CHAPTER 2
Fail to Plan or Plan to Fail: Cyber Disruption Response Plans and Cyber Insurance

Intellectuals solve problems, geniuses prevent them.

—Albert Einstein

Could it be time to start over with a blank sheet of paper?

When was the last time your organization performed a comprehensive, top-to-bottom examination of its cybersecurity program? This assessment includes cyber protections, framework(s), processes used, tools used, standards used, threat intelligence capabilities, cyber incident response capabilities, budget, legal aspects, emergency management procedures, contracts, network architecture, protections in place, cyber insurance, cyber playbooks, penetration tests, internal and external partnerships, staffing (skillsets and vacancy levels), training, and more.

Perhaps a data breach (or other security incident) prompted this review, or auditors have highlighted significant material weaknesses. In some cases, a new executive leader demands changes, upgrades, or a new way of thinking.

The reality is that, regardless of the reason(s), every organization needs to consider such a cyber review on a regular basis. The dramatic changes faced by all organizations, including new technology paradigms, evolving cyberthreats, increasing customer expectations for digital transformation, and radical shifts caused by major events like the COVID-19 pandemic, demand a fresh look at cybersecurity at least as often as you upgrade critical technology infrastructure.

But how do we do this? What about your legacy environment? Consider the following case study.

THE MAKING OF THE MICHIGAN CYBER INITIATIVE

It was time to reinvent the cybersecurity program – again.

What was about to be implemented would become best practices (and later versions would become standard practices) for numerous state and local government cybersecurity programs, incident response plans, government playbooks, public–private partnerships, cyber disruption response strategies, statewide tabletop exercises, and much more in governments around the globe.

In fact, the Michigan Cyber Range,¹ the Michigan Cyber Disruption Response Strategy of 2013,² the more detailed Michigan Cyber Disruption Response Plan of 2015,³ the Michigan Cyber Civilian Corps,⁴ the North American International Cyber Summit series,⁵ and other cybersecurity programs launched as part of the Michigan Cyber Initiative have been studied,⁶ emulated, repeated, built upon, and become a leading model for numerous government efforts and standard approaches to cybersecurity governance.⁷

Michigan had previously won awards, received global recognition, and established the national standard for state and local governments to emulate for information security management in the mid-2000s. Its teams partnered extensively with the best and the brightest in the private sector and the U.S. Department of Homeland Security (DHS) on cyber solutions.

But life moved on, and so did many of the experts and leadership team members.

After serving as Michigan's first CISO from May 2002 until January 2009, Dan moved on to become Michigan's chief technology officer over all technology infrastructure, including data centers, help desks, network management, desktop and mobile support, cloud services, system administration, and much more. This enterprise-wide deputy director of infrastructure role supported the state's 10 million citizens and over 50,000 state employees and contractors. The CTO managed over 750 state employees as well as several hundred contract staff, with an annual budget of more than $200 million.

But when Rick Snyder, the former CEO of Gateway Computers, became Michigan's governor in January 2011, a new opportunity arose. Dan turned down several private sector job offers and a chance to become the U.S. Department of Defense (DoD) CISO in order to lead Michigan's development of a comprehensive new security program overseeing physical and cybersecurity in government. He wore many hats in this new role, including managing statewide cyber coordination efforts that cut across public and private sectors.

Governor Snyder's cyber vision included vastly improving overall state toolsets and capabilities, educating the masses, university research, economic development with tech companies, new involvement with the National Guard, a new state police emergency coordination and fusion center that incorporated cyber, P-20 cyber programs, federal law enforcement involvement in programs, new grants, and much more. Michigan would also lead these cybersecurity efforts within the National Governors Association (NGA), and the governor was recognized as cutting-edge regarding cybersecurity advancements globally.

While still formally functioning as Michigan CTO in the spring and summer of 2011, Dan spent the vast majority of his time (including nights and weekends) working on this “secret” security project with intense urgency. With the full support of the governor and Michigan CIO David Behen, he brought together a diverse group of technology, security, and business experts across multiple sectors in Michigan to create and lead what became known as the Michigan Cyber Initiative.⁸

The in-person meetings started with a series of workshops and vision sessions with top experts from academia, government, leading companies, and more. These sessions would later continue in what were called “Kitchen Cabinet”⁹ meetings, with CIOs (and later as a separate meeting with public/private CISOs) from across the state meeting monthly on action items.

