How Coalition’s incident response helps reduce risks during a cyber attack
Traditional cyber insurance protects businesses from the impact of a cyber breach after it occurs. However, what if cyber coverage could actually help reduce the risk of an attack before it happens?
As cyber incidents increase across the globe — cyber claims severity rose 56% for small businesses last year — reducing the risk of an attack proactively is critical to reducing overall business risk.
Enter: Coalition’s Incident Response (CIR).
Driven by a team of technical experts, incident responders, forensic specialists, and security engineers, Coalition provides security across the lifecycle of a business, elevating the ability to respond to bad actors, including a security support center to help prevent attacks before they happen — and respond more effectively if they do.
From ransomware to reputational impacts, CIR solved 46% of incidents reported to Coalition last year — without additional costs or using up policyholder deductibles. Even more consequential, CIR helped many policyholders prevent cyber incidents last year, as Coalition’s insureds experience less than one-third the frequency of claims compared to the broader cyber insurance market (based on 2020 and 2021 National Association of Insurance Commissioners [NAIC] report data).
The incident timeline: investigate, remediate, communicate
When a cyber incident does occur, policyholders should be encouraged to report the incident to their insurance provider immediately.
Reporting an incident gets the ball rolling and alerts all necessary vendors and experts to mobilize, with the goal of reducing the overall impact of the incident. Coalition’s Claims team responds immediately to help determine what services to activate, from forensics specialists to a breach coach, and/or a PR firm to manage crisis communications.
The Coalition team will walk an insured through an investigation and remediation of the incident, while also working on all points of critical communication simultaneously. Here’s the Coalition Incident Response timeline as seen through an investigate-remediate-communicate lens:
Investigate what happened, to determine the tactics and techniques used by the threat actor during the incident. Building off of the insured’s Active Risk Assessment — a scan of how the insured’s network is seen on the dark web, so all vulnerabilities are visible — CIR collects and analyzes forensic artifacts and system logs to dive into what vulnerabilities may have enabled the incident and how the business can react to protect itself. This includes determining if the business has available backups and utilizing tools to have oversight and block the threat actors from gaining more access. Were any previous vulnerabilities noted and not patched? Were all the potential protections implemented in good time? While Coalition’s in-house team leads the investigation of the cyber incident, based on its complexity, third-party specialists could be also called in to supplement Coalition’s expertise.
Remediate for both the short- and long term. While remediation steps are informed by the investigation, this step happens alongside the investigation. The goal here is to act quickly in order to minimize the damage. CIR recommendations will be based on what is known and learned about the business, as well as on protection implementations recommended to them during earlier stages of the Active Insurance life cycle. For example, if the business has viable backups in place for all of their critical data, CIR can guide the business through a process that avoids interacting with the bad actor and gets them back online more quickly. As a general rule of thumb, offline backups offer the greatest chance of survival during a cyber incident, because they’re unreachable to the threat actor. Online backups are often also seized or locked up by the threat actors along with your network. The CIR team guides insureds through the entire process of restoring from backup, from negotiation, to testing encrypted data, and finally (if necessary) paying the threat actors for a decryption key to regain control of the network. Remediation is also a time during which CIR will make network recommendations for the future. These may include:
Multi-factor authentication (MFA), the electronic authentication of two or more pieces of evidence in order to be granted access to a website or application
Endpoint detection response (EDR), software installed on all servers and endpoints, designed to stop ransomware and identify unusual behavior in an application
Network segmentation, a strategy that provides limited network access to employees, based on job qualifications, tasks or seniority. This helps businesses reduce network access.
Communicate the technical details. CIR will act as the business’s technical expert during the incident’s communication process. This includes communicating with the bad actors if necessary, but also providing the appropriate technical detail to include in internal and external communications about the incident. For example, depending on the regulatory laws in effect in the states in which the business operates, CIR will provide guidance on what needs to be communicated to anyone with breached data. CIR can also work with the policyholder to provide an accurate understanding of how much the claim will cost based on the remediation necessary and forensic investigation that took place.
Very often during and after a cyber incident, it’s important to engage a special public relations firm that deals with cyber incidents and their crisis communications needs. Coalition’s cyber coverage includes this service, and such a team is engaged if necessary by the CIR team as well.
Coalition Incident Response is active
Coalition’s Active Insurance goes beyond a cyber insurance standard, playing an integrated role in your business’ cybersecurity across its lifecycle. It’s like combining the safety features of a vehicle — reverse backup sensors or automatic braking — with the post-accident coverage.
Coalition's Active Insurance approach consists of Active Risk Assessment, which takes place before the policy is written, Active Protection during the policyholder period, and Active Response, a post-breach response. All three phases of this lifecycle provide a continuous feedback loop of the business’ current risk level and vulnerabilities.
To report a cyber incident, Coalition policyholders can reach CIR here.
To learn more, download the Broker's Guide to Active Insurance.