Author: Morgan Machado is a CPA, a CFE, and a Manager at Imperium Consulting Group.
Cyber incidents continue to rank among the top risks businesses face in 2022. In addition, the war between Russia and Ukraine has drawn even more attention to cybersecurity. Unlike conventional warfare, cyberwar could have immediate global impacts across all industries, particularly due to the already strained supply chain heavily interdependent on electricity and communications.
Insurance companies have increased their scrutiny of cyber policies, concerned about the significant losses that may accompany the increased risk of cyber-attacks. The war in Ukraine is just one example of how insurers are looking closely at exclusions, such as war exclusions, to limit their exposure, while cyber threats and vulnerabilities have prompted more analysis by the markets providing cyber coverage. As a result, policyholders should be proactive in assessing organizational cyber risk and creating an incident response plan to minimize the adverse impacts of cyber events.
Policyholders should consider the following areas as part of their incident response plan:
Before an event occurs, businesses should ensure that they are prepared from IT security and risk management perspectives. First, policyholders should identify significant threats to their organization. Then, once these threats to the organization are identified, it is essential to review whether adequate controls are in place to respond to these threats. Scott Takaoka, Cyber Risk and Consulting Solutions Leader at Imperium Consulting Group, notes, “a solid foundation for starting this analysis is to evaluate your security controls in the context of a security framework such as the NIST (National Institute of Standards and Technology) Cyber Security Framework or SANS Institute's CIS Controls (formerly called SANS top 20). Either framework defines a taxonomy of cyber security controls that should be considered; however, businesses should seek to prioritize those controls that align with their security strategy.”
Businesses should evaluate the strength of their internal controls to respond to cyber threats in tandem with their policy coverage. Methodologies to assess cyber risk should include analysis regarding both the probability and severity of potential cyber threats and vulnerabilities to better inform decision making by insureds, as well as demonstrate stewardship to carriers.
For potential areas of weakness, policyholders should look to quantify the financial impact of cyber threats and evaluate whether the current coverage is adequate. This evaluation should include both out-of-pocket expenses (legal fees, professional fees, IT costs, etc.) related to cyber response and recovery and loss of income due to an inability to operate or to reputational harm associated with data breaches. Given today's inflationary environment, it's critical that insureds ensure the values for all of these items are kept up to date. Depending on the complexity of such an analysis, insureds may elect to engage a forensic accountant to assist in this assessment.
Further, as Mr. Takaoka recommends, a comprehensive cyber risk assessment should also provide the policyholders’ management with recommended solutions to remedy areas of weakness, including wherever possible, the cost of such improvements and enhancements. With the proper risk analysis, policyholders can be better prepared to make capital expenditure decisions regarding upgrades to technology, as well as discuss how such fortifications can lower the cost of cyber insurance or make coverage possible.
Lastly, businesses should have the appropriate people on standby should a cyber incident occur. This "breach team" should include IT, finance, risk management, legal counsel, and forensic accountants who can assist with the response and recovery during and following a breach. Policyholders should have this team approved by the carrier when discussing their incident response plan with the carrier.
If a cyber incident is identified, it is essential to ensure that the breach is addressed and contained immediately. If the business has adequately prepared for a cyber incident, it will already have its breach team identified and contracted so that when an incident occurs, it can quickly assemble the team and begin the investigation and remediation process. It is equally important to verify that your cyber liability insurance responds to events. Timely notification to your carrier and ensuring that your breach team is pre-approved are essential requirements for the Insured and lay the foundation for a positive claims experience.
Throughout the response phase, personnel involved should put together a detailed timeline of events, keep a well-documented log of all work performed and document the time spent on each task. This step is critical to the claim recovery process and is frequently missed when responding to a cyber-attack.
After a company responds to, contains, and eliminates the breach from company systems, the next step is to restore all compromised systems and devices. When the business returns to normal operations, the IT, risk management, and finance teams should evaluate the scope of the breach. In addition, policyholders must understand which geographic locations, systems, and revenue streams were impacted, identify any critical data that was lost, and determine whether Personally Identifiable Information (PII) was compromised as a result of the event.
All expense-related documentation should be collected for the claim preparation process. Additionally, financial documentation will need to be collected and analyzed if there is a loss of business income due to the cyber incident. The level of granularity of data required will depend on the length of the impact period, otherwise referred to as "the period of restoration."
Should a cyber event occur, policyholders should consult with insurance professionals to help identify potential areas of coverage under their cyber policy and to assist with claim preparation. Overall, taking proactive steps before, during, and after an incident can help minimize the impact of a cyber event.