While many of the elements of the Michigan Cyber Initiative fall beyond the scope of this book, it is essential to understand that a robust incident response capability was a core deliverable. Here is a brief excerpt from that initial document's executive summary:

Elements of Michigan's Cyber Threat Response – … cyberattacks pose a real and serious hazard to our safety and security. Both situations can result in long-term implications that are costly and often produce irreversible damage. Therefore, Michigan is approaching cybersecurity with the same level of commitment when preparing for and responding to threats to the natural environment:

Prevention – taking steps to keep an event from happening

Early Detection and Rapid Response – discovering an attack in its early stages and responding to minimize the consequences

Control, Management, and Restoration – taking appropriate steps to minimize and contain the effects of an event and return to normal operations

Through continued research, education, and collaboration in these areas, the state of Michigan will positively leverage its people, businesses, and technology expertise to deter and prevent attacks against our digital infrastructure. With proper execution, each of these elements will secure our cyber ecosystem, enhance Michigan's leadership in this critical 21st-century arena and provide new economic development opportunities in our state. …

Beyond the creation of the initial strategy, many other steps were essential to the immense success of the Michigan Cyber Initiative. One element was the very public backing of top leadership – in this case, the governor, who led the 2011 Michigan Cyber Summit.¹⁰ This summit was the biggest event of its kind to that point; Michigan's congressional delegation, federal government leaders, and top private sector tech companies (such as Facebook, Microsoft, Google, Symantec, AT&T, Comcast, Unisys, and IBM) were speakers.

Why was that initial cyber summit so important? Because the executive leadership in state government and in the private sector, as well as federal partners, knew (and heard firsthand) that the cyber strategy was a top priority that required their attention and actions, and they agreed to be held accountable for their specific deliverables that were planned with dates assigned.

That event set the stage for what was to come. DHS Secretary Janet Napolitano provided the keynote; the importance of cyber issues had finally grown to the point that this was the first time that a DHS secretary discussed cybersecurity outside the Capitol Beltway.¹¹

Governor Snyder quickly raised the bar: “If people walk away tomorrow saying that we had a nice conference with good speakers, we will have failed. We need everyone walking away saying that it is time to act now on cyber – whatever their role.”¹²

CONFRONTING CYBER EMERGENCIES: THE MICHIGAN CYBER DISRUPTION RESPONSE PLAN

The CSO “Kitchen Cabinet” was a group of leading government and private sector CISOs from around the state of Michigan who met monthly to share cyber best practices, strategies, and tactical plans. Beyond peer networking, the top cybersecurity leaders from their organizations voted on the priorities for statewide issues that needed to be addressed for the benefit of all.

The group worked together to establish structured documents on a variety of topics, including information sharing regarding cyberthreats, action plans, and joint attention to critical gaps in capability. Note that the individual organizations developed and confidentially shared their internal cyber incident response policies, standards, and plans for day-to-day escalation of cyber incidents. The need was identified to address a cyber emergency with statewide impact, assuming that Governor Snyder declared a formal emergency via an executive order or directive.

In partnership with the private sector companies that owned and operated Michigan's critical infrastructure, the first Michigan Cyber Disruption Response Strategy mapped out a clear communication strategy and the necessary actions following a major cyber incident in the state.¹³ This document was studied by FEMA and other states, and a later version became a best practice for all 50 states.¹⁴

In 2016, the National Association of State CIOs (NASCIO) published a Cyber Disruption Response Planning Guide¹⁵ that offered:

• A call to action for states to develop state cyber disruption response plans that include: a governance structure that clearly designates who is in charge in a given event or phase of an event; development of a risk profile for state assets; collaboration among the various agencies that have cyber responsibility; and a communication plan to ensure that the right people have the right information as early as possible so they can respond effectively.
• A checklist for states to work with in developing progress toward a cyber disruption response operating discipline.
• A cross-functional process description that can be used as a starting point for states to develop their own unique cross-functional process for orchestrated planning and response at various threat levels.

Some of the key questions and decision points in the checklist include:

• Establish decision points mapped to the lifecycle of an event, including determining threat level, action plans, and resource allocation.
• How do we classify an event and its severity?
• What are the critical decision points for each classification?
• How are decision points staged, coordinated, and/or integrated
• How is information shared, tracked, and managed?
• Who is responsible for escalating or de-escalating a cyber event?
• Who has lead responsibility at each point?
• Who has supportive responsibility at each point?
• Who is responsible for after action, evaluation, reports, and improvements?
• Who is involved in cyber disruption planning, and have they been consulted and included?

