Cyber Insurance: Folies à Deux

[00:00:00.660]
Chris: I accept the fact that time exists only as a courtesy to others.

[00:00:06.480]
Ned: Time is a courtesy to others?

[00:00:10.790]
Chris: Time is a flat circle, dude.

[00:00:12.570]
Ned: Oh, right. I keep forgetting. Does that make it like a Bitcoin?

[00:00:17.410]
Chris: No, because time has value.

[00:00:27.360]
Ned: Hello, alleged human, and welcome to the Chaos Lever podcast. My name is Ned, and I'm definitely not a robot. I'm not a multidimensional being who just happens to manifest themselves as a humanlike personage on this dimensional plane. I am not projecting myself from the 16th dimension to experiment with you strange mortals and ensure that you create Necco wafers that I can squirrel back to the 16th dimension. That would be weird. Why would that be? I don't understand what you're even What it means, Chris, who's also here. Hi, Chris.

[00:01:03.050]
Chris: It's 90 seconds. We're off the rails, and now I want dessert.

[00:01:08.390]
Ned: Okay, point of contention here. Necco wafers are not dessert or sustenance.

[00:01:15.350]
Chris: And thus, you prove your non-humanity.

[00:01:20.520]
Ned: Really? That's the thing. That's the one. We finally pushed this- All this time, we finally got there. The joke The thing that I've heard before is that Necco wafers are a great stand-in for communion bread, except they taste worse.

[00:01:41.450]
Chris: I don't actually remember what a Necco wafer is. I think What is a type of flan.

[00:01:46.910]
Ned: A very flat, dense flan.

[00:01:49.800]
Chris: It's a flan.

[00:01:53.600]
Ned: I don't know which one I would be less interested in eating. I know we just lost the entire contingent of flan lovers out in the audience.

[00:02:03.690]
Chris: And it is significant.

[00:02:05.530]
Ned: Surprisingly so. Google's insights on podcast listeners are absolutely staggering.

[00:02:13.070]
Chris: But yeah, flan- Are you focusing mostly on flan? With Google Insights?

[00:02:16.190]
Ned: Yeah, and I think you would agree with me. That is a distinctly unappetizing dessert.

[00:02:22.870]
Chris: I mean, creme brûlé exists.

[00:02:26.530]
Ned: Yeah, we already did it, people. We perfected a Why? Just like Exchange 2013, which, if you listened to our earlier episode this week, is a relevant joke. And if you didn't, go back and do that.

[00:02:43.510]
Chris: Right. How dare you?

[00:02:45.170]
Ned: Get out of here. We don't even want you.

[00:02:48.790]
Chris: Actually, please stay and listen five times. Please.

[00:02:53.340]
Ned: Should we talk about some tech garbage?

[00:02:55.830]
Chris: Yeah. Let's go with, say, cyber insurance. Oh, my second favorite Fall Out Boy album. Since we're doing all the French stuff, let's roll with it. All right. Don't know how to spell it, don't know how to pronounce it, don't know what it means.

[00:03:13.650]
Ned: Are we talking about cyber insurance? Yes. Okay.

[00:03:18.260]
Chris: Because I know how to pick the party topics. Also, I love sequels.

[00:03:25.390]
Ned: Who doesn't?

[00:03:26.350]
Chris: I mean, who doesn't, actually? Who? Todd Phillips, apparently. Because as we all know, he recently released a sequel to the billion-dollar taxi driver ripoff movie Joker. And that sequel appears to be, let me double-check my notes, Awful. Everything about it appears to be wrong. With audience and critiques reviews ranging in opinions from, I want my three hours back, to, The sequel, just been met with disappointment, but also with sense of betrayal, to, Startlingly dull and not much fun, which actually, I got my notes confused. That one is actually a review of my dating life. Zing. Wait.

[00:04:14.640]
Ned: Wait. Wait.

[00:04:16.580]
Chris: Anyway.

[00:04:19.260]
Ned: As we slowly morph into the movie review podcast that we've always wanted to be.

