How do you build an insurer cyber incident response unit?

Response head on trends, growth plans, and talent

How do you build an insurer cyber incident response unit?


By Jen Frost

Larry Crocker, head of DFIR and incident response at At-Bay, joined the cyber insurer in January of this year. Speaking to Insurance Business at NetDiligence Philadelphia earlier this month, he outlined plans for the unit he’s been tasked with building and shared how the business is dealing with threat actors that are increasingly seeking bigger chunks of change.

Insurance companies have worked tirelessly to attract cyber, negotiation, and forensic experts into the industry, and Crocker and his team are no exception. Hailing from Alabama, where he’s able to work remotely, Crocker is a retired special investigator with the Alabama Attorney General’s Office, a role he took on after spells as a special agent, forensic examiner, and police investigator in the state.

Following his retirement from law enforcement, and prior to joining At-Bay, Crocker also held leadership roles at cybersecurity companies Secureworks and Kivu Consulting.

The At-Bay role presents a new challenge, and a new opportunity, for Crocker, who has been tasked with building out the insurer’s DFIR and response unit “from the ground up”.

What does it take to build a cyber incident response unit?

With more than 30 years of experience in incident response and digital forensics, it’s a task that Crocker has relished. Talent is a top concern, and he has been adding retired FBI agents, ex-government workers, and endpoint detection and response (EDR) professionals to his team’s roster.

“We have a good, well-versed group of folks that are helping us on the incident response, and we’re doing great,” Crocker said.

The At-Bay Security business is a separate entity from At-Bay, as its own LLC, but it is still funded and managed by the insurer, which became a full-stack carrier earlier this year.

Given the security firm’s differentiated status, additional considerations have been at play, and while these may not be “showstoppers” in Crocker’s words, these technical details have proved important. For example, invoicing platforms must be selected, and building out a separate business from scratch presents “more things to worry about” in terms of administration and how the entity works in practice.

“We have a good foundation, we have strong processes and procedures, we have good relationships with breach counsellors on the claims team,” Crocker said of the situation six months in. “I feel like we will be growing more and more as we go along.”

The cyber threat – clients may lack internal resources and expertise

Clients may have some expertise on board to deal with cyber incidents, but smaller and medium-sized enterprises (SMEs) may only be expected to deal with one case in their lifetime – this is edging closer to two now, Crocker said – and this means they may lack the resources to tackle a breach by themselves.

“They don’t get the experience that my team or another response practice [might have] by working multiple cases, understanding multiple yield,” Crocker said.

The “big thing” for his team is looking at how you can learn from each incident, and apply this to the next case, and so on.

“The more we learn about our current actors – their access vector, how they get into the environments, what they do with the tooling that they use – the better we can apply that to the next thing, and make [our response] better, faster, and stronger,” Crocker said.

Business email compromise and ransomware are top threats

Business email compromise, “a down and dirty, quick way for threat actors to get money”, has been an emerging threat for cyber insureds and Crocker said that At-Bay is seeing a “steady influx” of such cases.

Ransomware perpetrators, meanwhile, are becoming “more sophisticated” in how they access victims’ environments. Decryptor demands have also surged, at a “higher than normal” level for the SME market.

“[Years ago] demand for decryptor pricing was somewhere in the neighborhood of $5,000, $6,000, sometimes $20,000,” Crocker said. “Now, we’re starting to see that increase to $500,000, $1 million, or more depending on what [leverage] they think they have over the clients.”

Negotiating with cybercriminals

Demands may be increasing in size, but, according to Crocker, this can be a negotiation tactic from malicious actors; by going in with a $1 million price tag, they may be looking to knock this down substantially, for example to $500,000, and in doing so obtain more funds than had they gone in with a lower figure.

When dealing with bad actors, one of the biggest challenges for At-Bay’s incident response team is establishing and understanding who they are and what their goals are, especially with more popping up all the time.

“You may have no idea who they are officially, who they’re affiliated with,” Crocker said. “In establishing that relationship, communicating with them, understanding what their demand is, there’s a lot of things you can look at during the negotiation phase to try to determine who they are.”

Given it’s illegal to pay a ransom to a sanctioned entity, which might include nation state actors, this part of the process is vital.

When businesses are under fire from nation states, this is more likely to trigger federal involvement. While it may not be possible to pay a ransom in such cases, vital intelligence can still be gleaned.

“We try to identify who they are as quickly as possible, but also being thorough to ensure we’re not paying anybody we’re not,” Crocker said.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!