Cyber incident response planning 101 – here's what brokers should know

Building resilience after the global cyber outage

Cyber incident response planning 101 – here's what brokers should know

Cyber

By Gia Snape

As organizations continue to rely on technology to drive business operations, the risks associated with cyber incidents grow exponentially.

The recent CrowdStrike outage has served as a stark reminder that even without the hand of malicious actors, cyber incidents can have far-reaching consequences, including financial loss, reputational damage, and legal liabilities.

During a virtual event hosted by Marsh McLennan last week, cyber security and insurance specialists stressed that it’s more important than ever for organizations to build resilience against a variety of cyber disruptions.

“A well-drilled, regularly tested, and comprehensive cyber incident response plan is no longer a nice-to-have capability; it's an absolute essential,” said Gill Collins, head of cyber incident management and cyber advisory at Marsh Pacific.

More than two weeks after the CrowdStrike outage, Collins said that Marsh had received more than 375 claims notifications, while more than 500 of its clients had been affected.

“[The outage] affected businesses of all sizes in all industries and has highlighted the importance of building organizational resilience in the face of these types of unfortunate but foreseeable events,” she added.

“Lots of attention has been placed on cyber risk management and preparing for malicious cyberattacks, but what the CrowdStrike incident taught us is that significant disruptions can come from a whole variety of different types of events, and we need to be drilled and prepared to respond.”

Must-haves in a cyber incident response plan

A well-defined incident response plan is not just a reactive measure; it is a proactive strategy that prepares an organization to handle unexpected cyber events effectively.

In the wake of the CrowdStrike outage, experts stressed the importance of “out-of-band” communication capabilities, a focus on third-party supply chain risk management, and regular, routine testing to ensure an incident response plan is adapted to the current threats.

“Out-of-band” communication refers to those that occur outside of an organization’s network, allowing team members to communicate securely when primary channels are unavailable or compromised.

“There's a real need to have out-of-band communication capabilities for when your systems and networks are out of action, and when you're testing your incident response plan, you should be testing that in both an out-of-band and in-band fashion,” stressed Collins.

During the Marsh McLennan webinar, speakers also raised other important points for organizations to keep in mind, including:

  • The need for a formal incident command structure and an emergency operations center to make real-time decisions during a cyber incident;
  • Having defined public information and warning processes with faster approval processes than normal for communications; and
  • The importance of detailed, mission-critical-focused continuity of operations plans focused on virtual environments and technology dependencies, not just physical location.

The most common mistakes, according to experts, are a lack of regular testing and failure to adapt plans to new threats.

“Traditionally, most of our clients, I think, tend to do maybe one incident tabletop or simulation a year, and perhaps look at their incident response plan maybe once a year,” said Collins.

“The reality is, going forward, our clients need to test their incident response plans, business continuity and crisis escalation processes on a regular basis across the whole enterprise. I would suggest that probably three to four times a year is necessary to do that, and a variety of types of events should be tested.”

Key components of a cyber incident response plan

On a fundamental level, a cyber incident response plan should contain five elements:

  • Preparation and prevention
  • Detection and analysis
  • Containment and eradication
  • Recovery and restoration
  • Communication and coordination

The first step in cyber incident response planning is conducting a thorough risk assessment. This involves identifying potential threats and vulnerabilities within the organization’s systems and processes. By understanding the specific risks they face, organizations can prioritize their resources and implement preventive measures to reduce the likelihood of a cyber incident.

As part of preparation and preparation, an effective response plan must prioritize regular employee training sessions and awareness programs to educate staff about the latest cyber threats and the importance of following security protocols.

At the same time, organizations must ensure they have the necessary technology and tools in place to detect and respond to cyber incidents. This includes implementing advanced security monitoring systems, intrusion detection tools, and automated response mechanisms.

Next, vigilant and continuous monitoring of network traffic, system logs, and user activities is essential for the early detection of cyber incidents. Organizations should establish a robust alerting system that can quickly notify the incident response team when suspicious activities are detected.

Once an incident is detected, it must be classified based on its severity and potential impact so leaders can take the appropriate actions and allocate resources effectively. During the immediate response, the primary goal is to limit the spread of the incident and minimize its impact. This may involve isolating affected systems, shutting down compromised accounts, or blocking malicious traffic.

After containment is successful, the next step is to eradicate the threat from the environment. This includes removing malicious software, patching vulnerabilities, and ensuring that no residual threats remain in the system.

After eradicating the threat, organizations must work to restore affected systems and services to their normal operating state. A critical aspect of the recovery phase is conducting a post-incident review, which includes analyzing the incident response process, identifying any gaps or weaknesses, and implementing improvements to enhance the organization’s resilience against future incidents.

Finally, internal and external communications are key in the event of a significant cyber incident. Organizations must establish clear communication with all stakeholders, including management, IT teams, and legal departments. They may also need to communicate with external parties, such as customers, partners, regulators, and the media to ensure transparency and protect the organization’s reputation.

Have something to say about cyber incident response planning? Please share your comments below.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!