Companies need to create and rehearse an incident response plan to avoid late intervention during a cyberattack, according to panellists speaking at a conference in Toronto last week.
In the face of a breach, there’s no time to think about what to do or who to call, said Ruth Promislow, a partner at Bennett Jones LLP, speaking about the importance of early intervention during a panel on risk management and insurance claims following a cyberattack.
The Cyber Risk Summit, put on by NetDiligence, took place Feb. 23.
Promislow said it is important for companies to look at their cyber-insurance and ask if they’re properly covered.
“When you have this coverage, engaging your insurer immediately is helpful in that you have access to the panel of experts that they provide. In the face of a breach, there’s really no time to think about what you need to do and who you need to be calling. That’s why you need a well-rehearsed incident response plan,” said Promislow. “I say rehearsed because you should be rehearsing it and engaging in tabletop exercises and you need to be engaging those experts.”
Tabletop exercises are scenarios that mimic what a breach would feel like to the company.
Promislow advised organizations to tailor their coverage and obtain cyber-insurance that covers the most relevant risks.
“There’s not sort of this catch-all of you’re covered for every single contingency under the cyber-umbrella,” she said. “What it underscores is the importance . . . of understanding for this organization what [is] the scope of risks and vulnerabilities that this specific business faces, what are the assets they’re trying to protect, where are the potential gaps in their system and then obtain the insurance that covers the risks that [they] think are the most prevalent.”
Promislow saic it can come as a big surprise to companies when they find out that their insurance doesn’t actually cover them for the specific situation they’re facing.
“There’s no such thing as coverage for all things cyber,” she said.
When it comes to actually reporting a claim to the insurance company, it’s important to know the difference between a breach, an event and an incident, said Queen's University’s information security officer Denise Ernst.
“Particularly in a large organization, there is every day and every hour . . . events that are happening,” she said.
Ernst said companies don’t want to always be on the phone with their insurance companies.
“Disclosure and transparency is extremely important, but we have to keep in mind how much do you want to know, how often do you want to know it and having that knowledge what does it do . . . to the insurance,” Ernst said.
Catherine Hagerman, manager of insurance and risk management at Queen’s University, said it’s important for companies to really consider what they report to the insurance company after a breach.
“Sometimes, people jump and say I better advise my insurer right now [that] we’ve had a breach, but you want to be careful that the timing of this is right as well because, once you start notifying, you have to notify everyone,” she said. “You need to really understand the breach itself, how far-reaching it is, how critical it is, so that you can make sure that when you are advising, you are advising correctly and then you just proceed from there.”