reasonable, and the important part is to test at least some of them with scenarios, workshops and tabletops.”
Choose the right team
When creating an IR plan, it’s important to ensure the right people are involved, both internally and externally.
“The first part of IR is usually asking who needs to be brought in? Do we need to reach out to external parties? We are all here to walk you through what that looks like and how to tailor it specifically to your company and the external partners you want to work with,” Cujdik explained.
The panellists discussed “game day” and how picking your team only once an incident has taken place might not give you the best support.
“If you have pre-vetted your legal team and your external IR team, they will already know your infrastructure and your team and they will be much better positioned to help you immediately after an incident starts,” Rajewski said.
Preparing an IR plan will also help a company implement crucial defence tactics such as ensuring offline accessibility for important data, as Chaisty highlighted.
“I’m shocked at how frequently I am supporting a client on a ransomware incident in particular, and because of the encryption that’s been applied within the environment, the IR plan, as great as it is, is not accessible to the people who need it when they need it,” he said.
Is there a plan B in case those people are on leave or away from the office at the time of the event? Rajewski stressed the importance of identifying decision-makers early on.
“One of the things that slows down the IR process is not knowing who the decision makers are, or where the data is. A good IR plan would look at all that, ensuring there’s a plan in place that allows the incident to move forward in a pragmatic way,” he said.
Prepare, prepare, prepare
Having an effective IR plan will help save time and minimise business interruption in a ransomware attack.
The first few hours or days after an attack are the most important in the timeframe of a response.
“Businesses should already have thought about questions such as ‘Are we the type of business that would consider engaging with a threat actor to pay a ransom?’ and ‘Are we the type of business that tells employees we’ve been hit by a cyber attack?’” Chaisty reiterated.
Another concern for Chaisty is a company suffering reputational impact downstream, arising from “an inability on the part of companies to lean on decisions that have been made in a sample environment and stress-tested, pre-incident”.
Not having a well-tested IR plan could lead to disastrous consequences, Hess elaborated. “The worst-case scenario is going out of business or experiencing heavy fines when in fact both scenarios could have been avoided,” he said.
“Companies will say ‘I would never pay a ransom’, but it’s more useful to think through the different factors that may lead to various outcomes so that when an attack takes place, you can immediately reduce the impact because you’ve prepared for it.”
Leverage AI to keep up with the threat actors
Another way of preparing for a cyber incident is by studying how threat actors are using tools such as artificial intelligence (AI) to produce increasingly convincing deep fakes and launch social engineering attacks.
Having access to the best tools is vital for saving time and reducing costs when managing the aftermath of an incident.
“We receive very big datasets and have to sift through them to understand what’s in them,” Cujdik explained, “so we use tools such as AI to get a programmatic view of the data from a digital perspective, because the computer can look at a million documents far more quickly than a human.
“It’s the same with logs for forensics investigation,” she continued. “Without AI, I don’t know how we would analyse millions of lines of data.”
However, as Rajewski pointed out, there’s a need for caution around data privacy when using AI. “There are still many unknowns when it comes to clients and sensitivity around what’s going into AI: how it can be leveraged and how it should be used.”
Aim to be one step ahead
But in an age when voices can be accurately mimicked and people are being socially engineered to take detrimental actions which leave their businesses wide open, there is also a need to keep up with the threat actors by using and exploiting the same AI tools that they use.
Deep fake technology is already being used to coax people into making payments they shouldn’t. Chaisty observed: “If we’re not aware of the ways AI can be used, we’re not going to be able to spot it being developed by those who are going to use it in a much more sophisticated way in the future.”
Taking the time to identify key decision-makers pre-incident, regularly updating IR plans through scenario-based testing and having confidence to lean on new AI tools are all solutions poised to help the insurance industry deal more efficiently with the aftermath of cyber threats.
Copyright © intelligentinsurer.com 2024