According to Harvard Business Review, more than 80% of organizations report having been the victim of multiple data breaches. A sophisticated resilience plan coupled with a well-structured insurance policy are crucial for dealing with the ever-growing world of cyberthreats. Yet even with comprehensive planning, organizations experiencing a cyber incident still aren’t guaranteed a successful recovery. The best plans in the world require sound implementation to be effective.

So what can organizations do to effectively enact their resilience plans and navigate the claims process to recover well?

• Develop a response playbook to react with an organized speed.
• Begin documenting everything as soon as a breach is discovered.
• Quantify losses, including business interruption and additional expenses related to the incident.
• Structure cyber insurance policies to meet the organization’s needs.

Responding to the Breach

Cyber breaches can play out in different scenarios. Some are direct, where employees attempt to log in to their computers but are met with blank screens and notifications that ransomware has encrypted network files. In an instant, business comes to a halt. Making matters worse, cybercriminals may now have full access to sensitive information, including client and employee personal data, intellectual property, and other internal documents.

Other attacks are more surreptitious, with hackers slowly worming their way into systems and quietly extracting valuable data without anyone aware the network has been compromised. It isn’t always the system that acts as the point of failure. Social engineering attacks rely on employees divulging sensitive information that can be exploited by cybercriminals, granting them access to a company’s network. Regardless of how it occurs, once an organization discovers a data breach, the clock starts ticking.

There are several steps IT teams should take as soon as they become aware of an incident:

• Remove everyone from the system: Security teams need to start by removing everyone from the organization’s network and restricting access to it. While extricating cybercriminals is a logical first step, it’s equally important to ensure employees and other third parties aren’t accessing systems either. As long as people are working within the system, the potential for further damage remains.
• Secure the network: Once system administrators have verified no one is present in the compromised network, then IT needs to establish how the system was breached. According to Tokio Marine Group, almost 70% of ransomware attacks result from software vulnerabilities or brute-force credential attacks. It’s crucial to discover how the breach occurred to stop cybercriminals from replicating the attack.
• Assess the damage: In the process of enhancing network security and patching vulnerabilities, IT also must determine the extent of the damage, including if data was stolen, what it was, and if it can be retrieved.

It isn’t just IT teams who need to mobilize. Based on the roles and responsibilities delegated with an organization’s response strategy, employees need to start documenting key data points to establish a record of loss. This includes business interruptions, additional expenses resulting from the breach, time spent resolving issues, etc.

The Notification Process

Documentation is only part of the process; there are also reporting requirements. Publicly traded companies must file an 8-K form with the SEC within four days of discovering a cyberattack if there are material losses. Even in situations when an 8-K isn’t required, some organizations opt to file one voluntarily.

That transparency illustrates why it’s becoming a best practice for privately held companies to disclose cyber incidents in the same way. Despite whether it’s legally required, the de facto standard across industries is to follow established reporting guidelines and do what any reasonable organization would. Going against what is becoming accepted practice and choosing not to disclose a data breach can have lasting consequences. Those include a loss of brand trust and reputational damage, as well as potential liability to any injured third parties.

Recovering Well

Responding quickly and enacting preplanned strategies in the moment are important, but those are only the first line of defense. Cyber liability insurance remains a critical component of a sound resilience plan and successful recovery, but having a cyber policy isn’t enough. It’s imperative for organizations to understand their policy, including the types of coverage and their limits. An inadequately written policy can lead to unplanned, painful expenses and slower claims resolution.

For example, an automotive services manufacturer suffered a cyberattack that halted production at one of its main facilities. With a response plan in place, the company was able to shift production to other sites and avoid any significant disruption to its overall productivity. But although their response to the incident was effective, they quickly realized their insurance policy wasn’t.

The policy was written in a way that provided high limits for business interruption coverage, which proved unnecessary since it was able to shift production to other facilities. However, their policy wasn’t set up to cover the extra costs incurred from that shift. Simply put, the organization had the right amount of coverage but in the wrong area.

The Importance of Quantification

Even with the proper coverage and limits, insurance companies still require proof of losses suffered. According to a report in Insurance Journal, the average cost of a data breach rose to $4.35 million in 2022, but an insurance company’s valuation can often be lower than the actual loss incurred. That’s where forensic accountants and other claims advisory professionals can assist; they help organizations identify, document, and quantify a dollar value associated with losses. They can also help organizations better understand their cyber insurance coverage and review existing policies for inefficiencies, potentially leading to cost savings and more appropriate coverage.

Coming Out on the Other Side

When organizations take the proper steps to react to a cyberattack, they position themselves to get the most out of their insurance policies. The trouble with the threat landscape is that it’s often not a matter of if a cyberattack will happen again, but when. According to a 2022 report, 83% of surveyed organizations have experienced multiple data breaches, and 60% of them increased the price of their services or products because of the associated impact.

It’s possible to turn the negative consequences of an incident into a positive, though. By digging into the events that lead to a cyber breach and putting together the facts, organizations can enact policies and procedures to enhance their operational resilience and address areas of high-risk exposure that bad actors exploited.

At Cavanaugh & Co, we work with individuals and businesses to help them make smart financial decisions. Contact us today to schedule an appointment.

Written  by Mark Millard, John Petzold and Daniel Healy. Copyright © 2023 BDO USA, P.C. All rights reserved. www.bdo.com