Understanding Cyber Readiness

Understanding Cyber Readiness

In the event of a Cyber-attack you may ask yourself:

• W ill everything work when the company needs it to?

• How do I know whether my company is prepared?

• Have I thought about everything?

Being able to confidently describe one’s company as “Cyber Ready” is certainly stressful, and one of the most demanding challenges a CISO/ Risk Manager faces.

Picture this:

After months or years of investment and implementation of technical controls and new policies, evaluating how the company will respond in the face of a Cyber incident, is the last step… the “Final Judgement”.

Finding out whether the plans put in place will be efficient in mitigating potential exposure, is the ultimate moment of truth; the test that will validate the significant investment you the CISO/Risk Manager recommended.

A Cyber incident brings with it a significant amount of stress that impacts across the organisation. The executive team, employees, board members, business partners, regulators and media, will be turning to you for explanations. They will want reassurance that the situation is under control and will want to know when they can expect to return to business as usual. Being confident that you are “Cyber Ready” will help reduce the amount of stress your organisation will undergo in the event of an incident.

According to the latest IBM Cost of a Data Breach Report 2024, Incident Response planning is a key element to consider.

The study shows that longer breach lifecycles led to higher costs.

Longer breach lifecycles led to higher costs

In this year’s report, researchers found data breaches with a lifecycle exceeding 200 days had the highest average cost, at USD 5.46 million, compared to breaches with lifecycles under 200 days. These findings are consistent with those from the previous year. Notably, while costs for longer data breach lifecycles increased 10.3% this year over last year, costs for shorter lifecycles also increased, but by a smaller amount, 3.6%. See Figure 1.

Source:IBMCostofaDataBreachReport2024

The IBM report also highlights the fact that Incident Response (IR) Planning is among the top 5 element that help decrease the average breach cost.

Figure 2. Cost difference from USD 4.88M breach average; measured in USD

Employee training

AI, machine learning driven insights

Security information and event management (SIEM)

Incident response (IR) planning

Encryption

Threat intelligence

DevSecOps approach

IR team

Identity and access management (IAM)

Proactive threat hunting

Security orchestration, automation and response (SOAR)

Insurance protection

Offensive security testing

ASM

Endpoint detection and response tools

Gen AI security tool

Data security and protection software

Board-level oversight

CISO appointed

Managed security service provider (MSSP)

Source:IBMCostofaDataBreachReport2024

Looking at the evolution of the Cyber threat landscape and current incident trends, it is now becoming obvious for the CISO/Risk Manager duo, that they will face an incident sooner or later. As a Cyber incident can happen at any time, it is crucial for companies to prepare in advance and get the business on a footing where it can be ready to withstand and respond to it successfully.

But what does it mean to be “Cyber Ready”?

A succinct definition of readiness would be the state of being fully prepared for an occurrence.

From a more philosophical point of view, it also implies not only the willingness to act in the event of an occurrence but also an acceptance of the fact that an event will occur. This willingness to accept your fate and to know that, despite all your best efforts to secure and protect, something will happen is readiness. When the event occurs all our preparations will be tested

In the context of cybersecurity, readiness is specifically about identifying, preventing, and responding to Cyber threats.

How does one become “Cyber Ready”?

Where should we start building this last bastion against online threats?

Throughout this white paper, we will help you identify threats by exploring the threat landscape offering our analysis of the threats or threat level; we will offer best practices in prevention that will help mitigate risks as well as practical tips to help keep a business resilient from a Cyber-attack; but ultimately we want to drill all the way down to the most important aspect of readiness which is response

How to make a company “Cyber Ready”

When discussing Cybersecurity readiness, the focus is typically on identifying, preventing, and responding to Cyber threats. While every aspect of a defence strategy is crucial, this white paper zooms in on the response component, underlining its significance in enhancing a company’s capability to mitigate and recover swiftly from Cyber incidents.

The journey to effective Cybersecurity readiness is ongoing and requires constant vigilance, improvement, and adaptation to new threats. By focusing on thorough asset identification, dynamic response planning, comprehensive training, and continuous monitoring, organisations can create a robust Cybersecurity framework that adapts to the changing threat landscape.

