How should risk managers respond to a cyber attack?

Coalition's incident response lead on ransoms, efficient data backups, and why it’s never too late

How should risk managers respond to a cyber attack?

Risk Management News


As the threat of cyber attacks continues to grow, it becomes more and more apparent that companies and their risk managers should have plans in place if the worst comes to pass. With a proper cyber insurance policy in place and the support of incident response teams, dangers like malware and ransomware can be more easily tackled, especially in an environment where bad actors are becoming more confident, emboldened by digital advances.

In conversation with Insurance Business’ Corporate Risk channel, Coalition incident response lead Leeann Nicolo (pictured above) said that the most important thing to remember is that regardless of severity of the breach, awareness of the situation should always be number one.

“It’s important to ask what data you have, what kind of legal obligations, etc. But in terms of the priority, I think that the most important thing, at least from my point of view, is awareness, like advising people on your team, what occurred, etc,” Nicolo said.

Ransomware, as the name implies, holds data hostage from a company, a situation which could severely affect business continuity. When asked if paying the ransom is a viable solution, Nicolo said that the question is a very nuanced one, and it requires a better understanding of the situation. However, for these cases, time is always of the essence.

“So often we’re contacted – and I hate to say too late, because it's really never too late – days, weeks, and in rare cases, we’re contacted months after the event. In that timeframe, the threat actor has progressed to act on their objectives and do whatever they're going to do. That data could have already been posted on the dark web or sold. There could also be threat actors that maintain persistence on a network and are waiting for another attack in the future. So, we really ask our policyholders and pretty much all of our clients to just alert us as soon as possible,” she said.

“The worst outcome is that we deem it noncritical, and you can go about your day, and this is actually not an incident. The best-case scenario is that we can prevent further attack on your network or further exploitation of your data,” she said.

Addressing clients’ data leaks

Every so often, a cyber breach can become a full-blown issue that could result in damages far beyond financials. In these cases, client or user data is usually involved, either with information being held hostage, posted on the dark web, or sold off to the highest bidder.

These very real dangers are also why it is necessary to have a proper process in place, Nicolo said, as data breaches can be quite “extremely noisy” affairs, especially once news of it reaches employees.

“They have a million questions, everybody's panicking, and then you have 2,500 people emailing and calling and contacting IT and shutting off their computers. It could be mayhem, when, after forensics is completed, we can prove what was accessed,” she said.

In these kinds of possible public relations disasters, it is always best to rely on the experts – for these situations, the lawyers who can advise what can and should be said publicly.

“The lawyers can also help with how to advise employees internally, they also advise once forensics is completed, what obligations they have by state, by country, where they do their business, and what they need to tell their clients and how they need to tell their clients,” Nicolo said.

“I think that that process is really important, to utilize the experts in place, because we've seen clients just say, ‘we emailed all employees, and we started calling our clients.’ By the time we get involved, it's mayhem, because instead of trying to clean up the mess, they're now responding. They're skipping important steps,” she said.

Data backups can end up being useless

Backing up data can be a lifesaver in the case of a serious cyber breach, especially if the threat actor continues to hold a system hostage. However, Nicolo said that these data backups also need to be properly done, lest they end up being useless in their entirety.

“We do continue to recommend clients to back up data – and when I say backing up, it’s backing up properly, because we so often get clients that have backups, but they haven't tested them in a year, or something broke with the backup process, and they don't have clean backups, or the threat actor found their backups and deleted them or encrypted them. By then, that’s just a put-your-hand-on-your-head moment,” she said.

Offline data backups are the best case, Nicolo said, and if companies could layer them with separate credential access as well as different usernames and passwords locked behind a multi-factor authentication (MFA) tool, all the better.

“In all cases, it appears that one of the most important things that clients face in the case of a cyberattack is business continuity. The only way to continue after a breach is from having another copy of your data somewhere, especially if it's impacted by ransomware,” Nicolo said.

“The companies that get back up and running the fastest and have dedicated teams that manage their backups can roll things back to normal as quickly as their backups can work. However, sometimes we do run into situations where the backups are also impacted by the threat actor. As we identified in our cases, the companies that do best are the ones that are able to kind of follow their checklist and restore the data that they do have. So, I continue to say backups are important. You just really have to make sure they're configured correctly. Otherwise, they could be useless,” she said.

Preventing cyber breaches before they happen

While it is important to be proactive during a cyber attack, it is far more important to avoid experiencing one in the first place. Proper cybersecurity measures help temper the dangers that may attract threat actors, and Nicolo said that these measures will always evolve to keep up with ransomware groups.

“Cybersecurity is always changing. It is always evolving. We constantly have policyholders and clients that implement some new technology, and they think it's kind of set and forget,” Nicolo said.

This “set and forget” mentality may be a huge driver for cyber incidents, as new vulnerabilities and exploits come out and companies remain oblivious. Nicolo said that part of keeping cybersecurity healthy comes down to being aware of updates that should be in place to critical software, as well as moving away from end-of-life software that may already be obsolete.

“We also see a lot of claims with unpatched critical vulnerabilities. There’s a lot of technologies out there that we see, and organizations either are in the process of planning to update, or don't know that there's an update available, which leads to a claim. And that's a shame, because a lot of times the information is out there, you just have to be aware of what you have in your environment, and make sure that it’s up to date,” Nicolo said.

“Second to that, I'd say multi factor authentication (MFA) is a big one. Of course, there's ways to bypass MFA, depending on the technology it is on. But clients that do not have any MFA, however, we believe they are getting attacked or impacted by cyber much more often than clients that do enforce MFA wherever it's available,” she said.

Expect cyber attacks to continue – worsen, even

Driven largely by huge technological leaps, the main one being generative AI, Nicolo expects the trend of rising cyber threats to continue.

“We get asked this all the time, and I think the most common answer is that we're seeing a lot of larger, more advanced ransomware groups. They're starting to impact clients in a group rather than these one-off ransomware as a service (RaaS) actors impacting these low-level companies,” Nicolo said.

Thanks to advances in computing, ransomware groups have also started to become more organised, something which Nicolo noted is very new in the space.

“In all our cases, we see what we call access brokers. These individuals act as intermediaries that look for access into client networks all day long, and then sell that access to the groups. It also causes the pricing with the associated attack to go up because there's more parties in the chain, rather than just the author of the malware. We think that that's one of the major reasons,” she said.

Sophisticated attacks are being driven by generative AI, but there is also the continued trend of geopolitical tensions. With so many conflicts across the world, Nicolo said that companies will have to continue weathering the storm that is cyber attacks.

“The influx of these larger groups – such as what we saw with CL0P – and the influx of new actors are also often a result of law enforcement involvement. So, when there's a breakdown of a group, the people that are left behind sync up and make a new group. I don't think that's going to go away anytime soon, unfortunately,” she said.

What are your thoughts on this story? Please feel free to share your comments below.

Keep up with the latest news and events

Join our mailing list, it’s free!