Securing your organisation in an evolving world
14 July 2022
Edward Lewis, Lead Partner, Weightmans LLP
Our connected world is a vibrant but dangerous place. The incidence of cyber-attacks on organisations has sharply increased in the last 12 months. Insurers have had a rough ride, with loss presentations far exceeding predictions. The reaction has been to tighten underwriting criteria, rates and capacity all at once. But this is a short-term solution to a long-term problem: it signals to buyers that their interests rank second, eroding trust and confidence, and insurers' credibility with it.
It would be a lie to say there is an easy fix. The problem is multi-faceted, but the greatest challenge is the lack of predictability about what comes next. Fundamentally, cyber risk doesn't behave like risk in other classes. Looking to the past as a guide to the future is futile. The pace at which technologies evolve and are mashed together to satisfy consumer demand for novelty is breathless. Functionality is too often prioritised over design, with insufficient thought given to security and user safety. A few security buzzwords have emerged and are paraded like badges of honour: MFA, encryption at rest, immutable backups, segmentation, least privilege. Whether these controls really make any difference in practice requires a much deeper investigation of the environment in which they are deployed and the behaviour of its users; an MFA prompt that users approve reflexively, or a "backup" that the same compromised administrator account can delete, satisfies the questionnaire without reducing the risk. Even then, there will always be vulnerabilities, with an ever-expanding army of bad actors looking to find and exploit them.
Managing cyber risk is incredibly hard and time-consuming, and many businesses could not hope to survive without cyber insurance. Its public benefit is undeniable. But scarcity of supply could quickly become a problem if we don't rapidly reduce not just the frequency but also the scale of losses. There are no silver bullets, but some quick wins are possible, especially in how policyholder notifications are managed and supported, and they can lead to significant savings.
Remember that cyber insurance is primarily a crisis product. It requires a different adjusting mindset from most other classes of insurance. Multiple activities will need to be managed and delivered simultaneously in real time; too many to be owned by just one person. Moreover, you cannot assume decision-making control from the owners or officers of the policyholder in distress. If you do, you risk exposing them to personal liability, because they have legal obligations to make those decisions in the best interests of their organisation. Rather, the role of an external breach response manager must always be to advise and guide, empowering them to make confident decisions quickly and calmly that will get their organisation back on its feet with the least consequences as soon as possible.
There are lots of frameworks and methodologies, but ultimately adaptability is key. When the call comes in for help, there isn't time to leaf through manuals and playbooks, and there is no substitute for experience and expertise. As a good rule of thumb, however, attention to the following themes when developing a response strategy is likely to set policyholders up for the best possible outcomes:
- Organise. It may sound trite, but you should always prepare for the worst. That means having a plan, and that plan should be clear about who needs to be involved in the management and response efforts. Think about stakeholders and subject-matter expertise, and if necessary outside support from specialist vendors, especially legal and technical forensics.
- Triage. You need to know what you're dealing with, and ideally as early as possible. A technical system for monitoring unusual activity within the IT environment, and then qualifying those findings, is essential. Most alerts will be false positives or trivial issues; but some may be the early warning signs that a much more significant event is in progress, which could then escalate into a major incident. Qualification is about corroboration, not volume: a single failed login means little, but the same account failing repeatedly, then succeeding, then gaining new privileges within minutes is a chain that warrants escalation.
- "Go Big Early". Time is a luxury which in a crisis you can ill afford to lose. Once an alert has been triaged and assessed as an event which could escalate, make sure your incident response team is notified and ready to deploy. It's far easier to stand down than it is to stand up a response, and keep in mind also that irreversible impacts typically occur within hours, not days, during a cyber incident.
- Workstreams. The reality is that no detailed plan ever survives contact with a cyber incident; but having a good framework or methodology for how you will deploy your IR team is invaluable. Because of the intensity of the work, different focuses, expertise and activity will be required simultaneously. Workstreams give clarity on ownership and delivery, and ensure important tasks are not overlooked.
- Privilege. Legal advice and litigation privilege guard against the risk of being compelled to disclose sensitive information about a breach. It's by no means a silver bullet, but a lawyer-led response to incidents offers the best protection against uncomfortable information requests from regulators and pre-action disclosure applications from claimant lawyers.
- Careful candour. You should always exercise caution when sharing information externally during an incident. It's important to be seen to be open and doing the right thing in a crisis, but equally the facts change all the time and uncertainty is a constant. So, share what is certain, but make sure the potential risks of doing so have been fully assessed legally first.
- Pre-emptive support for commercial clients and data subjects. Taking the heat and sting out of their reaction to being told their information may have been exposed to harm is key to avoiding escalation into claims activity. If population size allows, there is no substitute for confidential in-person briefings. Otherwise, careful wording of notifications is essential, as is offering support services to allay anxiety and distress.
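The Triage and "Go Big Early" themes above describe qualifying raw alerts and escalating only when a chain of events corroborates them. The following is an added example to illustrate that idea; it is not code from the author or from any monitoring product. It runs over a handful of constructed authentication and privilege events (the format, the threshold of five failed logins, the 15-minute window and the three tiers are all assumptions chosen for the example), and promotes an account to "escalate" only when a burst of failures is followed by a success and then a privilege change inside the window.

```python
"""Toy alert qualification over constructed login/privilege events.

Added illustration, not from the article or any vendor: raw events are
corroborated across a time window and only a full chain (brute force ->
success -> privilege change) is promoted to an IR escalation. Event
format, thresholds and tier names are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields: ts user src action.
SAMPLE_EVENTS = [
    "2022-07-14T08:00:01Z alice 203.0.113.7 login_failed",
    "2022-07-14T08:00:05Z alice 203.0.113.7 login_failed",
    "2022-07-14T08:00:09Z alice 203.0.113.7 login_failed",
    "2022-07-14T08:00:12Z alice 203.0.113.7 login_failed",
    "2022-07-14T08:00:15Z alice 203.0.113.7 login_failed",
    "2022-07-14T08:00:40Z alice 203.0.113.7 login_success",
    "2022-07-14T08:07:30Z alice 203.0.113.7 added_to_admin_group",
    "2022-07-14T09:15:00Z bob 198.51.100.4 login_failed",
    "2022-07-14T09:15:20Z bob 198.51.100.4 login_success",
    "2022-07-14T10:00:01Z carol 192.0.2.9 login_failed",
    "2022-07-14T10:00:03Z carol 192.0.2.9 login_failed",
    "2022-07-14T10:00:05Z carol 192.0.2.9 login_failed",
    "2022-07-14T10:00:07Z carol 192.0.2.9 login_failed",
    "2022-07-14T10:00:09Z carol 192.0.2.9 login_failed",
    "2022-07-14T10:00:30Z carol 192.0.2.9 login_success",
]

FAILED_THRESHOLD = 5                 # assumption: failures needed to call it brute force
WINDOW = timedelta(minutes=15)       # assumption: corroboration window
PRIVILEGE_ACTIONS = {"added_to_admin_group", "role_grant", "sudo_success"}


def parse(line):
    """Parse one constructed event line into a dict with a datetime."""
    ts, user, src, action = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "action": action}


def qualify(events):
    """Return (tier, reason) for one user's time-ordered events.

    info     : nothing corroborates the alert (likely noise / false positive)
    alert    : brute-force pattern followed by a success -> notify IR, stand ready
    escalate : privilege change shortly after that login -> stand up the response
    """
    failures = []            # timestamps of failures within the current window
    suspicious_login = None  # time of a success that followed a failure burst
    for ev in events:
        if ev["action"] == "login_failed":
            failures.append(ev["ts"])
            failures = [t for t in failures if ev["ts"] - t <= WINDOW]
        elif ev["action"] == "login_success":
            if len(failures) >= FAILED_THRESHOLD and ev["ts"] - failures[0] <= WINDOW:
                suspicious_login = ev["ts"]
            failures = []
        elif ev["action"] in PRIVILEGE_ACTIONS:
            if suspicious_login is not None and ev["ts"] - suspicious_login <= WINDOW:
                delay = int((ev["ts"] - suspicious_login).total_seconds() // 60)
                return ("escalate",
                        f"{ev['action']} {delay} min after a brute-forced login")
    if suspicious_login is not None:
        return ("alert", "login succeeded after a burst of failures; no privilege change yet")
    return ("info", "no corroborating chain; likely benign or noise")


def triage(lines):
    """Group constructed events by user and qualify each account."""
    by_user = defaultdict(list)
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    return {user: qualify(evs) for user, evs in by_user.items()}


if __name__ == "__main__":
    for user, (tier, reason) in triage(SAMPLE_EVENTS).items():
        print(f"{user:6} {tier:9} {reason}")
```

In this constructed data, alice's chain reaches "escalate", carol's brute-force-then-success stops at "alert" (the team is warned and ready but not yet deployed), and bob's single mistyped password stays at "info". The point of the windowing is the one the article makes: the escalation decision has to be taken within minutes of the corroborating event, because the impacts that follow are measured in hours.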
Cyber incident response will always be a "blue light" service. The unpredictability of the risk is what creates the mischief, and it is also what makes insurance such a compelling risk transfer solution for organisations looking to insulate themselves against exposure in the first place. It is not a risk whose incidence is likely to abate any time soon. But effective controls, preparation, and experienced leadership to tackle crises can reduce the financial and reputational pain to far more manageable and sustainable levels than the market has experienced in recent times.
This document is believed to be accurate but is not intended as a basis of knowledge upon which advice can be given. Neither the author (personal or corporate), Society of Claims Professionals or Chartered Insurance Institute, or any of the officers or employees of those organisations accept any responsibility for any loss occasioned to any person acting or refraining from action as a result of the data or opinions included in this material. Opinions expressed are those of the author or authors and not necessarily those of the Society or Chartered Insurance Institute.