SAN FRANCISCO – To be cyber-resistant, risk managers should update their incident response plans to reflect the onslaught of ransomware and other emerging threats, experts say.
Many organizations developed their plans several years ago, often on behalf of their legal departments, which saw states pass laws on data breaches, said Katherine Keefe, Marsh LLC’s Philadelphia-based cyber incident management leader for the United States and Canada.
She was among the speakers during a session on Tuesday on cyber resilience at the 2022 Risk & Insurance Management Society Inc.’s annual conference in San Francisco.
Nowadays, with attacks often involving data encryption combined with data exfiltration, incident plans need to be more sophisticated, she said. “You really have to update it if there is a plan,” or create one if there is not one in place, Keefe said.
Developing incident management plans is challenging because of the complexity, said Laura Meade, head of risk management at Telephone and Data Systems Inc. in Chicago.
“The role of the risk manager is to pull people together and get that buy-in. It’s your job, to make people understand what’s important and what you could potentially lose if you do not handle an incident properly,” she said.
Keefe said: “One of the problems that needs to be corrected is that incident response plans sometimes only exist in IT,” and IT often responds to problems from a technical point of view. Instead, there should be an interdisciplinary approach that involves other stakeholders, she said.
The claims process after cyber incidents was also discussed. It “can be a very collaborative experience,” said Meredith Schnur, New York-based cyber brokerage leader for the United States and Canada at Marsh USA Inc., who moderated the session. Many people mistakenly approach it as “it has to be adversarial in some way,” she said.
Keefe said that since the vendor landscape is constantly changing, it is important to keep a current list of vendors.
One area that “needs a lot of tire kicking,” she said, is extortion services, where there is a “world of nuances.” Some providers only offer extortion negotiation services, while others also include forensic technology.
“Do not assume that one case suits everyone,” Meade said.
She said she has worked with a provider for cases involving the Health Insurance Portability and Accountability Act of 1996, but “I do not want them near a ransomware case or even a normal data breach.”