Five Key Questions for Readiness

1. W hat are our most critical assets and how are they protected?

Companies should start defending their organisation by identifying which assets are vital to their operations causing significant disruption or reputational damage if compromised. These assets typically include sensitive customer data, intellectual property, financial information, and essential operational technology. Once identified, the protection mechanisms for these assets - encryption, access controls, and regular security audits - should be evaluated for adequacy and effectiveness based on potential threats and vulnerabilities. A key criterion for this is whether it is possible to reach the application from outside the organisation’s network, which can be checked through regular penetration tests.

2. I s our incident response plan clear and comprehensive?

A robust incident response plan should not only be clearly written but also comprehensive, covering all potential scenarios and detailing specific steps for containment, eradication, and recovery. It should clearly define roles and responsibilities, communication protocols, and escalation paths. The plan should also integrate well with business continuity plans and other organisational procedures to ensure minimal disruption to business operations during a Cyber incident.

3. H ow frequently do we test our response capabilities?

Regular testing of the incident response plan is essential to ensure it remains effective and that employees are familiar with their roles in an incident. This testing can be conducted through tabletop exercises, simulated attacks (such as red teaming, explained below), and live drills. Each test should be followed by a review session where the response is evaluated, and improvements are made. These exercises help identify gaps in both the plan and the team’s response capabilities.

4. Are our employees adequately trained to identify and report Cyber threats?

Continuous employee training is critical, as the nature of the Cyber threat continues to evolve at a rapid pace. Training programmes should include awareness of current Cyber threats, the importance of following company security policies as well as the procedures in place for reporting suspicious activities. Phishing simulations and other practical exercises can reinforce learning and help assess the effectiveness of the training.

5. H ow do we keep abreast of the latest Cyber threats and defensive strategies?

Staying up to date with the latest Cybersecurity trends and threats can be achieved in several ways. Subscribing to threat intelligence feeds, participating in Cybersecurity forums, attending industry conferences, and engaging with Cybersecurity thought leaders are all effective strategies. Additionally, companies should consider partnerships with Cybersecurity firms that can provide expert insight and solutions tailored to their specific industry and threat landscape.

The journey to effective Cybersecurity readiness is ongoing and requires constant vigilance, improvement, and adaptation to new threats.

Where

Asset Identification and Risk Assessment

The foundation of being Cyber Ready begins with conducting thorough identification and classification of the organisation’s assets, followed by a comprehensive assessment of the risks they may face. It is crucial that companies understand, in addition to the nature of their assets - be they physical devices, intellectual property, or sensitive data - the specific threats to which each type of asset may be susceptible. This assessment forms the basis for all subsequent Cybersecurity efforts, tailoring the approach to the unique contours of the business’s digital and physical footprint.

Dynamic Incident Response Planning

While traditional incident response plans provide a framework, they must evolve continuously to address emerging Cyber threats and incorporate new technologies. An effective incident response plan is not a static document but a living strategy that includes clear procedures for addressing various types of Cyber incidents. This plan should detail steps for containment, eradication, recovery, and post-incident analysis. To ensure its relevance and effectiveness, the plan should be reviewed and updated regularly, incorporating insight from recent security incidents and emerging threat intelligence.

To enhance the resilience of incident response strategies, it is critical to integrate third-party risk management into the broader security framework. This integration should begin with a thorough assessment of all vendors based on the extent and sensitivity of the access they have to the organisation’s systems and data. It should also categorise vendors according to their risk level and how critical their services, which in turn dictates the rigor of the monitoring and compliance standards applied to them.

Comprehensive Employee Training

Employees are often the front line of Cybersecurity, making their capability critical to the organisation’s overall security. A robust Cybersecurity training programme should go beyond basic awareness, educating employees on specific Cyber threats such as phishing, social engineering, and safe internet practices. Training should be an ongoing process, adapting to

new threats and reinforcing key concepts on a regular basis. Training that is engaging and practical can significantly enhance an employee’s ability to recognise and properly respond to Cyber threats, potentially stopping Cyber incidents in their tracks, before they escalate.

Formation and Empowerment of a Cybersecurity Response Team

The establishment of a dedicated Cybersecurity response team is critical to manage and mitigate incidents swiftly and effectively. This team should have well-defined roles and responsibilities, including the authority to take quick decisions in a crisis. Regular training drills should be conducted to test the team’s readiness and the practicality of the incident response plan. These drills will help to identify gaps in both the team’s and the organisation’s response strategies, providing a crucial feedback loop for continuous improvement.