Outline the responsible party(ies) from, and any decision rights for, the following entities:

Office of the Governor

State CIOs office and CISO

Homeland Security

Emergency Management Agencies

Public Safety, incl. State Police

Fusion Centers

National Guard

Other State Agencies/Health, Transportation, Education, Regional Partners (other states, tribes, nations, and territories)

Utilities, Private Sector, Industry and Service Providers (e.g., Health)

Intergovernmental Agencies (federal and local)

Other ________________________

These state cyber emergency response documents evolved over time. In mid-2019, the National Governors Association published an issue briefing covering State Cyber Disruption Response Plans.¹⁶ Topics covered included:

• State Cybersecurity and Response Planning
• State Cyber Disruption Response Plans
• The National Cyber Incident Response Plan
• Recommendations for Creating a State Cyber Disruption Response Plan
  • State Cyber Response Plans and the Emergency Operations Plan
  • Threat Schemas and Plan Activation
  • Lead and Supporting Agencies
  • Roles and Responsibilities
  • Cyber UCG and Cybersecurity Response Teams
• Appendix (With Table Showing Public Plans in States and Where the State Plan Resides)

U.S. FEDERAL GOVERNMENT GUIDANCE ON SECURITY INCIDENT HANDLING

At the federal level, the National Institute of Standards and Technology (NIST) has released several important standards and documents. To start, NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide was last released in 2012.¹⁷ The Guide starts with this abstract:

Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

An organization's cybersecurity incident management process is a part of the organization's business, technology, and cyber program that includes other components included in the Michigan Cyber Initiative, such as training, threat intelligence, and the Michigan Cyber Disruption Response Plan. An organization's strategic and tactical plans must address many types of business risk, and cyber risk is just one aspect to consider.

The internationally recognized guidance contained in the Cybersecurity Framework,¹⁸ or CSF, offers five core components (Figure 2.1): identify, protect, detect, respond, and recover (other frameworks use other labels). Note: The NIST CSF is a subset of NIST 800-53 and also shares controls found in ISO 27002. The NIST CSF takes parts of ISO 27002 and parts of NIST 800-53, but is not inclusive of both.

FIGURE 2.1 Five Core Functions of NIST Cybersecurity Framework

Source: “The Five Functions,” NIST, https://www.nist.gov/cyberframework/online-learning/five-functions.

There are differences in opinion about whether NIST or SANS offers the best incident response framework. A helpful article from ATT offers a comparison guide between the two approaches.¹⁹

While there are many different names used to describe an organization's internal incident response plan, every plan must establish the incident response policies and procedures to ensure that an organization can effectively address computer security incidents that may have compromised sensitive and/or personally identifiable information (PII), or have a serious impact on an organization's ability to accomplish its missions.

An incident response plan also specifies the organizational methods for preparation, detection, analysis, eradication, and containment of an incident. The plan describes, in detail, the actions that an incident response team will take upon notification of an incident that could represent, but is not limited to, unauthorized access, alteration or compromise, denial of service (DoS), malicious code, or misuse.

The following laws and regulations are applicable to incident planning:

• State-specific data breach reporting laws as listed by the National Conference of State Legislatures (NCSL)²⁰
• Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347]
• Management of Federal Information Resources [OMB Circular A-130]
• Records Management by Federal Agencies [44 USC 31]
• Safeguarding Against and Responding to the Breach of Personally Identifiable Information [OMB Memo M-07-16]

The Resources section at the end of the book offers additional standards and guidance that are useful for understanding incident planning, in addition to NIST Special Publication 800-61 Revision 2, mentioned earlier.

Many organizations cover incident response under the wider umbrella of emergency management planning, and take what is known as an “all hazards” approach to emergency response. For example, regardless of what caused an incident like a power outage or the contamination of a water supply, the response processes would be similar. Of course, the root cause analysis would be different for a cyberattack and a thunderstorm.

POSITIVE SECURITY AND RISK MANAGEMENT FOR INTERNATIONAL ORGANIZATIONS

First released in 2005, ISO/IEC 27001 is an internationally recognized standard that sets out the specification for an information security management system (ISMS). ISO/IEC 27001:2013 is the most current version of the standard and incorporates changes made in 2017. The standard contains a set of best practices to enable organizations to implement an effective risk management system and strategize their security investments.

An increasing number of private and public sector organizations in Australia and the Association of Southeast Asian Nations (ASEAN) now insist that their suppliers and contractors demonstrate effective management of information security in compliance with ISO/IEC 27001. Privasec (a Sekuro company) has observed that positive security and risk management outcomes are a driver for companies determined to demonstrate their commitment to security.

Romain Rallu, CEO of cybersecurity consulting firm Privasec, explains, “By establishing a security roadmap with ownership amongst the founders and senior leadership for a company-wide focus on security, implementing security as a culture and baking it into operations has helped many businesses scale and increase enterprise market credibility.”

