The last few years have been hard on cybersecurity professionals. An onslaught of new attack innovations and evolutions has raised an attack’s risk — and the costs. More organisations than ever are attempting to transfer a portion of that risk through cyber insurance.

However, once easy to get and robust in coverage, cyber insurance policies have become challenging to obtain, difficult to maintain and costly to keep. Premiums have surged while policy providers have increased the required controls organisations need to qualify for coverage. It’s a challenging insurance landscape that organisations are struggling to navigate while facing daily threats from global adversaries.

One solution that can help an organisation swiftly stop an attack and restore business operations is incident response (IR), which can also help them secure a high-quality cyber insurance policy.

What is incident response?

IR is a set of processes and tools used to identify, contain and remediate cyberattacks and to restore the organisation to pre-incident operations. It is the process of:

Securing an environment by eliminating the threat actor’s access;
Analysing the cause and extent of the threat actor’s activities inside the network; and
Restoring the network to its pre-incident condition (including ransom negotiation and payment, if necessary).

Each part of the process is performed concurrently and relies on and informs the other parts. There are multiple expert types within the field of incident response. For example, some responders focus on forensics analysis, while others specialise in data recovery and system restoration.

All team members must work in unison, collaborating and communicating throughout the process to bring the business back online quickly with minimal costs.

Why insurers value IR

As little as a decade ago, cyber insurance was a niche market, with only a handful of carriers offering policies to only around a quarter of US organisations. In the intervening years, the rate of published vulnerabilities and attempted cyberattacks has skyrocketed, leading to a surge of new policy seekers, with organisations having secured their policy in the previous 12 months.

As insurers filled more policies, they sought to right-size the market due to rising ransomware attacks that set new records for several attacks and median ransom demands. The median initial ransom demand for cases investigated by Arctic Wolf Incident Response in 2023 stood at US$600 000.

The primary focus of these right-sizing efforts revolved around creating new requirements that organisations must meet to obtain or maintain a policy. Cyber insurance policies have now caught up to the scrutiny and evaluation standards found in home, car, business and life insurance policies, and experts expect they will soon eclipse them as the cyber landscape continues to grow over the coming years.

Cyber insurers now tend to place organisations into “risk buckets”. Those organisations with proven implementation of core controls such as multifactor authentication, patch management and the creation of an IR plan have cleared the barrier to entry and can obtain a cyber insurance policy. However, these are the minimum requirements and won’t reward organisations with a premium or elite policy.

For an organisation to find themselves in that “elite” risk bucket, where the premiums are the most affordable and the coverage is the most comprehensive, they’ll need to go much further, making significant progress on their security journey through the implementation of proactive security operations solutions that afford them 24×7, real-time monitoring, detection and response against cyberattacks, robust vulnerability and risk management, and practical security awareness training for users, to help them minimise human risk and thwart social engineering attacks like phishing.

IR is another solution that can tip an organisation into that elite bucket. In evaluating an organisation’s risk profile, insurers take a lot of solace in knowing that the business has fast access to a team of response and remediation experts who can help with everything from backup restoration to digital forensics to threat actor negotiations if needed.

This kind of full-featured IR mitigates the damage and therefore mitigates the cost the insurer may be asked to cover. Because of this, if an organisation has IR services on retainer, they might find themselves in the elite risk bucket, with access to the best policies and premiums available.

Evaluating IR providers and retainers

To fully eradicate the threat and restore normal business operations — and to stand the best chance of cyber insurance providers placing you into that elite risk bucket — businesses need a full-service IR provider. It’s not enough to delete the threat. Instead, finding the root cause, documenting what happened and restoring business operations to pre-incident conditions is vital in every response scenario to get the organisation back online and prevent future incidents.

IR is available from various providers, each offering services directly to organisations — some even through cyber insurance carriers themselves. No matter who you choose, be sure to select a full-service vendor with in-house expertise who can provide comprehensive digital forensics and data recovery services. Only full-service providers eliminate the threat actor’s access to the environment, analyse the extent of the attack and restore the business to normal pre-incident operations.

Effectively achieving all three objectives requires an IR firm with a multifaceted team of in-house expertise. Coordination across the team and with the customer is vital to the response process, and everyone from the security operations centre to the boardroom needs to understand the status of the investigation and the significance of the findings.

Additionally, engaging with IR services often comes as a retainer.

Traditionally, this has meant pre-purchasing a certain number of hours you use or lose over a year. However, new retainer models, like Arctic Wolf’s IR JumpStart Retainer, provide proactive IR planning with a one-hour response time and no prepaid hours, ensuring priority access without upfront costs.

About Arctic Wolf
Arctic Wolf is the market leader in security operations. Using the cloud-native Arctic Wolf platform, we help companies end cyber risk by providing security operations as a concierge service. Highly trained triage and concierge security experts work as an extension of internal teams to provide 24×7 monitoring, detection and response, ongoing risk management, and security awareness training to give organisations the protection, resilience and guidance they need to defend against cyberthreats. For more information, connect with Arctic Wolf on Facebook, X, LinkedIn and YouTube.