IT Providers, Incident Response, and Cyberinsurance
As the number of cybersecurity incidents rapidly grows, incident response (IR) has become an important buzzword. Sometimes companies pay for IR out of pocket, but in most cases it is tied to an insurance claim. We are seeing lots of marketing from IT providers about IR, but the problem is that many are not qualified or approved. This means that when your cyberinsurer starts working on your claim, work suddenly has to be redone or is not approved, and you are left with an unpaid invoice or, even worse, an insecure or re-compromised environment.
Please note we are only addressing the IT component of IR in this article. There are other components such as legal, notifications, PR and more. These all should be covered by a robust cyberinsurance policy and are a major reason why you want one.
There are two important parts of IT that any IR team should have a plan to address. The first is stopping the attack, which many IT teams can handle. The second is forensics, which is the art of finding out what was accessed, how the attackers got into your systems, etc. Forensics is a highly skilled trade, and practitioners need to have extensive training and certifications.
Some of the mistakes that are made during IR include:
In the event of a ransomware attack or similar, IT may start restoring from backup. The problem is the attackers may have been in the system for a long period of time, and restoring from backups does not lock them out, exposing you to the exact same attack again. This is a great example where forensics is important.
Cyberinsurance has a strict process for IR, and an IT team acting on its own without guidance may run afoul of what is required or approved. Cyberinsurance should always be engaged as soon as possible for proper guidance. The IT team you find via a cold call or Google is likely not allowed to do work on behalf of a carrier.
How do I make sure my IT team is qualified to handle IR?
They should be an approved IR provider by your cyberinsurance carrier. This ensures a base level of competency, and helps ensure the success of a claim, including the claim being covered.
If they are providing forensics services, make sure their team is professionally credentialed, such as by GIAC.
Make sure your IT vendors have a comprehensive cyberinsurance policy as well. Providers require a special type of policy called Tech Errors & Omissions, and currently it is very difficult for companies to find coverage, resulting in many being uninsured.
Clear Guidance Partners is NOT an IR team or insurance provider, but we do have strong partnerships with the industry leaders. We prepare ahead of time for “when, not if” a breach occurs as part of our risk planning for your business, including documenting your insurance info and having a robust plan in place. Interested in discussing how to raise your security baseline and make sure your business is fully protected from risk? Schedule a call with one of our partners today.