Specialty Podcast: Building Cyber Resilience - From Incident Response to Business Impact Analysis
By Alliant Specialty / October 23, 2025
Join Howard Miller and Grace Michael, Alliant Cyber, as they discuss practical strategies organizations can use to reduce downtime, minimize costs and strengthen resilience before and after a cyber incident. They examine how effective incident response planning, tabletop exercises and business impact analysis (BIA) collectively enhance recovery and guide smarter insurance and risk transfer decisions.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Howard Miller (00:09):
Welcome to another episode of the Alliant Specialty Podcast. My name is Howard Miller with Alliant Cyber, and today we have a special guest and colleague, Grace Michael. Grace is a 20-year veteran in cybersecurity and risk management and leads engagements at Alliant Cyber's consulting practice, helping complex organizations strengthen their security posture and achieve measurable outcomes. Today we're going to be discussing activities that businesses can do to save time, save money and recover from a cyber incident. To set the stage on the discussion, we'll start with a brief overview of risk quantification and the current threat landscape. A good risk scenario is really a story that has three components. First is an exposure, something of value to your organization such as digital property, operations, reputation or financial assets, basically value exposed to loss. Second is the cause of loss, or what we affectionately call perils in the insurance industry. These perils have a way of finding their targets and causing damage in the same way that cybercriminals find vulnerabilities in networks or human beings and exploit them, causing data breaches and security failures. The third component is the impact. That impact can be determined using both qualitative and quantitative methods. Quantification of impact is really helpful to determine reserves and financial loss of a cyber risk scenario. Reinsurers get concerned when it comes to aggregated cyber risk because technology has brought us together, software is constantly evolving, and an unpatched vulnerability could be used to attack thousands of insureds at one time, causing a catastrophic financial loss to the insurance company. There are several companies providing catastrophic modeling platforms. One such tool is CyberCube, which utilizes data and sources from Symantec, insurance companies and its own user database.
We're currently using CyberCube to help our clients individually model the cost of ransomware, data breach or network outage scenarios, running a simulation 50,000 times and then plotting the financial impact along an exceedance curve. This benchmarking compared to industry peers can provide due diligence for boards and executives as to what a potential financial loss could be and what limits may be appropriate to transfer to an insurance carrier. Beyond peer benchmarking, we have provided proprietary company-specific modeling based on an in-depth but efficient security assessment and interviews with technical and business operations to provide unique data for modeling risk scenarios that are a priority for specific companies. These results are going to be much more tailored to take into account how a company generates revenue or operational budget and how that impact is calculated. Here, you can actually start to look at what enhancements in the information security program, if implemented, can lower the financial impact of a loss and positively change the model outcome. Looking at the threat landscape, SentinelOne came out with some cybersecurity statistics recently, and according to a study by the University of Maryland, a cyber attack occurs every 39 seconds. CrowdStrike's Global Threat Report stated that the time it takes for an adversary to start to move laterally across a network reached an all-time low, from 48 minutes to as little as 51 seconds. There was a 50% year-over-year increase in attacks related to access brokers who sell network vulnerabilities to be exploited. A previous Cost of a Data Breach report showed that companies saved as much as $1.49 million on the cost of a data breach with a well-implemented incident response plan. Given the current threat landscape, it seems like preparing for a cyber incident can really reduce the severity and speed up recovery.
Grace, what is cyber risk, and what is your view on the current threat landscape?
Grace Michael (04:27):
Terrific. Hello, Howard, and hello everyone. Howard, at Alliant Cyber, we consider cyber risk as the potential for financial loss, a business disruption to our client's operations or reputational damage resulting from a business disruption or crisis. A disaster at a data center is another example of a cyber risk, or a disaster at a client system environment as well, or an exploited incident such as a failure or data breach of our clients' information assets within their technology systems, platforms and networks. A cyber risk is not a single event, Howard, but a combination of several factors. There's the existence of a threat, a potential cause of harm, such as a malicious hacker, a disgruntled internal employee or a man-made disaster. Vulnerability is another component of cyber risk. It's a weakness in the system, application or process that can be exploited by the precursor threat that I just mentioned. And then the risk: the negative business impact that occurs when a threat exploits that known vulnerability. The potential consequence is financial loss, operational downtime, data theft and regulatory fines. Now Howard, you talked about the landscape earlier with those great statistics. In the current cyber landscape, ransomware still prevails, primarily because social engineering is still so exploitable. It's that weak chain, which is typically people, but including business email compromises that are exploited by individuals. However, we at Alliant Cyber have seen supply chain threats on the rise in 2025.
Howard Miller (05:56):
Grace, you talked about weaknesses from a social engineering perspective. A lot of times even companies with stellar controls can still be vulnerable, and this starts to speak of an incident response plan where you need to respond to these types of incidents. Could you explain to us, what is an incident response plan, and what are a few recommendations you have for organizations that are rewriting or putting one together for the first time?
Grace Michael (06:25):
The primary purpose of an incident response plan is to minimize the damage, cost and disruption caused by an incident like social engineering, like an exploited business email compromise. A robust incident response plan has to be tested, and we'll talk more about that, so I'm going to table that for now. But an IR plan, incident response plan, can significantly reduce recovery time, protect sensitive information and help maintain stakeholder trust, leadership's trust, and regulatory compliance. Now Howard, a few key contributors to an effective IRP, incident response plan, and an overall resilience strategy: first and foremost is leadership support. Your C-level and board should be on board with this plan and resilience strategy. Also, a dedicated, assigned, identified, trained cyber incident response team is really key. A communication plan, including out-of-band communication, what we call low-tech, so that when an incident is exploited, we stay off the environment because there could be bad actors in our network. Lastly, again, test the plan. After you test that plan, update or maintain the plan and then repeat the cycle. This is just a brief list; it isn't conclusive, but I hope it's a good start for many of our clients.
