InfoSec Insider

Cyber Risk Retainers: Not Another Insurance Policy

The costs associated with a cyberattack can be significant, especially if a company does not have an Incident Response plan that addresses risk.

The one-two punch of a cyberattack can be devastating: first the breach, then the related mitigation costs. Implementing a comprehensive Incident Response (IR) game plan for a worst-case scenario should not be a post-breach scramble. And when that IR strategy includes insurance, it also must address a business’s level of cyber risk.

A 2021 study by NetDiligence analyzed over 5,700 claims; the average claim cost for an organization with less than $2 billion in revenue was $354,000, while larger organizations incurred on average over $16 million in costs.

The cost issue is compounded when ransom payments are included in the calculation, since they can significantly increase insurance claim payouts. Unsurprisingly, this trend has led many cyber liability insurance carriers, as well as law firms that specialize in data breaches, to encourage their clients to strengthen their cybersecurity controls and seek more formal relationships with digital forensics and incident response firms.

For most, an IR retainer will be a formal relationship to safeguard the organization if the worst were to happen. It grants firms expedited response under a pre-agreed service level agreement (SLA) and avoids potential delays around legal and financial decisions when every minute counts. It is incredibly valuable in a crisis but offers limited value when the organization manages to avoid incidents.

IR Retainers Shouldn’t Just Be Another Insurance Policy

While the majority of organizations treat the “hardening” of their controls and the search for an IR retainer as separate projects, the biggest value would come from achieving both under a true “cyber risk” retainer. Pure IR retainers typically don’t give security leaders the flexibility to maximize their investment, but when credits may be used toward preparedness, testing, simulations and so forth, cyber risk can be mitigated. There are three key elements to achieving an effective cyber risk retainer: negotiation, structure and execution.

One: Negotiate with Transparency

Identify a firm with experience beyond IR. Are they familiar with incident preparedness needs, such as tabletop exercises, breach and attack simulations, red team exercises, etc.?

If gaps in your essential security controls (e.g., MFA, backups, email hygiene) are identified, would this firm have the capability to assist? If an incident leads to a breach of sensitive data, would this firm be able to help with breach notification needs? Would retainer credits cover the costs?

Once you identify an initial set of firms that can satisfy these criteria, it’s helpful to ask what sort of onboarding is needed. Experienced firms will run a thorough process of learning about the client’s IT security program, including what policies and plans they have, as well as gaining an overview of their IT environment. This leads us to step #2, where the fun starts with structuring retainers based on key requirements.

Two: Structure Retainers According to Your Security Strategy

Retainer structuring begins with mapping out the most effective allocation of retainer credits.

A cost estimate should be given for common IR scenarios (ransomware and Business Email Compromise, for example), and that estimate becomes a set percentage of the retainer.

The remaining retainer allocation should be mapped to your security strategy. Perhaps the organization is moving to the cloud and will need to deploy MFA to Azure Active Directory, for example. A portion of the retainer could be set aside for penetration testing that can identify MFA weaknesses. Simulations and tabletop exercises that are specific to the industry and/or risk appetite should also be conducted to ensure everyone from executives and PR to compliance teams is prepared should the worst happen.

Three: Execute with Guidance from Your Retainer Partner

The best cyber risk retainers are collaborative exercises. Keeping in constant contact with the retainer team can provide you with frontline threat intelligence and analysis of complex security issues being faced by organizations like yours. This ensures that investment is well targeted to the areas of potential vulnerability that today’s threat actors actually exploit.

With most infosec teams critically understaffed, those in your retainer team can become a valuable resource for advising on and prioritizing key cyber resilience issues.

In helping firms to become more secure, retainer teams often also take on the role of project manager. They are in a good position to bring stakeholders to the table, prepare necessary communications and seek appropriate technical permissions.

By encouraging firms to use their excess retainer credits for proactive services, overall cyber resilience will be enhanced. More vulnerabilities and gaps in security policies, processes and technology will be identified. Organizations can do risk assessments, penetration tests and tabletop exercises, ensuring that security is not only improved but that the wider business is assured of its maturity.

An additional benefit of a longer-term retainer relationship is that the cyber practitioners are afforded the opportunity to learn about a client’s cybersecurity program and the context in which it exists. Knowing the various policies and processes in place, the toolsets that are deployed, and the configurations in the client’s network can become vital contextual intelligence. With this in-depth knowledge, if a client suffers a cyberattack, its on-hand practitioners will already have a solid understanding of the client’s IT environment, which will allow them to expeditiously contain and remediate the issue.

In an ideal world, incident preparedness and response should be tightly intertwined. True cyber risk retainers allow organizations to do this in a way that not only improves resilience in theory, but equips teams with the practical intelligence to do the very best job they can, both in a crisis and in a business-as-usual environment.