As one of the fastest-growing independent governance, risk, and compliance security consulting firms in the region, Privasec has partnered with large and medium-size organizations across industries. Out of the many success stories, Romain shared a key case study of a multinational company that Privasec brought through the ISMS journey:

“With close to 10,000 staff located in more than 200 offices, the company was made of diverse lines of businesses across 20 countries, some organic and some through acquisition. We had to engage stakeholders worldwide. This required us to build a comprehensive plan, leverage the unique diversity of our team to engage using different languages in nearly all time zones. We also had to build a program of work which allowed flexibility to cater for constant operations changes, inherent to a company of this size with a global footprint. Finally, we had to work closely with the certification body and their audit team to plan, facilitate and guide audits in all regions.”

Despite the seemingly large magnitude of the task, Romain commented on the impact of this far-reaching program: “This gave our client a unique opportunity to capitalize on the momentum to grow a network of security champions which enabled them to identify and respond to security events faster and in a more coordinated manner. This ensures continuity of operations and unified communications, which is paramount.

“With the continuous news of security incidents, people judge organizations more on their response to an incident than on having the incident,” he elaborates. “Your market, as well as many regulators, can forgive an incident but won't forgive a poor or disjointed response.”

This multinational company was positioned as an early adopter of security in their industry, which gave, and continues to give, them an edge when pitching for work. It also raised the awareness of domestic executives and allowed the company to start “baking in” security in their culture, the same way quality and occupational health and safety were, thus not only improving their response to incidents but their resilience as well.

Ang Leong Boon, Head of IT Security at the National University of Singapore (NUS), known for their academic programs ranked among the top globally, sat down with Shamane in her Mega C-Suite Stories podcast recording and walked through key milestones of their security journey.

“Let me go back in time, to more than 10 years back when cybersecurity wasn't a thing globally. Back then, it was more of reacting to various incidents that might occur in an organization. For example, you might have a malware infection that could lead to a worm spreading through your network, which would require immediate response. That was when NUS formed our Computer Emergency Response Team (CERT); we were one of Singapore's first CERTs.²¹ As the name suggests, the main task was to perform incident response. In a university especially, there are many incidents where we would need to handle, whether it's internally, perhaps from mischievous students, or external hackers trying to breach our network.

“With that as the foundation, it created a technically strong team as I believe that the best way to learn about cybersecurity is through experiencing and handling real world attacks. The main reason the team has remained very competent is because of our contact with various kinds of incidents that we've handled. Quite a number of our team members right now, including myself, started out doing incident response, and now branched out to other areas of work, which includes looking at detection and prevention in a timely manner.”

Leong Boon revealed that a major cyber incident years ago triggered a positive change in the way the university has executed their cybersecurity strategy since then. “We were one of the first to do our own phishing drills, as early as 2013, before these phishing drill platforms became popular. We have always been investing a lot in security awareness training, but I would say that the incident actually created a culture change across our entire organization.”

In 2017, NUS, along with other local universities, suffered from one of the largest security breaches in Singapore as a result of a bid to steal government and research data. “Of course, this was overshadowed by the 2018 SingHealth data breach, but it was the biggest-ever attack the University suffered from. This was the work of a sophisticated nation-state threat actor.” Leong Boon continued, “Through that one incident, everyone realized what it was like to fight a real battle out there. It was the first time we had a full-blown war room. We lived and ate in that room for two weeks or more. It was also the first time our different colleagues in IT sat with us together in that room, to investigate, find root causes, to resolve issues. Through that, it was an experience all of them remembered, and one that probably no one wants to relive.”

CHANGES IN THE PLANNING APPROACH POST-INCIDENT

Leong Boon explained the security growth of the university since the incident: “Since then, we've put in many more controls because we've experienced firsthand what it was like to be attacked and breached by an attacker of such sophistication. Much effort was dedicated into acquiring capabilities for us to detect threats in a timely fashion. Comparing and contrasting to previously where we were doing mostly incident response, which is more of a reaction (because we are reacting to an incident only after it has happened, or only after they have been reported), we are now moving to a more proactive or even predictive approach, where we use various technologies to help us detect these threats before they escalate.

“Part of what we are focusing on right now is to leverage cyber threat intelligence to provide us with an added layer of visibility of who might be attacking us, and different kinds of tactics, techniques and procedures (TTPs) they could be using.”

He also commented on the difference it makes when there is a connection between the different functions and security within the organization, “Many times, we see that there is a disconnect between different IT functions when it comes to cybersecurity. For example, for our infrastructure colleagues, they would be most concerned with availability. … However, through the incident, where we were all in the same war room together, we have realized that our colleagues now also view security as a very important aspect, and they have started to see security through our lens.”

On the changes in the other IT function approaches, Leong Boon added, “They have started to integrate security as part of their project implementation, starting right from the planning and foundation stage. This is something that I feel would only have been possible if you were part of that experience of being in that war room, and you would not want to relive that. And how would you not want to relive that? That is to get all of your systems secured right from the start, and even then, as an ongoing process, you would want to keep your systems constantly patched.”