Continuous Monitoring and Improvement

In today’s dynamic Cyber threat landscape, continuous monitoring of the organisation’s Cybersecurity posture is essential. Using advanced monitoring tools allows an organisation to detect potential vulnerabilities and threats in real-time. These tools can provide actionable insights that help refine and improve security strategies, ensuring that defences keep pace with evolving threats. Moreover, the continuous monitoring approach extends to all aspects of the Cybersecurity framework, from network traffic and anomaly detection, to access controls and endpoint security.

Regular Security Audits and Use of Security Ratings

Regular security audits help organisations assess the effectiveness of their security measures. While traditional audits provide a snapshot in time, continuous security ratings offer a dynamic view of an organisation’s security posture. Like a credit score, security ratings provide a quantifiable metric that organisations can use to measure their Cybersecurity health against industry standards and best practices. This approach helps to quickly pinpoint vulnerabilities and assess the effectiveness of current security measures in near real-time.

Key Elements to Cyber Readiness

Business Continuity Planning (BCP)

Business Continuity Planning (BCP) is the process of creating and documenting strategies to ensure essential business functions are maintained during and after a disaster or disruption, including Cyber incidents.

Technical Tips

• Conduct a Business Impact Analysis (BIA) to identify critical systems, processes, and dependencies.

• Establish Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for key systems and business processes based on the results obtained from the BIAs.

• Implement redundant infrastructure, failover mechanisms, and alternative communication channels to minimise downtime.

• Develop a detailed plan outlining procedures for response and recovery in the event of a Cyber incident or other disruptions. (This includes identifying key personnel, establishing communication protocols to ensure that key stakeholders are informed of the situation, and outlining the steps to be taken to restore business operations).

• Regularly review and update the BCP to reflect changes in the organisation’s infrastructure, processes, and threat landscape.

• Test the BCP through simulated exercises and table-tops to identify weaknesses and areas for improvement to ensure that the BCP remains effective, and the organisation is prepared for any potential disruptions.

Backups

Backups involve creating and storing copies of data to restore it in case of loss, corruption, or unauthorised access, serving as a crucial component of disaster recovery and ransomware mitigation strategies.

Technical Tips

• Implement a robust backup strategy that includes regular, automated backups of critical data and systems. Backups should be performed according to the RPO.

• Follow the 3-2-1 backup policy: Keep at least three copies of data stored on two different types of media, with one copy stored offsite.

• Encrypt backup data both during transmission and storage to protect it from unauthorised access and to ensure data confidentiality.

• Implement immutable backups to prevent unauthorised modifications or deletions, ensuring data integrity and resilience against ransomware attacks.

• Regularly test backups for reliability, completeness, and recoverability, including periodic restoration drills and integrity checks.

Penetration Testing

Penetration testing (pentesting) involves simulating Cyberattacks to identify and exploit vulnerabilities in systems, networks, or applications, providing valuable insights into an organisation’s security posture.

• White Box Pentesting: This involves testing a system or network with full knowledge of the system’s design and configuration.

• Grey Box Pentesting: This involves testing a system or network with limited knowledge of the system’s design and configuration.

• Black Box Pentesting: This involves testing a system or network without any knowledge of the system’s design or configuration.

Technical Tips

• Conduct regular penetration testing using a combination of the three testing methodologies to assess different levels of access and knowledge.

• Narrow the scope of the pentests according to what is strictly needed (e.g., specific application, system, network, etc.).

• As per best practice, perform pentests before going into production.

• Ensure testing is conducted by qualified and experienced professionals.

• Document and prioritise findings based on their severity and exploitability and remediate vulnerabilities promptly to reduce the risk of exploitation.

Internal Security Teams

Internal teams should be established to test and improve the organisation’s Cybersecurity readiness. In addition, proactive threat hunting activities and the implementation of external ‘bug bounty’ programmes can help boost an organisation’s Cyber readiness.

• Red Team: A team of offensive security professionals responsible for simulating Cyber-attacks to test and try to break into the organisation’s defences.

• Blue Team: This team is responsible for defending against Cyber-attacks and improving the organisation’s Cybersecurity posture.

