Cyber security vs incident response
Your house is on fire… what do you do first?
You wouldn't call your insurance company to let them know your house was ablaze whilst watching the flames further engulf your property, would you? Of course not!
You'd ring the emergency services to come out immediately and extinguish the fire, stopping the situation from getting any worse - and hopefully salvaging some of what was your home. In the same vein, you wouldn't wait until your house had totally burned down before ringing the emergency services, either.
Now, to put that in a cyber security context: your organisation is currently under attack, or you suspect you've just been breached. What do you do next? Presumably, panic. Hopefully, though, you have either an internal cyber team, an external cyber security partner, or an organisation you work with regularly that looks after your cyber security provisions, and you have a Cyber Incident Response (CIR) plan (or retainer) in place - or maybe you only have a cyber insurance policy.
After the initial panic is over, who should you call first? Not your insurance company, that's for sure.
Having a CIR plan in place means you have pre-agreed timeframes within which your cyber partner will respond to the attack or breach: first assessing whether anything has actually happened, then containing the attack, and finally forensically investigating the damage caused and recommending remediation to prevent it from ever happening again.
A retained service with a known supplier provides a planned, and quicker, response time as the supplier will already know and understand your IT estate - much like a retained fire service where the team have detailed knowledge of your home!
CIR retainers and cyber insurance might seem to be the same thing and to offer you the same protection, but they are two different solutions.
Cyber insurance focuses primarily on protecting you against the losses caused by a cyber attack or breach - in the case of solicitors' professional indemnity insurance, this excludes any first-party losses - with the aim of simplifying the overall recovery process.
Policy wording and coverage will almost certainly vary between insurers, so it's up to you to ensure that you have the best and most suitable level of coverage available for your organisation - and remember to check with your insurer before putting a retainer in place, too. Knowing that your policy is fit for purpose can alleviate some of the stress associated with a cyber breach.
Rather than choosing solely a CIR retainer or solely an insurance policy, you should consider combining the two solutions. The insurance policy aims to cover financial losses and may assist you with recovery from the breach and any associated costs, but realistically the insurer won't stop the breach from developing or getting any worse (remember, you wouldn't call your insurer whilst your house is in flames).
A retainer ensures that you have experts on site, within a certain amount of time, to investigate the breach, prevent it from doing any further damage, and work on getting you back to business as usual as quickly as possible.
As ever, preventative measures work best. With the ever-evolving threat landscape, it's a matter of 'when' rather than 'if'. Understanding your level of risk is the first step; implementing and tailoring your cyber provisions for adequate coverage is the next. Having a solid plan in place will speed up the overall recovery process - and give you one less thing to worry about.