By Holly Waszak, Head of Cyber Claims, Cyber Risk
19/04/2024 · 5 minute read
Cyberattacks and security incidents are an ever-present threat for all organisations, with one in five UK businesses recently identifying a sophisticated attack such as denial of service, malware, or ransomware. Embedding an incident response plan into business-as-usual activities can enable an organisation to respond calmly and effectively during a cyberattack.
In the first article in our guide to cyber risk for chief information and security officers (CISOs), we examine the steps an organisation can take before and during a cyber incident to mitigate its impact.
Marsh recommends that organisations have an incident response plan in place that defines the activities they will carry out to detect, analyse, and remediate a cyber issue and restore normal operations as quickly as possible. Robust incident response plans include an escalation strategy, in case an attack spirals or becomes protracted, and a severity matrix to guide judgement of an event’s seriousness and so determine priorities.
External and internal incident teams should be identified, and roles and responsibilities of individuals clearly understood in advance. Including templates for responses to regulators, media, and data subjects in an incident response plan can save a lot of time, should an incident occur. Contingency plans should also be readily available and tested.
Ensure that the plan is kept up to date and is accessible to members of the incident response team even if systems go down.
Organisations should carry out a tabletop exercise at least annually in order to identify weak points in the incident response plan, and feed any lessons learned back into the plan.
A cyber incident is defined as one or more information security events that compromise an organisation’s business operations and information security. This may include security breaches, denial of service, breaches of personal data, credential theft, phishing, compromise of systems and accounts, and data loss.
Once a cyber incident has been determined, an organisation should do the following:
As far as you are able, establish what has happened and the nature of the incident. Importantly, determine which systems and devices have been affected and if any data has been impacted.
Follow your incident response plan and ensure teams do not operate in silos. It is important that you work alongside key stakeholders across the organisation (including legal, risk management, communications, human resources, and finance) when required.
Contact insurers and brokers immediately, so they can triage the incident and provide support and guidance. If the incident takes place out of office hours, cyber policies include a 24/7 hotline, which should be contacted in the first instance.
Reach out for third-party expertise, when needed. Cyber insurance policies come with a panel of advisers, vetted and approved by your insurers. Prior approval is almost always required from insurers for vendors not on the panel. If you do engage vendors that are not on your panel, this should be communicated to your broker and insurer as soon as possible. Your insurer should also be updated with statements of work as they are produced.
Acting swiftly and competently in the first 48 hours of an attack is crucial to contain the incident and keep an organisation operational.
Establishing whether the incident has resulted in a personal data breach, and exactly what data has been affected, is fundamental in determining if a regulator needs to be notified. In the UK, an organisation is legally obliged to report breaches of personal data within 72 hours of becoming aware of them to the Information Commissioner’s Office (ICO), unless it can show the breach is unlikely to pose a risk to individuals’ rights and freedoms.
Once these initial steps have been taken, the CISO will typically work together with the insurers’ incident response panel to resolve an event. An incident response panel generally includes:
Marsh recommends that the CISO meets with any vendors they might want to engage with ahead of an event to understand how they work and, in turn, for the vendor to understand the organisation’s incident response process.
Ransomware negotiators will normally be part of an incident response panel. However, the decision on whether to pay a ransom lies with the organisation. It is recommended that an organisation discusses its stance on this complex issue ahead of an event. This can be a good topic on which to engage the board, potentially opening and informing a more general conversation on cyber incident management.
Some 95% of cyber issues can be traced to human error. Organisations should integrate cyber security training into their culture and clearly define for employees what constitutes a cyber incident, and which actions could unintentionally trigger a policy.