Uncovering the Lifecycle of a Robust Cyber Incident Response Plan

Make sure you have the right cyber insurance, which starts with having a plan in place to prevent devastating cyber-attacks.
At the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025 — a 300% increase from 2015 levels.[1] These numbers are enough to give any business pause. With more regulations being implemented by the government and sophisticated attacks becoming more frequent, it’s critical that companies are aware of cybersecurity best practices.
 
Once a company realizes it has fallen victim to a cyberattack, it is time to execute its incident response plan (IRP), an outlined approach to dealing with a cyber threat head-on. During an incident, a company is required to make several decisions quickly and in a coordinated manner. It is not the time to come up with an IRP on the spot. If a plan is not in place and familiar to leadership, the company can end up overlooking many elements during the attack, resulting in more resources spent to remediate the incident.
 
A robust IRP will include many vendors and services that are professionals in their respective areas and assist with remediation and recovery efforts. These groups all fit within the lifecycle of the plan – from preparing for a cyberattack and identifying the incident to containing and mitigating the damage and recovering operations.
 

Crafting an IRP

A company can easily access multiple resources to build out an IRP specific to their organization. A company’s cyber insurance carrier should play a critical part in the planning process, and tapping into their resources should be a main priority. Whether it’s pulling an off-the-shelf incident response plan template and customizing it to their organization’s needs or going direct to a third-party cyber firm to draft a plan, an IRP is a necessary instrument for businesses of all sizes.
 
Standard considerations should be included within the IRP, like a list of key people needed during a crisis, their contact information and clear roles and responsibilities during a cyberattack. The plan should be updated periodically because an outdated IRP will not be helpful during a crisis. An IRP should also be kept as a hard copy, in addition to a digital one, in case computer systems are inaccessible.
 

The Quarterback of Remediation

Too often, companies rush to their IT teams as the sole first responders to a cyberattack. While such a reaction is understandable, businesses might be losing out on critical services that a cyber insurance provider can leverage in those situations.
 
Immediately upon receipt of notice from an insured that a cyber incident or attack is ongoing, the carrier will engage an incident response coach or cyber attorney to work with the company. An attorney can be seen as the quarterback of the response team. Establishing privilege in communications up front will allow the attorney to give their client detailed instructions on how to best respond to the cyber incident. Speed of response is critical, and a slow start could cost companies valuable time and hurt their ability to recover as quickly as possible.
 

The Supporting Team

The attorney will assist in engaging additional resources and services to help build out a remediation strategy for the company, making sure each step along the way is covered by a service provider who has deep breach response expertise.
 
The carrier works very closely with the following vendors throughout the course of the claim to make sure the insured is doing everything needed to respond to and investigate the incident and is restored to its pre-incident state.
 

Computer Forensics and Data Restoration

Computer forensics professionals identify the source of the cyberattack, as well as the scope and impact of the breach. These experts can help companies determine the perpetrators and pinpoint specific directions for remediation. Understanding the threat vector can also help companies fortify their cyber defenses in the future.
 
Data restoration vendors are also key players who help determine how the lost or corrupted data can be revived. Their efforts may allow a company to operate and help get back to the functionality they had prior to the attack.
 

Notification Services and Call Centers

Incident notification laws dictate that companies need to notify specific parties about an incident, usually within a short amount of time. These laws vary state by state and are ever evolving. Whether the parties are customers or business partners whose data might be compromised, they may have to be notified within a required time frame. Lack of a proper response to an incident can lead to penalties being imposed on the company or expose it to civil liability. Notification vendors can identify these notification needs and take care of the efforts quickly and at scale.
 

Threat Actor Negotiators

During a ransomware attack, a negotiation service may be needed to work directly with the cyber threat actor. Working with the attorney will help the victim of the attack navigate the various laws and regulations in this area. They will negotiate and, if necessary, facilitate a payment for that extortion so the company’s systems can get back up and running and operations can continue.
 

Crisis Communications

Crisis management is often an overlooked step when remediating a cyberattack. Companies should consider involving a crisis management public relations firm that is part of their cyber carrier’s vendor panel. These firms can help protect the reputation and brand that takes years of goodwill to burnish. A company will want to get in front of the crisis and deliver an accurate and coherent message to both internal and external stakeholders.
 

No Plan Is Complete Without a Test

IRPs should be tested and not just talked about. It isn’t until a company is running a simulation that they might realize a piece of their plan isn’t clear or is missing entirely. To test an IRP, it’s best for a company to do the following:
 
  • Identify certain scenarios that are unique to the company to verify whether they are addressed and protected by the plan that is put in place. Go a step further and conduct tests on situations that may be relevant to the industry or type of business operation.
  • Assess policies and procedures with the staff to make sure they are still the right approach, given that changes could have occurred within the organization since the last test.
  • Scan and identify any weaknesses within the security system and address any gaps.
  • To keep leadership up to date, conduct a hands-on tabletop exercise or a simulation test with the key stakeholders so they know how to take action during a cyberattack incident.

Companies are not expected to know all these steps upfront, so getting to know their cyber carrier’s service providers will help them understand who they need to engage in the event of a cyberattack. Company leaders should educate themselves about the appropriate level and scope of cyber insurance, allowing them to benefit from the services that an experienced cyber claims team can afford. An ounce of prevention is worth a pound of cure.
 
 
[1] “New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers,” McKinsey & Company, October 2022.
 
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of June 2024.
 
The Hartford Financial Services Group, Inc., (NYSE: HIG) operates through its subsidiaries, including the underwriting company Hartford Fire Insurance Company, under the brand name, The Hartford®, and is headquartered in Hartford, CT. For additional details, please read The Hartford’s legal notice at www.thehartford.com. © 2024 The Hartford
Tony Dolce, Head of Professional Liability and Cyber