• Threat Hunting: is a proactive Cybersecurity practice that involves actively searching for signs of malicious activity or security vulnerabilities within an organisation’s networks, systems, and endpoints. The goal of threat hunting is to identify and mitigate threats that have bypassed existing security controls or have not been detected by automated security solutions.

• Bug Bounty Programme: This is a reward programme that incentivises individuals to identify vulnerabilities in the organisation’s systems or networks.

Technical Tips

• Establish clear roles and responsibilities for red teams (offensive security) and blue teams (defensive security) within your organisation. When internal resources are not available, these functions can be outsourced.

• Encourage collaboration and knowledge sharing between red and blue teams to improve detection and response capabilities.

• Provide adequate training and resources to internal teams and bug bounty participants to enhance their effectiveness in identifying and addressing vulnerabilities.

• Implement bug bounty programmes to crowdsource security testing and vulnerability discovery, leveraging the expertise of external researchers.

A Panel of Experts Ready to Go

This panel should include individuals with expertise in Cybersecurity, legal, public relations, and other relevant areas that can provide specialized assistance and guidance during a Cyber incident.

Technical Tips

• Identify and establish relationships with Cybersecurity experts, incident response firms, and legal counsel in advance to ensure timely access to expertise when needed.

• Develop and maintain a communication plan with contact information and escalation procedures for engaging the panel during Cyber incidents, with clearly defined roles and responsibilities in place.

• Involve the panel in tabletop exercises and simulations to familiarise them with the organisation’s environment and incident response processes.

• Regularly review and update the panel based on changes in the organisation’s risk profile, threat landscape and cybersecurity needs.

Maturity Assessment

Regularly conduct maturity assessments to measure the organisation’s Cybersecurity readiness. This can be done using Cybersecurity frameworks such as NIST or CIS with assessments conducted regularly to identify and address vulnerabilities before they become active threats.

Incident Response Plan (IRP)

An Incident Response Plan (IRP) outlines the steps and procedures to follow when responding to a Cybersecurity incident, including how to detect, contain, mitigate, and recover from the incident.

Technical Tips

• Clearly define roles and responsibilities for members of the incident response team, including incident coordinators, analysts, and communication liaisons.

• Establish communication protocols and escalation procedures to ensure key stakeholders are informed of the situation and of the steps being taken to address the incident. (Include contact information for internal stakeholders, external partners, and regulatory authorities).

• W ithin the IRP, develop specific playbooks for different types of incidents, such as ransomware, data breaches, or DDoS attacks.

• Regularly review, test and update the IRP based on lessons learned from incident response exercises, threat intelligence, and post-incident analysis.

• Integrate the IRP with other Cybersecurity processes and systems, such as threat intelligence, logging and monitoring, and forensic analysis tools.

Security Awareness Training

Security awareness training educates employees about Cybersecurity risks, best practices, and the policies in place to reduce the likelihood of a security incident arising from human error.

Technical Tips

• Provide regular security awareness training sessions covering core Cybersecurity principles and hot topics. (Examples include phishing awareness, password hygiene, social engineering tactics, data protection principles, secure remote work practices and secure online shopping).

• Tailor training content to different roles and departments within the organisation to address specific security concerns and requirements.

• Utilise interactive training methods, such as simulated phishing exercises, gamified learning platforms, and scenario-based simulations, to engage employees and reinforce learning objectives.

• Track and analyse training metrics to identify trends, gaps, and areas for improvement in the organisation’s security culture and awareness program. (This can be measured via click-through rates on simulated phishing emails, completion rates for training modules, and improvements in security behaviours).

Assessing the Level of Readiness of a Client (Underwriting Questions)

Business Continuity

Criticality Scale:

Have you defined a business continuity or disaster recovery plan which is aligned with your Business Impact Analysis and tested at least annually?

• Assessing the existing process. BCP/DRP is necessary to understand whether the client considers the risk of IT unavailability.

• Assessing the level of compliance with regulation. Some regulations like Bale II or DORA for the financial industry require the implementation of a BCP.

• The frequency of testing shows whether it is a continuous process.

• Implementing a BCP/DRP assumes the client has created a BIA, and so is completely aware of its critical assets.

