The past few years have been hard on cybersecurity professionals.
An onslaught of new attack innovations and evolutions have raised the risk — and the costs — of an attack. More organizations than ever before are attempting to transfer a portion of that risk through cyber insurance. However, cyber insurance policies, once easy to get and robust in coverage, have become challenging to obtain, difficult to maintain, and costly to keep. Premiums have surged while policy providers have increased the number of required controls organizations need to qualify for coverage. It’s a challenging insurance landscape that organizations are struggling to navigate while facing daily threats from global cybercriminals.
However, there’s one solution that can not only help an organization swiftly stop an attack and restore business operation, but also help them secure a high-quality cyber insurance policy: incident response.
What is Incident Response?
Incident response (IR) is a set of processes and tools used to identify, contain, and remediate cyber attacks, and to restore the organization to pre-incident operations. It is the process of:
1. Securing an environment by eliminating the threat actor’s access
2. Analyzing the cause and extent of the threat actor’s activities while inside the network
3. Restoring the network to its pre-incident condition (including ransom negotiation and payment, if necessary)
Each part of the process is performed concurrently and relies on and informs the other parts.
There are multiple expert types within the field of incident response. For example, some responders focus on forensics analysis while others specialize in data recovery and system restoration. It’s vital that all team members work in unison, collaborating and communicating throughout the process to bring the business back online quickly with minimal costs.
Incident Response vs. An Incident Response Plan
The National Institute of Standards and Technology (NIST) defines an incident response plan as “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization’s information system(s).”
But an incident response plan is more than bulleted items on a piece of paper. It needs to be a living document that can be tested and adjusted based on changing security and business needs. Some incident response plan components include:
- Formulating a strategy for how to respond to early stages of an incident
- Identifying stakeholders and their roles
- Appointing a response team
- Conducting tabletop exercises to test the strategy
- Testing backup and recovery systems
An incident response plan is, quite frankly, table stakes for any organization looking to take their cybersecurity seriously. It’s also one of the major core controls insurance providers now expect organizations to have to obtain and maintain a cyber insurance policy. However, an incident response plan is not the same thing as incident response. It can best be described via analogy:
Having a plan in case of a fire can help keep you and your family safe. A good fire escape plan will identify multiple escape routes, a safe meeting spot, and even whose role it is to call the fire department. But having a robust fire suppression system built into your home can stop a fire quickly before it has a chance to spread, limiting the damage done, and the cost to restore things back to the way they were — That is incident response compared to incident response planning.
Why Insurers Value Incident Response
As little as a decade ago, cyber insurance was a niche market, with only a handful of carriers offering policies to only around a quarter of U.S. organizations. In the intervening years, the rate of published vulnerabilities as well as attempted cyber attacks have both skyrocketed, which has led to a surge of new policy seekers, with 47% of insured organizations having secured their policy in the previous 12 months.
As insurers filled more policies, they also quickly sought to right-size the market in the wake of rising ransomware attacks that annually set new records for number of attacks and median ransom demands. The median initial ransom demand for cases investigated by Arctic Wolf Incident Response in 2023 stood at $600,000 USD.
The major focus of these right-sizing efforts revolved around the creation of new requirements organizations must meet to obtain or maintain a policy. Cyber insurance policies have now caught up to the scrutiny and evaluation standards found in home, auto, business, and life insurance policies, and experts expect they will soon eclipse them, as the cyber landscape continues to grow over the coming years. Cyber insurers now tend to place organizations into what could be colloquially described as “risk buckets.” Those organizations who have proven implementation of core controls like MFA, patch management, and the creation of an incident response plan have cleared the barrier to entry and can obtain a cyber insurance policy, however these are the minimum requirements and won’t reward organizations with a premium or elite policy.
For an organization to find themselves in that “elite” risk bucket, where the premiums are the most affordable and the coverage is the most comprehensive, they’ll need to go much further, making significant progress on their security journey through the implementation of proactive security operations solutions that afford them 24×7, real-time monitoring, detection and response against cyber attacks, robust vulnerability and risk management, and effective security awareness training for users, to help them minimize human risk and thwart social engineering attacks like phishing.
There’s one more solution which can tip an organization into that elite bucket, as well: incident response. In evaluating an organization’s risk profile, insurers take a good amount of solace in knowing that the business has fast access to a team of response and remediation experts who can help with everything from backup restoration to digital forensics to threat actor negotiations, if needed. This kind of full-featured incident response mitigates the damage, and therefore mitigates the cost the insurer may be asked to cover. Because of this, if an organization has IR services on retainer, they just might find themselves in the elite risk bucket, with access to the best policies and premiums available.
Evaluating IR Providers and Retainers
To fully eradicate the threat and restore normal business operations — and to stand the best chance of cyber insurance providers placing you into that elite risk bucket — you need a full-service incident response (IR) provider. It’s not enough to simply delete the threat. Instead, finding the root cause, documenting what happened, and restoring business operations to pre-incident conditions are vital in every response scenario to get the organization back online and prevent future incidents.
Incident response is available from a variety of providers, each offering a range of services directly to organizations — some even through cyber insurance carriers themselves. No matter whom you choose, be sure to select a full-service vendor with in-house expertise who can provide comprehensive digital forensics and data recovery services. Only full-service providers eliminate the threat actor’s access to the environment, analyze the extent of the attack, and restore the business to normal pre-incident operations.
Effectively achieving all three of these objectives requires an IR firm with a multifaceted team of in-house expertise. Coordination across the team and with the customer is vital to the response process, and everyone from the SOC to the board room needs to understand the status of the investigation and the significance of the findings.
Additionally, engaging with IR services often comes in the form of a retainer. Traditionally, this has meant pre-purchasing a certain number of hours that you either use or lose over the course of a year. However, new retainer models, like Arctic Wolf’s IR JumpStart Retainer, provides proactive incident response planning with a 1-hour response time and no prepaid hours, ensuring priority access without upfront costs.
Discover how coverage is evolving with the current cyber threat landscape and get insurance insights directly from cybersecurity leaders in The Cyber Insurance Outlook.
Download our Best Practices for Cyber Insurance data sheet and learn the most common controls insurers are looking for, and the five first steps you can take on your way to getting the best policy possible.
Learn more about Arctic Wolf Incident Response and our IR JumpStart Retainer.
