Beware the “Breach Counsel” System
It’s football season, so here is an appropriate analogy for insureds working with an insurance company’s preselected breach counsel: letting the opposing football team pick your quarterback, whom you then must pay, at prices determined by the opposing football team.
Depending on the scope of coverage, cyber insurance policies may or may not provide access to “breach counsel” following a cyber incident. Breach counsel are attorneys preselected by the insurer, who are supposed to advise the impacted party on how to best respond to the incident. Like shipwreck victims, individuals and entities suffering an adverse cyber incident are often desperate for help and lack the ability or time to evaluate the quality of assistance being provided.
Below are three reasons to beware the breach counsel system:
1. Breach Counsel have conflicting loyalties: The insured and the insurer are, fundamentally, in conflicting positions. The insured wants to maximize benefits under the policy, while the insurer wants to minimize expenses under the policy. Breach counsel must be approved (and are often preselected) by the insurance company before engaging with the insured, or the insured risks losing potential benefits. And the hourly rates of breach counsel are often set on a national schedule, pre-negotiated with the insurer. In short, the insurer picks the available breach counsel and sets their rates (without regard to local markets), yet those rates are paid by the insured until deductibles are met, and again once coverage limits are exceeded.
If breach counsel routinely fail to perform according to the insurer’s preferences, the breach counsel (and his/her firm) will lose the business. It’s not hard to see the conflict of loyalties.
2. Breach Counsel use Dated Playbooks: Since an overwhelming majority of breach counsel are not tech savvy, regardless of the number of incidents they have worked, they blindly follow an aged model of cyber incidents. Breach counsel are very often totally unequipped to handle any situation that does not follow this pattern: encryption, ransom demand, data exfiltration analysis, public notifications, then waiting for the lawsuit.
However, traditional ransomware events are becoming less common. Bad cyber actors can extract more value from a victim by acting as an access broker (buying and selling access to the victim’s network several times over), exfiltrating data, and then extorting the victim for cash. A ransomware event, if the victim recovers correctly, cuts off the attacker’s access to that victim in the future.
Far too often, breach counsel do not understand or remain informed on the modern attack methods utilized by bad actors.
3. Breach Counsel lack operational security awareness: Possibly the biggest problem is that, because breach counsel want the event to end quickly to minimize risk for the insurer (and to temporarily appease the insured), they can lack operational security awareness. In non-ransomware events, in which the victim becomes aware of an exploited security vulnerability and reports it to the insurer, breach counsel often want to immediately install tools to combat the vulnerability. However, without an understanding of how the malware operates or of the victim’s network redundancies, these knee-jerk and rote responses are harmful.
If a victim’s system never previously had endpoint detection and response (EDR) software on it, and the victim suddenly loads that software onto its network at the urging of breach counsel, it is very likely to alert the bad guys that the victim knows it has been infiltrated. And if the bad guy knows he is exposed, he is enticed to encrypt the entire network and cause total loss of data and equipment. Furthermore, if the malware used by the bad guy resides in memory, known as memory malware, the EDR is likely to be ineffective anyway, since the malware never touches the actual hard drive. By analogy, EDR would simply trim a garden weed (at best) but not pull it out by the root, thereby guaranteeing the weed’s return.
Now, not all breach counsel are ineffective. But those effective breach counsel are often trapped in a fundamentally flawed system.