[00:04:25.420]
Chris: Everybody's Hopes and Dreams.

[00:04:28.370]
Ned: Anyway. Anyway. All right.

[00:04:31.080]
Chris: Way back in February, we talked a little bit about cyber insurance and about just insurance in general. Hammarabi made an appearance. It was a good time. There were a few predictions made in that episode. Two of the biggest ones that were not exactly huge swings. Number one, cyber risk is expected to significantly increase in 2024. Number two, these increasing cyber risks are creating more rigorous cyber insurance application processes. Both, I'll have you know, turned out to be completely true. We don't even have to get to the end of the year to nail that.

[00:05:09.380]
Ned: No, not even slightly.

[00:05:12.770]
Chris: Maybe not the biggest swings in the world, but I'm just saying two for two.

[00:05:19.750]
Ned: That's 200 %.

[00:05:21.290]
Chris: Where is my trophy?

[00:05:24.650]
Ned: I'll give you my trophy from when I was five for soccer.

[00:05:29.980]
Chris: Anyway, I don't believe you made a trophy.

[00:05:32.910]
Ned: Anyway- Well, I made the trophy.

[00:05:35.830]
Chris: Oh, yeah, you've got the 3D printer. You probably did. The second point where increasing risks are creating a more rigorous I'm going to take a look at the insurance application process. Looking over what we talked about, I thought that required a little bit more attention. To do that, I'm going to reference two cyber insurance policy applications that came from the same company. Okay. One of which was from the year 2020, and the other was from the year 2023. After a lot of hemming and hawing about it, I decided I'm not going to tell you all which cyber insurance company this comes from? Because I don't think that really helps.

[00:06:19.070]
Ned: It doesn't really make a difference. Just know that it is an actual company.

[00:06:23.120]
Chris: Yes, it's a real company that you have heard of that does, in fact, exist. It is Hasbro. But more importantly, what we're going to talk about, yes, I'm using some specifics from this one company, but it's general. This is happening across all cyber insurance policies at different rates of speed. And because things have to be as interesting as possible in the style of Joker 2, where the sequel is completely divorced from the original in both tone and content, I'm not even going to talk about cyber insurance for the entire time. I'm going to then pivot, spoiler alert, to incident response plans.

[00:07:03.410]
Ned: Oh, that's different.

[00:07:06.080]
Chris: But in a spirit of generosity towards an already exhausted and exasperated audience, I do promise not to break into song.

[00:07:17.230]
Ned: Our lawyers will be duly relieved.

[00:07:20.870]
Chris: And so will everyone with ears.

[00:07:24.850]
Ned: All right.

[00:07:26.900]
Chris: So part one, cyber insurance. What a difference four years can make. Now, ordinarily, I don't actually read those subtitles out loud, but I enjoyed that one, so I wanted everyone to appreciate it equally.

[00:07:42.740]
Ned: It was good and it was a solid read. I felt the title-ness of it.

[00:07:49.360]
Chris: The title-ness. Thank you. That's exactly what I was going for.

[00:07:52.310]
Ned: I know.

[00:07:55.120]
Chris: Okay, 2020, 2023. What differences did we find analyzing these two applications? If I had to put it into one word, that one word would be specificity. A lot of questions were only what I would call general in 2020. Well, they are now requiring more and more information, a. K. A.

[00:08:23.140]
Ned: Specifics. Okay.

[00:08:24.800]
Chris: That's why I said specificity. Try to keep up, would you? Jeez.

[00:08:29.000]
Ned: Always falling behind.

[00:08:31.880]
Chris: A lot of people probably remember that in 2023, the SEC mandated disclosures about breaches in a way that was not get aroundable. And furthermore, There is a lot of talk about CSOs being under more of a spotlight. In the terrified circles, some people might think that the CSO is specifically personally liable. That last part is an open question, but the rest of it is totally real. This rolled into the 2023 application unsurprisingly. It takes that SEC part of the disclosure and responsibility into consideration and asks you to name that CEO. Ciso.

