
Organizations are increasingly using technology to assist and enhance nearly every aspect of their business. The upside of this trend is that companies are operating more efficiently and can adapt quicker than ever. Unfortunately, this has also created more opportunities for cyber criminals seeking to exploit vulnerabilities. It's becoming more evident that every organization will be targeted at some point, if it has not happened already. When a cyber-attack does occur, things happen quickly, and the response needs to be swift in order to mitigate the potential damage. Having a clear understanding of the events that take place in the hours, days and weeks after a cyber incident will help support any insurance claim that is ultimately presented. Having a detailed timeline of important milestones can help explain why certain expenses were incurred and, more importantly, how operations were negatively impacted. This is especially critical when a business interruption loss has been sustained and the impacts may extend beyond an obvious period of disruption.
Compared to traditional property claims, cyber claims are much shorter in nature. However, it is not uncommon for the claim process to still take three to six months, or even stretch into multiple years in some instances. Over that time, people will forget exactly what happened, and the personnel involved in the loss may no longer be around. For those reasons, it is absolutely vital that organizations begin to memorialize the timeline of a cyber incident without delay in as much detail as possible. Here are some tips on what type of information to capture throughout the lifecycle of a cyber incident.
The 1st Day - Track Milestones on an Hourly Basis
If it's possible, the exact time that the cyber incident began and was discovered should be recorded. Many policies have a "waiting period" which requires a disruption to last longer than a minimum amount of time (e.g. 8 hours) before the insurance coverage will respond. Knowing the time when the incident started will mark the point in time at which the waiting period begins and from which any losses can start to be measured. The difference between an event starting on a business day or a weekend day can result in significantly different levels of recovery on a business interruption loss. (We touched on this subject in a previous blog post.)
Take care to note all actions taken on the first day on an hourly basis including when communications, both internally and externally, were sent. After the insurance broker, insurance carriers are often one of the first parties to be notified. By putting the carrier on notice, policyholders gain access to the valuable resources that carriers have lined up to respond quickly and efficiently.
If vendors are engaged as part of the incident response, such as a breach coach or a forensic IT firm, track their activity and progress.
The 1st Week - Track Milestones on a Daily Basis
As the event continues to unfold, be sure to track what is happening from an operations perspective. Which systems have been impacted across the organization? Are impacts limited to a specific geographic region or business unit, or is the entire business affected globally? Usually, the full scope of a loss is not known for at least a few days, or weeks, as all areas of an organization are reviewed for potential exposure to the cyber incident.
Customers may be notified and the ability to deliver services or products may be disrupted. Any communications or material impacts from a customer perspective should be collected and saved.
It is likely that your workforce is unable to perform their work in a normal manner. Track the specifics on how their roles are being impaired. For example, can work product or important client data be accessed by the team? What about financial records or the CRM system? Understanding the specific disruptions to operations will help to support any business interruption claim that will be presented. It's quite common that after a cyber-attack, organizations fall back on more manual methods of working which can cause productivity losses.
What recommendations and advice are being provided by the vendors engaged as part of the incident response? Documenting what the professionals are suggesting can help to support a recovery of the expenses incurred after a loss.
The 1st Month - Highlight Important Milestones
Within the first month, it is very common that an incident has been identified, a response plan has been activated and the actual incident itself may be over. For example, if an organization has sustained a ransomware attack, the negotiations with threat actors tend to progress rapidly and ransoms are often paid within a few weeks after the initial ransom demand. However, the negative impacts of a cyber-attack can extend beyond the immediate aftermath. Customers may be slow to return or may have taken their business elsewhere.
As the response to the incident is deployed, it will be important to note when critical systems are brought back online. It is recommended to track each system separately, such as email, ERP, CRM, and certainly any business-critical software or systems that were disrupted by the incident.
Month 2 & Beyond - Identify Any Lingering Impacts and Progress
By this point, hopefully the majority of the impacts from the cyber incident are known. However, if the organization is still recovering, all important milestones should continue to be recorded. These include:
The date(s) when systems have been completely restored and are reliable
The date(s) when data is available and accessible
The date when operations are restored to their normal levels
The date when the financial impacts from the incident are no longer material or have ended
Determining when an organization is back to “normal” can be difficult to do. While a specific date may not be identified, the management of an organization should have a sense as to when the negative impacts of the cyber incident are no longer being felt.
When it comes to submitting a cyber claim, the importance of understanding the timeline of events following an incident is paramount to a successful recovery. Organizations should capture as much detail as possible, no matter how insignificant it may seem. It is always easier to pare down information later on rather than trying to go back and uncover important details. Having a reliable timeline will help to tell the "story" of what took place after an incident began. At RCG, we help organizations by connecting the timeline of events to the losses and expenses sustained by organizations, which helps to expedite the overall claim process.