Effective Cyber Incident Response in Insurance Companies


August 2017

An article by Raj K. Chaudhary, CRISC, CGEIT; Troy M. La Huis; and Lucas J. Morris, CISSP

Crowe Horwath LLP: Audit / Tax / Advisory / Risk / Performance. Smart decisions. Lasting value.

With cyberattacks increasing in both number and severity, insurance companies, like all businesses, must be prepared to respond promptly and effectively when an information security breach occurs. Developing and implementing an effective cyberattack response capability is not just the concern of IT managers and their departments. The responsibility for monitoring and mitigating cybersecurity risk starts at the very top of the organization and is shared by all levels of management and employees. Cybersecurity is everyone's concern, and everyone throughout the organization has a role to play in being prepared to respond when the inevitable attack occurs.

If, When, and How Long?

Virtually every credible cybersecurity resource agrees: data breaches are increasing, both in number and severity. For example, the Identity Theft Resource Center (ITRC), a not-for-profit fraud and identity theft educational organization, recently reported that the number of data breaches during the first half of 2017 was running nearly 29 percent ahead of the pace recorded in 2016; from January 2017 through June 2017, more than 10 million records were exposed. The long-term view is even more disturbing. The ITRC estimates that nearly 900 million individual records have been exposed since the organization began tracking data breaches in 2005.[1]

Cybersecurity professionals long have warned businesses that it's not a matter of if a breach will occur but when. Given the accelerating pace of attacks and the pervasive nature of attackers, businesses today should add another element to that formulation: in addition to when, they must also be concerned with how long a breach might continue. It is common for attackers to break into business networks and go undetected for a period before the breach is discovered. During this time, intruders can gather intelligence, escalate their access, or extract data from the network. If the breach is not discovered early, it often can take time before the damage is contained and the system is once again secured.

The goal of an insurance company's cyber response efforts must be to reduce both the discovery and containment times from a matter of months to a matter of minutes. Improving detection capabilities and breach investigations can help limit organizational damage, stop further exposure, and allow the organization to resume normal operations more quickly.

Industry Preparedness: Opportunities for Improvement

Recent experience suggests the insurance industry generally is taking the threat of data breaches and cyber incidents seriously. Yet despite the attention these threats receive, a number of opportunities for improvement still remain. For example, in a recent Crowe Horwath LLP webinar, a group of more than 100 insurance company executives were asked about the formation of cyber incident response teams in their organizations. Ninety percent of the participants reported that they have such a team in place, and 70 percent said their teams were formalized. Yet when asked about specific elements of their cyber incident response plans, the results were less clear-cut.

Because training and testing are particularly important elements of cyber incident response planning, the webinar participants were asked how often their companies tested their cyber incident response plans and what methods they used. While a majority of participants reported they test their plans annually using either tabletop exercises or actual scenario-based testing, almost four out of 10 (39 percent) reported they have not tested their plans within the past year or longer, have never tested their plans, or, worse, have no plans at all.

Exhibit 1: Incident Response Plan Testing (chart)
- We test it at least annually through tabletop exercises / We test it at least annually through actual scenario-based testing: 34% and 27% (the chart does not make legible which value belongs to which response)
- We have not tested the plan in the past year: 13%
- We have never formally tested the plan: 13%
- We do not have a formal plan: 13%

These responses suggest that, while a majority of the participating insurance companies are working to prepare for an effective response to a cybersecurity attack or breach, there is still considerable opportunity for improvement among a very sizable segment of the industry.

Asking the Right Questions

Given the volume, sophistication, and variety of potential attacks, management can be easily overwhelmed by the challenge of deciding where to begin. The inherently technical nature of cybersecurity preparedness also can cause board members, executives, and managers to relinquish oversight responsibility to the IT team. One way to overcome this tendency is by learning to ask the right questions about cybersecurity preparedness.

The Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors Research Foundation (IIARF) recently published a joint report, "Cybersecurity: What the Board of Directors Needs to Ask," which offers specific guidance to board members about how they can more effectively monitor and influence cybersecurity policies and practices.[2] Building on the guidance in the ISACA and IIARF report, board members and senior executives should develop their own broader understanding of critical cybersecurity questions, beginning with some basic questions, such as:

- What are our organization's top-five cybersecurity risks? What are we worried about protecting?
- Do our employees understand their individual roles and contributions to our cybersecurity posture? How are they made aware of their roles?
- How do we identify a breach or other incident? Do we do so via self-identification, or do we engage with vendors, customers, or other third parties?
- When a cybersecurity incident occurs, how are we going to respond?
- Do we use a specific security framework? How was the framework selected? How often is it reviewed?
- How is cybersecurity oversight managed?
- Have we already been breached? Do we recognize indicators of compromise?