[00:09:17.200]
Ned: I know what you meant. I was already thinking of a come on down joke from the price is right, and it just didn't coalesce. I think we were both distracted.

[00:09:27.260]
Chris: On the application, naming the CISO is followed up with what can only be defined as a terrifying question, if you're a person of that level. Who is primarily responsible for the applicant's cyber security program?

[00:09:42.680]
Ned: Shouldn't that be the CISO?

[00:09:46.380]
Chris: You would think.

[00:09:47.580]
Ned: I would think.

[00:09:48.660]
Chris: I mean, the question is interesting because in the application, it actually is making the implication you have to choose or you have to explain, are you as a company handling it, or do you have a third party? Do you have an Have you outsourced to some other company, et cetera?

[00:10:04.930]
Ned: It makes sense.

[00:10:05.930]
Chris: It's a difference depending on how your company is organized. Another category in 2023 that wasn't even a category before, data security and governance. You might have heard of those two things.

[00:10:22.530]
Ned: I feel like that should have been a question before.

[00:10:27.040]
Chris: And there's that fun word should.

[00:10:30.260]
Ned: Fair.

[00:10:30.900]
Chris: In 2020, the questions about data were basically yes, no, and there were not many.

[00:10:40.190]
Ned: Okay.

[00:10:41.690]
Chris: Lest you think that I'm being dramatic, I shall quote the only times the word data shows up in the 2020 application. Are you ready?

[00:10:51.920]
Ned: I am prepared sitting on the edge of my seat, even.

[00:10:56.290]
Chris: Who said you were allowed to have a seat? Not after the way you've acted.

[00:11:00.770]
Ned: Well, it's less of a seat and an uncomfortable box.

[00:11:04.260]
Chris: Back onto the exercise ball.

[00:11:06.440]
Ned: It's so hard to balance.

[00:11:09.740]
Chris: I fell on the floor twice. The cat laughed at me. Okay. Number one, from 2020, estimate the annual volume of payment card data that you process or store. Number two, do you use network segmentation to protect connect sensitive data like PII? Number three, do you back up all mission critical systems and data? And finally, number four, are you compliant with all applicable data security standards such as PCI-DSS?

[00:11:48.230]
Ned: These are all, well, with the exception of one, they're all yes or no questions. Correct. The annual volume of payment card data could almost be a yes or no. In in the sense that either you are storing it or processing it or you're not. The other three don't ask you to prove it or provide any certification.

[00:12:10.320]
Chris: Correct on all points.

[00:12:12.400]
Ned: Yay. What do I get? What do I get?

[00:12:14.720]
Chris: You actually get audited.

[00:12:16.600]
Ned: Oh, the worst prize ever.

[00:12:20.470]
Chris: The other thing here, I mean, they do throw in question number two, they do say network segmentation to protect sensitive data like PII. But other than that, they are heavily We're really focusing in 2020 on credit card data, financial transactions and stuff, and that's it. As we have learned in the few short years between 2020 and now, there's a lot more data that needs to be protected than just that.

[00:12:46.330]
Ned: Yeah.

[00:12:48.820]
Chris: Also, to your point, these are very generic questions, not what I would call specific.

[00:12:56.080]
Ned: I imagine that's changed a little bit.

[00:12:58.350]
Chris: Just a A scoach. A quiesanart. In 2023, we now have an entire data security and governance section. This section is comprised of 39 questions. It is spread across two and a half pages, making up the bulk of the application.

[00:13:24.470]
Ned: Wow. Okay.

[00:13:25.930]
Chris: I'm going to read you the entire thing. Go. I'm just kidding. That's ridiculous. I would put myself to sleep.

[00:13:33.410]
Ned: Yeah.

[00:13:35.120]
Chris: A few quick highlights, though, just as a compare and contrast. Number one, MFA is referenced five times in this section. It is asking in no uncertain terms, are you using it to protect various levels of email, devices, accounts, networks, etc. In 2020, it came up one time, and for some reason, it centered around email.

[00:14:05.390]
Ned: It's like a client probably got burned, and they got burned in turn by not having MFA on an email. So we should add that one. But just that.

