Bastion Security

Becoming a ‘Good Risk’: How Preparation Shapes Your Cyber Insurance Outcome


Believe it or not, having cyber-Insurance may be the silver lining between promptly containing and recovering from a significant security incident to enduring an onslaught of disruption, outage and loss. 

We have responded to many cyber security incidents, some with insurance, some without – and some common themes have emerged: 

  1. For those without insurance, it is a struggle to finance and manage the gnarlier engagements. It becomes nearly impossible to give stakeholders the assurance they need that the attack vector is known and remediated, the actor is contained and evicted, and you have fully catalogued your risk exposure to determine the next best steps.
  2. Those with insurance sometimes hesitate to make a claim, or even to notify their insurer that they are responding to an incident. These hesitations can create the dwell time actors need to capitalise within your compromised estate. Holding back Incident Responders from a security incident is like holding back firefighters from a fire.

Incident Responders want to help – it’s in their DNA – and it is far better to let them loose on an incident early, even just to ensure containment and preservation activities are well underway. Ironically, these are usually the two cheapest phases of an incident but, if not completed correctly, they can lead to cost blowouts later on.

If you have been beavering away at an incident all week and realise at 4pm on Friday that you need help, the ship has well and truly sailed by this point. This makes the Incident Responders’ job harder, which has a direct bearing on cost. Insurers want to hear that you have responded quickly, taken steps to secure the environment, stemmed the bleeding and sought expert support (if needed). The last thing insurers want to hear is that you have been working on an incident for a week, it’s not contained, and now it has snowballed into tomorrow’s news.

Whilst it is unlikely the insurer will deploy internal capability to respond to an incident, panels are formed of approved Incident Response vendors that can respond on the insurer’s behalf. The makeup of insurer panels extends well beyond Incident Responders; it should also include access to specialist cyber legal counsel, crisis communications experts and threat actor negotiators.

Historically, obtaining Cyber Insurance required boxes to be ticked with little validation. This evolved into more regimented and rigorous Q&A and today it is somewhere in the middle of those two extremes. 

We recommend looking at what preparation activities you can embark on now that will paint you as a ‘good risk’ to sign – or support your discussions with your broker to improve your coverage options or premiums.  DFIR Retainers and Incident Response Plans could be considered as the backbone of your intended response, augmented by a managed security service, with practical validation through Assumed Breach and/or Tabletops – all evidenced and provided as supporting collateral to your broker.

Something we have picked up on over the years: insurers do not like being treated as the scapegoat for undervalued security hygiene practices. For example, omitting to deploy proactive services because you have Cyber Insurance is one way to see disengagement from the insurer.

Consider this … should an insurer cover a total loss on a physical asset - such as your corporate office - if it has no fire alarms or sprinkler systems? Probably not. This is not dissimilar to asking whether an insurer should cover your on‑premises or cloud infrastructure against total loss or compromise when basic security and resilience controls are absent. Just as a building owner is expected to implement reasonable physical safeguards, organisations are expected to take baseline responsibility for protecting their IT environment through appropriate security controls, monitoring, backups, and incident response capability.