• A BCP/DRP which is completely aligned with a BIA and tested annually could have an impact on how we calibrate the waiting period for the Business Interruption coverage.

Criticality Scale:

Have you defined a Return Time Objective (RTO) and Return Point Objective (RPO) for all your IT assets related to business-critical functions?

And if yes, could you please share these figures?

What is the frequency of your backup policy? Is it aligned with your RPO?

Does your organisation conduct the following backup policies:

• Online backup stored offsite?

• Online backup stored onsite?

• O ffline backup stored onsite?

• O ffline backup stored offsite?

• Encrypted backup?

• Immutable backup?

Assessing the client technology dependency.

• A n RTO close to 0 hours means there is a high IT system dependency which is critical for the client business.

• A n RPO close to 0 hours means backup frequency should be full and in real-time. So, the minimum backup policy we should expect from the client is in real-time or a daily backup.

Assessing the balance between the RPO and the backup policy.

• Backup frequency should be less or at least equal to the RPO.

• (Understanding the recovery ability of the client and the way he can recover efficiently).

• Defining RTO and RPO shows the client awareness of critical asset protection. It allows the client to anticipate and prepare the recovery plan.

• A low RTO and RPO means a huge resource allocation to restart the activity.

• RTO can allow us to define the waiting period for BI but must be put into perspective with other security controls.

• The choice of the backup policy should depend on the RPO value.

• Online backups are not considered the best option considering the Cyber threat landscape especially with ransomware intensity. Immutable backup is now the best solution available on the market to prevent crypto locker threat.

• L ack of offline and/or immutable backup could impact the limit of coverage offered or at least sublimit the ransomware coverage.

• The BI coverage is considered as the biggest exposure when there is a lack of backup policy.

Criticality Scale:

Do you have a formally documented incident response plan supported by a dedicated team?

Have you performed a tabletop exercise with your incident response plan team?

Have you involved third-party forensics in your incident response plan process?

Have you tested your incident response plan process with a red teaming exercise?

Business Continuity

Criticality Scale:

Questions

Have you implemented the following mechanisms to prevent your IT system breakdown / disruption following human error or a malicious attack?

• Disk mirroring

• Redundant servers

• Load balancing servers

• Mirror site, hot site warm site or cold site

• Understanding if there is a team in place to intervene in the first minutes following the Cyber incident.

• Understanding if the client has ever simulated a Cyber crisis to be prepared in case of an incident.

• Red teaming exercise is a way to test the effectiveness of the company’s incidence response plan.

• A detailed incident response plan could provide underwriters with sufficient reason to apply a positive decreasing coefficient to the premium.

• Cyber insurance coverage offers crisis management services including forensic partners. We may preapprove the client’s forensics service providers in case of incident.

• Understanding the fault tolerance. The backup site classification should depend on the level of the defined RTO.

• A low RTO should bring the client to consider a warm or cold site as minimum.

• System Failure coverage is not considered to be standard coverage that a Cyber insurance contract should cover. However, insurers are going further offering this coverage.

• Having technical business continuity controls in place should give enough comfort for insurers to consider offering this coverage or not, with the full limit or sublimit.

Conclusion

In the moment of truth, no risk manager, CISO or CIO ever wants to be unprepared. Readiness, even in its most basic form, is a crucial element of any successful Cybersecurity strategy.

Getting started on the development of that strategy can be a daunting task, even for the most experienced operators, but the only way to build effective protection, is to make a start somewhere.

As this paper makes clear, the Cyber landscape is largely hidden from view, incredibly complex and riddled with active threats to business. But there are a huge range of measures – both simple and complex – that a business can take to bring clarity to that landscape and to reduce the risks it poses.

Companies are like ‘living entities’, constantly evolving with the introduction of every new product, service, process or tool that is introduced and when new locations are established and new territories explored. As such, any readiness strategy must be flexible and adaptable enough to match the evolution of a company’s risk profile.

And businesses should be prepared for their strategy to be questioned and tested, particularly by underwriters. They will probe and explore every corner– not to pick holes but rather to understand how robust it is and, by extension, how well a business’ risks are being managed.

Embrace this engagement and be proud of any measures that have been implemented so far. Share the story and explain the journey the business has been on, as this will allow the underwriter to become better acquainted with the risks and the business’ ability to manage them. It is only by being open and honest about a business’ current state of readiness that insurance can deliver full value.