[00:14:15.150]
Chris: Don't think harder about it. Right. Also, in terms of talk about the sign of the times, in 2020, we were still begging people to use MFA. Just gnashing of teeth, rending of garments, claw at hair. It was a problem. Now it's basically the default. I think you have to have MFA to get on to Twitter.

[00:14:40.350]
Ned: Why you would go on Twitter is an open question, but yes.

[00:14:43.450]
Chris: At least your account would be secure. I mean, your password wouldn't because Twitter has been breached five times, but let's talk about that later.

[00:14:50.310]
Ned: Okay, moving on.

[00:14:52.740]
Chris: Number 2, 2023. There are significant questions about backups, including details Also, questions about how they're protected. Actually, I edited myself. Mfa came up again, so it was actually referenced six times. Also questions about how quickly can your backups be restored and how frequently they are tested. Questions that are important and were not discussed in detail in 2020.

[00:15:23.530]
Ned: Yeah, I imagine the volume of clients they had to deal with that got hit by ransomware was pretty high. So whether or not you're backing up your data and whether or not you can restore it suddenly become very pertinent questions.

[00:15:38.850]
Chris: Third major section, they started to ask probing questions about your security posture in platforms in general. There are now questions about EDR, whereas before they were just asking about antivirus. They're asking questions about logs. They're asking questions about whether you're using a SIM. Do you do security awareness training? Et cetera. Again, all of which completely absent in 2020.

[00:16:07.610]
Ned: Wild.

[00:16:08.980]
Chris: Then finally, question number 38 in this section is a new question Oh, wait, that counted as singing. Crap.

[00:16:17.630]
Ned: And we're sued.

[00:16:21.090]
Chris: Does the insured implement any of the following response plans? Business Continuity Plan, Incident Response Plan, Disaster Recovery Plan. And then more details about each.

[00:16:35.410]
Ned: They did not ask about any of that in the original application?

[00:16:40.450]
Chris: Not in so many words.

[00:16:43.360]
Ned: That's wild.

[00:16:44.450]
Chris: Is it not?

[00:16:45.830]
Ned: It is wild to me. Yes.

[00:16:48.440]
Chris: So, yeah, it also definitely shows that insurers are getting a lot more prescriptive about what they expect. Because think about this. A lot of these were, in fact, yes, no questions. But we know when it's put into a document like this, the answer better be yes.

[00:17:11.400]
Ned: It's heavily implied.

[00:17:13.990]
Chris: Or it's going to cost you.

[00:17:15.550]
Ned: That policy price is going to go way up if you answer no to any of these questions.

[00:17:21.670]
Chris: Alternatively, they will just deny your policy at all. True.

[00:17:27.690]
Ned: If you lie on the policy and say yes, and they figure out you weren't doing it, they don't have to pay you.

[00:17:35.160]
Chris: That is correct. Now, that's an interesting point, because in 2023, that has expanded. The expectation now, going forward, and again, this is not every single insurer, but expected in the future. They want you to prove what you say in the application before the policy begins. That is a new thing that is absolutely happening. You are being asked to submit proof of what you say. And it's interesting because as you just stated, every insurance plan that has ever existed, even before cyber insurance, will have something in there that says, If you lied about what is your situation when we signed the papers and insured you, you are now not going to get a payout. Right. That has always been in there. That is not new. The question has to be asked, why all of a sudden is this ratcheting up in terms of requirements and prerequisites for an application?

[00:18:40.890]
Ned: Money. The answer is money, Chris.

[00:18:43.710]
Chris: Right. And the answer for money is all the stuff we talked about at the top. The amount of attacks that are happening continue to increase. The amount of risk that every single company takes on continues to increase. And if an insurer has to go through the exercise of trying to figure out after the fact whether or not you were compliant, that is a waste of their time and money. Time and money that they would rather not waste. Yes. That's why everything is becoming front loaded. It is becoming more onerous for the shopper than it is for the store.

