Back in 2012 the then director of the FBI (Robert Muller) used the famous phrase “There are only two types of companies; those that have been hacked and those that will be…”. Whilst the comment raised a few eyebrows at the time, just five years later, it’s no longer surprising when a cyber event happens to, or within, an organisation. The true test is now, arguably, not whether an event can be defended, or what the immediate damage is, it is the way in which the event is responded to.
So, we are no longer talking about ‘if’ and ‘when’ any more, it’s a case of ‘how’, how will an organisation deal with a situation?
The first 48 hours following a cyber event are crucial. This is the period where the incident response and subsequent decisions can have the biggest impact on any organisation. Slow or poor handling can have catastrophic implications and leave a reputation in tatters.
As Robert Muller would attest, cyber threats are not new and organisations can have few excuses not to identify and mitigate the risk. However, most of this focus has been on the defence as the major priority. If an attack can be prevented in the first place, then this should remove the problem. However, the threats in the cyber world evolve incredibly quickly, at a time when more and more businesses are dependent on technology to operate and function. So, there is now a recognition that there should to be a heavier importance given to a rapid response and recovery if the worst happens.
Most cyber policies should reimburse an organisation for costs and liabilities incurred in dealing with the fallout of a cyber event. But a good insurance product should do much more than that. Significant importance needs to be attached to the stages of incident response and the assistance provided. Immediacy of action and having the correct experts involved in those first few hours is crucial – this phase might not end up as the largest financial part of the claim for the insurer, but it could be the costliest part to the insured if done incorrectly.
It is also not just about checking what 1st party costs are covered by a policy, it’s about understanding how implementation occurs. Can one phone call from the insured give access to an incident response team dedicated to the process? Are they able to speak to a specialist lawyer within one hour of the event, under the protection of legal privilege, to help understand what has happened and what needs to be done, to assess the circumstances, deal with the immediate concerns and decide on the suitable next steps? This could require calling on experts in forensics, foreign privacy law, PR, notification and credit monitoring, crisis management, ID theft, extortion or ensuring any regulatory requirements are met (particularly relevant with the implementation of the UK Data Bill, in line with the General Data Protection Regulations coming into force in 2018).
Most organisations will not have this type of resource in-house, nor know where to find it in a time of crisis. A pro-active insurer who can offer this can therefore be vital. It is also important to note that any longer-term consequences (for example, 3rd party claims, mass actions, regulator fines, business income loss and reputation damage,) are all heavily mitigated or influenced by the immediate evaluation, action and handling of the short-term crisis. It’s mutually beneficial for both insured and insurer to have this speed and expertise available – there is no catch.
So, when looking at Cyber events and the risk involved, that shift in mitigation mind-set from defence to response is enormously important. As Warren Buffet said after 9/11, when he’d failed to fully mitigate the risk he’d foreseen in his business: “I violated the ‘Noah rule’: Predicting rain doesn’t count; building arks does”.