Cyber ​​forensics: outsourcing incident response to third parties | Insurance

A panel of Intelligent Insurers agreed that incident response teams are already networked with insurers and law firms and thus have a wealth of resources at their disposal.

Intelligent Insurer brought together four experts in a virtual panel in May to delve deeper into the details of digital forensics.

George Chaisty, Partner at Kennedys, and Gwenn Cujdik, Manager of AXA XL’s North American Cyber ​​Incident Response (IR) team, joined Anthony Hess, CEO of cybersecurity company Asceris, and Jonathan Rajewski, North American Head of Cyber ​​IR at Aon, to discuss the value of digital forensics in post-incident management.

In this final report in our cyber forensics mini-series, we focus on third-party vendors and the benefits of outsourcing IR management services.

“They are unbiased and will therefore analyse and present the evidence impartially.” Jonathan Rajewski, Aon

Outsourcing shows impartiality

“In my experience, engaging an independent third-party cyber IR team is very well received by clients and regulators as they are unbiased and will therefore analyze and present evidence impartially,” said Rajewski.

“While a company’s internal team is very important in the early stages of an incident and can still play a very active role in the investigation, it should also consider involving external IR firms and not just rely on itself.”

However, for companies without their own internal IR team, seeking outside support can have unintended consequences. “Smaller companies don’t have the capacity for an in-house IR team and don’t necessarily understand the difference between their local IT staff and a forensics firm,” Hess said.

“You might get third-party support, but it could also be a local IT person who comes in, wipes the entire environment and rebuilds everything,” he continued. “Unfortunately, that means you don’t understand exactly what happened. So how are you supposed to handle an issue like Healthcare Insurance Portability and Accountability Act (HIPAA) requirements in a healthcare-related cyber incident?”

One such HIPAA requirement is that companies conduct regular risk assessments to identify potential vulnerabilities in their systems and processes, which becomes unnecessary if an entire system is wiped.

“When you bring in independent experts, you benefit from their extensive experience.” Gwenn Cujdik, AXA XL

Dispel doubts about inappropriateness

Cujdik is a strong advocate of third-party IR management, and she highlighted another issue related to conducting the investigation in-house. “It’s the saying to do your own homework. When you bring in independent experts, you benefit from their extensive experience and also put yourself in a situation where other people trust what’s going on,” she said.

“It is a huge advantage to be able to rely on the experts, as this protects access to the findings.” George Chaisty, Kennedys

Not only other people, but also government agencies.

“Using industry experts under the guidance and direction of legal counsel will especially help small organizations with limited resources,” Chaisty said.

“If you do it right, you can theoretically ensure that the results of a forensic investigation do not become public and do not come under the scrutiny of regulators,” he explained. “Being able to rely on the experts is a huge advantage because it creates a shield for access to the results.”

More connections

External IR providers not only potentially protect companies from reputational damage, but are also usually connected to a network of additional services. In addition, different relationship models arise between IR companies and insurers.

“Today, insurance companies are much more involved and take over the coordination and administration of all providers.” Anthony Hess, Asceris

“In the past, insurers paid relatively little attention to IR processing and commissioned one of their contract law firms to do it,” added Hess.

“Today, insurance companies are much more involved and often take over the coordination and administration of all providers.”

Cujdik emphasized the value of using a carrier that has IR training and experience and can recommend restoration and remediation providers based on their experience.

“Our value is that we can say, ‘We’ve had three or four incidents with the same threat actor: here’s a vendor that we think could do a good job for you,'” she said.

“You benefit from the knowledge and experience they have gained working with this particular group and can get started right away. We also give you our negotiated prices.”

For companies that fall victim to a cyberattack, the use of an external IR team can be beneficial: the team’s findings are generally recognized, it offers legal confidentiality, it knows what to look out for in the event of a data leak and can react immediately.

To view a video recording of the discussion Click here.

Were you able to gain something from this story? Sign up for our free daily newsletter and get stories like this delivered straight to your inbox.