Obviously, this list is by no means exhaustive or all-inclusive, but paying attention to basics such as these can be an important first step in preparing or upgrading an organization's cyber incident response capabilities.

Establishing a Cybersecurity Framework

In addition to board-level guidance such as that offered by ISACA and IIARF, numerous other private and government organizations provide resources to help management teams prepare to respond to cybersecurity incidents. Some of the most widely used resources are published by the National Institute of Standards and Technology (NIST), which has produced a series of publications offering information security guidelines, recommendations, and reference materials. One of these publications, NIST Special Publication 800-61, "Computer Security Incident Handling Guide," is particularly relevant to incident response.[3] It organizes the massive number of questions, procedures, and guidelines for cybersecurity preparedness and response into four categories, which correspond to the four phases of the incident response life cycle:

1. Preparation. Initial steps include defining what constitutes an incident and spelling out what type of events would trigger the use of an incident response plan. Identifying potential incidents also can help make threats more tangible. Other preparatory steps include identifying indicators of compromise, establishing notification and escalation procedures, and identifying and preparing all those who will be involved in incident response. Effective preparation involves coordinating among numerous participants, including internal sponsors and response team members and external stakeholders, such as law enforcement, insurance providers, software suppliers, regulatory agencies, and customers.

2. Detection and analysis. It is important to establish minimum investigation standards related to documentation, evidence handling and preservation, and communication with both external and internal audiences during the course of an incident response. In addition to complying with all relevant standards, those responsible also should validate that the organization maintains a current and accurate inventory of all critical data, and that necessary logging, monitoring, and alerting software and patches are up to date.

3. Containment, eradication, and recovery. When data security is compromised, the immediate goal is to prevent damage from spreading and to keep data theft or losses from continuing. In addition to identifying the cause of the incident, a key component of this process is determining whether system configurations or other processes should be changed to help prevent further incidents. Regular, ongoing testing also is necessary in order to verify that data recovery and restoration processes are functioning as designed and that reconfigured systems and procedures are performing as expected.

4. Post-incident activity. In the wake of an incident, a host of questions need to be addressed. In addition to the obvious questions (what was affected, how the breach occurred, and who was responsible), other important issues include determining if the incident was an isolated event or part of a larger, more ominous threat; which protective tools and controls need to be strengthened; what additional end-user training is necessary; and what can be done differently the next time a similar incident occurs.

First Steps: Laying the Foundation for an Effective Program

As mentioned previously, the preparatory phase of the NIST framework is particularly critical to the overall effectiveness of an incident response program. Doing it right provides a solid foundation for the phases that follow. Management teams should pay particular attention to several broad components of the preparatory phase, including:

- Documentation. Document in detail the planned reaction, identification, and notification procedures; the roles and responsibilities of incident response team participants; and the communication protocols to be followed when an incident occurs.
- Sources, technology, and vendors. Identify sources of information, available tools for detecting and responding to a breach, and available external sources of assistance and expertise.
- Hands-on practice and education. Perform penetration testing, tabletop exercises, scenario-based testing, and other exercises to identify whether adjustments are necessary before updating the system. Such tests also can point out where additional training and communication are needed.

The interrelationships of these elements are illustrated in Exhibit 2.

Exhibit 2: Cyber Incident Response Program Elements (diagram; source: Crowe analysis)
- Sources, Technologies, and Vendors: sources of information; our tools; involvement of outside assistance
- Documentation: reaction, identification, and notification procedures; roles and ownerships; communication protocols
- Hands-on Practice and Education: testing methods; education; maintenance

As the number of data breaches continues to increase, and as cyberattackers become more sophisticated and aggressive, these essential preparatory elements will become even more important. As they accelerate their efforts to develop and enhance their cyber incident response capabilities, insurance company boards, executives, and managers will need to reinforce and build on the foundation provided by these components.

Learn More

Raj Chaudhary, Leader, Cybersecurity, +1 312 899 7008, raj.chaudhary@crowehorwath.com
Troy La Huis, Principal, +1 616 233 5571, troy.lahuis@crowehorwath.com
Lucas Morris, +1 214 777 5257, lucas.morris@crowehorwath.com

Notes

[1] Identity Theft Resource Center, July 18, 2017, http://www.idtheftcenter.org/press-releases/2017-mid-year-data-breachreport-press-release
[2] The joint ISACA and IIARF report can be downloaded at https://bookstore.theiia.org/cybersecurity-what-the-board-ofdirectors-needs-to-ask
[3] The NIST guide can be downloaded at https://www.nist.gov/publications/computer-security-incident-handling-guide

crowehorwath.com

In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International. crowehorwath.com/disclosure FS-18700-006E