A day in the life of a cyber incident responder

Ever wonder what’s involved in handling a cyber claim? What is the process? Who needs to be notified of a cyber event? What steps should be taken to address the resulting chaos?

If you follow Ash Burdon, Cyber Claims Manager at CFC, around for a day, you might not guess he works for an insurance company. Donning his trademark black hoodie and a pair of faded jeans, Burdon starts his day like many of us, with a quick scan of his emails. He’s looking for any fires that have landed in his inbox overnight — clients who’ve been the victim of a cyberattack, their data held hostage, systems suspended or payments redirected by some faceless criminal halfway around the world.

The incident

At his desk, he picks up a panicked call from an insured, a large architecture firm based in the Midwest. The caller reports that the company’s systems have been locked down and employees can’t access any of their data. Employees working remotely are unable to log in, and many have had their laptops encrypted too. No one in the business can access email or customer files.

Taking careful notes, Burdon asks about the company’s backups. Where are they located? Can they be accessed? The caller confirms that the company’s backups, which are stored online, have also been encrypted. A ransom note, located within an innocent-looking text file on user machines, demands  Bitcoin worth roughly £200,000 in exchange for a decryption key that will unlock the frozen systems. The business has never experienced a large-scale cyber attack before, and they certainly don’t know how to access the Bitcoin needed to pay off the hackers, or if it’s even the right thing to do.

Burdon knows the first job is to get to the bottom of what’s happened — identifying the hackers and determining how they accessed the company’s systems. He puts in a call to his counterparts on the in-house cyber incident response team who examine the ransom note and a few samples of the encrypted files.

His next call is to the team’s specialist negotiators, who will assume the role of the client in their dealings with the hackers. They’re working to buy more time for the forensics team to investigate the extent of the damage and potential for recovery. Burdon’s goal is to get as much information as possible to provide the client with their response options.

A rise in ransomware

Using various threat intelligence feeds and insights gained from other cyber claims, the incident response team quickly identifies which of the thousands of variants of ransomware they’re dealing with — in this case, it’s Ryuk.

Ryuk has become a prevalent form of ransomware in recent months and is associated with large ransom demands. It’s typically distributed through phishing emails that deceive employees into silently downloading a ‘backdoor’ onto the company’s network. The criminal network behind this particular strain of malware has already netted over several million from companies that have fallen victim to this scam. Burdon and the response team are determined to help their insured to ensure they don’t add to these worrying statistics.

Ransomware has existed for more than three decades, but now ranks as the most common type of claim cyber insurers receive. Not only are attacks more frequent, but they are far more severe. When WannaCry hit in 2017, ransomware demands averaged around £200. Since then, attacks have taken a more targeted approach, and it is not uncommon to see demands in the hundreds of thousands or even millions of dollars with entire systems, including backups, having been encrypted.

Making a decision 

By now, it’s been just 24 hours since the client first notified Burdon about the incident. Gathering the relevant parties on a call — the client, the response team and lawyers provided through the partner panel under the policy — Burdon details the client’s options, along with their legal and regulatory obligations.

One option is that the client chooses to pay the hackers for the decryption key. Gaining access to such a large amount of Bitcoin isn’t easy and will raise alarm bells, but Burdon and the team have access to third-party resources that make this possible. The drawback is that Ryuk decryption is a complex process that takes 50% longer on average to restore networks than other forms of malware. While decryption keys are known to be reliable, they do fail in roughly 10% of cases.

Alternatively, the client can ignore the hackers and focus on rebuilding their systems and data. Their IT provider has discovered a weekly offline backup tape that offers a starting point, but the process will be slow, and the company could be disrupted for multiple weeks while the malware is eradicated, machines are rebuilt and data restored.

Having seen this play out numerous times before, Burdon reassures the client and guides them through both scenarios. Given the potential legal risks, coupled with the chance of failure and the time it takes to decrypt, the client opts not to pay the ransom and will rebuild instead. Burdon will oversee the recovery project, ensuring the security and IT operations teams work in tandem to maintain the client’s safety and expedite recovery while assessing those activities against the policy and determining the overall financial loss to the company.

The shift to response 

When cyber policies first came to market, they centred primarily around third-party liability exposures stemming from data breaches, particularly in the United States, where class action litigation is more common, and privacy regulation was more advanced. But in response to the changing cybersecurity landscape, the scope of these policies has broadened significantly, with most policies now heavily weighted toward first-party exposures such as the business interruption impact associated with ransomware events and the financial losses incurred due to funds transfer fraud and other types of cybercrime.

Mirroring this shift, cyber claims have changed, too. Today, more than 95% of cyber claim costs stem from first-party exposures as opposed to less than 5% for liability claims. This shift in the claims profile has changed the approach and skillset required for cyber claims managers, with a strong technical understanding as important as the need for a detailed appreciation of the law.

While many cyber insurers still outsource their claims handling, there is an increasing move to bring the incident response capabilities in-house to expedite client recovery as well as reduce the overall cost of claims.

In 2015, AIG acquired a stake in K2 Intelligence, a cyber-defence firm; in 2017, Beazley acquired Lodestone Security; in 2020, Aon acquired digital forensics company Cytelligence following their high-profile acquisition of Stroz Friedberg in 2016; in 2019, CFC acquired incident response provider Solis Security; and just this year, we acquired Australian firm Insane Technologies. 

The cyber firefighter

This is the new world of a cyber claims handler or cyber incident manager as they prefer to be called. To the untrained eye, they look like a typical claims professional, but they spend most of their days triaging security incidents, negotiating with hackers and project managing business recoveries.

Their backgrounds are varied. Some come from traditional claims handling, but others are technically certified or have held roles with law enforcement or intelligence companies.

With each claim, the cyber incident manager stands between their customers and what could be a catastrophic loss or getting back online quickly. However, finding cyber claims handlers with the necessary experience or skills has proven challenging for insurance employers in recent years. Cyber claims roles can be the toughest to fill and tend to stay open the longest. The cyber insurance market is relatively young, which means many claims professionals in this area will rarely have more than a few years of experience under their belts.

For claims professionals interested in a new career path, however, the opportunity in this growing market is great and success is tangible.

Ultimately, the mindset of a cyber incident manager is what matters most. The ability to navigate between the technical and the commercial — and adapt quickly to a changing market and threat landscape — is what defines success for claims handlers and the market alike.

To see the original piece, check out the PC360 website.