The way an organization responds to a cyber incident can make or break its operational, financial and reputational stability. In the event of a poor response, an organization may encounter various consequences—including the exposure of sensitive data, compromised technology, widespread business disruptions, disgruntled stakeholders, lost customers and diminished market value. Fortunately, organizations can mitigate these damages through proper cyber incident response planning.

A cyber incident response plan establishes steps to ensure timely remediation amid cyberattacks and keep related losses to a minimum. Effective response planning requires coordination across an organization.

A solid response plan should outline the following:

  • Who is part of the cyber incident response team (e.g., company executives, IT specialists, legal experts, media professionals and HR leaders)
  • What roles and responsibilities each member of the response team must uphold during an incident
  • When and how stakeholders and the public (if necessary) should be informed of an incident
  • How the organization’s key functions and operations will continue throughout an incident
  • What forensic activities will be leveraged to identify the cause and prevent future incidents
  • Which federal, state and local regulations the organization must follow when responding to an incident (e.g., reporting protocols)
  • When and how the organization should seek assistance from additional parties to help recover from an incident (e.g., law enforcement)
  • How an incident will be investigated

For cyber incident response plans to be successful, they should address a number of attack scenarios. By including different scenarios within their response plans, organizations can be ready to handle any type of attack and protect themselves from large-scale losses. One of the most important scenarios to include in a cyber incident response plan is a ransomware attack, which entails a cybercriminal compromising a device or server with malware and demanding a large payment in exchange for restoring the technology (as well as any data stored on it). Keep reading for an example of a ransomware attack scenario and a summary of how a cyber incident response plan can address this scenario.

Attack Scenario

On Monday, an entry-level employee at a small financial organization received a phishing email from an account claiming to be one of their co-workers.

The email, which included an attachment labeled “project files,” encouraged the employee to download and review the attachment to prepare for an upcoming assignment. However, upon downloading these files, the employee inadvertently launched malware on their device. In a matter of minutes, the malware program infiltrated several of the organization’s systems and encrypted a wide range of sensitive data, including confidential customer information and financial records.

From there, the cybercriminal responsible for sending the phishing email and deploying the malware program displayed a message on the employee’s device, explaining that they had compromised the organization’s data and would only restore this information via digital encryption key in exchange for a wire transfer of $1 million to a private bank account, with a payment deadline set for Friday. At this point, the employee reported the attack to their manager. Facing the potential loss of critical data, the organization needed to react swiftly to minimize widespread operational disruptions and reduce the risk of severe reputational damage.

Response Plan Reaction

In this particular ransomware attack scenario, a well-crafted cyber incident response plan would guide the impacted organization through the following steps:

  • Detection and research—Upon receiving the employee’s report of the ransomware attack, the organization promptly assessed the situation to determine whether the incident posed a genuine threat. After validating the attack, the organization conducted additional research regarding the scope and severity of the incident by documenting which systems and data were affected and calculating potential losses. From there, the organization activated its cyber incident response team and notified important parties (e.g., local authorities and insurance professionals) to kickstart the investigation and insurance claims process.
  • Containment—To prevent further damage and stop the malware program from infiltrating additional workplace technology and resources amid the attack, the organization’s cyber incident response team isolated the employee’s infected device from the company’s larger network and moved all impacted systems offline. During such containment, the response team still made sure to prioritize critical operations and limit possible business disruptions by developing temporary workarounds for compromised systems and keeping technology that hadn’t been affected by the incident up and running. Additionally, the response team relied on offline communication methods (e.g., phone calls) throughout this process to reduce the risk of the cybercriminal responsible for the attack intercepting any important conversations.
  • Eradication—The organization’s cyber incident response team then worked together to wipe the malware program from the employee’s device and all impacted systems, thus restoring this technology to its original functionality. At this time, the response team also scanned the organization’s larger network for any remaining vulnerabilities to ensure the cybercriminal wouldn’t be able to prolong or relaunch the ransomware attack from a different digital avenue.
  • Recovery—After eradicating the malware program and addressing any further network vulnerabilities, the organization’s cyber incident response team focused on recovering the compromised data. Fortunately, since the organization had effective data backup protocols in place prior to the attack, the response team did not have to engage with the cybercriminal. It was able to restore this information to a clean and uninfected state by accessing the secondary versions stored in a secure, offline location. As a result, the response team determined it was safe to enable the employee’s device and take all impacted systems back online, therefore resuming normal operations and refraining from making the ransom payment.
  • Communication—Following the recovery process, the organization’s cyber incident response team worked closely with the local authorities and insurance professionals to provide any further information and documentation that would help these parties complete their investigation and resolve the associated insurance claim. The response team also took this time to release a public statement regarding the attack and communicate directly with any regulators or stakeholders who needed to be informed of the incident (i.e., employees and customers whose data was targeted).
  • Post-incident analysis—Lastly, the organization conducted a post-incident analysis. This analysis focused on where the ransomware attack originated; how it was detected; how effective the incident response plan was in handling this event; the different technical, operational and financial impacts of the incident; and whether any organizational failures played a role in the event (e.g., poor employee training and unpatched security software). The results of the post-incident analysis ultimately guided the organization’s identification of its cybersecurity weaknesses and supported its effort to fill possible gaps with bolstered defenses (e.g., enhanced employee training, routine phishing simulations and patch management solutions). This analysis also helped the organization make necessary updates to the cyber incident response plan, thus improving mitigation techniques for future cyber incidents and reducing related damage.