The key is that security is no longer an afterthought, but something the team actively considers right from the get-go, as they know the situation they want to avoid. “The incident ended up being a very powerful lesson that created a lot of positivity in the organization.”

The Cyber Security Agency of Singapore (CSA) offers a helpful incident response checklist structured around the IPDRR (Identify, Protect, Detect, Response, Recover) framework as part of their GOsafeonline awareness campaign.²² Once response plans are written, the important tasks of training staff and testing the plan via tabletop exercises must be addressed. These topics are covered further in Chapter 3.

THE WISCONSIN GOVERNMENT APPROACH TO CYBERSECURITY INCIDENT RESPONSE

To offer a different perspective on this important topic of planning for, and responding to, cyber incidents, we turned to Bill Nash, a respected government CISO who was involved in numerous security incidents. Bill was the CISO for the State of Wisconsin from June 2013 until February 2021.

At the state government level, Wisconsin has centralized IT infrastructure operations while agencies manage endpoints and applications. In addition, Wisconsin is a Home Rule State, which from the cyber perspective means that IT is managed locally, and local law enforcement has jurisdiction for the community's cybercrimes.

Within the Wisconsin public sector, there are more than 60 state agencies, commissions, and attached boards; 72 counties; 1,950 municipalities; 11 American Indian nations and tribal communities; 444 school districts; 16 public technical colleges; 31 public colleges and universities; 81 municipal electric utilities; 575 drinking water utilities; 1 gas utility, and 600 wastewater utilities that all need to be aware and prepared for a cyberattack.

Keeping the public sector in Wisconsin secure was going to require collaboration with all levels of government. Shortly after Bill was hired as the State's CISO, the Wisconsin leadership team took a trip over the lake to meet with the Michigan technology and security teams to discuss the Michigan Cyber Civilian Corp.

Bill elaborated on setting up their program: “We also shared our plans for Wisconsin to get the Michigan team's input. This led to the Wisconsin Cyber Responses Teams (CRTs) that were started in 2015 with $50,000 of Homeland Security Grant funding with the goal to recruit and train local government IT staff to respond to cyber incidents. The concept was based on the Federal Emergency Management Agency's (FEMA) draft pre-decisional “National Incident Management System (NIMS) Resource Management for Cybersecurity” model, and the goal was to have 3 teams of 10 volunteer cybersecurity personnel aligned to Wisconsin Emergency Management regions.

“The grant funding continued to grow each year and still provides reimbursement for the training classes, covers lodging for exercises, and provides incident response equipment for Cyber-Response Team (CRT) members. The CRT member's employer is responsible for covering their CRT member's salary, benefits, and other expenses while participating in CRT activities. CRT participation benefits the member's organization by providing training and experience to their employee that helps to better secure their organization.

“The CRT program is a whole community approach to provide training, experience, share intelligence, and provide cyber assistance (like mutual aid) to Wisconsin's public sector organizations in a cyber incident. In addition to individual and group cyber training classes, the CRT members participate in one to two exercises per year that include the Wisconsin National Guard cyber team, the Wisconsin Statewide Intelligence Center/Fusion Center cyber analysts and private sector CIKR members. These exercises validate cyber response plans and procedures for the deployment of WI cyber resources in response to a cyber incident.

“There are currently 78 CRT members, representing counties, cities, towns, villages, tribal communities, K–12 schools, and technical colleges. Even though the CRT capability is still being developed, CRT team members have already responded to over 35 Wisconsin local government cyber incidents either onsite with a team or provided guidance via phone since inception. In addition to the CRT responding to incidents, they also analyze threats, and exchange critical cybersecurity information with trusted state and federal partners. On the prevention side, the CRT has assisted local units of government with vulnerability assessments, best practice recommendations, and cyber security awareness activities.

“We also offer full-scale, inter-team, cyber-response exercises training for these key organizations.

“The teams are not intended to compete with private sector resources but are there to support local government organizations in Wisconsin in mitigating, responding to, and recovering from a significant cyber incident, in which private sector resources are not available.”

A PRIVATE SECTOR PERSPECTIVE ON COMPUTER SECURITY INCIDENT RESPONSE

Mike Davis is the current CISO at ExactlyIT Inc., a digital transformation company. He began his career in the U.S. military, served as Director of IT Security (functioning CISO) for the American Bureau of Shipping (ABS) and was the CISO for alliantgroup.

Here are Mike's top recommendations and his overall perspectives on building a cyber incident response program:

“There is never any substitute for being well prepared ahead of time. We must have an actionable Computer Security Incident Response (CSIR) Plan in place and well-practiced.