[00:19:27.470]
Ned: Do you think that cyber insurance has now become a necessity?

[00:19:34.190]
Chris: I mean, in a lot of cases, literally, yes. There will be regulations or rules that require you to have some secondary assistance in the incident, in the event that an incident occurs.

[00:19:48.630]
Ned: I'm also thinking when you own a house and you have a loan for that house, you have to have homeowners insurance. That's not an option. Because the organization that is securing the loan for you wants to make sure they get a payout if your house burns down or something else happens to it. If you're going as a business to go get a loan somewhere and you're highly dependent on your information technology systems, they're going to want you to have a cyber insurance policy to guarantee that your company will still be functional after an event so that they can get their money.

[00:20:28.960]
Chris: Because money is good.

[00:20:34.420]
Ned: My daughter asked me this morning to explain what capitalism is, Chris.

[00:20:40.700]
Chris: And you decided to play monopoly, and now no one in the family is talking to each other?

[00:20:45.070]
Ned: Oh, no. I just threw a copy of DAS Capital at her head and ran away.

[00:20:48.690]
Chris: That's good.

[00:20:49.900]
Ned: She won't get up for a while.

[00:20:53.490]
Chris: Dark.

[00:20:55.040]
Ned: Well, so's capitalism, god damn it. Do you have another thing? Yeah. I wanted to drill down a little bit more deeply on that whole incident response plans thing. Okay.

[00:21:13.380]
Chris: Now, I know what you're thinking, but I'm not done talking about insurance yet. I mean, it's true. It is true. I'm totally ready to talk about leveraging reinsurance arbitrage through facultative placements and quota share treaties, thus maximizing capital officiny. Damn it.

[00:21:34.280]
Ned: You tried so hard. Why would you do that to yourself? You wrote that. Actually, did you write that or was that a ChatGPT? Give me financial gibberishish.

[00:21:44.460]
Chris: I can't imagine what you could possibly mean. Everybody loves talking about leveraging reinsurance arbitrage through facultative place. That is a real word, facultative.

[00:21:57.670]
Ned: Facultative.

[00:21:59.520]
Chris: There you But we can talk about incident response plans instead.

[00:22:07.100]
Ned: It's certainly easier to pronounce.

[00:22:09.210]
Chris: God bless somebody. So incident response plans are a part of IT, and they're known for two things. They've been around forever, and nobody pays attention to them. Or at least they haven't. Ominous music in the background.

[00:22:33.200]
Ned: There we are.

[00:22:36.970]
Chris: As all of the above about insurance clearly lays out, they are becoming increasingly more important, not just for your business if you have an incident, But for the cyber insurers that insure it, facultative.

[00:22:54.050]
Ned: Facultative.

[00:22:58.190]
Chris: Okay, let's do a little test. This is tough to do without visuals, so I'm going to try to summarize a lot here. We're going to do a little hypothetical. I'm going to tell you about a document, and you tell me if it's an incident response plan or not. Okay, I'm ready. Section one, problem. The website went down. Sure. Solution. Call Dave and make him fix it. The end.

[00:23:30.780]
Ned: What do we think?

[00:23:33.080]
Chris: Incident response plan?

[00:23:34.320]
Ned: You have to add or else to the end, but yes.

[00:23:38.340]
Chris: Well, I thought the implied exclamation points was going to cover that, but you make a solid point. Let me do a quick edit.

[00:23:46.090]
Ned: Dave needs to know that we mean business.

[00:23:52.450]
Chris: I'm going to guess, now that I've given everybody an opportunity to think about it, I'm going to guess everybody knows that this is not going to cut But I'm also going to guess that a non-zero amount of people who are listening to this are working with exactly the above and calling it a plant.

[00:24:11.820]
Ned: Yeah, I mean, it's going to be like Mark or Stephanie instead of Dave, but otherwise, yes.

[00:24:17.580]
Chris: Yeah. So what's the problem? So first of all, it doesn't define any terms at all. What's the website? Where's the website? Who Who's Dave? What do we do if Dave is on vacation or if he left the company five years ago? This document leaves a lot to be desired. Okay, so that's a little silly. Let's be more serious. Put on our serious hats. I'm going to summarize another document, and you tell me what you think.

