
Prevention vs Cyber Incident Response: How To Achieve A Balance

How should insureds balance their resources between attack prevention and cyber incident response? How can IR mitigate cyber claims costs?

Cyber insurance clients are often reluctant to devise a proper Incident Response (IR) plan, citing a lack of time or a lack of need as significant challenges. It is not uncommon for cyber insurance brokers to be faced with clients who prioritize other cyber-related tasks and spending and dismiss the need for an IR plan – that is, until a cyber event occurs. In our recent IR Masterclass, Blue Team Alpha’s Joe Kingland emphasized the need for realistic, proactive planning rather than relying solely on prevention methods in a threat landscape where cyber attacks are increasingly prevalent.

IR plans are crucial for both insurers and insureds. On average, organizations with incident response teams and tested plans incur costs that are $2.6 million to $2.7 million less than those without plans or practice. Companies that have not invested proper time and care in incident response preparation have significantly longer recovery times (RTOs), with an average recovery time of 21 days. The shorter downtime that comes with preparation also helps to manage reputational damage and associated costs.

Prevention and preparation go hand in hand: While prevention is important, it is not foolproof. Balancing both prevention and preparation is recommended since there is no “Silver Bullet” solution to cybersecurity. It is crucial to prepare insureds for incidents when prevention methods fail.

Balancing Resources Between Cyber Attack Prevention and Incident Response

Our IR Masterclass leader, Joe Kingland, shared key considerations for insureds when allocating and prioritizing cybersecurity spending. He also emphasized the need to tailor these considerations to suit clients’ individual needs and requirements. 

He recommends beginning with a business continuity plan that includes incident response. The plan should outline how to operate the business in a cyber event. Only after establishing the business continuity plan does Joe recommend focusing on prevention measures. This includes setting up a Security Operations Center (SOC) to monitor and mitigate potential threats. 

Balancing resources between prevention and incident response: step-by-step diagram. Source: Blue Team Alpha.

Insureds might also want to consider Honeypots at this point – as these can play a crucial role in the detection phase of an Incident Response (IR) component. Honeypots are a tool used to detect and monitor attacks by placing a vulnerable computer in the network to attract threat actors. When the Honeypot is attacked, it alerts security professionals to the presence of a potential attacker in the network. While Honeypots are effective for detection, they require a functioning security operations center and appropriate tools to collect and respond to the data generated by the Honeypot. Therefore, while not essential, they are considered a valuable subset of prevention measures in the IR process.
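
An added example, not from the original article or from Blue Team Alpha: a sketch of the collection-and-response step described above, turning honeypot connection events into prioritized alerts for a SOC queue. The log format, the 10.20.0.0/16 internal range and the severity thresholds are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events, as a honeypot listener might log them:
# timestamp, source IP, destination port on the decoy host.
SAMPLE_EVENTS = """\
2024-05-01T02:14:07 10.20.3.45 445
2024-05-01T02:14:09 10.20.3.45 3389
2024-05-01T02:15:30 10.20.3.45 22
2024-05-01T09:01:12 10.20.7.10 445
2024-05-01T11:47:55 203.0.113.9 22
"""

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed corporate range

def build_alerts(log_text, internal_net=INTERNAL_NET):
    """Group decoy contacts by source and rank them for the SOC queue."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than stall the pipeline
        ts, src, port = parts
        by_src[src].append((datetime.fromisoformat(ts), int(port)))

    alerts = []
    for src, hits in by_src.items():
        ports = sorted({p for _, p in hits})
        internal = ipaddress.ip_address(src) in internal_net
        # A decoy has no legitimate users, so every contact is worth a look.
        # An internal source means something is already inside the network;
        # several ports from one source looks like scanning, not a one-off.
        if internal and len(ports) >= 3:
            severity = "high"
        elif internal:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"source": src, "severity": severity, "ports": ports,
                       "first_seen": min(t for t, _ in hits).isoformat(),
                       "events": len(hits)})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (order[a["severity"]], a["first_seen"]))

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(alert)
```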

Mitigating Cyber Claims Costs

Focusing solely on prevention without adequate planning leads to prolonged recovery times, but where should insureds be placing their focus in preparing for an incident? 

Proper incident response planning can result in significant cost savings, with an average of $2.6 million saved for those organizations that are prepared for cyber events compared to those who are not. Source: Blue Team Alpha.

Incident Response preparation should include incident management firm selection, breach coach selection, pre-selecting Digital Forensics and Response Firms (DFIR), ensuring proper documentation, having reliable backups and testing them, maintaining an accurate inventory of assets, and implementing a resilient infrastructure. 

However, the business continuity plan and data backups are where cyber claims costs can be substantially reduced. Sound backups play a crucial role in reducing delays and avoiding ransom payments in the event of a full ransomware incident. Having reliable backups minimizes the need to negotiate with threat actors and purchase decrypters, which can be a slow and uncertain process.

In conclusion, investing in comprehensive incident response planning and balancing prevention and preparation measures is vital for both cyber insurance clients and insurers. It enables organizations to effectively respond to cyber events, minimize financial losses, and safeguard their reputation in an ever-evolving threat landscape.


Watch the rest of the IR Masterclass

Fill in the form to receive your on-demand recording. Masterclass Learning Objectives:

  • Explain the benefits of preparing for a cyber incident beyond the scope of a cyber insurance policy.
  • Demonstrate knowledge of loss control techniques specific to Cyber Insurance, namely backup methodologies, IR plans and data segregation. Identify key relationships for clients to develop ahead of an incident.
  • Assess and respond to smaller cyber incidents, distinguishing between those that need to be reported to carriers and those that can be managed internally by the client.
  • Apply loss control and risk mitigation techniques to real-world scenarios.

