12.23.2019

Pre-Breach Planning

By Emily Short

Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.  When technology or cyber incidents occur, it’s critical for an organization to have an effective means of responding.  Pre-breach planning can greatly reduce the impact and reputational harm associated with a breach.

1. Implement a cyber incident response plan

Having a plan when a cyber breach strikes is one of the best ways to minimize the financial and reputational impact.  An incident response plan (IRP) provides the roadmap by which organizations intake, evaluate, and respond to a suspected or actual incident.  The goal is to manage a cyber breach in a way that limits damage, reduces costs, satisfies legal obligations, and restores confidence in the company.

According to the IBM Security and Ponemon Report, the presence of an IRP team combined with extensive testing of the IRP “produced a greater cost savings than any single security process.  Those organizations who conducted extensive testing of an IR plan had an average total cost of a breach that was $1.23 million less than those that neither had an incident response team or tested their incident response plan ($3.51 million vs. $4.74 million).”

In order for an IRP to be effective, stakeholders from multiple departments should be involved, including the C-suite, legal, IT, risk management, human resources, and communications.  In smaller organizations, an IRP should include individuals responsible for making decisions associated with the business units listed.  Although the board of directors does not necessarily need to be a member of the IRP, they should review the plan and approve it.

While the goal is always to prevent a cyber incident from occurring, in reality, even the most secure companies have vulnerabilities.  When a cyber incident occurs, a coordinated and well-rehearsed response has proven to significantly reduce the impact.  In short, pre-breach planning makes all the difference.

2. Participate in breach exercises

Having an incident response plan in place is part of the process; testing it is the other part.  As we mentioned above, testing the IRP can greatly reduce the costs associated with an incident.

Once a plan has been implemented, it’s vital that the plan is frequently reviewed and tested.  Team members and external providers will inevitably change over time, and the plan is only helpful if it’s current.  Participating in breach exercises and tabletops helps the team determine whether the plan is realistic, and can also identify gaps in the process.

3. Implement (and update) policies and procedures

Policies and procedures related to cybersecurity should be implemented and followed.  Employees should be aware they exist and should be notified when they are updated.  Recently, we’ve seen a number of regulatory fines and penalties related to improper data collection, data retention, and violations of privacy policies, to name a few.  Some of these penalties can be avoided with proper policies in place.

Companies should also educate themselves on applicable privacy laws, such as the GDPR and the California Consumer Privacy Act, and develop underlying data and cybersecurity policies and procedures to address them.  Some laws, such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (NCR) that took effect in March 2017, mandate that entities falling under their purview implement policies that adequately address the company’s unique risks.  These policies and procedures should fulfill legal requirements while also supporting the confidentiality of data.

4. Third Party Risk Management

Third parties introduce tremendous risk to business operations, data security, and even technology products and services.  As companies continue to rely on, and engage with, third-party service providers and vendors, it’s important to assess the risks they present from a cybersecurity standpoint.

Prior to partnering with vendors, companies should review relevant security documents, including the vendor’s cyber incident response plan and security audit reports.  Contractual language setting forth each party’s obligations and rights regarding confidential personal data, as well as insurance requirements, should also be included in the contract at the onset of each engagement.

5. Training

Human error is still one of the main causes of a cyberattack.  Criminal actions such as ransomware and social engineering fraud generally dominate the conversation, and many of these threat vectors are successful because people click on a link or open an attachment that includes malicious software.  Employee training is one of the least expensive and most effective tools an organization can use to reduce the risk of a cyberattack.  A culture of cybersecurity awareness should occur from the top down, and it’s the best way to minimize the chances of employees, or executives, clicking on the link offering them a free iPhone or Amazon gift card.

6. Have appropriate security measures in place

Backing up your systems is a great way to minimize harm after a cyber incident, particularly a ransomware attack.  Over the summer, ransomware hit municipalities especially hard.  Baltimore was one of the first, and they ultimately decided against paying the $76,000 ransom demand to decrypt their data.  A recent report indicates Baltimore has expended more than $18.2 million in recovery and related expenses.  And guess what, they apparently did not have basic policies for backing up their systems.

System patches and product updates are also vital.  The Equifax breach is still top of mind for many consumers, and according to a House Oversight Committee report, the breach was “entirely preventable.”  Simply put, Equifax failed to patch a vulnerability in a web server that attackers ultimately used to access consumer data.

7. Have the right insurance

Although it’s often overlooked, the right insurance can greatly improve a company’s risk profile.  Even with the most stringent security measures in place, cyber incidents are likely to occur.  As evidenced in the media, how a company handles breach response is critical, and it’s often expensive.

A quality cyber insurance policy does more than provide coverage; many cyber insurance carriers now offer portals that include risk management tools and services, and incident response applications or hotlines to assist with initial triage after a breach.  Most carriers also have panel providers with pre-negotiated rates and deep experience related to responding to data breaches.

Cyber insurance should not be seen as a replacement for a properly developed cybersecurity program, but it can provide a number of vital resources, and will greatly reduce the financial impact stemming from a breach.

Pre-breach planning can seem tedious at times, and most of us would like to think our security measures will prevent a cyber incident from ever occurring, but in today’s interconnected world, pre-breach planning is a more realistic solution to the ever-expanding cyber risks.

Some Additional Resources:

In 2010, the Australian Signals Directorate published key lessons related to cyber intrusions and penetration testing for government agencies.  The report, which was updated in 2017, includes 35 strategies to mitigate targeted cyber intrusions.  According to the ASD, the top four strategies block 85% of attacks: 1. Application whitelisting; 2. Patch applications; 3. Patch operating system vulnerabilities; and 4. Restrict administrative privileges.  Check out the full report for more information.

Emily consults on risk management and insurance solutions across a variety of industries, with a particular focus on technology, venture capital, and private equity risks. Emily previously worked as a cyber and technology insurance broker at one of the largest international brokers.  Prior to that, Emily was practicing law, focusing on professional liability insurance defense.  In addition to her Juris Doctor, Emily completed the Certified Information Privacy Professional (CIPP/US) designation and the Registered Professional Liability Underwriter (RPLU) designation.  She is licensed to practice law in Kansas and Missouri and has her Kansas insurance license.