Amy Gross, Global Private Equity Practice Leader for Liberty Mutual & Dan Frusciano, North America Head of Cyber Underwriting for Liberty Mutual

Statistics on cyberattacks in the U.S. from IBM’s 18th annual Cost of a Data Breach report are staggering.

“The global average cost of a data breach in 2023 was USD $4.45 million, a 15% increase over 3 years.”

“Fifty-one percent of organizations are planning to increase security investments as a result of a breach, including incident response (IR) planning and testing, employee training, and threat detection and response tools.”

“Nearly one-quarter of attacks involved ransomware. Ransomware attack costs increased significantly in 2023.”

As we’ve touched on previously in this three-part cyber series – in our first post overviewing due diligence best practices and in our second post on how private equity boards can amp up their cyber expertise – cyber security issues for private equity firms are unique in that they can arise for individual portfolio companies as well as for the firm as a whole. This setup means that cyber incidents by nature don’t occur in total isolation. An attack on a single portfolio company can cause ripple effect damage across the entire organization.

In this final post, my colleague Dan Frusciano, Liberty Mutual’s North America head of cyber underwriting, and I explore the ins and outs of a cyber incident response plan, which is critical to the long-term success of a business. We have seen time and time again – both in the private equity sector and more broadly – that taking a proactive approach to address cyber risk and fostering resiliency with a plan for a response is ultimately a smart operational, reputational, and financial move. And, for private equity firms with responsibilities to investors, protecting the financial health of the firm and portfolio companies is paramount.   

What is the general framework of a cyber incident response plan?

While plans differ from organization to organization, a thorough incident response plan should specify:

  1. Incident response team – overview of who needs to be notified and what role and responsibilities each person/party has.
  2. Response process overview – a high-level flow chart of what steps need to be taken, and when, should an incident occur.
  3. Incident detection and reporting – instructions on documenting an incident, preserving evidence and properly reporting specifics.
  4. Engagement and initial analysis – initial investigation of what systems or information have been impacted, the extent of the disruption and the classification of the incident.
  5. Responding to the incident – instructions on everything from conducting a forensic investigation to determining legal obligations to notifying impacted third parties and people.
  6. Post-incident review, documentation and wrap-up – assessment of the strengths and weaknesses of the response, and guidelines on regular incident reviews and plan updates.

How is a cyber incident response plan unique for a private equity firm?

Private-equity-specific incident response plans should go beyond the basics and take into account the added vulnerability that a parent firm has across its entire portfolio. The plan should include:

  • Which companies are connected to the firm’s network, and how a response should be rolled out depending on the firm’s digital makeup and connectivity.
  • Where vendors are aggregated. This means knowing whether multiple portfolio companies use the same vendor and, when they face the same cyber issue with that vendor, developing a response and plan that can blanket the entire firm.
  • How best practices developed for one portfolio company can be shared across the entire firm to boost overall cyber and business security.
  • The cyber sophistication of potential acquisitions. Firms with an aggressive growth strategy want to move on deals speedily, but targets – mid-size ones in particular – may not have the controls or budget in place for robust cyber security. It’s important not to overlook these gaps, and to take steps to address them when developing a plan.

Who are the players when a cyber incident occurs?

There is a team of people who should spring into action if a cyberattack occurs. Internally, this may include members of the private equity executive team, such as the CISO and CIO; in-house legal counsel; human resources; or the finance team. Externally, depending on the nature of the incident, third-party vendors, law enforcement or regulators should be alerted.

Why should a private equity firm turn to their insurance carrier during a cyber incident?

Insurance carriers are often a firm’s greatest advocate for weathering a cyberattack. They share the goal of minimizing any financial damage and most likely have a panel of resources available to assist companies. Many, for example, will have breach coaches, forensic incident response firms, access to bitcoin vendors and cyber extortion negotiation firms to help respond to ransomware claims. These resources are crucial when negotiating, resolving, and sometimes paying in a ransomware situation. Forensic firms, tapped by an insurance carrier, specialize in minimizing losses and the amount of data that may be compromised – experience that can prove invaluable in tense situations.

The bottom line: Insurance carriers bring experience and access to resources, which can dramatically change the impact of a cyberattack.  

How do you maintain an incident response plan?

It is a best practice to be proactive and develop an incident response plan ahead of an attack, but it is also important to ensure the incident response plan is properly maintained. There are a few milestone moments to revisit an incident response plan each year:

  1. Each year’s cyber renewal is a great time to reassess whether an incident response plan is up to date and has current carrier information. A parent firm can also ensure any newly acquired portfolio companies have adequate coverage and response plans in place. Going through these steps helps analyze and address where any reputational or D&O risk lies, in addition to cyber vulnerabilities.
  2. It’s not enough to write up an incident response plan; it has to be tested regularly. It’s best practice to conduct tabletop exercises and tests two or three times per year. Doing so helps reveal where the gaps in the plan are, keeps cyber security top of mind and provides the incident response team with a blueprint for responding in a real situation.

While it’s daunting to think about developing a cyber incident response plan, it’s vital to do so. Private equity firms small and large have unique cyber vulnerabilities that necessitate proactive planning. Developing a plan, testing it, and making an effort to continually keep cyber security top of mind ultimately helps protect a firm’s investments and long-term business objectives.

Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries.