Risk in Context: Cyber incident management best practices

Facing more frequent and intense cyber threats, it’s vital that businesses to be ready for attacks.

This episode of Marsh’s Risk in Context podcast features Brian Warszona and Katherine Keefe from Marsh’s Cyber Practice on how organizations can build effective cyber incident management plans and the actions they can take before, during, and after an attack.

Transcript

Brian Warszona:

Hello. I’m Brian Warszona, UK Cyber Deputy Practice Leader at Marsh. Welcome to Risk in Context, which features conversations with Marsh colleagues, risk professionals, and others intended to help you better understand key risks, build more effective insurance programs, and think creatively about what’s possible in a world of risk.

In today’s episode, we’re wrapping up our series on cyber, which remains a significant risk for businesses around the world. In the last two weeks, we dove into ransomware and cybersecurity controls, and this week we’re going to take a closer look at how to manage a cyber incident.

In this episode of Risk in Context, you’ll listen in on a discussion between me and Katherine Keefe, Marsh’s North American Cyber Incident Management Leader, about the steps organizations can take to manage risk before, during, and after a cyber event.

=====

Brian Warszona:

So, Katherine, diving right into this, as ransomware and other cyber threats are growing in frequency, severity and sophistication, it's become even more important for businesses to be ready for attacks.

So, from your perspective, what are some of the key items that businesses should start to think about when responding to a cyber event in this growing risk environment?

Katherine Keefe:

Yeah, absolutely Brian. The preparation for a cyber incident is a drum that we've been beating for years with the clients that we represent and now there's a greater urgency. And we're spending time with clients who are in different places on the spectrum of incident preparedness.

Many clients have very evolved incident response plans, and now need to look at those plans with fresh eyes from the perspective of ransomware. And we are working with clients to build in decisional frameworks that are unique to the attacks that are happening, unfortunately, with great frequency, as you mentioned, and more complexity, because ransomware is a unique animal. It places clients in a very difficult position around encrypting their networks or a portion of their networks and their data, potentially releasing their data into the wild.

And all of those potential impacts can be planned for. And we can pick apart a little bit what those action steps should be on the preparation side.

Brian Warszona:

And are you seeing more organizations take more of a specific focus on the ransomware response, considering the heightened severity and that specific type of attack in the last few years?

Katherine Keefe:

Absolutely, yes. And organizations should pay particular attention to how they're situated and prepared for a ransomware attack. Looking at how their internal team comes together to make decisions around the impact or potential impact that they might face in a ransomware attack, the kinds of resources that they would need to support them during their analysis of the situation and its impact, the way they could respond and restore their networks, and then coming out the other side in terms of restoration and getting the business back up and running.

All of those pieces can be and should be built into a plan, and we spend a lot of time with our clients building those pieces into their plans.

Brian Warszona:

And that's a great point. What I've seen is a lot of communication goes around in responding to a cyber event.

We're sitting here having this discussion on a Friday, where we typically see a lot of these events occurring in the afternoon because it goes into the weekend.

You've mentioned resources. What types of resources are available to businesses in the event of an attack? And specifically, how do you see insurance policies playing out during an actual event itself?

Katherine Keefe:

Yes, so absolutely, the cyber insurance industry has responded to the ransomware, and I'll call it an epidemic, I believe it's an epidemic. It's at crisis proportions in terms of frequency and severity of these attacks.

But most cyber insurance policies, bring with them coverage for a variety of aspects and services that organizations would need to help investigate the impact of a ransomware attack. So, by that I mean expert law firms who can provide guidance on structuring an appropriate investigation of the ransomware situation and keeping conversations, analysis, and certain documents under the attorney-client privilege as best as possible.

The legal piece is very important as a resource, and we encourage our clients to understand the legal resources that are typically available to them under their cyber insurance policy.

Similarly, a lot of internal IT/IS teams need some external forensic support to help assess, forensically, the impact of the ransomware attack. What is the malware variant that's at play here? Who are the threat actors? What is the ability of the organization to contain the attack, to ameliorate it, to assess the impact to the network or portions of the network? So, the external forensics piece plays a huge part here, and again, that is another service that's typically covered under a cyber insurance program.

Maybe in a minute, we can talk about the role of the extortion services provider because I think that warrants its own discussion. If I thought, ten years ago, when I got into the cyber insurance industry and business that the services of an extortion services provider would be required ten years ago, I would not have known what you were talking about or why that would be necessary.

But it's become an unfortunate reality that these particular skill sets are what organizations need, and again, the cyber insurance programs cover these specialized services. 

Brian Warszona:

That's a great point.

You say ten years ago, we wouldn't be looking at extortion specialists in the cyber world, per se, but there is also a process that goes around utilizing these resources.

