“It’s going to be a bad day. The question is: How bad of a day is it going to be?” says John Farley, vice president and cyber risk practice leader at HUB International. In the immediate aftermath of a cybersecurity event, risk managers must make myriad decisions. “If the wrong decisions are made, a bad day can become a catastrophic day,” Farley says.
Farley gets calls from corporate risk managers every week asking for help in making those business-critical decisions to mitigate both the financial and reputational harm that’s sure to occur. “Breach response involves multiple disciplines, but the risk manager will be really front and centre,” he says.
Here are the steps your company needs to take to make sure that a bad day is just a bad day.
1. Have a planning call
The first step your organisation needs to take on day one of a cybersecurity event – whether it’s a data breach, an employee mistake, or the mishandling of personally identifiable information – is having a conversation about the facts. The risk manager, sometimes along with the CFO, IT director, or general counsel, will go through all the known information about what happened with an expert like Farley.
“It’s very rare they know all of the facts,” says Farley. “They usually know some facts, but there are still a lot of other things they have to find out.” For that, an IT forensics investigation is needed.
2. Bring in a privacy attorney
But before anything can be done, the risk manager needs to bring the most critical external team member into the fold. “One of the most important vendors is the privacy attorney,” says Farley. “They’re going to be acting as what we call a ‘breach coach.’”
The breach coach can act as the face of the firm throughout the crisis, particularly once regulators come to the company with questions and scrutiny. The breach coach also oversees the hiring of the vendor team, keeps that team’s work under attorney-client privilege, and, of course, interprets the organisation’s legal obligations.
This is where companies tend to go wrong. “If a client decides to hire an attorney who’s not a privacy attorney, that person may not really understand the regulations or the legal obligations,” says Farley, “and if you get that wrong you can be subject to fines and a lot of bad press.”
3. Conduct an IT forensics investigation
The next step is an IT forensics investigation to establish exactly what happened during the cybersecurity event. The investigator traces the attackers’ digital footprints to determine how they got in, which information they accessed and which they did not, whether they still have access to the environment, and whether the intrusion can be contained and closed.
The privacy attorney (the breach coach) is the one who engages the investigator on the organisation’s behalf. Engaging the investigator through counsel is what keeps the investigation’s findings under attorney-client privilege should litigation arise later.
In all, the investigation can take anywhere from a few days to several weeks – or even months – to complete. It’s hard to predict how long each case might take. “It really depends on the nature of the attack,” says Farley, “so that’s a wild card.”
4. Understand your legal obligations
Once the investigation is complete and there is a much clearer picture of what happened, the privacy attorney will be able to provide advice concerning the legal obligations of the breached organisation. Information about what data elements were compromised and where the affected individuals live will determine the appropriate response.
In some cases, regional or international regulations require the organisation to notify the affected individuals. Ironically, notification of a cybersecurity event is usually sent the old-fashioned way – by post. “That letter has to say how the event happened, when it happened, and what the organisation is doing to help the affected individual,” says Farley. The help offered typically consists of credit monitoring for a year or two, identity theft restoration services, dark web searches, or some combination of those.
5. Set up a call centre
If the number of people affected by the breach is large, you may have to set up a call centre. “You’re going to expect a certain number of people to make phone calls back to the organisation to ask questions,” says Farley. If your organisation doesn’t have the capacity to handle all the calls, you’ll need to employ the services of another vendor to help.
6. Hire a public relations firm
Equifax’s data breach last year serves as an important reminder that reputational damage in the wake of a breach can be significant. Media inquiries are sure to arise during the response period, and if you don’t have a dedicated spokesperson and ample media expertise, you’ll need to outsource that to a professional public relations firm.
7. Ransomware specifics
The nature of the response will vary with the type of attack. If your company is hit by ransomware, for example, you may have to negotiate with the attacker. In an ideal world, you will have a backup of the data the attacker has encrypted and will be able to restore from it. If not, you may need to bring in another vendor – a professional negotiator – to deal with the attacker. “Hopefully you have a backup and you can access it,” says Farley. “If you can’t, and that information is vital to your business, you may be left with no choice but to consider paying the ransom.” One thing you never want to do, he says, is go it alone and pay the full amount up front: the flight risk, that the attacker takes the money and disappears without restoring your data, is too high.
8. Reporting the crime
A cyber attack is a crime, and you are expected to report it. In the US, the Federal Bureau of Investigation (FBI) receives so many reports of attacks that it maintains a dedicated website, the Internet Crime Complaint Center (ic3.gov), where companies can report incidents. The FBI can help your company by tracking down the criminals and, in some situations, by freezing stolen funds before the attackers get away with them. It will also make recommendations, particularly about negotiating with attackers after ransomware attacks. “When it’s a ransomware case, the FBI is very fast to tell you that they do not recommend payment to be made because it will probably perpetuate the crime,” says Farley. However, if the affected information is vital to the existence of your organisation, you will have to make a tough call.
John Farley currently provides cyber risk advisory services to HUB International clients. He also serves as a network security and privacy liability consultant. He is based in New York City and has 23 years of risk consulting experience.