Risk managers need to run tabletop exercises and facilitate discussions in their organizations to better understand their cyber risk and prepare for attacks, a risk manager said Wednesday during a session at the Risk & Insurance Management Society Inc.’s Riskworld conference in Atlanta.
Carey Almond, Atlanta-based director of corporate insurance at Colonial Pipeline Co., said risk managers should ask for cross-functional discussions to determine what their organization’s biggest risk is in the event of a cyber attack.
“For us, shutting down our pipeline was our most important risk, but for your companies, I’m sure it’s different,” Almond said.
In 2021, Colonial Pipeline suffered a ransomware attack and shut down its pipeline, disrupting fuel supplies in the southeastern United States. Better understanding of the risk scenario will drive what insurance coverage is important to organizations, he said.
Companies should also run drills to prepare for what they would do in the event of an attack, Almond said.
Running a short tabletop exercise internally is helpful so risk, legal and IT teams are on the same page and know who will do what if there’s an emergency, he said.
For example, it’s important for everyone to know whether the company’s cyber insurance policy specifies which vendors it’s allowed to use after a breach, he said.
Cross-functional discussions are also useful for answering questions like: “If we were hit by a ransomware attack, would we pay the ransom? Do we have a policy on that? Are we going to debate it in the heat of the moment, or do we want some guidelines and set the policy?” he said.
Many cyber insurers now require companies to run tabletop exercises, said Andrea DeField, Miami-based partner and leader of cyber insurance at Hunton Andrews Kurth LLP.
“If you’re doing them in your organization, that’s something you want to highlight as part of your application and renewal process, because it shows that you’re diligent and thoughtful,” DeField said.
“I see a lot of disconnected organizations where the IT team, the CSO and his team run exercises like this, but they don’t involve the risk team, so it’s not very useful,” she said.
Companies need to have all parts of the organization involved, she said.