Dominic Trott, head of strategy – UK, Orange Cyberdefense
Cyberattacks on businesses increased by 13% in 2021 compared to the previous year. Yet while it’s not necessarily the case that the number of bad actors is increasing, it is the scale on which they’re operating that has broadened exponentially.
In addition, the manner in which cyberattacks are being carried out has also evolved. While some cybercriminals hack for fun, the vast majority of malicious activity is, unsurprisingly, conducted for financial gain and targets organisations on the basis of two simple principles: first, where there is the most value to be targeted; and second, where the attacks are most likely to be successful.
It’s also likely that the full extent of the cybercrime landscape is hidden. Accurate data on the impact of cyberattacks is often hard to come by because, in many cases, the breached organisations are unaware of the full extent of the attack – or even that one took place. They might genuinely not know this information if they don’t have accurate oversight of their digital estate, or keep quiet for fear of incurring legal liabilities or causing reputational damage.
The current security landscape has created the perfect storm for cybercriminals, as cyber insurers and Computer Security Incident Response Teams (CSIRTs) often end up fighting over the same budget. Traditionally, it has been relatively easy for firms to obtain cyber insurance coverage at low premiums. However, the heightened cyber risks and exponential growth of ransomware attacks in recent years have led to premiums rising.
The question that businesses often ask, therefore, is ‘why do I need an incident response retainer when I already have cyber insurance? Surely, it’s a waste of money? If the worst does happen, the insurance company will pick up the bill for any damage done after the event’. I would argue that this is a short-sighted and potentially dangerous approach. Let’s look at the different roles of incident response and cyber insurance.
- Cyber Insurance: like other types of insurance, this aims to give businesses a way to ensure that if the worst happens, they can recover some of the costs. Cyber Insurance will likely cover you for some of the tangible costs associated with a breach, but it probably won’t cover all of them. By acting quickly and limiting the scale of the breach, you may be able to reduce the full impact. In addition, some insurance companies will expect you to have demonstrated a level of preparedness before accepting your claim – a bit like having a burglar alarm or dead-bolt locks on your house before a house insurance claim is accepted.
- Incident Response Retainer: aims to provide rapid, on-demand expertise in an emergency if the customer calls them immediately after an incident. The key to mitigating the impact of any cybersecurity incident is the reaction time between detection and response. Many companies lack the infrastructure needed to react in a quick and secure manner. Having an incident response team available 24/7 to identify, contain and eradicate threats and to get businesses back up and running as soon as possible may be crucial to their ability to continue successfully trading.
Cyber resilience
But isn’t incident response included in the insurance policy? In many cases, it will be. And perhaps this is where the confusion arises. Cyber insurers will often pay out, but only as long as the incident is covered by an incident response retainer. Their objective is of course to help cover the financial losses that result from cyber events and incidents, and in numerous policies the presence of a retainer agreement with an external incident response provider can help prevent severe losses. This will often bring down the premium of the insurance policy. Having a retainer also means you get to choose the CSIRT that you are going to be working with in advance. You can assess their credentials and their experience, and talk to their other customers – all before an incident occurs.
The key thing here is building cyber resilience. Of course, there is no such thing as complete security. For starters, incident response alone is insufficient to deliver cyber resilience from either a technical or procedural perspective. Good practice advocates that solutions should be in place across the full threat lifecycle. For example, the NIST framework recommends that organisations identify their threats and vulnerabilities; protect against them with security tools and operations; detect threats as they target the enterprise; respond to contain and remediate an incident as it occurs; and recover by taking lessons learned from incidents and improving ‘business as usual’ appropriately.
But, leaving an end-to-end approach to threat lifecycle management to one side, having both cyber insurance and an incident response retainer working seamlessly together will at least provide organisations with a fighting chance of continuing their core business functions if and when disaster strikes.
Making cybersecurity a joint enterprise
There are worrying trends emerging in the cybersecurity market. While attacks are becoming more sophisticated and ransoms are rising, there are concerns that there might not be enough money in the still-emerging sector to cover everyone’s needs. So, what can companies do? They should still invest in insurance coverage, but they also need to look for other ways to cover their potential exposure, including CSIRT rapid response teams.
It cannot remain a budgetary decision for a CTO and a CFO to fight over whether to firefight OR recoup what has been lost in cyberattacks. Both are important. An incident response team is the first port of call to help respond to any cyber accident or incident. Then and only then – once the breaches have been made safe – should you call in the moneymen.