Ransomware Resiliency Starts with a Plan. What’s Yours?

Your incident response plan is the key to coming back from a hack attack.
By: | September 27, 2022

Threat actors will never stand idly by. As Gallagher noted in its “2022 Cyber Insurance Market Conditions Report,” hackers are constantly looking for new ways and easier targets to infiltrate systems. Supply chains can offer multiple entries into several businesses at once; companies with far-reaching capabilities and vast systems of interdependencies are fertile hunting grounds. 

And the cost of a ransomware event is soaring: During the first six months of 2021, $590 million was paid in ransom payments, as opposed to $416 million paid in all of 2020, Gallagher reported. 

There is no such thing as a “simple” ransomware event, either. Threat actors take the time to lay the groundwork so that they are in your systems well before detection.  

“Encrypting your files is really the last thing they’ll do,” said Rachel Bush, AVP, threat detection and response, Nationwide. “One of their first objectives is to set up mechanisms to maintain access in your environment.” That could mean finding ways to gain administrative privileges, compromise Active Directory, steal usernames and passwords, and much more in order to be fully embedded in the system. 

Having the right insurance in place is a good start to combat ransomware loss. But it isn’t the only risk management tool worth investing in. Companies are putting in the time, effort and resources necessary to create resiliency in the face of ransomware.  

IBM’s “Cost of a Data Breach 2022” report revealed, “Businesses with an [incident response (IR)] team that tested its IR plan saw an average of $2.66 million lower breach costs than organizations without an IR team and that don’t test an IR plan.” 

That’s nearly 58% in cost savings, according to the report. 

“A ransomware event can be catastrophic. It’s a business killer — or can be. With an encrypted network, you’re not going to be able to do business. Lawsuits could follow, regulatory investigations, reputational harm,” said David Rock, vice president, North American Claims Group, Allied World. “Being able to anticipate the threats ahead of time and coming up with a good plan to attempt to defend against these types of attacks is crucial.” 

First Line of Defense: A Tested IR Plan  

Suffice to say, creating an incident response plan should be step one in ensuring cyber resiliency for a business. And it’s something that companies can invest in long before a ransom note lands in their inbox. 

Michael Phillips, chief claims officer, Resilience

An incident response plan, or IR plan, will have pertinent information on what to do, who to call, which team member is responsible for what, as well as have insight on the type of data the company stores and how it’s being stored. 

When putting together this plan, it’s important to ask the following questions: “What data do you have and where do you keep it?” shared Catherine Lyle, head of claims/attorney, Coalition. “There’s a lot of data out there that companies keep. Through the IR creation process, if you realize you don’t need [certain data], you should be getting rid of it.” 

On the opposite end, if the stored data is important to operations, the company will want to review where it’s being stored and why it’s information the company is holding on to. 

After data review, it’s key to bring the IR team together. 

“Every organization should convene appropriate leaders who will coordinate certain streams. So, for example, there would be someone who is responsible for assessing the technical recovery — an IT leader. The unfortunate fact of ransomware is that many threat actors steal data and threaten to leak it, which often triggers legal concerns, so you would want a legal leader,” said Michael Phillips, chief claims officer, Resilience. 

For larger businesses, the roles of the C-suite, IT, legal, risk management, finance and other departments should be defined in the IR plan. For smaller organizations that may not have the same access to robust resources, it is still key to identify who is responsible for what in the event of an attack. 

As Phillips noted, the main point for small and large businesses is to break down any silos between internal stakeholders and leaders so that the right member is notified at the right moment through the life cycle of the ransomware event. 

Additionally, getting the right external team together is just as key to a successful IR plan. 

Cyber insurance, outside legal counsel, forensic investigators, cybersecurity consultants — you name it, they should be included in the IR plan.  

“The best cyber insurers will play the role of your trusted cybersecurity partner,” said Andrew Lipton, VP, head of cyber claims, AmTrust Financial Services. This partnership will open the door to third-party vendors that can assist in a ransomware event. “Insurers will have a wealth of access to proactive services that can potentially prevent these incidents from happening in the first place.” 

Team members on the IR plan, internal and external, should have an understanding of how the company wants to respond to cyber ransoms as well.  

Then, that final step in the IR plan process should be practicing, practicing, practicing. It’s one thing to have the plan, but if a ransomware event takes place and stakeholders don’t know their first line of action, all the prep work will be for naught. 