I don't know if you want to expand a little bit on how the process may go through. Say you have an event from an extortion standpoint or ransomware-type malware, how does that process fit in, in terms of pulling all these types of resources together?

Katherine Keefe:

Yeah. There are many trains running down tracks at the same time when a ransomware situation occurs.

Firstly, the organization is scrambling to understand the scope of the technical problem, the impact to networks, file servers, etc. And either through internal resources and/or additional external resources, that technical analysis has to begin right away.

If there is an insurance policy, we very much encourage our clients, either with our assistance or independently, to reach out immediately to the cyber insurance carrier. Because they'll come to the table, and having now seen dozens, if not thousands of these events — each carrier, over the past three to four years — the carriers are very adept at being responsive, number one, getting with the policyholder very quickly and arranging and organizing the various service providers to come to the table quickly and support the client in this event.

So, typically, what you'll see as a process is the event is escalated inside the organization. The insurance broker and carrier are notified and come to the table and have a conversation very quickly with the client. The client then engages counsel, engages forensic support to begin the investigation and understand the scope.

Meanwhile, and maybe now is where we talk about the extortion services provider, that expert comes to the table and assists the organization in starting a communication channel directly with the threat actor. Because believe it or not, these threat actors expect to be communicated with.

And there have been, if you can believe it, best practices grown up over the past couple of years, wherein the extortion services provider will act on the client's behalf, open a dialogue with the threat actor, understand — based on historical experience with this particular threat actor — what their behavior patterns have been. Are they "honorable thieves"? In which case, I mean, will they make good on the promise to give a clean decryption code if the organization is faced with actually paying the extortion payment? Or are they some kind of scruffy, lesser-than type of criminal who is not reliable in terms of making good on promises?

So, the value of the extortion services provider here is that they're feeding back information to you, the client, to give you a better picture of who you're dealing with, at the same time as your internal team is working with counsel and forensics, to understand the scope of the situation and whether you're in a position to restore the network or the files from your own backups, or whether you have to seriously consider potentially paying the extortion demand.

The other thread that's happening at the same time, through the extortion services provider, is that they are negotiating with the threat actor to lower that extortion demand. And truly, as has been borne out in the cases that we've been involved with, the extorters — the criminals — will negotiate and at the end of the day will lower their demand if they believe that the client is seriously considering and able to pay.

So, the extortion services provider is really helping feed information, helping the organization buy some time to make these critical decisions about hopefully being able to restore the situation themselves, versus having to pay the extortion payment to the criminal. 

Brian Warszona:

It's interesting. It's amazing how the sophistication, not only of the attacks themselves, but actually the response, have now come along in the last few years alone. And I know that we often run these types of scenarios with our clients, whether it be ransomware, or if it's something else like a data breach, or any other type of cyber event.

But you mentioned just how important that extortion service provider is. Do you see any benefit of businesses getting to know these types of risk professionals or resources at the insurers, prior to an event, versus waiting until that event actually occurs?

Katherine Keefe:

Oh, very much, Brian.

I think that’s another really important piece on the preparation side, is to have met and understand the approach of the service providers that will come to the table on your behalf if you were to have a situation, ransomware or otherwise.

So, we spend a lot of time introducing our clients to the law firms, the forensics firms, the various extortion services providers, so that they have, literally, they have a list of go-tos that maybe they've even done a little precontracting with up ahead of time, so that the first time everyone is meeting each other is not at the point of impact.

Brian Warszona:

No, that's a great point. I know that multiple different insurers have different panels, so not every single panel for every insurer is going to be the same to the next one depending on which might be your primary carrier.

In terms of trying to understand who these panelists are, and trying to invite your own panelists or individual vendors that you may have, have you seen different businesses actually include their own contracts within the policy to have that continual relationship prior to even purchasing a cyber insurance policy?

Katherine Keefe:

There are many situations where, particularly in larger organizations which have relationships with technical service providers who also provide forensic services and may also even additionally provide extortion services. There are those existing relationships.

And then when overlaid with the insurance policy, sometimes that existing relationship, that vendor is on the insurance panel, and sometimes not. And so, organizations are faced with — and we help our clients through the decision-making around — do we go to the carrier and ask that the existing relationship be added to the policy? If there's flexibility on the carrier's part, sometimes that can happen.

Sometimes, other carriers are a little more stringent in their approach and say, "In order to have a benefit of coverage under the policy, you must use the panel choices that we're offering." In which case, we encourage our clients to kick the tires of the panel choices.

And in our experience and having done this now for over ten years, the vendors who work with the cyber insurance carriers have been doing this for a while. They eat, breathe and sleep these issues, so that they're tried and tested, and they work well with each other. Because in this ecosystem, it's very advisable to have a law firm who knows the forensics firms that they're using, that you're choosing, and that there's a smooth handoff of information and process between the various players. So, where there's a carrier panel, we encourage our clients to at least familiarize themselves with it and potentially consider options on that panel.

