Cyber Risks - Preparing for a Breach: Discussion Key Point Summary
In February 2018, our London office hosted a small event entitled "Cyber Risks - Preparing for a Breach". Below is an outline of a number of practical steps you can take to prepare your organisation for a cyber breach. The presentation slides are also included.
- What are the organisation's Prevent, Detect and Respond cybersecurity capabilities? A thorough risk assessment is essential to identify weak spots or vulnerabilities in both your cyber defences and your detection capabilities. Consider to what extent a cyber incident or data breach would be covered by your existing insurance programme and whether a dedicated cyber insurance policy might be beneficial. Negotiate the policy wording to avoid unduly onerous terms and conditions.
- Does the organisation have an effective and tested Incident Response Plan (IRP)? Identify the internal and external team members who will execute the plan. Are they aware of the plan? Has it been exercised and tested? Where is it located, and is it still accessible if your network is down?
- Does the organisation have an Incident Response Retainer in place with external service providers? Consider which experts to appoint, including lawyers, PR advisers and technology experts. Set up retainers in advance that address response times and terms of engagement. You don't want to be negotiating these when you're in the middle of a crisis!
- What is the escalation matrix? Define severity categories in advance, together with who is notified and who makes decisions at each level.
- What are the business interruption implications? Carry out a business interruption assessment: which information and network systems are business critical, and how long can the business operate without them?
- What happens if a supplier is compromised? Consider the implications of outsourcing if a supplier is compromised, including what access they hold to your systems and data and what their contract obliges them to tell you, and how quickly.
- What network and endpoint visibility does the organisation have? Consider how effective your security monitoring capabilities are at detecting different types of cyber threat, both within your network and on your corporate workstations.
- Who is responsible for what during a cyber breach (including external parties)? This should be decided in advance, when preparing your Incident Response Plan. Ensure you have a hard copy crib sheet of emergency contacts in the event of an attack. This should include all relevant individuals and their deputies in case they are unavailable at the time of the attack. Include your insurance provider, as failure to give prompt notice may put you in breach of your policy terms.
- What should the level of your response be? Immediately wiping or rebuilding the source of the attack may not be the best option in the longer term: your IT forensic team may need to preserve and assess the evidence, the route of the attack and its potential source. Your IT forensic experts should be allowed to assess the situation so that you can make informed decisions on how best to proceed, taking account of the sensitivities involved. There may be scope to segregate information or isolate the attack in a way that avoids a complete shutdown of network systems.
- How can you make informed decisions during a cyber breach? Your IT forensic experts should be able to advise you on the privacy impact and on the extent to which confidential or personally identifiable information may have been compromised. Your legal advisers will advise you on any legal or regulatory implications.
- How do you effectively contain and then recover from a cyber breach? Your IT forensic experts can advise you on how best to improve your cyber defences and mitigate the risk of further attacks. Instructions to IT experts should come from external legal advisers because, where litigation is in contemplation, such communications may benefit from legal privilege.
- Who, what and when do you notify regulators? This will be dictated by the type of cyber incident you are facing and may depend on what information has been compromised. GDPR (which takes effect from 25 May 2018) will make notification of personal data breaches to the Information Commissioner's Office (ICO) mandatory within 72 hours of becoming aware of the breach. Not every breach will be notifiable; legal advice is essential to determine whether to notify, and whom.
- How do you manage the reputational fallout from a cyber breach? Think about your PR strategy in advance and seek advice on how best to manage the reputational fallout.
- Do you need to notify customers or other third parties? Advice is needed from both a reputational and a legal perspective, taking account of the risk of follow-on claims (including claims from customers for compensation). Even if you don't have a dedicated cyber insurance policy, you may have some elements of cover under more traditional policy forms, particularly for any knock-on litigation or regulatory action. Check the notice provisions in advance, as these may be quite stringent: delay in notification may put you in breach of policy terms.