It is every IT manager, CISO, CFO and CEO's worst nightmare. The FBI notifies you that a cyber attack of unknown origin and scope has been identified in your network; an employee reports that a mobile device containing personally identifiable information is missing; a ransomware note suddenly appears on a desktop computer stating that your systems have been encrypted by outside actors who demand payment in bitcoin; an employee is tricked by a phishing email into sending a spreadsheet of your employees' W-2 information to an outside party.
These are just a few real-life examples of the cyber attacks and data breaches that companies have faced. Security is largely defensive in nature: you do not get to choose when an attack happens, and how a company responds to the situation can mean life or death for the business.
How prepared are you to respond? Do you even know what constitutes a "data breach," whether the situation you are experiencing meets that definition, and whether it triggers a response? Under what circumstances are you required to notify individuals, vendors, business associates, and regulators? Do you have contractual relationships that require the other party to be notified, and if so, under what circumstances is notification required?
It is crucial for every business to have a Breach Response Plan that is well thought out, flexible enough to adapt to various scenarios, and tested. The first step in the plan is the ability to determine whether the circumstances trigger it. How do you determine, for example, whether the incident involved unauthorized access to personally identifiable information or unauthorized acquisition of it? The distinction matters: some state statutes are triggered by unauthorized access alone, others only by acquisition. Are you familiar with the laws of every jurisdiction in which the affected individuals reside, so that you can determine your next steps? At the time of writing, 47 U.S. states had their own breach notification statutes, with differing definitions of personal information, triggers, deadlines, and notice requirements. Outside the United States, each country has its own set of laws that must be followed. Regulatory and contractual regimes such as HIPAA, FTC enforcement, and the PCI DSS (enforced through the card brands and acquiring banks rather than by a government regulator) impose further requirements. How do you plan to conduct an investigation, and who are the participants, internally and externally?
At what point does law enforcement need to be notified? Should law enforcement be notified at all? If law enforcement takes control of your systems or seizes your computers as evidence, what impact does that have on your operations? Conversely, can the attack be stopped without their assistance?
One thing however is clear, without a plan the response will be PANIC! Decisions will need to be made quickly and under pressure. Similar to the fire drills and tornado drills that we all experienced in school, preparation is key.
The first step is to identify stakeholders. This is not an IT-only issue. Develop a CIRT – Computer Incident Response Team. Define the team by position (for example executive sponsor, IT/security, legal, HR, finance, and communications), not by named individuals: by the time the plan is invoked, people may have changed roles or left the company.
Establish a command center/war room where the team can convene. Plan for out-of-band communications (phones, a separate conferencing service) in case corporate email or chat is itself compromised. Remember, every minute it takes to respond costs you money.
What is your communication plan, both internally and externally? It is important that employees are trained not to communicate anything they "think" they know. Until the facts are determined, communication channels need to be controlled.
It is likely that an outside IT forensic investigation firm will need to be engaged to determine what happened, how it happened, and what the current status is. What firm will you engage, and what will it cost? Engaging the firm through outside counsel can help preserve privilege over the investigation, and affected systems should not be wiped or reimaged before the investigators have captured the images and logs they need.
Do you have legal counsel that is prepared to respond? Are they experts in this area of the law and familiar with the various statutory and jurisdictional requirements? What is the scope of your engagement with the firm, and what is their fee? Will they be in a position to act as your liaison with law enforcement and regulators? Will these attorneys be able to prepare the notification letters?
Notification brings its own costs: printing, postage, a call center, website management, etc. Are you prepared to make these arrangements and absorb these expenses?
When it comes to communication, maintaining your reputation with customers, vendors, employees and the public will be crucial. Will you engage a public relations firm to manage these communications? How will the media be handled when reporters request information?
How will communication with regulators be handled? Various bodies have the authority to fine and penalize a business.
Do you have experience negotiating with cyber extortionists? Will you be in a position to decide whether or not to pay a ransom demand? Paying does not guarantee that a working decryption key will be delivered, and depending on who the recipient is, payment may run into sanctions restrictions. How familiar are you with bitcoin?
According to a recent survey by 451 Research, only 30% of businesses indicated that they have a breach response plan, and only 25% have cyber insurance. Yet various studies put the cost of a data breach at $160 to $360 per record, depending on the industry and the specifics of the breach.
Cyber insurance can play an important role in this entire process. I say CAN because the scope of coverage, risk management services, and breach response support vary greatly among the 60+ carriers that offer "cyber" insurance. Insurance is not an alternative to a robust response plan, but it can complement one and provide outside resources and pre-arranged vendor relationships. It is important to choose an insurance partner that will not only help you identify your risks and exposures, but will also be a vital partner in assessing and responding to situations as they arise.