
Your Digital Forensics and Incident Response Capabilities — Or Lack Thereof — May Be Weighing on Your Cyber Insurance Premiums

In 2021, most enterprises discovered that there is a heavy cost to protecting their most valuable digital assets, especially during a historic rise in cybercrime. Some, such as Colonial Pipeline, CNA Financial Group and JBS Foods, found out first-hand when their systems were infected with ransomware and they paid a combined $55 million to regain control of their data. Those who didn’t suffer devastating cyber attacks didn’t go unscathed either: they felt the effects of the rise in cybercrime in their cyber insurance premiums.

Enterprises have never been more at risk of suffering cyber attacks and when they do, the damages have never been higher. According to cyber insurance provider Coalition, claims have skyrocketed for enterprises in multiple sectors, including IT at 46 percent, materials at 99 percent and industrials at 263 percent. The average ransom demand made to its policyholders, meanwhile, increased by almost 170 percent to $1.2 million in the first half of 2021.

With their policyholders under great threat, cyber insurers are at equal risk of having to provide them with significant payouts to cover damages linked to cyber incidents. They’ve mitigated this risk by raising the price of cover. In the U.S., cyber insurers raised their pricing by 130 percent in the fourth quarter of 2021 alone, according to insurance provider Marsh. They’ve also demanded that their policyholders do more on cybersecurity to even qualify for coverage. For enterprises looking to increase their cyber resilience to qualify for coverage or to lower their premiums, the answer may lie in digital forensics and incident response.

No preventative cybersecurity measures are capable of stopping 100 percent of the attacks they face. When a cyber attack does eventually succeed, enterprises need to be prepared to respond to it. The actions they take after a cyber attack are just as important to their protection as the actions they take in advance of one.

Digital forensics and incident response tools give enterprises a vehicle to respond to cyber attacks by investigating them. After a ransomware attack, analysts use the technology to trace a cybercriminal’s steps and determine how they gained access, how many endpoints were compromised and what files they encrypted and exfiltrated. The same can be said for business email compromises, where a tried and tested incident response plan that leans on digital forensics can quickly verify that a payment took place and collect the necessary evidence to reverse it. When it comes to insider attacks, the same methods can be used to identify employees misappropriating data. With this information in hand, enterprises can stop further damage from occurring and begin recovery.

Digital forensics and incident response technologies are now essential to the modern cybersecurity toolkit. The National Institute of Standards and Technology’s cybersecurity framework, which provides security teams with best practices, lists digital forensics as a key action that takes place during the “respond” phase. Cyber insurers recognize the NIST cybersecurity framework and some of them use it to assess the maturity of cybersecurity strategies.

This is in line with what has emerged as an industry trend: Cyber insurers are asking applicants and policyholders to increase their own cyber resilience in response to the increased threat level. In the U.S., some of these decisions have come in response to cybersecurity policy actions taken by the Biden administration to introduce minimum cybersecurity standards for federal agencies.

Most cyber insurers followed suit and also mandated that their current and prospective policyholders have minimum security standards in place. U.K.-based cyber insurer Griffiths & Armour, for example, lists advanced endpoint detection and response protection, incident response plans and security information and event management systems among the controls insurers may ask for before offering coverage. “For some insurers non-compliance with the above can result in them declining to provide any level of cover,” the firm warns. Marsh, meanwhile, has mandated endpoint detection and response technology and lists incident response planning and testing, in which digital forensics is a key element, as one of seven controls that will weigh heavily on the firm’s decision to accept a new client.

Throughout the application and renewal process, cyber insurers evaluate potential customers based on their internal and external cybersecurity capabilities. This is regularly done through the use of surveys that pose a variety of cybersecurity questions to applicants and assess the risk of insuring them.

How are incidents reported? Do you have an incident response policy? Do you have a dedicated digital forensics and incident response team or do you have a third party on retainer? Answer incorrectly and the cost of coverage may soar, if you’re even offered coverage in the first place.

Some enterprises keep an external digital forensics and incident response firm on retainer, while others may have a small internal team. What cyber insurers prefer is the most risk-averse option: a combination of the two.

For cyber insurers, an enterprise that solely relies on an external party for its digital forensics and incident response functionality still carries significant risk because of the potential payouts. Third-party digital forensics and incident response firms bring valuable expertise, specialized services and products to the table, but it comes at a cost that cyber insurers know they’ll need to cover. Third-party service providers often charge hundreds of dollars per hour and per endpoint they need to examine. Responding to a ransomware attack, for example, might require analysts to examine dozens of endpoints over multiple weeks. The costs for these services alone could easily surpass $100,000. Cyber insurers account for this risk with higher premiums.

Having an internal team significantly decreases the risk of large payouts to cover digital forensics and incident response costs. With an internal team to respond to cyber incidents, enterprises no longer need to refer every cyber investigation to a third party and rack up costs that will need to be covered by cyber insurers. That doesn’t mean cyber insurers want enterprises to discard external firms altogether.

The reason a combination of the two is the best option is that internal digital forensics and incident response teams are small. According to a study published by Magnet Forensics and IDC, the average digital forensics and incident response team at an enterprise with 1,000 to 2,499 employees has four members. Companies with 5,000 to 9,999 employees have an average of only eight. A ransomware attack can be too much for teams of this size to handle. Being able to call on external reinforcements lowers the risk for both an enterprise and a cyber insurer, and that should be reflected in premiums.

In an incredibly high-risk environment, cyber insurers are within their legal rights to deny coverage or offer less for higher premiums to enterprises that have not acted to do more on cybersecurity. A thorough incident response strategy that leverages digital forensics can help enterprises ensure they have the means to protect themselves even after an attack has occurred. It ensures they have the necessary cyber resilience to operate in this new risk environment and plays a key role in determining whether enterprises can earn coverage, maintain it and do so at a reasonable cost.