It is a complex and sometimes frightening landscape for businesses to navigate but as we all know, ignoring a problem will not “make it go away”. The best defence a business can implement against Cyber threats is to start becoming Cyber Ready today, engaging with the risk, exploring exposures and seeking out professional support where needed to protect the business for the long term.

of Cyber International

Cyber at Tokio Marine HCC

Tokio Marine HCC has been innovating in Cyber Liability Insurance worldwide, for over 20 years. Our dedicated global team is made up of cyber insurance and in-house claims experts with deep industry knowledge and a wealth of cyber security experience. We promote active knowledge exchange, making us a global leader when it comes to cyber risk, while keeping you at the forefront of emerging threats on the ever-evolving cyber landscape.

From offices in the U.S., our cyber team insures US-domiciled businesses, with a focus on the small- to mid-sized segment, as well as individuals concerned with protecting their family, home and privacy from cyber threats.

From Europe and the U.K., our team concentrates on mid- to large-sized businesses domiciled anywhere outside of the U.S. In addition, we leverage our in-house cyber expertise to enhance other Tokio Marine HCC insurance coverages, letting you take on risk with confidence.

Learn more about Cyber at Tokio Marine HCC by visiting tmhcc.com

Follow us on LinkedIn: #TMHCC_Cyber

Contact us

Barcelona

Tokio Marine EuropeSpanish Branch

Torre Diagonal Mar

Josep Pla 2, Planta 10 08019 Barcelona, Spain

Tel: +34 93 530 7300

Fax: +34 93 530 7301

London

HCC International

Fitzwilliam House, 10 St. Mary Axe

London EC3A 8BF, United Kingdom

Tel: +44 (0)20 7648 1300

Fax: +44 (0)20 7648 1301

Lloyd’s Box 252, Second Floor

A member of the Tokio Marine HCC group of companies

Munich

Tokio Marine Europe - German Branch

Rindermarkt,16 80331 Munich

Germany

Tel: +49 89 3803 4640

Tokio Marine HCC is a trading name of HCC International Insurance Company plc (HCCII), Tokio Marine Europe S.A. (TME) and HCC Underwriting Agency Ltd (HCCUA), members of the Tokio Marine HCC Group of Companies.

HCCII is authorised by the UK Prudential Regulation Authority and regulated by the UK Financial Conduct Authority and Prudential Regulation Authority (No. 202655). Registered with Companies House of England and Wales No. 01575839. Registered office at 1 Aldgate, London EC3N 1 RE, UK. TME is authorised by the Luxembourg Minister of Finance and regulated by the Commissariat aux Assurances (CAA); registered with the Registre de commerce et des sociétés, Luxembourg No. B221975 at 26, Avenue de la Liberté, L-1930, Luxembourg; Operating through its Spanish Branch, domiciled at Torre Diagonal Mar, Josep Pla 2, planta 10, 08019 Barcelona, Spain, registered with the Registro de Entidades Aseguradoras de la Dirección General de Seguros y Fondos de Pensiones under the code E0236, VAT number in Spain (“N.I.F”) W0186736-E, registered with the Registro Mercantil de Barcelona, at volume 46.667, page 30, sheet number B-527127, registration entry 1; and through its German Branch, domiciled at Berliner Allee 26, 40212 Düsseldorf, Germany, registered with the Handelsregister beim Amtsgericht Düsseldorf under the number HRB 84822, authorised by the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) under the number 5217 VAT ID No: DE320932530. We have authority to enter into contracts of insurance on behalf of the Lloyd’s underwriting members of Lloyd’s Syndicate 4141 which is managed by HCCUA.

The policyholder will always be informed of which insurer in our group will underwrite the policy according to jurisdiction. Not all coverages or products may be available in all jurisdictions. The description of coverage in these pages is for information purposes only Actual coverages will vary based on local law requirements and the terms and conditions of the policy issued. The information described herein does not amend, or otherwise affect, the terms and conditions of any insurance policy issued by Tokio Marine HCC Group Companies. In the event that a policy is inconsistent with the information described herein, the language of the policy will take precedence.

Understanding Cyber Readiness*09/2024 Email us on: cyber@tmhcc.com