In my previous two posts (Part I, Part II), I’ve explored general awareness related to cyber security and ways to prevent breaches, two foundational elements of overall corporate health and risk management. As many of us know, however, it’s impossible to fully eliminate cyber risk, and the reality is that cyber incidents still occur. In this post, I will explore the types of breaches that are most likely, the ways to respond to these incidents, and the role CEOs can expect cyber insurance to play.
From an incident perspective, the two most common varieties of breaches involve either the theft of information or attempts to generate ransom payments.
Despite the important differences between these two types of breaches, step one in incident response is essentially the same: conduct initial forensics to identify the hole used by the bad actor and get it closed. From a talent perspective, day zero forensics is a highly specialized skill, and is one that, for most firms, is best outsourced to a private sector security firm.
If a breach poses a risk to an individual’s rights and freedoms, you must notify the appropriate supervisory authority without undue delay; in the UK, this is the ICO (Information Commissioner’s Office), but across the world there are many national data protection authorities tasked with information privacy. If you are in the US and the breach includes the theft of highly sensitive data or the encryption of data / systems, it is also appropriate to immediately notify the FBI. (Note: while the FBI provides meaningful support in areas like negotiating ransom payments, it is typically not equipped to conduct initial forensic analysis.)
Once you have identified the source of the breach and have it contained, you can move on to dealing with the implications of the incident. At this juncture, the type of breach has a large impact on what needs to be done.
If the incident was primarily related to the loss of information, incident response should be focused on mitigating the downstream impact of this data loss. For corporate information, this likely includes an assessment of the competitive impacts of the lost data.
If customer / personal data was also taken (e.g. the well documented Target and Home Depot breaches in the U.S.), the task becomes much larger and should include a full-blown incident management team to handle internal and external communications, identity protection services, customer service, etc.
For ransomware incidents, the biggest short-term risk is often the ability to continue operating your business. The folks who conduct these attacks are looking for leverage, something that is maximized when a company is not able to conduct business until paying for a decryption key. For this reason, hackers will attempt to both encrypt / delete primary data stores as well as backups stored locally or in the cloud. If successful, they’ll have done their homework and will establish a ransom payment request large enough to really hurt, but small enough to still get paid.
If you have cyber insurance – and at this point, every company should – your insurance provider will be closely involved with both the ransom negotiation and the corresponding recovery support (e.g. selection of service providers to assist in decryption and downstream recovery).
It is important to note that the bad actors who conduct ransomware incidents do not specialize in customer support, and the decryption keys often only work in a partial manner. In many situations, we have seen firms recover only 40 – 60% of their encrypted IP.
Also, because the systems that were encrypted are typically still compromised by the breach, firms will need to stand up new systems to run their business going forward, something that can be an onerous, long-term task. And very costly!
From a financial perspective, the good news is that firms can expect a good portion of the ransom to be paid by their cyber insurer. The bad news, however, is that when assessing the full cost of the incident, insurance will cover only 30 – 50% of the full financial impact of the incident. So, while it’s vital to carry insurance, it’s even more important to reduce the likelihood of a breach.
As with many situations, in the world of cybersecurity, an ounce of prevention is worth a pound of cure.
Partner & UK Country Head
Andrew is a life-long consultant with a very successful and diverse background, having served in MD or CEO roles for several technology and services companies. Andrew has over 25 years of technology leadership experience at an executive level, with a strong client background in the consumer, financial and professional services sectors. He’s lived and worked in Europe and North America and has built high-performing teams that have consistently achieved double-digit revenue growth. Andrew possesses a proven track record in the delivery of large-scale operations and technology transformation agendas across the B2C and B2B space. Andrew has also participated in numerous speaking roles over his career, most recently for Private Equity International, as well as the Business Forum at the Commonwealth Heads of Government Meeting.