As previously mentioned, an organization’s cyber incident response team typically consists of various experts and professionals across multiple fields. It’s also worth noting that, depending on an organization’s size and in-house resources, its response team may consist of either internal or external parties. In other words, larger organizations may have entirely in-house response teams, whereas small organizations with fewer resources may seek the assistance of third-party vendors.

In any case, before hiring any vendors to help respond to cyber incidents, organizations should consult their cyber insurer to determine whether any policy provisions include vendor-related stipulations or requirements. Specifically, some insurers mandate policyholders to work with preselected vendors that offer negotiated rates, therefore limiting associated claim costs. In this particular ransomware attack scenario, the impacted organization had limited in-house experts due to its size and developed a response team consisting of insurer-recommended vendors.

In addition, keep in mind that this scenario resulted in minimal damage not only because of sufficient cyber incident response planning but also due to effective data backup protocols. These protocols permitted the affected organization to restore its compromised information without having to engage with the cybercriminal responsible for the attack or navigate the ransom demand. This also resulted in a smaller and simplified insurance claim, as the organization only needed coverage for vendor-related expenses. In situations without data backup options, ransomware attacks can be far more disruptive and costly. Even in such situations, however, the FBI generally advises against complying with ransom demands, as there is no guarantee that cybercriminals will follow through with their end of the negotiations, potentially compounding overall losses. Furthermore, organizations that pay ransom demands may be more likely to be targeted in future ransomware attacks, as cybercriminals will remember their willingness to deliver payments in the past.

With this in mind, organizations and their cyber incident response teams should work together to establish clear criteria on when they will adhere to ransom demands (if at all). Such criteria should be based on existing system recovery and data backup capabilities, as well as the nature of organizational operations. In some instances, it may even be valuable for organizations to have crisis negotiation experts on standby to further assist them in navigating ransom demands when incidents occur. Nevertheless, organizations should be sure to consult trusted insurance professionals to discuss how their cyber coverage will (or won’t) respond to ransom payments, as some policies may have exclusions for losses resulting from compliance with ransom demands.

We can help.

Through proper response planning, organizations can adequately prepare for cyber incidents and reduce the potential fallout. Yet, organizations should understand that their response plans are always a work in progress; as operational needs change and cyber exposures evolve, response planning should follow suit. Thus, organizations can leverage several practices (e.g., tabletop exercises and penetration testing) to assess their cyber incident response plans and make adjustments over time. In doing so, organizations can remain prepared for the latest cyberthreats and successfully navigate the ever-changing digital risk landscape.

If you’d like additional information and resources, we’re here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk. You can download a free copy of our eBook, or if you’re ready make Cyber Liability Insurance a part of your insurance portfolio, Request a Proposal or download and get started on our Cyber & Data Breach Insurance Application and we’ll get to work for you.