By Mark Sadler, JD, CPCU, CIPP/US, Divisional Senior Vice President; and Dominick Zangaro, MS, CPCU, CPLP, Senior Loss Control Specialist, Great American
A cyberattack can be one of the most damaging and disruptive events faced by an organization. Whether the event involves ransomware, hacking, hacktivism, business email compromise or cybercrime, a cyber event can lead to significant monetary loss and negative public attention for the victim. Although the risk is severe, there are steps that can be taken both before and after a loss to limit its impact.
Pre-loss mitigation
Cyber risk management is the continuous process of mitigating risks related to your information technology systems. At its core, this means reducing the frequency and severity of potential loss-producing scenarios, and mitigating the likelihood and impact of cyberattacks. The National Institute of Standards and Technology’s Cybersecurity Framework is considered the gold standard for managing cybersecurity risk.
Under the NIST framework, two key security solutions that should be implemented pre-loss include:
- a secure email gateway, which reduces the likelihood that a phishing email will reach an intended target and is often packaged with training materials; and
- multifactor authentication, which assists in controlling access to sensitive assets or databases, reducing the overall impact and minimizing the likelihood of initial access being gained.
In addition, secure backups that are both air-gapped (meaning they are disconnected from the network) and immutable (unable to be changed) are favored under the NIST framework. These steps help reduce the impact of a ransomware event and ensure that there is adequate backup data to restore data and systems, providing an alternative to paying a ransom to a criminal threat actor.
Finally, endpoint detection and response, or EDR, is a software tool that can reduce the likelihood and impact of a cyber loss. It can be programmed to automatically detect anomalous activity, stop that activity before it starts and prevent a malicious actor from moving throughout a network after they have compromised a device. Many organizations look to have this tool managed externally, through managed detection and response, or MDR.
Post-event-loss mitigation
The first step that should be taken upon discovery of a cyber event is providing notice to your cyber insurance carrier. Most carriers provide call center access and the ability to report a claim at any time of the day or the week. Upon notice of a claim, your carrier will help you to immediately mobilize a team of experts to address the incident. The team will usually include these parts:
- Privacy counsel, which assists in guiding the investigation under the appropriate privilege and work product protections. Privacy counsel will also begin the process of determining any applicable notification duties to individuals, regulators and others that may be required.
- Digital forensics consultants work with your IT team to help eradicate the threat, determine the attack vector, map the portions of the environment that may have been compromised and provide objective data that privacy counsel can use in evaluating the legal exposure and the need to provide notification to individuals, regulators and others.
- Restoration firms provide IT experts to assist in restoring your environment.
- Notification firms provide assistance where notification is required, including sending notice, offering credit monitoring and standing up a call center to make sure trained persons are available to assist recipients of the notices who may have questions.
In addition to immediately notifying your cyber insurance carrier, you should also consider the following steps to mitigate the loss and assist in its investigation:
- Do not engage with the attacker or pay a ransom without legal consultation.
- Preserve system logs and do not wipe hardware prior to consultation with a forensic expert.
- Do not turn off any systems prior to consultation with a forensic expert.
- Notify law enforcement.
Although the threat posed by cyberattacks can be daunting, there are steps you can take before and after discovery of an attack to mitigate its impact. Your cyber insurer can be an essential partner in this effort.
The Great American Insurance Company provides optional cyber insurance for SC Municipal Insurance and Risk Financing Fund members. Great American will present during the Municipal Association of SC Risk Management Services Annual Members Meeting on November 6 in Columbia.