Canadian Underwriter

One simple question your cyber clients can’t answer

April 4, 2023   by Jason Contant

A data centre with multiple rows of servers

Print this page Share

Your cyber clients likely don’t know the answer to basic questions such as what is being done on a particular server, or even how many computer servers the company has, an expert from a cyber response and recovery firm said recently during NetDiligence’s Cyber Risk Summit.

“We’ve been doing this for five years across the globe [and] we have yet to come into an incident response phase on the recovery aspect where a client knows basic things like a list of all their servers,” said David Humphreys, founder of recovery firm Avasek, which has offices in Toronto and Cherry Hill, N.J. “And more importantly, what does that server support? What is actually being done on that server?”

Generally speaking, the insurance industry has done a good job of “phase one” of implementing reasonable cybersecurity, which Humphreys describes as “what can we expect everybody to implement, regardless of size, regardless of budgets?” For example, some insurers are now requiring clients to have a solid backup solution and protection of remote access points for policy renewals.

But it’s also about the business functions and which servers support these functions, Humphreys said during the What is Reasonable Cyber Security panel. He noted that during status calls on the recovery progress, there are often different audiences, such as C-suite executives and IT staff.

“So, when we talk about restoring 20 servers, the C-suite executives, the CFOs and COOs, they really don’t care about that, because you can restore 20 random servers but that doesn’t mean any business functions are working again,” Humphreys said. “Where we try to come in is we try to say, ‘Okay, pre-incident now, CFO, how do you categorize your organization? What are your different business functions that make up your organization?’”

Speakers at the NetDiligence Cyber Risk Summit

(L-R) Daniel Couillard (Canadian Centre for Cyber Security), David Humphreys (Avasek), Roger Francis, CFC Response.

For example, business functions could include both accounts receivable and accounts payable, which might be different departments. There might also be marketing, customer service and shipping and returns departments.

“Once we know what the different functions of the business are without talking to an IT guy, we take those functions and then we go to the IT guys and say, ‘Okay, here are all the functions of your business according to your management, what are the servers that support each of these functions?’”

Knowing that, recovery firms can then prepare for when an actual cyber incident occurs by determining business function priorities, Humphreys says. “That changes based on the day that the incident happens.

“If it’s the day before payroll, accounting might be the most important thing,” he says. “If it’s the day after payroll, customer service might be the most important thing. You have to have a plan that is adaptable to basically what the priority for the day is.”

So, reasonable cybersecurity should not only be looking at good and bad risks, but also mapping servers to business functions. “That way, things can be restored in a non-chaotic manner, which helps to reduce the business interruption and the overall claim cost and recovery,” Humphreys said.

But sometimes it can be difficult to fully encapsulate the concept of reasonable cybersecurity. For example, some companies may have third-party systems or outsource through software-as-a-service providers; others may have undergone acquisitions or have shadow IT departments.

Said Roger Francis, managing director of CFC Response: “Most organizations actually don’t know themselves very well, I’m going to be brutally honest.”


Feature image by