Podcast: Cyber Incident Readiness: Tabletop Exercises for Effective Risk Management

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

CJ Dietzman (00:09):
Welcome everyone to the latest Alliant Cyber monthly podcast. CJ Dietzman here with the Alliant Cyber practice, and I'm joined today by my colleague David Finz from Alliant Specialty Claims. We thought we'd get together today to talk about the critically important component of any cyber risk management and readiness program, which is the cyber incident tabletop exercise. So important; we talk about insurability, we talk about cyber readiness controls, incident response planning, core components, but if we don't do some validation and some testing of those plans to ensure with reasonable confidence that we are ready for a really bad day we hope never comes. Cyber threats continue to evolve and emerge and have material impacts on organizations across industry sectors. The cyber incident tabletop exercise is just one core component of cyber incident readiness.

We talk about preparation, detection, analysis, containment, eradication, and recovery, post-incident activity. We'll never achieve these control objectives if we don't afford the appropriate level of time and integrated effort to validate all the good planning that we've put in place. And it never ceases to amaze me with the integrated approach that Alliant takes. And recently we've delivered some of these together, David, leveraging the best of Alliant Cyber from a brokerage standpoint, from a security and risk consulting standpoint, from a claims standpoint, also in ensuring that our clients bring forward active participation from their risk management function from IT, from other aspects of leadership, from the relevant third parties, legal law enforcement, so on and so forth. When we take that truly integrated approach, the outcomes are usually quite impactful, extremely useful for our clients. Interested to hear your thoughts on the criticality of the cyber incident tabletop exercise, and also some of the best practices that we leverage together as we deliver them.

David Finz (02:21):
Yeah, absolutely, CJ. One of the challenges with cyber is that unlike some other product lines, the buyer of the insurance doesn't necessarily have line of sight into all of the areas of managing risk. The obvious is that you'd want it involved, but as you mentioned, legal, finance, PR across the organization, you need buy-in because those stakeholders are going to be involved in decisions around the execution of the incident response. And so, it's important to have their perspective in the room when you're going through the exercise. Additionally, this is a good time to do a gut check and think about who you want to have as your external vendors when you have an event, and to make sure that those vendors are available to you through the insurer's panel, because every insurer has a panel of approved providers. If you want to use somebody who's not on the panel, then now's the time to have the conversation with your broker and have them speak to underwriting about having that service provider added to the policy by endorsement. You don't want to be having that conversation while the claim is playing out in real time.

CJ Dietzman (03:33):
Fantastic points. David, when I think about cyber incident response and let's talk about sort of the key phases, the key aspects, certainly the preparation, developing a plan and approach, making sure we've got all the right foundational elements up to and including the exercises and the testing and the validation that we perform in a cyber incident tabletop exercise. But there's more than that; can we detect potential nefarious activity in the environment? Do we have the right mechanisms, expertise and logic built into our system for that matter to do meaningful analysis? Let's not understate the potential complexities associated with those aspects of responding to a potential cyber incident when you're under attack, when you've got malicious actors in the environment. After the technology storm in a cyber incident comes the legal storm. That's been my experience. So, if we don't get those technical steps right in the first 48, 72 hours, we might be setting ourselves up for really tough circumstances and some unwanted pain, agony and suffering, candidly, on the tail end of the response from a legal standpoint, from a compliance standpoint, and certainly from a claim standpoint in terms of facing off with your underwriter, with your carrier. Any thoughts on that David?

David Finz (04:56):
Two things come to mind as I'm hearing your comments on this. The first is communication is something that is difficult to maintain when you have a threat actor in the network. And one of the things that came out of the exercise we recently did was the idea that an organization needs to consider how their senior management is going to stay in touch with each other if their network is compromised and they can't use email. So to have a plan in place to open up a bank of email addresses through say a Gmail or a Yahoo, to be able to continue to communicate securely. In fact, if they're using voiceover internet protocol on their landlines, they may not even be able to communicate securely on the phone. So, they're going to need to have mobile numbers and different ways to stay in touch.

