Aug. 9, 2017
By Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP
With cyberattacks increasing in both number and severity, insurance companies – like all businesses – must be prepared to respond promptly and effectively when an information security breach occurs.
Developing and implementing an effective cyberattack response capability is not just the concern of IT managers and their departments. The responsibility for monitoring and mitigating cybersecurity risk starts at the very top of the organization and is shared by all levels of management and employees. Cybersecurity is everyone’s concern, and everyone throughout the organization has a role to play in being prepared to respond when the inevitable attack occurs.
If, When, and How Long?
Virtually every credible cybersecurity resource agrees: Data breaches are increasing, both in number and severity. For example, the Identity Theft Resource Center (ITRC), a not-for-profit fraud and identity theft educational organization, recently reported that the number of data breaches during the first half of 2017 was running nearly 29 percent ahead of the pace recorded in 2016 – from January 2017 through June 2017, more than 10 million records were exposed.
The long-term view is even more disturbing. The ITRC estimates that nearly 900 million individual records have been exposed since the organization began tracking data breaches in 2005.1
Cybersecurity professionals long have warned businesses that it’s not a matter of if a breach will occur but when. Given the accelerating pace of attacks and the pervasive nature of attackers, businesses today should add another element to that formulation: In addition to when, they must also be concerned with how long a breach might continue.
It is common for attackers to break into business networks and remain undetected before the breach is discovered. During this time, intruders can gather intelligence, escalate their access, or extract data from the network. If the breach is not discovered early, it often can take time before the damage is contained and the system once again is secured.
The goal of an insurance company’s cyber response efforts must be to reduce both the discovery and containment times from a matter of months to a matter of minutes. Improving detection capabilities and breach investigations can help limit organizational damage, stop further exposure, and allow the organization to resume normal operations more quickly.
Industry Preparedness – Opportunities for Improvement
Recent experience suggests the insurance industry generally is taking the threat of data breaches and cyber incidents seriously. Yet despite the attention these threats receive, a number of opportunities for improvement still remain.
For example, in a recent Crowe webinar, a group of more than 100 insurance company executives were asked about the formation of cyber incident response teams in their organizations. Ninety percent of the participants reported that they have such a team in place, and 70 percent said their teams were formalized. Yet when asked about specific elements of their cyber incident response plans, the results were less clear-cut.
Because training and testing are particularly important elements of cyber incident response planning, the webinar participants were asked how often their companies tested their cyber incident response plans and what methods they used. While a majority of participants reported they test their plans annually using either tabletop exercises or actual scenario-based testing, almost four out of 10 (39 percent) reported they have not tested their plans within the past year or longer, have never tested their plans, or worse, have no plans at all. These responses suggest that, while a majority of the participating insurance companies are working to prepare for an effective response to a cybersecurity attack or breach, there is still considerable opportunity for improvement among a very sizable segment of the industry.
Asking the Right Questions
Given the volume, sophistication, and variety of potential attacks, management can be easily overwhelmed by the challenge of deciding where to begin. The inherently technical nature of cybersecurity preparedness also can cause board members, executives, and managers to relinquish oversight responsibility to the IT team.
One way to overcome this tendency is by learning to ask the right questions about cybersecurity preparedness. The Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors Research Foundation (IIARF) recently published a joint report, “Cybersecurity: What the Board of Directors Needs to Ask,” which offers specific guidance to board members about how they can more effectively monitor and influence cybersecurity policies and practices.2
Building on the guidance in the ISACA and IIARF report, board members and senior executives should develop their own broader understanding of critical cybersecurity questions, beginning with some basic questions, such as:
- What are our organization’s top-five cybersecurity risks? What are we worried about protecting?
- Do our employees understand their individual roles and contributions to our cybersecurity posture? How are they made aware of their roles?
- How do we identify a breach or other incident? Do we do so via self-identification, or do we engage with vendors, customers, or other third parties?
- When a cybersecurity incident occurs, how are we going to respond?
- Do we use a specific security framework? How was the framework selected? How often is it reviewed?
