Cyber Response and Insurance
October 22, 2019
Cybersecurity experts say it’s not a matter of if your system is attacked: it’s a matter of when. In the spirit of hoping for the best, it’s sound policy to plan for the worst. Two things that can help you do this are (1) an emergency plan for an attack or breach, and (2) the right insurance coverage.
In this post, we’re concerned with planning for a system attack. Many cities and counties have begun to include a cyberattack annex in their comprehensive emergency management plans (CEMP). Plans with detailed specifics on cybersecurity are kept secure by most jurisdictions and are not publicly available, nor are entities willing to share their plans. Because of this and because each jurisdiction is unique, the guidance here is largely around form and process to help develop plans and procedures that can be modified for your staffing levels.
Form a technical incident response team, led by an incident response commander
If your jurisdiction has a chief technology officer, or head of IT/IS, you may want to designate that person to be your incident response commander. In some jurisdictions, IT personnel are part of Administrative Services or the Finance Department; in others, they may be part of the Mayor’s Office or the City Manager’s Office. In such cases, the department head may already be tasked with a position on the CEMP incident response team and you will want to decide whether that will be the case for a cybersecurity incident as well.
If your team is small, or a one-person department, you may be able to form a small incident team made up of staff from other areas to handle the early stages of an event. Small entities should decide in advance whether to enlist outside expertise during an event, rather than trying to find help mid-incident. MRSC’s Rosters program has a list of IT consultants that can help develop your plans or may be able to assist you with a cybersecurity incident.
How do we know we have an ‘incident’?
This may seem like an odd question, but cyberattacks can be like strokes or heart attacks: the sooner you identify the problem and get help, the higher your chances of survival and recovery. Discovery of a breach or attack should be reported immediately, but how and to whom? The Pierce County Response and Incident Management Plan and Procedures is an editable template document with a flowchart for cybersecurity event response (page 16). It also has a succinct procedure with a chain of communication and reporting, from discovery of a breach to escalation as an incident requiring an emergency response. You can encourage reporting by making it clear and simple for staff to contact the right person quickly.
Determine roles and responsibilities
The sample annex from the City of Bothell includes a Concept of Operations section that details the services and systems it provides to all city departments and a list of contracted services and work. The Information Services Department is named as the lead department for major cyber incident response, and the Executive Department serves as lead for managing consequences outside of the effects on computers and servers. The Police Department serves as lead for any resulting criminal investigation within the city’s jurisdiction. Each of these groups has a list of entities that they serve as liaison to, which will be useful in developing a communications plan.
Develop levels of response
The Center for Internet Security’s CIS Controls V7.1 is a set of basic, foundational, and organizational controls to protect against, detect, and respond to cyber incidents. The controls are scalable depending on the size of your organization. CIS Control 19 on page 65 covers incident response and management and serves as a framework for writing control policies relevant to your organization’s size and maturity. Each control details what it addresses and why it is critical. The entire publication is worth review and can help you assess and plan according to your staffing and circumstances, but Control 19 in particular will help you define levels of response appropriate to whatever staffing you have. The document is licensed under Creative Commons.
Training and practice for responding
The Washington Military Department offers training and exercises on cyber incidents and attacks. Upcoming courses include: Recovering from a Cyber Incident, Community Preparedness for Cyber Incidents, and Understanding a Targeted Cyber Attack. All courses take place at the Emergency Operations Center in Tacoma.
There are tabletop exercises from the Washington State Office of CyberSecurity that can help you think about and work through cybersecurity incidents. Each exercise has a guide to help the team through a discussion of the scenario. There’s an option to have someone at the Consolidated Technology Services Security Operations Center facilitate the exercise with your workgroup upon request.
Pierce County held a tabletop exercise in October 2018 designed to validate its cybersecurity incident response plan and improve its cyber incident annex. The presentation from that 5-phase exercise lays out a cybersecurity scenario that escalates in scope and severity. Each section includes a description of the phase and questions for participants. This scenario raises important questions about how to respond to each phase of the incident and can be another guide in developing your response plans by working through the questions posed in the scenario.
A note for emergency call centers
As public safety answering point (PSAP) systems are upgraded to Next Generation 911 in Washington State, these emergency call centers will have new security risks to contend with that didn’t exist in the analog system. PSAP operators and administrators may need extensive training in using the Internet Protocol (IP) platform and technology securely. The National 911 Program website hosts information on policies and implementation guides, training opportunities, fact sheets and newsletters, and reports and studies.
The Office of Emergency Communications offers Cyber Risks to Next Generation 9-1-1 (NG9-1-1), a publication that explains the risk landscape, describes the NG9-1-1 cyber infrastructure, and provides a sample risk assessment plan. Mitigation strategies and response and recovery actions outline potential actions to secure and recover capabilities and services affected in a cybersecurity event. Appendix A is a list of resources for NG9-1-1 administrators and staff.
Insurers like the Washington Counties Risk Pool have resources and assessments for incident readiness, phishing, incident response policy review, and social engineering that can help you prevent and prepare for a cyber incident, but do you know if your jurisdiction has adequate insurance coverage? In a presentation at a recent conference of the Washington Finance Officers Association, the Washington Counties Risk Pool recommended asking your insurer the following questions:
- What first-party coverage do we have?
- What third-party coverage do we have?
- What are the per-claim and aggregate limits?
- Does our policy include data breach response, such as crisis management and notification support?
- Is it a deductible or a Self-Insured Retention (SIR)?
- Do expense costs erode the deductible or the SIR?
- Does the policy pay for the payment of ransom in a cyber extortion incident?
- Is social engineering covered and, if so, do conditions apply?
- Do we have a retroactive date?
- Do we have claims-made or per-occurrence coverage?
- If it is claims-made, when is a claim considered “made,” and is there an extended reporting period?
- What is the definition of occurrence?
- Who qualifies as an “Executive Officer” for claim reporting purposes?
Getting answers to these questions will help you formulate your response plan: you will know who should report the claim, how expenses should be tracked, and what expenses may be claimed. Understand what sublimits are and how they work. Understand also the difference between cyber coverage and crime coverage; specifically, which types of events are considered crimes and which are cyber incidents, and how reporting and claims differ for each.
Does your cyber policy have a condition that limits coverage for incidents resulting from Social Engineering? For example, it may have a condition that says it “applies only if the insured verifies the instruction to transfer money or securities by following a pre-arranged callback or other established procedure to authenticate the validity of the request prior to transfer.”
Beware of social engineering, and make sure you have coverage
In insurance terms, social engineering is the transfer of money or securities to an account outside the insured’s control, pursuant to instructions made by a person purporting to be an authorized employee, provider, or customer of the insured. Because an authorized employee actually makes the transfer, insurers do not consider these incidents ‘direct’ fraud, and they may not be covered by a crime policy. Furthermore, traditional crime policies often exclude losses incurred when someone on staff acting with authority ‘voluntarily’ gives up company property, so watch for a ‘voluntary parting’ exclusion. Depending on policy wording, an incident that results from social engineering may fall under a cyber policy, a crime policy, or neither, which is why it may present the biggest potential gap in your coverage.
Social engineering attacks are currently on the rise in local governments, so this is a coverage area that you will want to understand well. Your insurer or pool may offer cyber coverage only on a limited basis. Make sure you ask the list of questions provided and get specifics on social engineering coverage.
MRSC is a private nonprofit organization serving local governments in Washington State. Eligible government agencies in Washington State may use our free, one-on-one Ask MRSC service to get answers to legal, policy, or financial questions.