“I always start with NIST (and this is an overall reference):

• NIST SP 800-61r2 (as mentioned in our earlier government section), followed by
• CREST Cyber Security Incident Response Guide;²³ and
• Cynet Incident Response Plan Templates (six to choose from/templates too)²⁴

“For cyber security incidents and emergencies, the essence of the CSIR plan should be twofold:

1. Rapid identification and containment of the incident; those immediate actions that are critical to have harmonized between OPS/IT, Security and your SOC/MDR, and
2. Sample messaging for initial notification of a service disruption and follow-on details of the incident for the media group.

“The rest of the CSIR plan should have supporting details on other processes (forensics, restoration, etc.), whereas they are not as time critical as stopping the attack. The immediate actions need to be practiced frequently – recommend every clearly unusual computer event be treated as a potential incident as a practice session, at least between OPS/IT and security. This also exercises the communications and coordination processes between them and the SOC/MDR team. It's all too easy for too many players to pile on and offer suggestions (especially managers), while the immediate actions get delayed.

“Playbooks are essential, as no one has the CSIR plan ready at all times, and even then, there is a lot of added material for the steps after containment that can be followed using the actual plan. Immediate actions for all parts of the team need to be created (again, especially OPS, SEC, SOC/MDR with something shorter for management to follow, and also the messaging group: media, legal, CISO, etc.). Playbooks need to be always accessible, and so digitally stored where all the players can access them, including the service desk.

“Recommend a digital war room be established, with rooms for the action team, management, and the media group, where the CSIR on-scene leader keeps the three aligned. Always best to have the event status messages in one spot as well … with various versions for employees, clients, and external. Then all messages are sent using various mediums using a link to those messages, which can be updated and also have stricter access control. In addition, it's harder to send the information to others (like social media) and so that the messages are structured and continue.

“Always have a non-email communications process as well, since compromise[d] accounts can monitor the email traffic and know your status, next moves.

“In the communications section of the CSIR plan, address all the potential contacts and when they are notified and by whom. This includes law enforcement, outside counsel, and your cyber insurance agent, to name a few. Address if/when you would consider paying the ransom, and even then, do that only through your cyber insurance agent. In the CSIR comms section, make it clear that only legal ever calls a data event/incident a “breach” – as the reporting clock starts then, and attorney/client privilege is invoked and communications can then be considered as exculpatory evidence… .”

INCIDENT RESPONSE AND CYBER INSURANCE

More and more public and private sector organizations are purchasing cyber insurance that covers them should a costly incident occur. While there are many great resources that describe the pros and cons of purchasing cyber insurance,²⁵ it must be stressed that having cyber insurance does not relieve an organization from responsibilities of due diligence in protecting sensitive information. These duties include a robust incident response program and repeatable processes being implemented by well-trained incident response teams.

On the contrary, cyber insurance policies require comprehensive security programs with lengthy checklists to ensure that adequate protections are in place and followed, before cyber insurance policies are even executed. The National Governors Association published a two-page public sector guide to cyber insurance in 2019,²⁶ and the practice of using cyber insurance has grown rapidly since. However, after large losses from insurers in 2020, cyber liability insurance premiums are rising fast as well.

According to a range of hospital CISOs we spoke with in mid-2021 who worked with cyber insurance companies, current trends include:

• 2021 renewal rates are typically 35–50% over those in 2020.
• Ransomware riders are often required.
• Ransomware questionnaires are more complex.
• Scanning the network environments is often performed before policies are issued.
• There is often a proactive assessment of enterprise risk before policies are executed.

To examine cyber insurance in more detail and offer recommendations to consider, we turned to Mark Stamford, the founder and CEO of OccamSec, a cyber security company based in New York City. OccamSec works with organizations across the world to identify how they could be attacked and how to prevent attacks, such as hacking networks, applications, vehicles, and anything else with a computer in it; hackers also break into buildings, wear disguises, and conduct intelligence work.

According to Mark, these are the first things you need to know if you're thinking of making the investment in cyber insurance:

• Ask yourself, what controls are the insurers requiring you to have in place to issue a policy? Some of these may not necessarily apply to your company, so what happens then? There tend to be blanket requirements, but depending on what you do and how you do it this may not be practical.
• Thoroughly read all war clause fine print, especially given how difficult attribution is for an attack. “War clauses” have caused problems in the past – cyberattacks believed to have originated with a nation-state (such as Wannacry) enable insurers to not pay out on policies (since a cyberattack is considered an act of war).
• Find out if there will be any additional costs.
• Brokers are really more useful in finding you the best deal than if you try to shop around yourself.

Going deeper into specific tips, here are recommended questions at each stage of an incident.