- How is cybersecurity oversight managed?
- Have we already been breached? Do we recognize indicators of compromise?
Obviously, this list is by no means exhaustive or all-inclusive, but paying attention to basics such as these can be an important first step in preparing or upgrading an organization’s cyber incident response capabilities.
Establishing a Cybersecurity Framework
In addition to board-level guidance such as that offered by ISACA and IIARF, numerous other private and government organizations provide resources to help management teams prepare to respond to cybersecurity incidents. Some of the most widely used resources are published by the National Institute of Standards and Technology (NIST), which has produced a series of publications offering information security guidelines, recommendations, and reference materials.
One of these publications – NIST Special Publication 800-61, “Computer Security Incident Handling Guide” – is particularly relevant to incident response.3 It organizes the massive number of questions, procedures, and guidelines for cybersecurity preparedness and response into four categories, which correspond to the four phases of the incident response life cycle:
- Preparation. Initial steps include defining what constitutes an incident and spelling out what type of events would trigger the use of an incident response plan. Identifying potential incidents also can help make threats more tangible. Other preparatory steps include identifying indicators of compromise, establishing notification and escalation procedures, and identifying and preparing all those who will be involved in incident response. Effective preparation involves coordinating among numerous participants, including internal sponsors and response team members and external stakeholders, such as law enforcement, insurance providers, software suppliers, regulatory agencies, and customers.
- Detection and analysis. It is important to establish minimum investigation standards related to documentation, evidence handling and preservation, and communication with both external and internal audiences during the course of an incident response. In addition to complying with all relevant standards, those responsible also should validate that the organization maintains a current and accurate inventory of all critical data, and that necessary logging, monitoring, and alerting software and patches are up to date.
- Containment, eradication, and recovery. When data security is compromised, the immediate goal is to prevent damage from spreading and to keep data theft or losses from continuing. In addition to identifying the cause of the incident, a key component of this process is determining whether system configurations or other processes should be changed to help prevent further incidents. Regular, ongoing testing also is necessary in order to verify that data recovery and restoration processes are functioning as designed and that reconfigured systems and procedures are performing as expected.
- Post-incident activity. In the wake of an incident, a host of questions need to be addressed. In addition to the obvious questions – such as what was affected, how the breach occurred, and who was responsible – other important issues include determining if the incident was an isolated event or part of a larger, more ominous threat; which protective tools and controls need to be strengthened; what additional end-user training is necessary; and what can be done differently the next time a similar incident occurs.
First Steps: Laying the Foundation for an Effective Program
As mentioned previously, the preparatory phase of the NIST framework is particularly critical to the overall effectiveness of an incident response program. Doing it right provides a solid foundation for the phases that follow. Management teams should pay particular attention to several broad components of the preparatory phase, including:
- Documentation. Document in detail the planned reaction, identification, and notification procedures; the roles and responsibilities of incident response team participants; and the communication protocols to be followed when an incident occurs.
- Sources, technology, vendors. Identify sources of information, available tools for detecting and responding to a breach, and available external sources of assistance and expertise.
- Hands-on practice and education. Perform penetration testing, tabletop exercises, scenario-based testing, and other exercises to identify whether adjustments are necessary before updating the system. Such tests also can point out where additional training and communication are needed.
The interrelationships of these elements are illustrated in Exhibit 2.
Source: Crowe analysis
As the number of data breaches continues to increase, and as cyberattackers become more sophisticated and aggressive, these essential preparatory elements will become even more important. As they accelerate their efforts to develop and enhance their cyber incident response capabilities, insurance company boards, executives, and managers will need to reinforce and build on the foundation provided by these components.
1 Identity Theft Resouce Center, July 18, 2017, http://www.idtheftcenter.org/Press-Releases/2017-mid-year-data-breach-report-press-release
2 The joint ISACA and IIARF report can be downloaded at https://bookstore.theiia.org/cybersecurity-what-the-board-of-directors-needs-to-ask
3 The NIST guide can be downloaded at https://www.nist.gov/publications/computer-security-incident-handling-guide