Howard Miller (07:39):
There's leadership involved here, there's various roles, this needs to be tested, and I think this starts to tie into maybe the tabletop exercise. What is a tabletop exercise? How do you put one together, and why is this so critical for organizations?
Grace Michael (07:57):
I have to tell you, this is the cherry on top of the cake of my day. I thoroughly enjoy delivering tabletops because it's wholly a collaborative experience with our clients. Howard, when a client is ready with their incident response plan and they're ready to test that plan and bring it to maturity, we put together an engagement. We do an initial kickoff, and then we hop into a planning session with key stakeholders. Our planning session includes identifying scenarios that are important in a client environment that we might want to exploit during a test or an exercise. We hold the exercise on a given day and we invite different, not just IT, not just engineering, not just leadership, but functional departments that may be impacted if an incident is exploited in their environments. After the exercise, we do a comprehensive lessons learned where we identify gaps, threats and risks during the exercise. Then, Alliant discusses with our stakeholders, our clients, recommendations and so on. And lastly, we provide a debrief of the final report. At Alliant, a tabletop exercise is a party. We have a good time as we prepare our clients for recovery and post-incident activities.
Howard Miller (09:11):
Well, it sounds like a very educational party, and there's an opportunity to also mature from a cybersecurity perspective. I always thought that the lessons learned part of the incident response was critical to evolve the organization from a cyber risk management perspective. I know there's been some changes. What changed in NIST 800-61 Rev. 3, and why is this important?
Grace Michael (09:36):
NIST 800-61, which is the layman's term for incident response planning, Release 3, absolutely is governance. Governance has always been in place. It was in release 2.2 of 61. However, there was no emphasis on actually acting upon it. It was a, hey, have the lessons learned and then checkmark it and put it on the shelves. With Release 3, there's now a call to action, if you will. Lessons learned is mapping out, discussing with the stakeholder, a comprehensive corrective action plan, which we call a CAP. That's putting in place budgets and projects to remediate those items that we identified in the lessons learned, and that's why it's so important. Rather than being a final isolated step in 2.0, it's now post-incident learning, integrated into the organization's overall governance structure.
Howard Miller (10:25):
That sounds a lot more effective. Now, there's another area that I know you've spoken about with a number of clients and publicly, and it's called a business impact analysis. Could you tell us what is a business impact analysis? How does this take the incident response plan to the next level?
Grace Michael (10:45):
Terrific. The business impact analysis, in short BIA, takes incident response planning to a different level altogether, as you mentioned, by shifting the focus from purely technical, “Let's take a look at our systems, where did we get hacked?” to “Let's think about it before there's an incident.” We take that “put out the fire” mindset to a strategic, business-driven, leadership-approved approach. BIA is a very formal, systematic process to determine and evaluate the potential effects of a disruption or a crisis to our client's business operations. The way that Alliant Cyber approaches this is with an engagement where we identify the business processes and the assets, which not only include systems and all the technology, but also devices. If we're talking about a hospital, some of the critical devices that a hospital utilizes; talking about manufacturing, the automated ICS systems and things of that sort. It truly identifies all of that. The BIA provides a data-backed hierarchy of which functions are most critical to the business's survival, what we call a priority list. This allows our clients' leadership and responders to make smarter decisions when they're under pressure because they've just had an incident. Also, a business impact analysis provides a very thoughtful and evidence-backed approach to understanding the recovery time objective, the RTO, and the recovery point objective, the RPO, how much data our clients can lose, as they go into their planning for the IRP, the business continuity planning and the disaster recovery planning as well.
Howard Miller (12:17):
It sounds like this can create a lot more certainty when you're responding and working to be resilient from a cyber attack. I know with insurance, insurance is the risk transfer portion of risk management. Most businesses understand there is a direct impact from cyber risk. Costs include forensic investigations, notification, cost to repair network systems, as well as potential legal defense, and the payment of damages to third parties affected by a data breach or security failure. What's more difficult to quantify is the indirect loss. This happens after a direct impact due to an operational disruption: lost sales, extra expenses to get back up and running, and damage to reputation impacting revenue. Now, this can happen when we rely on third parties who suffer a cyber impact, which in turn causes an indirect loss to the business. This is becoming more and more common because so much of our business operations and communications are interconnected by technology. As more businesses rely on a key technology or technology provider, it becomes a single point of failure. This is where business interruption coverage for indirect loss can be a significant portion of the total cost. What I really like about the business impact analysis that you're providing, Grace, is that if a company has done the BIA, they have a much better idea of what systems need to be brought up and how to resume operations as quickly as possible. My understanding is part of this exercise includes input from forensic accounting. This pre-loss exercise is going to make it much easier to explain to an insurance company what the above-normal operating costs were and how the actual loss of profit and extra expenses were cataloged. That's going to save a lot of time and set our clients up for maximum recovery in a loss scenario. The other thing I like about the BIA is quantification of loss.
It really empowers companies to determine in a way that's specific to their organization, what a potential loss could be for a given scenario and how much insurance they may need. I always believe that risk tolerance is individual to any given company. By completing the business impact analysis, the company could better decide what retention makes sense. If we know it's going to cost a hundred thousand dollars per hour, let them decide what self-insured retention they're comfortable with before the insurance company steps in. That concludes this episode of the Alliant Specialty Podcast. We're happy to schedule an introductory consultation or deeper dive into any of the topics we've covered today. You're welcome to contact myself or Grace Michael. Our website to find out more is at www.Alliant.com. Thank you for joining us, and Grace, thank you for lending your expertise today.
Grace Michael (15:16):
My pleasure, Howard. Thank you.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.