The behind-the-scenes is that the carriers have negotiated discounted rates with these vendors and pass those discounts on to the policyholders. So, there is some good financial benefit also to an organization to work with the carrier choices. 

Brian Warszona:

I think that's a great point, too. One of the things that we often don't hear about is the discounted rates to these vendors on the panels that you could potentially get if you purchase a cyber insurance policy.

Just to switch gears a little bit, we've talked about the resources, getting to know them a little bit. But let's talk a little bit about the testing of these plans and keeping these up to date on an annual basis, if not more often.

In your previous role, you assisted a lot of businesses with doing these so-called tabletop exercises, as it's known. Could you explain why this is so beneficial to businesses to test out these plans and have them set up ahead of time?

Katherine Keefe:

Yeah, it really is well advised to run what we call a tabletop exercise.

Prior to coming to Marsh, I ran a breach response unit at one of the preeminent carriers. And that was a value added service that we offer to our larger policyholders to facilitate a conversation, internal to the organization, that tested how they would come together to address a cyber incident. And then in more recent years, most of those tests and cyber incidents were ransomware incidents, because that's what is happening. And the benefits of doing that are many.

One: Doing this in an interdisciplinary way is very important, because at the end of the day, a potential data breach or ransomware crisis is not just an IT issue. If an event that's significant like this were to happen to your organization, there are many other disciplines besides IT that need to come to the table and make decisions on a collaborative basis within the organization. You have HR professionals; you have legal professionals; risk-management professionals; IT and IS, of course; sometimes physical security; information security, depending on the organization; and internal communications or marketing.

These are all disciplines, that if a crisis were to happen, each of those roles would have a job to do, or a decision to make, or be part of a larger decision to make. And so, coming together in a safe space to hypothetically work through a fact pattern that can test the organization's internal incident response plan is very useful.

I can remember, and have been in the room with incident response teams at very large organizations where sometimes the professionals in the room are meeting each other for the first time. A lot of times companies work in silos because they're highly specialized and professionals are hired to do their specialist work, but this is a time where collaboration across disciplines is very important.

And having taken the time to test a hypothetical scenario in a tabletop format, really begins to develop some muscle memory for the organization such that they can kick that into gear if and when a real situation were to occur. So, it's very much time well spent.

Brian Warszona:

Yeah, I've sat through a couple of these tabletop exercises with clients, both in the US and the UK.

And I remember a couple of different stories going back five, ten years ago, where individuals would keep trying to communicate during a crisis through email, even though their systems were down, so there were some lessons learned right there off the bat at the beginning of the tabletop exercise.

In your experience, going through these exercises with several businesses, both on the sides of the carrier and now with Marsh, what is one of the biggest things that you've seen come out of these in terms of lessons learned?

You mentioned, bringing all the stakeholders together. Is there anything else that you would see other organizations learn before they get into these exercises?

Katherine Keefe:

Yes, I think there’s always… The best tabletop exercise results in a bit of a to-do list for the organization. And by that, I mean not that they have to go back and rewrite their entire incident response plan because it blew up and it didn't work. That's never the case.

Usually, what happens is that in running the tabletop exercise, the company learns that maybe they left out a critical department who they needed for the discussion or to help in the decision-making. Or maybe they realize they don't have the right escalation procedures, such that the top executives are kept informed as the investigation and decision-making unspools. So, maybe there's a communication link that needs to be addressed.

Another takeaway I've seen is that the folks in the room, they're not all responsible for the insurance relationship between the company and the cyber insurance carrier. And so, the tabletop can perform a consciousness raising among the group around the coverages that are available and the resources that are available, and maybe this is the first time they're hearing about that. And so, they can bake that aspect of the coverage and the panel requirements and working collaboratively with the carrier into their plan.

So, I've seen a variety of lessons learned and opportunities to augment plans as a result of tabletops.

Brian Warszona:

Yeah, and it's interesting that you mentioned just bringing back into the panel discussion with the carriers.

We've gone through the resources, the relationships, and testing out these incident response plans. So, let's say we're facing an incident. What's the importance of having the insurer alongside as this event is going on, and what have you seen change over the last five years from this type of collaborativeness going on with the carrier and the named insured?

Katherine Keefe:

Yes. We're all learning as we go, right? No one really wanted to be in this position of incessant ransomware attacks. I think, everyone in the broker space, in the carrier space, in the client space, has had to learn and adapt on the fly as these attacks have been happening.

And in that process, we've seen the support, maturity, sophistication, and knowledge on the part of claims adjusters within the cyber carriers really advance and really be quite helpful to our clients at the point of impact. Because, again, these carriers are seeing many of these, and so have developed a knowledge base and an ability to transfer that knowledge in a way that's helpful to the client who's experiencing the point of impact.