[00:24:57.650]
Ned: Okay.

[00:24:58.720]
Chris: Here we go. Problem. Upon loss of production server, server one, described in section 2, the following steps should be taken to restore emergency services and eventually, full production services. Solution. Verify the hardware in the DR site is still appropriate. Currently, it's called server 2. Verify the software is still current. Verify the OS is still current. Change Place the IPs of server 2 to the IPs of server 1. Restore from tape the most recent backup of server 1. The end.

[00:25:43.200]
Ned: Okay.

[00:25:44.930]
Chris: Now, obviously, the actual document has a lot more detail, but I think you get the gist of what it looks like.

[00:25:52.640]
Ned: Yeah.

[00:25:53.440]
Chris: What do we think?

[00:25:57.000]
Ned: It sounds like it might pass as a disaster recovery plan server one, but I don't know if that makes it an incident response plan. There's also a lot of assumptions in here about how I would determine that there was a loss of the server. What does a loss mean? How do I determine if the software is current, the OS is current? What IP address should I change? There's just a lot of vagaries here that I would probably want to be more explicit.

[00:26:33.550]
Chris: Yeah. There's something else that's missing that, ironically enough, was in the first one.

[00:26:39.920]
Ned: Who has to do all this stuff?

[00:26:41.690]
Chris: Exactly. Okay. What we have here is not an IR plan. What we have here is a procedure. This is a very narrow scoped piece of information that simply answers the question, if server one goes down, how do we bring it back up in the DR site? And that's it. No terms, no responsible parties, no expectations on time to recovery, not even anything that describes what an incident is. I told you this was going to be more fun than cyber insurance, though, right?

[00:27:16.460]
Ned: It's certainly more interactive. I hope that our listening audience is screaming at us right now.

[00:27:22.450]
Chris: With joy.

[00:27:23.760]
Ned: Yeah, of course. How else would they yell?

[00:27:27.120]
Chris: The thing is, again, remember, this documentation, we are getting into a realm where it's not just for you or for your company or for your team. This is something that you have to submit to a cyber insurer as support for answering the question, Yes, we have an incident response plan. If you do that with the above, you're going to have a bad time. That's two quick examples of what an IR plan isn't. Since we're in tech, we can We can use acronyms. It's an IR plan now.

[00:28:02.700]
Ned: Yeah, no problem there.

[00:28:05.010]
Chris: Let's talk about what an IR plan is. To do that, we are going to rely on our good friend NIST. You remember NIST?

[00:28:15.490]
Ned: Yeah, she ate all the potato chips at the last party, and everyone was mad at her.

[00:28:19.940]
Chris: That was Nicole.

[00:28:21.450]
Ned: Oh, shit. Yeah, you're right. Oh, Nist.

[00:28:23.570]
Chris: And I told you not to invite her.

[00:28:27.320]
Ned: But she does such great karaoke. You take the good, you take the bad, and there you have Nicole.

[00:28:34.950]
Chris: You're fired.

[00:28:35.600]
Ned: You can't fire me. I quit.

[00:28:41.050]
Chris: So Nist is a great resource for basically everything on Earth. There are plenty of completely solid IR plan frameworks and templates out there that are not NIST, but we like to rely on NIST because, one, a lot of the time, it's just the bedrock of the other shit anyway, and two, it has the advantage of being free. So if you're a company that is strapped with cash, wants to do something like this, there is a link in the show notes where you can download the breakdown of what an IR plan is, along with some documents that are templates and examples of ones that they have created for you. Super duper helpful. But in short, what is an IR plan? Nist expects you to have three phases in your plan Detect, respond, and recover. Each of these is its own activity, that's a capital A activity, that goes in order, that roughly aligns to before the incident, during the incident, and after the incident. So immediately, just with these headers, you can see the difference between this and the second example from above. Why this procedure is not enough, why you have to have all this other information.

