How to Respond to a Cyber Incident

The steps Corvus recommends you take at each stage of cyber incident response

1.  The Discovery of an Incident - when to notify Corvus

If there’s a reason for concern at your organization, perhaps there’s a ransomware attack or even a security flag, you should notify Corvus as quickly as possible. Even if the incident is minor, don’t be hesitant to contact us. We’ve seen situations quickly escalate: much like a fire starting, dealing with a low flame is a lot more manageable than a three-alarm inferno. 

  • Have a system in place before there’s an incident. Define at what point in your incident response plan you will notify us, and stick by that system.
  • We know you won’t want to tell us every single time there’s a flag on your antivirus software, but you don’t want the response to get too far along before you notify us. Rule of thumb: If you plan on involving outside vendors — it’s time to notify us
    • We work with incident response vendors on a daily basis and can help speed up the process.
    • Your policy requires that we approve vendors before you start working with them.
    • It allows us to view the scope of work and determine coverage.
    • We’re here to partner with you every step of the way, including walking you through vendor options.
  • If ransomware is suspected, or an email inbox may have been compromised — notify us.

2.  Notify Corvus via Hotline or Email 


You’ve discovered a potential breach — and need help ASAP — now what? 

Ideally your Incident Response Plan identifies exactly who within your organization should notify Corvus, and that person has offline access to the information about how to do so. 

You can reach us either through email or our hotline. You can find the contact details for both on your policy, on the Policyholder Dashboard or through your broker. 

  • Our response speed is the same either through phone or email, so use whichever method you prefer (and feels more secure - see next point).
  • If you believe your email may have been compromised, use the hotline or an email off the compromised network, such as a personal account or an account you set up for the company in advance specifically for incident response.
    • Let us know that you’re keeping communications outside of your corporate email.
    • Make sure if you believe that your desktop or laptop is infected that you’re using a mobile browser or another device.

3.  Work with Corvus Risk + Response Team


Once you file your claim, someone from our team will be in touch with you to discuss the details and start making recommendations. Our goal is to get a full understanding of what happened, and provide you with a roadmap on where to go from here. You should leave the call knowing:

  • How we’ll work with you through the process, and what your next steps are. 
  • Our guidance on lining up a suite of vendors that fit your needs. 

4.  Begin Investigation 


At this point, we have worked with you to find recommended vendors that fit the scope of work. This could involve privacy counsel, a digital forensics firm and in some cases a data recovery vendor firm. The introduction of various vendors will move the investigation forward.

  • Counsel is engaged on scoping calls in order to help protect the investigation under  privilege and the work product doctrine. They will keep things moving and drive the investigation, as well as advise your organization on what requirements you need to meet in the next step.
  • The forensic firm will help your team answer some necessary questions: how did the threat actors gain access, and what did they do? They will help identify what the remnants are of their activities so we can piece together a full picture.
  • The forensic firm will also give actionable advice on the initial call to stop the spread within your system, but to also preserve evidence.
  • In these initial calls, we’ll be able to determine the overall estimate of cost with these vendors.
  • In a ransomware scenario, a forensic firm or additional vendor can help your organization recover data so you can get up and running as quickly as possible. 

Expect to have initial forensics findings within a week to two, but the investigation can go up to two months depending on the sophistication of the threat actor. 

5.  Work with Counsel and Notify Individuals via Vendors


Counsel will help your organization determine your organization’s obligations under applicable laws and regulations. If there are impacted individuals from the breach, we will line up necessary vendors such as notification and call center services vendors or credit monitoring vendors to help notify individuals if necessary. 

  • Counsel will help your organization draft various letter versions depending on state and l federal statutes.  
  • Call center will have a FAQ script to work with aided by counsel, as well as the capabilities to help mail out letters to impacted individuals. 
  • Regulators will be notified if necessary. 

6.  Notify Corvus of any Lawsuits or Regulatory Investigations 


There may be a regulatory investigation that follows after the notification process, but the details will end up being dictated by your industry and who your regulators are. Another thing to be prepared for at this stage is that impacted individuals may escalate the situation with a lawsuit or a demand.

  • Your policy will have potential for coverage for every step we’ve mentioned so far, including defense counsel that can help in regulatory investigations or lawsuits.

Incident Response vendors may include:

Privacy Counsel:

Lewis Brisbois

Mullen Coughlin

Fisher Broyles

Forensics:

Tetra Defense

Kroll