And that's something that a lot of organizations haven't really thought out prior to having this tabletop exercise. The other point that comes to mind is with respect to the insurance itself and the process. Everybody pretty much understands at this point the first party costs that are associated with it and having to get those approved by the vendor. But there's also the third party, and we don't see this in every cyber incident, but the larger and more salacious ones we do, and a lot of people don't realize that a cyber policy also provides coverage for regulatory proceedings. What's going to get really interesting for our clients now, particularly publicly traded companies, is that the SEC is now mandating disclosure of material cyber incidents within four days of their discovery. So, managing those expectations around investor relations, what needs to be put out in a form 8-K and other regulatory authorities.

Other enforcement authorities have their own standards, whether we're talking about the New York State Department of Financial Services or HHS, and different organizations have to consider how they're going to manage those communications while they're still trying to figure out what exactly is going on. And they have to thread the needle very carefully and stay in compliance with those regulatory requirements, not get in trouble with their regulators, but at the same time not cause panic or put out statements that they later have to walk back when they find out that additional facts develop that suggest that what they said initially might not have been a hundred percent accurate.

CJ Dietzman (07:17):
David, a few things you said there I think are so incredibly important. If the cyber incident tabletop exercise is going to have the desired depth, weight and impact on the organization and truly improved posture, it's certainly has to go beyond the scope of just technical response on the other end of the continuum. If we solely focused on the legal aspects and rules and requirements and that type of thing, we might miss some of those gems on the underlying process and the blocking and tackling. So, we've really got to strike the right balance there. There've been those instances where we've done these over the years, where we've actually done them in a couple different phases, a couple different exercises: an executive level, an integrated level, and then a super technical level; actually a three-tiered approach to a programmatic method around cyber incident readiness to include three separate tabletop exercises over the course of a year.

Not every organization does that, and if you can only do it once per year for budgetary and resource constraints, we strongly recommend an approach aligned with what you just shared. It certainly has to have the technical component, it certainly has to have the regulatory compliance and legal component, but we'd be missing out significantly if we didn't pull in communications, HR resourcing, risk management, the cyber insurance and claims aspect. You know, as I think about the exercises you and I have done together recently, David, some of the things that I think were difference makers just tactically in the execution of the exercise; one, we took a truly collaborative approach. We set some ground rules around open and freeform discussion, even encouraging that spirit of intellectual debate, fighting the problem together with our clients, not each other. That approach ruled the day and an extremely collegiate collaborative approach.

And, I think we've had success in fostering that. Two, coming out of the exercise and setting expectations with the client that we are going to find what I call the rats and mice, the pieces parts. We took a parking lot approach for those items that were extremely tactical in nature and just required some minor follow-up in some cases, specific actions to clean up the approach. But then we also had broader, more programmatic strategic observations and recommendations. And I think together as we look across the various disciplines, that truly integrated approach, and then also looking bottom up, we've got some soft spots, we've got some missing pieces in our integrated approach, but then also we've got broader programmatic or control level, process level issues, in some cases blind spots that we've got to address. So, it's that bottom up and top-down approach, truly integrated, consultative, collaborative, that to me is the essence of a successful cyber incident, tabletop exercise like the one you and I had recently.

David Finz (10:16):
Absolutely. And the client should not feel in any way self-conscious when we discover some of those blind spots. Because that's exactly why we're doing the exercise. It's wonderful if everybody knows the drill and there's no action items that need to be taken afterwards, but that's not realistic, right? But the purpose of doing this is to identify those potential snags so that they can be addressed and remediated upfront so that we don't have issues later on, whether we're dealing with establishing out of ban communication or considering that legal wants to use this particular law firm and nobody's ever discussed that with risk management and they haven't been added onto the policy. Let's identify those obstacles and overcome them in advance so that the process is smooth. Nobody wants to go through an incident like this, but at least we've anticipated as much as we can upfront, so there's fewer challenges later on.

CJ Dietzman (11:12):
Well said, David, something else comes to mind that I think is super important and you and I are getting ready to deliver another one of these shortly and putting together the plan for that and talking to the client. I think there's a bit of ransomware exhaustion and maybe I'm going on in a bit of a limb here, but hear me out, David, I'm keen to hear your response to this. We've been dealing with ransomware acutely for quite some time, malware more broadly, for years, for decades. If I think about the past five years and certainly the threat actor activity, the ransomware activity, but then from a preparedness standpoint, the incident response planning, the playbooks, the insurance carrier, focus on ransomware threats, supplementals, and I think about the tabletops we've done, including some we've done together recently, ransomware focused, no doubt, ransomware is not going away.