[00:29:59.550]
Chris: In any case, ideally, an IR plan is something that you hope you never have to use. But if you do, the expectation is you're going to have enough data, contacts, access, backups, DR infrastructure, etc. To satisfy all three of those activities from start to finish. I know we're getting short on time, and I think a few people haven't fallen asleep yet. I figure let's just briefly go through some of the best practices of what absolutely has to be in N-I-R plan.

[00:30:38.880]
Ned: Okay.

[00:30:40.160]
Chris: So section one, I'm sorry, activity one, the before. You've got to define a list of key people and assign them to various tasks and responsibilities. It's a matrix. You're going to have a table. There will be dots that are filled in. It's an exciting time. It's graphical. Everybody loves a matrix.

[00:31:01.520]
Ned: It could be one of those Racy things.

[00:31:04.420]
Chris: Well, I mean, if you're IR plan after hours.

[00:31:09.330]
Ned: I mean, there, you know what I meant. R-a-c-i, which don't ask me what those four things stand for because I wasn't paying attention.

[00:31:18.350]
Chris: First of all, we're in IT, we use acronyms. We don't explain what the acronyms are.

[00:31:23.030]
Ned: Precisely. We assume everyone knows and we all nod our fucking heads. Exactly. Yes. I know what that stands for. Moving on.

[00:31:32.200]
Chris: You defined your list of key people. This is often defined as the incident response team. Stakeholders are at the very titty top, and then at the bottom, you've got technicians who are actually doing the work. But In between, there's a lot of vagary. Depending on the size of your company, that all might be one person. I wish I was making that up.

[00:31:53.690]
Ned: Not Dave, though.

[00:31:54.820]
Chris: No, no. That freaking guy. The reason for this is it helps set you up for a communication, and it helps set you up for responsibility in the next section. So just keep a pin in that. Still in the before activity is train your staff on how to actually execute. This is the same as a backup. If you don't test it, you don't have it. And the reason for this is twofold. The first is, if you test it and it fails, that is a lot better than having to do it in the moment and it fails. But also, if you test it and you find flaws, you can fix them. These are often called tabletop exercises. A lot of people sit around the room, and ideally, you've got a third party that doesn't know anything about the environment that just calls out plays and says, Okay, server 1 went down. What's the first thing that has to happen? It sounds... Actually, they're fun, especially if you've got somebody that has had way too much caffeine. The reason this is important, and the reason I'm dwelling on it, is when you do this as practice, you're not stressed out.

[00:33:09.980]
Chris: When you do this when there's an actual incident, you are absolutely 1,000 % stressed out.

[00:33:16.760]
Ned: Exactly.

[00:33:17.670]
Chris: Mistakes are going to be made. So better to have a very rigorous document that has been tested and practiced without that stress so that when you go into the incident, you're ready. And next in the before section, share the document. Now, I'm not saying put it on the front page of your website, but everybody in that list above has to have access to it and has to be familiar with it. And ideally, you've got a way to at least get them to sign off and prove that they read it. Again, familiarity here really, really helps.

[00:33:59.250]
Ned: And make make sure that you don't put it on a system that is going to be part of the incident response when it goes down.

[00:34:07.830]
Chris: Don't put the plan to recover S3 in an S3 bucket. And finally, update the plan. Keep it current. Quarterly reviews at a minimum. I promise you, the first time you write this document is the longest you're ever going to have to spend with it. It will take you 10 times longer to write it the first time than it will to edit it and double-check it and confirm everything is accurate every three months. But this is super important, again, for the procedure part that we talked about up top. What if server names change? What if IPs change? What if the website is not hosted there anymore? That's got to be reflected in a current IR plan. There's more to it, but we're moving on to activity number two, during an incident. First of all, you've got to be able to define what an incident is and who can declare one. Now, again, this part is going to be very different depending on the size of your company. A lot of times you're going to have to have stakeholders make approvals, things might have to go to the board, et cetera. But once an incident is declared and defined as what is the problem, somebody needs to be in charge.

