No one wants to see their client make a claim; but, when the worst happens, it is reassuring to know you have the right team in place to handle the fallout.

The right incident response team is key to recovery after a cyber breach.

As well as making financial payouts following a data breach or other cyber incident, cyber insurance cover also provides additional services and support from the insurer.

As such, the effectiveness of any incident response service provided as part of the insurance policy is important for a broker to understand, as it not only helps the customer get back to business-as-usual quicker, it can also reduce the overall claims costs of an incident – and even help reduce the likelihood of a claim occurring in the first place.

SMEs require different treatment

When considering the pros and cons of the different incident response services available with a policy it is important to understand the type of business you are arranging cover for.

Tom Spier, director of international business development at CyberScout, says brokers therefore need to understand that SMEs are a very different beast to the large corporate organisations that incident response teams were first created for.

“On the surface of it, people need to look at a policy that is geared towards small and medium sized businesses in a slightly different way than they would for large corporates,” he says. “One of the problems with the mentality towards cyber insurance in the industry is that people are still looking at when the product first emerged in the early 2000s when the London Market started looking at large corporate risks and enormous tech companies.

“Those first policies built their response programmes with the assumption that that was the type of company they were servicing, and that has led to a mentality that your first port of call in a cyber incident should be either a lawyer or an IT consultant.”

Spier continues by saying that while a technical or legal response to a data breach is often essential, it should not be the main focus when choosing which incident response service is best for your client.

“Both legal and technical services are incredibly important in the value chain for insurance policies, but they are not essential in every incident and they are very expensive with big hourly fees,” he says. “That is why a market has emerged to service products with incident response specialists who really specialise in project management.

“Incident response management needs to be about managing the project as a whole and bringing the right people in to play at the right time in the right circumstances with the right brief and the intention to control costs for the insurer and give a joined up response for the policyholder.”

Find a one-stop-shop

Despite the industry having talked about cyber threats not being solely an IT issue for a number of years, many companies still believe that having the right technical support in place can effectively manage any cyber crisis. However, PwC cyber threat detection and response director Ollie Smith says that such an approach can be costly in the long-run, both for the business and the insurer.

“If you fall into the trap of viewing a breach response as a technical issue, then the chances are it could end up costing a lot more in the long run, and many organisations fall into that trap,” he says. “Properly handling a breach response requires a good understanding of the organisation and an integrated approach where you act as a one-stop-shop across all the verticals.

“Responding to an incident is not just about the costs of the technical response, there are also additional costs to the business [and its ongoing operations], so if you have conversations about managing those early on and have the right support in place, you are likely to position yourself that much better.”

“[For example,] response teams are important in reducing reputational damage following a breach as part of a holistic approach [to managing the process],” Smith adds. “For an effective response team, you need to have a holistic approach - you can’t just deal with the core issues separately.

“You need to make sure any incident response team has the ability to provide all the necessary components for responding to a breach.”

Spier agrees, and says that finding a cyber incident response team with the required knowledge, including any relevant industry accreditations, and a number of experienced, in-house experts is an important part of providing clients with adequate and effective cyber protection.

“The key [to an effective incident response team] is having people who know the industry, know the risks, are experienced and are able to effectively project manage,” he says. “That means you can bring all the different elements and components in to play as and when they are needed, whether that be IT consultants, IT forensic experts, forensic accountants, lawyers, or whoever it may be.

“There is also a bonus to engaging a company that can do a lot of the ancillary services, so it is great if you can find a company that can project manage a response to an incident and also do something such as IT forensics, manage PR or contact and respond to affected customers.”

“That has the added benefit down the line that if you do have any third party actions against you, you have continuity of evidence and the security that everything has been recorded, written down and documented properly and you know exactly where it is held,” he adds.

And with today’s global marketplace meaning even the smallest of companies can have overseas clients and cyber risk exposures, it is equally important that any response team has the ability to operate anywhere across the globe should a cyber incident occur.

Spier says: “In today’s climate of e-commerce, there are a huge proportion of businesses, even at the smaller end of the market, that have customers or exposure to a number of countries and jurisdictions, and that is difficult to manage for incident response companies who only operate within one area or jurisdiction.

“A lot of the time, businesses say they can manage breach responses, but it is not their area of expertise, and that can end up having a negative impact on claims costs as well as customer satisfaction.”

Have the experts on speed-dial

Speed is critical when responding to a data breach or other cyber incident, and with the number of days before a breach is detected rising to 206 in 2017, according to a US study by the Ponemon Institute, reacting quickly is more important than ever before.

PwC’s Smith, however, says it is even more critical to have the right type of response, and that can only be achieved by doing your homework before a breach has occurred.

“It is always important to respond quickly following a breach, but there is often a disconnect between responding quickly and responding effectively to a situation,” he says. “If you have already gone through the process of understanding the organisation, their structure and their processes [before a breach has occurred], then a fast response with that information will be a lot better than a quick response without that information.

“Incident response teams are vital in the early stages [of a breach] when we have what you call the first responders providing the response. A lot can go wrong, and there is a lot you can get wrong, and in a lot of cases you don’t get a second chance, so having a knowledgeable and prepared external team to provide that immediate advice is critical.”

Ultimately, however, it is always best if the need for a claim can be avoided altogether.

“Pre-incident support is vitally important - prevention is always better than cure,” CyberScout’s Spier says. “There is almost always some sort of risk management built in to cyber insurance protection. We offer an online platform that actively engages the end customer with educational material, and almost forces their participation in reading educational content and completing assessments.

“We also have a consultancy arm that can create an incident response plan, and there are many options available for that in the market. For SMEs, these are normally delivered in the form of an online learning management system, but getting customers to actively engage in that content is vitally important.”