It is a pervasive threat. We need to ensure that we're ready for it, but I also strongly encourage clients to take a bit of a rotational approach. Let's not make this year's cyber incident tabletop exercise the same as last year, which by the way, was the same as 2019 and before, I guess the point being that cyber threat actors will continue to pivot and evolve in terms of what vectors they're exploiting, the methods, tools, and techniques they're using. Yes, we need readiness for ransomware, but we need to ensure that we don't have blind spots for other threat scenarios. What's your thought on that?

David Finz (12:39):
That's absolutely right. Ransomware isn't going away, but it is simply the latest wave and the previous waves haven't gone away either. Companies still suffered data breaches, companies still have denial of service attacks, companies still get phished. And so the reality is that each successive wave doesn't replace the previous ones, it's just they continue to have a ripple effect. And so changing the fact patterns, not losing sight of the fact that other threat vectors are still out there is critical. And so, we absolutely need to make sure that clients are aware that in this risk landscape, it's not ransomware instead of what you dealt with five years ago, it's in addition to. And so we need to make sure that the scenarios we put them through reflect that reality.

CJ Dietzman (13:26):
Absolutely. We'd be remiss if we didn't spend a moment saying that the cyber incident exercise itself, it’s super important what happens in that room or if we do it remotely, that we've got some dynamic interaction, some free and open exchange of ideas and perspectives. Now having said that, what happens next is more important than the exercise itself. So, wanted to hear your perspective as we deliver these reports for our clients, these post exercise debriefs, ensuring and enabling the client to take that feedback and put it into action. It's not just checking a box, whether it's parking lot on items, extremely tactical, low level items that need care and feeding and attention. Also some strategic items, some process gaps, some control gaps, maybe some roles and responsibilities that need to be refined. What are your thoughts, David, on ways in which clients can truly capitalize not only on the exercise itself, but the results of those exercises?

David Finz (14:28):
I think that's spot on. That’s the purpose of doing the tabletop, not to check the box and say, okay, we did that exercise, now we can go about our business; it's to identify issues that need to be addressed. It's the same thing if you go to the doctor for your annual physical and you find out that your blood pressure's off the charts. You don't say, okay, well thanks for letting me know and leave it alone. You say, well what can we do about that? So much the same way to make this exercise worthwhile, to make it actually something that has a lasting impact, requires that follow-up. And obviously we are here to assist our clients with that. Like you said, whether it's those parking lot items that need to be addressed as a matter of housekeeping or there's some technical expertise that's lacking within the organization, that we can put them in touch with strategic partners, service providers, that we have relationships with that we trust to be able to come in and deploy whatever controls may be lacking, whatever additional testing or diagnostics may need to be done.

And that's really the integrated approach that we're taking now, thanks to yourself and the entire team that we've recently brought on that are able to provide that risk consulting element and really take a holistic approach. It's not just about the insurance transaction anymore, it's really about making the client a better risk.

CJ Dietzman (15:46):
Great stuff, David. And just in summary here, when I think about the approach that we bring to bear as Alliant Cyber to cyber incident readiness, and specifically to these cyber incident tabletop exercises that we're delivering to our clients. The integration, the diversity and skills and expertise, yourself as a former attorney with just incredible depth and experience in claims, cyber claims and other specialty claims, individuals like myself who represent security controls, architecture, incident response, and investigations expertise, cyber brokers; we always pull in a cyber broker and other leaders from our consulting practice to really drive the perspective of that integrated approach. A diverse voice in addition to ensuring that our clients are bringing the right participation, legal, risk management, human resources, technology, business operations. And the result of these are not only incredible and impactful cyber incident tabletop exercises, which are rewarding and exciting to be a part of, but also some actionable output and outcomes.

Things that are going to put the client higher in the water from a cyber incident response readiness standpoint, that are going to help them address and quite honestly become more insurable, better cyber risk management, but also when and if they have a really bad day, they're in a much better situation and they won't get sideways or find themselves squarely in a really tough position as unfortunately we continue to see happen far too often. Super important and exciting topic. Alliant Cyber is thrilled to help our clients with cyber incident tabletops as part of their broader cyber risk management program. So thank you once again everyone for attending today's podcast.

National Cybersecurity Awareness Month