[00:35:27.090]
Chris: Somebody from that list above, the key stakeholder the web service. That person's in charge now, and everybody knows it because they've all memorized the document. This person being defined in the before phase means that there's no confusion, no finger-pointing, and no wasted time. Now, ideally, that person will also have a backup just in case they're on vacation. Step two, communicate, communicate, communicate, and communicate. Notify everybody who needs to be notified about all the steps that are happening. Keep people current. This is open a phone bridge and let everybody sit on it. It can be a phone tree for all I care. As long as everybody on that list that's a stakeholder is aware of what's going on as fast as humanly possible. And then all that stuff sets you up for success to do the part that everybody thinks is the only part, which is, Fix the problem. Isn't it interesting that this is where we finally get to the procedure. All that other stuff is prerequisites and prequels, if you will. Other words that start with pre.

[00:36:40.830]
Ned: It's setting the stage, making sure things are in their proper places. So when you need them, when you reach for them, they are there. Right.

[00:36:51.640]
Chris: And then finally, the after activity. So you've done the procedure, things are back up and running. The fires have been put out. The first and most important thing you need to do is hold a postmortem. Now, this is basically like the tabletop that we talked about before, except you're going through what actually happened. Identify what went right, what went wrong, how long did it take, were there any mistakes, was there any omissions, why? This is incredibly important. This cannot be about blame. You need everybody on your staff to be on board and open and honest and communicative about what happened and why. So if you make this a blame game, people are going to start to obfuscate. That's a long, complicated word that means lie.

[00:37:47.330]
Ned: Yeah, I was going to say, we don't have to sugarcoat this. They're going to lie.

[00:37:52.730]
Chris: But if you set the stage, I mean, this is great for C-suite level people to assert some serious ownership and leadership. Come into the room, prompt. There is no bad guy here. We just need to get to the bottom of what happened. And hopefully your staff trusts you enough to believe you. Once again, if you've done all the other steps in advance, You have that credibility. It's all about making the IR plans better for next time.

[00:38:23.010]
Ned: Right.

[00:38:24.530]
Chris: And obviously, the next part of that is obvious. Update the document with what you've learned.

[00:38:29.920]
Ned: It seems like a good way to close the cycle. Yeah.

[00:38:34.030]
Chris: Then finally, communicate again. Tell the entire company or the entire necessary audience that you need to communicate with. That could be outside the company. Who knows? What happened? Why did it happen? What did you do to make it better so that it doesn't happen again? All of that is your IR plan. There are steps involved for every single thing I just talked about and a whole bunch of stuff that I omitted for time. Once all is said and done, you'll end up with, frankly, a giant document, probably 50, 60 pages for a mid to mid-large company. But honestly, that's just an estimate. It could be anywhere. It depends on the complexity, et cetera. Whatever it is, is a damn site longer than the two examples we went through in the middle there. You get that thing together and you hand that to your cyber insurer, They are going to feel a lot better about insuring you and possibly even giving you 0.1% off your rate.

[00:39:39.720]
Ned: Maybe. If the sun is in the right position and mercury is in the house of cancer or whatever.

[00:39:46.560]
Chris: It's the dawning of the age of Aquarius.

[00:39:48.540]
Ned: It is the dawning.

[00:39:50.650]
Chris: Hey, we said no singing.

[00:39:51.450]
Ned: Damn it. I can't help it. My heart's got to sing, Chris. Hey, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can go sit on the couch, fire up high school musical, The Musical, the TV series, and sing along. You have earned it. You can find more about the show by visiting our LinkedIn page, just search Chaos Lever, or go to our website, chaoslever. Com, where you'll find show notes, blog posts, and general Tom Fouhry. We'll be back next week to see what fresh hell is upon us.

[00:40:24.810]
Chris: Ta-ta for now.

[00:40:34.080]
Ned: Index spiked as hedge fund manager scramble to rebalance their portfolios in anticipation of quantitative easing while the yield curve inverts and signaled potential economic downturns.

[00:40:44.730]
Chris: Facultative.