Incident response plans are essential to mitigate ransomware threat

inline-icon-clock 4 MIN READ 11/08/21

Nick Woodward Claims Director
inline-icon-clock 4 MIN READ
Nick Woodward Claims Director

Incident response plans are essential to mitigate ransomware threat

The much–reported spike in cyber claims, particularly ransomware, continues to keep many claims departments on their toes. With one broker recently declaring this a ‘digital pandemic’, the need for a tightly managed, co-ordinated and swift response by various experts is as critical as ever in assisting clients under attack. Claims managers who’ve gained much experience in this recently, whether they wanted to or not, know that unlike claims in most classes of business, cyber claims are a race against time.

As soon as an insured becomes aware a breach has occurred, no time should be wasted in notifying their insurer by calling the relevant 24/7/365 incident response hotline listed in their policy. These hotlines are operated by local law firms or digital forensic experts that can obtain critical information from insureds within minutes. They also advise on early imperatives such as notifying regulators following a data breach. For example, the UK’s ICO and the US’s HHS require disclosure within 72 hours and 60 days respectively.

The initial speed, quality and quantity of information flowing from insured to insurer can make all the difference in the end result. Insureds should expect questions such as: was the breach inadvertent, malicious or supply-chain related? They will also be asked if they have an incident response plan, was it ever practiced, has it been put into effect and what their IT team is doing.


Establishing facts early

Establishing such facts early is vital, with delays likely to compromise or confound efforts later on. Far too often insureds notify their insurer after trying and failing to investigate and contain a breach for several days, in some cases making the situation worse.

Calling the relevant hotline should always be the insured’s first move. The insurer’s claims team and designated specialist law firms will immediately be notified and quickly begin working with the insured’s IT, management team and broker to assess the situation and advise accordingly.

The claims team will also swiftly select and appoint other experts on their panel based on the insured’s situation. Digital / IT forensics can then work to establish what has happened and what data has been stolen, while breach counsel lawyers, which orchestrate these investigations, advise on regulatory and individual notification obligations, and provide protection from disclosure through legal privilege. Other early actions may include taking key systems offline, contacting law enforcement and making the first steps toward restoring systems from backup.

With much intensive effort underway, the insured at the centre of it, watching their company’s future hang in the balance, is often terrified. While quickly reinstating their businesses and limiting the potential for further costs or loss of income are all critical, at every stage insurers must be empathetic. This is not only kind but essential to build client trust, reduce panic and avoid costly mistakes. Insureds need to know they can readily access a friendly, approachable and expert team that between them have handled thousands of claims.


Ransom alternatives

If a ransom is demanded, it must be quickly determined whether any data has actually been stolen, and if so, if the insured needs to pay or if there are alternatives, such as restoring from back up instead of buying a decryption key. Checking if the threat actor is on any international sanctions lists is also imperative. While there are a whole host of different types, the most successful threat actors tend to operate as businesses. They care about their reputations and want to be known for quickly decrypting systems on receipt of payment, with some offering hints and tips for improved future security and others profusely apologetic if the decryption fails.

A highly coordinated crisis response can be extremely effective in helping clients avoid catastrophe, yet it is far better that they operate on the basis that prevention is better than cure. Some business managers have learned to their cost that many nerve-racking hours could have been avoided if they’d instituted thorough pre-incident preparation and good internal security, such as dual-factor authentication, anti-virus patch management, robust backup and disaster recovery plans, strong passwords and privilege minimisation and network segmentation. Getting to know the incident response specialists that insureds would partner with before an event occurs is also highly advisable. Devising and testing an incident response plan and assembling a small, designated team of well-briefed staff to work with the insurer, breach counsel and other experts are also excellent preparatory measures.

With a mass ransomware attack underway at time of writing, in which a demand of $70m is reported to have been made to restore the data of hundreds of companies, the digital pandemic continues to rage. There has therefore never been a better time to prepare, and this also brings enormous psychological benefits for management teams. Should the worst happen, the knowledge that they have well-rehearsed processes to follow, and reliable expert partners at hand, can help them avoid debilitating panic and remain clear-headed and focused in engaging with the effort to disentangle their business from threat actors.


This article was originally published by Insurance Day on 29/07/2021. See original post here.