Before an incident:

1. Review your policy: What do you need to have in place, or need to be doing, to meet the requirements of your policy? Do you need to perform regular security assessments? Incident response exercises? What tools is the insurer requiring you to have? Keep in mind that cyber insurers are flying in the dark as much as it seems everyone else is.
2. War clauses: Are they in there? If so, who gets to decide what's an “act of war”?
3. What will your policy cover? Notifications to customers? Lost revenue? Other?
4. What happens if the incident is caused by a third party? How will that be covered?
5. Does the insurer provide support during an incident? What's the service level agreement on that? (It's not always very quick.) What's the coverage if there are approved incident response (IR) vendors?
6. Do you have an IR process? Have you tested it?

During an incident:

1. Check with the insurer about whether they will provide support, and if you need to notify them, or otherwise deal with the incident.
2. Make sure you document your incident handling (this should be covered in your IR policy).

After an incident:

1. Keep evidence to show what you did before and during the incident. They are going to ask you for that.
2. Be aware that insurers are looking for “gotchas” to not pay. There are several recent examples where insurers did pay, and companies had to pay the money back due to a lack of due diligence in areas such as patching vulnerabilities.

Mark concludes, “I would also consider what you need the insurance to cover, and why. How much is the policy going to pay out? And is that going to cover your possible costs? Is it worth the investment?

“Organizations that experience a successful cyber attack will find themselves required to undertake a range of responsive actions with some degree of urgency, often at significant cost. This is not just related to technology and/or cyber consulting, but legal fees, media management, and customer support, and even compensation can add up very quickly.”

Michael Cracroft is the former chief security and technology officer of Service NSW, a New South Wales Government executive agency in Australia that provides one-stop access to government services. Originally from the UK, Michael has been leading digital transformation initiatives in Australia, including public cloud migrations and modernizing technology services for community platforms to leverage cloud-native architectures. Some of his other achievements include cyber risk management for the highly successful Digital Driver Licence program and the award-winning Covid-Safe Check-in app, which saw mobile app usage increase from 600,000 to a staggering 6 million customers during 2021.

Having signed up for cyber insurance coverage for Service NSW a few years ago, Michael shared his thoughts on the matter:

“Cyber insurance is a complementary measure that should be considered part of any defense in-depth design in addition to, not in place of, actionable controls. Your board will be glad that you secured cyber insurance beforehand, if an attack should occur and the worst-case scenario happens.

When you look at the economics, it will be interesting to see what the cyber insurers are going to do to manage the increasing volumes of organizations needing to submit a claim from a cyber attack. When you consider this, it seems likely that a couple of things may happen:

1. Cyber premiums will start to rise and smaller organizations may start to get priced out of the cyber insurance market.

   The implications may be a loss of ability to appropriately manage breaches. Consequently, we may see organizations struggling more with the ethics of incident response, such as paying ransomware or failing to notify impacted customers.

2. Insurers may start to require organizations to validate their security compliance posture as part of balancing their premiums. This may translate to a broader community-wide adoption of cyber compliance standards, such as ISO 27001 or SOC2, which may have the benefit of raising the bar of industry cyber maturity.

“We have recently seen new partnerships forming between public cloud providers and insurance companies, which allude to cyber insurance being packaged with the services – if you appropriately conand secure your cloud. If this becomes a de-facto relationship, we may see those organizations running on-premises infrastructure disadvantaged in securing insurance and needing to apply increasingly complex assurances to secure a reasonable premium.

“It is essential to address cyber resilience measures before an attack occurs, as it seems clear the cost of being compromised is climbing and boards need to understand that cyber insurance is not a control which absolves them of responsibility. However, it is important that we acknowledge any system may potentially be breached and in those circumstances, cyber insurance is a risk mitigation that should not be underestimated.”