Hopefully, organizations never have ransom attacks. But if they do, hopefully, they only have one. So, they don't have that wealth of knowledge that brokers who deal in this space have or that claims adjusters of the carriers have. So, I think that's been an evolution.

The other evolution is that the carriers want to work collaboratively with policyholders, because at the end of the day, they're paying the bill for the coverage. And one issue that we try to convey pretty clearly to our clients is that in a ransomware situation, where the client is really having to seriously consider paying the ransom, the carrier needs to be kept quite updated as  to that thought process. Because at the end of the day, again, they're writing the check.

So, many of the cyber insurance policies require prior consent, before the organization actually pays the ransom through the extortion services provider over to the criminal. So, keeping the carrier in the loop, advising them on the thought process of the organization around paying the ransom is the way that there is a successful outcome in terms of the process going smoothly, the carrier granting its consent, and the reimbursement being made back to the policyholder.

Brian Warszona:

That's an absolutely great point, in terms of the carrier is actually paying for this and when you go through the approval process, you don't want to have any hiccups without having them involved throughout the process. So, that's an absolutely great point to make there.

Katherine Keefe:

In our experience, I just have to elaborate a little bit on that, the carriers are not there to second-guess the policyholder's business decision. And I've never seen that happen. If a policyholder decides it's in the unfortunate position of having to pay a ransom to a criminal, the carriers will support that decision.

What they need in order to support that decision, though, is information from the policyholder about the impact to the organization, the length of time that the organization has been down and not able to operate. There are business interruption loss considerations that factor into an organization's decision around restoring from backups or paying the ransom.

And this is the kind of information that the carriers are looking for. And the most successful outcomes are where there's collaboration between the client, the broker, the vendors working on the situation, and the carrier. 

Brian Warszona:

Yeah, and that's a great point, because we're starting to see the scope of work that needs to be done by a vendor having to be approved and go through that process. Also, looking at the cost, it goes beyond just the actual ransom payments, but that business interruption that you mentioned. What is the aftermath of, say, a ransomware event to occur? And what the cost may be — the quantification, the qualification side of those things, and lining that all up with, hopefully, a claims payment at the end of it.

Katherine Keefe:

That's right, Brian, because there are a variety of coverages in the cyber policies, typically. Some going toward extortion, some going to breach response services, some going to business interruption loss.

And the equation around all of this is that we as brokers and carriers do not want to see our policyholders and clients unable to operate for extended periods of time.

So, we all work together to try to bring those tactical vendor solutions to bear quickly to reduce the amount of time that a hospital is unable to treat patients, or a manufacturer is unable to run its lines, or a hotel is unable to conduct reservation activities. And so, the way to work together on this is to make sure that there's expertise that comes to the table quickly and helps the organization get back up and running with as minimal amount of financial loss as possible.

Brian Warszona:

Yeah, and you hit on it there, too. This is hitting all different types of industries as we're seeing technology start to expand and develop over the last few years, especially as we're going through COVID, and with the surplus of technology being implemented at organizations. These types of events are now becoming more and more mindful in terms of how to respond.

So, thank you, Katherine, for going through everything that you did just there, and we've touched on a lot of really key topics. Is there anything you want to add before we sign off? 

Katherine Keefe:

No, Brian, I think we've covered a lot here and there's a lot of detail behind everything we just said.

I will close with just a point around, since this is a ransomware podcast, the US government and other governments take a dim view of paying extortion payments and there are particular federal rules, prohibitions around paying specified entities who have been identified, for example, by the US Department of Treasury's OFAC division.

And so, just keeping in mind that working with counsel and extortion services providers are going to enable clients to better position themselves from a compliance perspective to not run afoul of some of these federal rules that govern these restricted payments. I don't want to close on a down note, but that compliance piece has become very important for clients to factor into their planning as well.

Brian Warszona:

Not a downer at all. And it's actually, hugely informative to our listeners to understand how this is actually all starting to play out from a government aspect, as well as looking at a compliance standpoint.

=====

Brian Warszona:

That’s all for this edition of Risk in Context. I hope you enjoyed our discussion, and I thank you for listening. And thank you to our guest, Katherine Keefe, for her wonderful insights.

You can rate, review, or subscribe to Risk in Context on Apple Podcasts or any other app you're using. You can also follow Marsh on LinkedIn, Twitter, Facebook, and YouTube.

For more on cyber risk, make sure to listen to our previous episodes on ransomware and cybersecurity controls. In addition to your podcast feed, you can find those episodes of Risk in Context and more insights from Marsh at our website — www.marsh.com.

Until next time, thanks again for listening.