InfoDevSec

Business Continuity Planning

A cyber risk insurance plan should take into account an organization’s planning and desired response. There are four key steps involved.

  1. Conduct Pre-Breach Education and Planning
    It is important to look at pre-breach planning. Proper planning decreases the frequency likelihood and positively impacts an organization’s ability to respond to an incident. A key component of planning is organization-wide education. It is not just about the IT personnel. Education should occur from the board to the basement.
  2. Develop an Incident Response Plan and Crisis Management Plan
    An incident response plan escalating to a crisis management plan outlines responsibilities, procedures, and decision trees at a high level if an incident occurs that is then not contained within standard IT incident protocols. It is important to keep such plans fresh, as technology and the cybercrime landscape continue to evolve. The plans should consider issues at an enterprise-wide level, not just IT security.
  3. Create a Breach Business Continuity Plan
    An organization is advised to take a hard look at its capability to recover from a breach. Organizations have business continuity plans in place to weather physical perils that shut down operations. The same should be in place for cyber incidents that bring operations to a halt. This means augmenting an organization’s business continuity plan to address technology breaches and the responses required to maintain operations.
  4. Review or Implement Cyber Insurance
    Conduct an assessment of current insurance policies, such as property and general liability, to determine the potential need for additional coverage and an insurance action plan to address same. The assessment of coverage and gaps can encourage an open dialogue about opportunities to shore up systems and procedures. It can also help identify holes in processes and protocols as well as gaps in insurance coverage that potentially could be filled with cyber insurance.

Insurance Placement Constraints

Privacy and security laws are two categories of the various laws and regulations that affect cyber operations and insurance.

Business Continuity Management and Cybersecurity

A business continuity management system (BCMS) can be considered a specialized child and subset of its parent enterprise-level risk management system (ERM). 

Risk:

  • Data loss and theft of confidential data.
  • Unauthorized access—both intentional and unintentional—by internal and external parties.
  • Data loss or corruption when transferring and transmitting data using different communications media and devices.

A single point of failure could be represented by many different designs, each of which includes only one resource that, if unavailable, would cause business processes to fail. Redundant systems and failover communication links are examples of high availability to avoid a single point of failure.

Information Asset Management for Cyber

  • Create a contingency plan and document it in a handbook.
    • analyzing how these potential scenarios could impact finances, operations, legal, and other activities, as well as investor relations, customer relations, regulatory affairs, and other external-facing entities. Once a company has mapped out possible scenarios and plans, they should create handbooks (or playbooks) that ensure a coherent, coordinated response.
    • It is important for an organization to develop specific playbooks for different types of cyber incidents in advance so that a formal response is developed, roles and responsibilities are assigned, and tasks needing to be completed are written down to keep the response team organized.
  • Conduct war games to improve the plan and train staff.
    • provide insights into anticipated cyber incidents and planned responses, helping organizations refine their plans and identify all the capabilities required for an effective response.
  • Appoint a crisis action officer to create and execute plans.
    • This role can be called the crisis action officer or crisis executive.
  • Four steps of the business continuity planning process.
    • project scope and planning, 
    • business impact assessment, 
    • continuity planning
    • approval and implementation. 

Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency situation.