NOTES

1. 1. Michigan Cyber Range: https://en.wikipedia.org/wiki/Michigan_Cyber_Range ; Dan Lohrmann, “The Michigan Cyber Range: Who, What, When, Where and How,” CSO Magazine, November 15, 2012, https://www.csoonline.com/article/2135792/network-security-the-michigan-cyber-range-150-who-what-when-where-and-how.html; https://www.nga.org/wp-content/uploads/2020/05/MiC3-Memo.pdf; Rachel Cohen, “A Civilian Cybersecurity Reserve Corps Is Needed for the Pentagon and DHS, Lawmakers from Both Parties Say,” Air Force Times, April 28, 2021, https://www.airforcetimes.com/news/your-air-force/2021/04/28/a-civilian-cybersecurity-reserve-corps-is-needed-for-the-pentagon-and-dhs-lawmakers-from-both-parties-say/.
2. 2. Michigan Cyber Disruption Response Strategy of 2013: https://www.michigan.gov/documents/cybersecurity/Michigan_Cyber_Disruption_Response_Strategy_1.0_438703_7.pdf.
3. 3. Michigan Cyber Disruption Response Plan of 2015: https://www.michigan.gov/documents/cybersecurity/120815_Michigan_Cyber_Disruption_Response_Plan_Online_VersionA_507848_7.pdf ; see also Michigan Cyber Command Center (MC3) https://www.michigan.gov/msp/0,4643,7-123-72297_72370_72379_99838---,00.html.
4. 4. Michigan Cyber Civilian Corps: https://www.michigan.gov/som/0,4669,7-192-78403_78404_78419---,00.html ; Dan Lohrmann, “The Michigan Cyber Civilian Corps: Like a Volunteer Fire Department for Cybersecurity,” CSO Magazine, June 9, 2014, https://www.csoonline.com/article/2360732/the-michigan-cyber-civilian-corps-like-a-volunteer-fire-department-for.html.
5. 5. North American International Cyber Summit Series: https://www.michigan.gov/som/0,4669,7-192-78403_78404_78405-403764--,00.html ; Dan Lohrmann, “Michigan Governor Snyder Releases New Cyber Initiative for Next Four Years,” Government Technology, November 23, 2014, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/michigan-governor-snyder-releases-new-cyber-initiative-for-next-four-years.html.
6. 6. FEMA Analysis of initial Michigan Cyber Disruption Response Strategy: https://cip.gmu.edu/wp-content/uploads/2015/11/nps73-090514-05.pdf.
7. 7. CISA Case Study Examining Michigan Cybersecurity Governance Model: https://www.cisa.gov/sites/default/files/publications/Michigan_Cyber_Governance:Case_Study_508.pdf.
8. 8. Michigan Cyber Initiative, 2011 version: https://www.michigan.gov/documents/cybersecurity/MichiganCyberInitiative2011_365631_7.pdf.
9. 9. For more on CSO Kitchen Cabinet meetings, see Dan Lohrmann, “Top Five Mistakes New IT Security Leaders Make,” Government Technology, November 24, 2013, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/top-five-mistakes-new-it-security-leaders-make.html.
10. 10. Dan Lohrmann, “A New Call to Action – Backstage at the Michigan Cyber Summit,” Government Technology, October 8, 2011, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/a-new-call-to-100811.html.
11. 11. “Secretary Napolitano Kicks Off National Cyber Security Awareness Month at Michigan Cyber Summit,” Department of Homeland Security, press release, October 7, 2011, https://www.dhs.gov/news/2011/10/07/secretary-napolitano-kicks-national-cyber-security-awareness-month-michigan-cyber.
12. 12. Lohrmann, “A New Call to Action.”
13. 13. Michigan Cyber Disruption Response Strategy of 2013: https://www.michigan.gov/documents/cybersecurity/Michigan_Cyber_Disruption_Response_Strategy_1.0_438703_7.pdf.
14. 14. FEMA Lessons Learned on Information Sharing Covering the Michigan Cyber Disruption Response Strategy: https://cip.gmu.edu/wp-content/uploads/2015/11/nps73-090514-05.pdf.
15. 15. The National Association of State Chief Information Officers (NASCIO) Cyber Disruption Response Planning Guide: https://www.nascio.org/resource-center/resources/cyber-disruption-response-planning-guide/.
16. 16. National Governors Association (NGA) Issue Brief on State Cyber Disruption Response Plans: https://www.nga.org/wp-content/uploads/2019/04/IssueBrief_MG.pdf.
17. 17. NIST Special Publication 800-61 revision 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
18. 18. Development of NIST Cybersecurity Framework: https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework and https://www.nist.gov/cyberframework.
19. 19. Comparison Guide between NIST and SANS incident response processes: https://cybersecurity.att.com/blogs/security-essentials/incident-response-steps-comparison-guide.
20. 20. State-specific data breach reporting laws as listed by the National Conference of State Legislatures: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
21. 21. List of incident response teams participating in FIRST, the Forum of Incident Response and Security Teams: https://www.first.org/members/teams/.
22. 22. GOsafeonline in Singapore incident response checklist: https://www.csa.gov.sg/gosafeonline/resources/incident-response-checklist?s=09.
23. 23. Crest Security Incident Response Guide – Version 1: https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf.
24. 24. Cynet Incident Response Plan Templates and Guide: https://www.cynet.com/incident-response/incident-response-plan-template/.
25. 25. Sam Friedman and Adam Thomas, “Demystifying Cyber Insurance Coverage,” Deloitte University Press, 2017, https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-demystifying-cyber-insurance-coverage-report.pdf.
26. 26. NGA, “States Confront the Cyber Challenge: Cyber Liability Insurance for States,” https://www.nga.org/wp-content/uploads/2019/09/Cybersecurity-Insurance-Two-Pager-Final.pdf.