“It’s great to have a team in place and have the C-suite involved, but if your team doesn’t know what to do with the incident response plan, then it’s ineffective,” Lyle said.  

Diagnosis Is In: It’s a Hack Attack 

While getting an incidenct response plan together and testing it is absolutely vital to resiliency, these tools do not automatically mean a business is bulletproof. This is not the time to think, “It’ll never happen to me.” 

“You can take all of those key, best-in-class precautions and still be hit with ransomware,” said Phillips. “You can take all of the appropriate defense steps and still fall victim. How you bounce back shows how resilient you actually are.” 

But once the hacker is in the system, what should the next steps be in order to have true resiliency? A key point cyber experts agreed on was that the first hours after ransomware detection are most crucial.   

“How an incident is triaged and managed upfront can make a real difference in how quickly a cyber event is resolved, greatly reducing business downtime and costs, as well as help to avoid severity driven third-party events down the line,” said Roger Francis, managing director at CFC Response. 

This is why having a tested IR plan will go a long way. When a ransom is detected, the IR team can jump right into action, because they have been equipped with the knowledge of what to do. 

“The first step should always be to deploy your incident response plan,” Rock said. “That plan should contain a list of roles and responsibilities for team members. It should have a business continuity plan laid out, a list of crucial networks and recovery processes for those networks, a communication plan, and your cyber insurance information.” 

“In the context of ransomware, time is of the essence. Losing access to your data and systems, for any business in this day and age, can be detrimental,” Lipton said. When a hacker’s in, it is time to react; not time to decide where to start. 

Because resilient businesses have taken the time to create a plan well before an event, they will not need to ask themselves where their data is or what to do with their systems. 

“Having a technical plan in place [before an event] will help you anticipate under which conditions you would or would not consider paying a ransom, and whether you would want to rely on a third party or have a retainer with an industry-recognized cyber response company,” Bush added.   

Additionally, the IR plan will eliminate confusion on other items that crop up after an attack, including what to do with a public-facing website if it’s unavailable or compromised, where documentation exists outside of the digital realm, what kind of internet presence the company should have, or even if the company should notify shareholders or the media. 

“Companies should also be prepared to limit damage and contain the threat by taking measures as difficult as disconnecting temporarily from the internet. That can be a complicated thing to perform, but in developing a ransomware response plan, you should be ahead of the game,” Bush said. 

Other Ways to Increase Resiliency 

Ransomware resiliency doesn’t end because a hacker got in. Companies with a tested IR plan in place that have had to use that plan will still need to find ways to build resiliency in order to remain whole. 

Catherine Lyle, head of claims/attorney, Coalition

“After an attack, companies can review the areas [in their system] where they could prevent something like that from happening in the future,” Lyle said. 

Assessing the damage and reviewing vulnerabilities with a cyber expert is key. Coalition, a cyber insurer and cybersecurity partner for businesses, “tries to leave clients in a better and healthier position than they were before the event,” Lyle added. “We will think like a hacker, insuring in the areas where needed and helping clients make smarter choices on controls so that they are more secure in the future.” 

It’s no secret, though, that the cyber insurance market has become somewhat wary in the face of the ransomware epidemic.  

“Some insurance companies are taking an immediate defensive approach to ransomware,” said Phillips, “reducing coverage or increasing prices. But the best players in the cyber insurance market are thinking more comprehensively about cyber risk than they ever have before and are investing in tools and services that can make companies more resilient.” 

Some ways cyber partners are increasing resiliency is through running table-top exercises with clients long before an event to help them prepare and understand what might need to be done — something that Phillips’ company, Resilience, does in-house. 

Others are actively helping to build the IR plan from the start in order to make sure companies are covered. 

“There is no better incident response plan starter than going to your cyber insurance first and looking at the whole process together,” said Lipton.  

“More importantly, companies should scrutinize the proactive capabilities of their cyber partners,” added Francis. They should be asking what their partners are doing to prevent them from falling victim to a cyber event in the first place. Are they proactively scanning the business 24/7/365 for specific risk factors and vulnerabilities actively being targeted by cybercriminals? Will they alert about threats in real time? Will they work with the client to mitigate the issue and prevent the attack before it happens? 

“If the answer to any of these questions is no, I would recommend finding a cyber insurance partner that provides a comprehensive service that works to protect their insureds from the moment they become a customer to proactively prevent claims, as well as minimize the impact should an incident occur,” Francis said. & 

Autumn Demberger is a freelance writer and can be reached at [email protected].

More from Risk & Insurance