Situation
A healthcare insurance company with customers in many states had a cyber security assessment performed that identified areas of cyber vulnerability, and was making good progress in addressing them. One area that had not been fully addressed, however, was a plan for exactly what to do in the event of a breach into the company’s systems. It had come to the CIO’s attention that as a healthcare company with widespread customers, they were more exposed to new strict regulations with potential penalties being established by federal, state, and international jurisdictions over cyber security breaches. More importantly, when the company CIO recognized the potential risks to customers and the company of not being ready to respond through all the aspects and consequences of a cyber invasion both quickly and appropriately, he realized the company should have a detailed action plan thought through and prepared right away.
Solution
The CIO brought in an experienced E78 partner, who had prepared the original cyber security assessment two years before, to prepare a complete cyber breach response plan. The company already had cyber risk insurance, but one of the first things the E78 partner did was to analyze the complete list of outside service providers for breach response, including outside legal counsel, forensics, and public relations teams, among others. He then considered the internal resources to manage these services and who might have responsibilities for taking the considerable number of specific actions required in the hours, days and weeks following initial discovery of the breach. From this he was able to rationalize these services and internal resources to eliminate redundancies and inefficiencies, and to engage new resources to fill gaps. Importantly, this part of the analysis enabled the E78 partner to pre-negotiate with the cyber insurance company which outside services, such as forensics and public relations, would be allowed and paid for under the policy after a breach. This would save considerable response time, which would be critical after such an event.
He then took a deeper analysis of all the key decision points the company would face after the breach, including the pros and cons of different policy directions, and came up with responsibilities and timelines, as well as guidance, for these decisions. With further discussion and analysis, this enabled him to prepare a complete checklist of actions, responsibilities, deliverables, and timelines during all phases of the response, from the initial identification of the breach, through full containment, notification, customer care and restoration. The action plan also included lessons learned from the breach and follow-up to harden the company’s systems to keep ahead of future threats. The plan was to be updated annually.
Results
Once presented with the complete action plan for breach response, the executive team was able to sleep better at night, knowing they had a complete list of specific steps and responsibilities for the hours and days after discovering a breach. Since the checklist had been thoroughly thought through and rehearsed, they had the reasonable assurance that little was left out, and this would help them during the hectic hours after discovery. The risk of fines and other penalties from not having such a plan was substantially reduced. Further, by eliminating redundant services, the E78 partner was able to save the company $250,000 in annual costs while also reducing risk of finger pointing from overlapping roles.
