Cyber Insurance versus Incident Response: it’s not the same
The title of this blog is rather indicative of a battle. The term “versus” suggests that doesn’t it?
But this is certainly not my intention. Orange Cyberdefense works closely with insurers, including some well-established partnerships to provide incident response services on their behalf.
We understand one another and we understand that we are here to serve those in need – namely our clients – and that in the end, we want the same thing. Sure, sometimes we don’t agree on everything. You only have to read our blog Is ransomware insurance detrimental to cybersecurity? to understand that.
The point is cyber insurers are not competing with Computer Security Incident Response Teams (CSIRT). So why are they so often pitched in battle? Quite often I hear the question coming back from potential customers of our Incident Response Retainer service “why do I need a retainer when I have cyber insurance?”
Complimentary, not conflicting
Let us look at the objectives here:
- Cyber insurance, like other insurance types, seeks to give businesses a way to ensure that if the worst happens, they can recover some of the cost.
- Our Incident Response Retainer looks to provide rapid, on-demand expertise to act as an emergency service if the customer invokes them.
If we can compare it to another industry – you call the fire brigade and you have insurance against fire. You don’t choose one or the other. If a fire needs putting out, you don’t call the insurance company, but the insurance company does payout (provided you bought the correct coverage of course!).
Okay, so in cybersecurity, the Incident Response teams out there are not a public service. If only they were. But fundamentally the situation is the same. Call in the people to put out the fire, find out how it started and get some advice on how to prevent it from happening again.
A shift in the market
Things are in a state of flux in the cyber insurance market right now. Whereas the value a skilled and trusted CSIRT team can bring remains a constant in the ongoing fight against cybercrime.
Cyber insurance companies are undergoing a rethinking of their policy coverage plans, whether to give up on paying ransoms completely, and look at increasing prices given the sheer number of successful cyber attacks.
The Orange Cyberdefense CSIRT teams are “in the trenches” every day. Called in to stop attackers in their tracks, to work for our customers with the sole goal of minimizing the impact and damage, then evaluating the root causes in order that they leave those customers better prepared than when we found them to deal with such disruptive scenarios.
Isn’t incident response included in my insurance policy?
In many cases, yes it may be. And perhaps this is where the confusion comes. But there are some key points to consider:
- Incident Response Retainers carry an SLA. Cases can be raised and IR specialists can be working on things within a very short time (hours, sometimes even minutes!).
- An Incident Response Retainer will involve some considerable preparation to integrate with wider Security Operations processes, ensuring that you are well prepared for a breach and know when to bring in the cavalry.
- If you are taking a Managed Detection and Response service, this process can be even more integrated as the teams (such as our CyberSOC for example) can have all of the data available for the CSIRT and hand over in a seamless manner if a major incident should occur.
- Cyber insurers will often pay out anyway, as long as the incident is covered by the policy, should a company have an Incident Response retainer in place. Their objective is of course to help cover the financial losses that result from cyber events and incidents and in numerous policies, the presence of a retainer agreement with an external Incident Response provider can bring down the premium of the policy.
- A good Incident Response retainer will let you repurpose unused hours that were pre-purchased so that you can gain some value from the subscription fee, even if the emergency function has not been utilized during the year.
- Selecting a retainer means you get to choose the CSIRT team you are going to be working with. You can assess their credentials, their experience, talk to their other customers – all before an incident happens.
So if you are considering Cyber Insurance and Incident Response requirements, please do consider them. But do not consider them as competition. They are not the same and in fact, they can and do work very well together.