Canadian Underwriter

Are your cyber clients ‘red-teaming?’

January 26, 2018   by Greg Meckbach, Associate Editor

Brokers placing cyber insurance should advise their commercial customers that it’s not enough to just have a plan to respond to computer security breaches — they need to test the plan, or “red-team” it.

“An incident response plan is not fully implemented and useful until it has been tested,” Terri Mason, assistant vice president of cyber and professional liability at CNA Canada, said in an interview Thursday with Canadian Underwriter.

Brokers may not be information technology experts, but they can still advise clients to make sure they have a plan to respond to cyber security incidents, said Mason. An incident response plan provides “detailed instructions” for responding to incidents such as distributed denial of service attacks, data breaches, employee error, and virus and malware outbreaks.

But the key is to make sure the plan is battle-tested. A rehearsal is “usually part and parcel of an organization’s incident response plan,” said Mason.

Rehearsals can take the form of “red team” exercises, also known as penetration testing or ethical hacking, said Charles Carmakal, vice president of Mandiant Services. Mandiant is a computer security company acquired in 2013 by Milpitas, Calif.-based FireEye Inc.

For example, a client may hire a computer security consulting firm to hack into the network, Carmakal said. The internal audit staff might be told about the rehearsal, but it’s useful to keep the client’s computer security staff in the dark.

“Not only is the company trying to determine whether or not the bad guys can break in, they are trying to figure out whether the company has the security monitoring, the people, and the processes to even detect that something is happening,” Carmakal said in an interview.

A rehearsal could even take the form of a “paper-based” table-top exercise, which does not entail trying to break into the company’s computer system. In this form of rehearsal, managers might sit in a room for a few hours, in some situations maybe a full day, and present certain scenarios. One example might be a scenario in which a criminal defaces the company website, Carmakal said.

When companies test their incident response plans, “underwriters do look upon that favourably,” Mason said. “Not just because it says that the IT department and many employees in the organization will know what to do if something happens, but because it also speaks to an organization’s overall approach to culture and cyber risk as a whole.”

Cyber risks such as data breaches and hacking are “becoming more of a C-suite issue rather than just an IT department issue,” Mason said.

Applications for cyber insurance policies have technical questions and “typically good answers mean good coverage and good rates,” added Mason.

That said, two different clients may have exactly the same answers, and yet one client may still have different risks from the other. This could occur, for example, if one is a manufacturer and the other is an online retailer.