[BreachExchange] Hit by a cyber attack? What to do, who to contact and the importance of a rapid response

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 11 14:05:06 EST 2016


http://www.lexology.com/library/detail.aspx?g=e81c501f-f22e-4991-9b40-
1431cae51cf0

The first 48 hours following a cyber attack are critical. Making the right
calls will manage the threat and mitigate the risk to your business. You
need a rapid response - but, what are the right calls? We set out the steps
you should take.

The threat

You are the chief information security officer at a high profile,
multinational company, well known and well respected. You know about the
risks of data breaches and cyber attacks and convinced the board to include
a cyber insurance policy within your suite of cover.

Late one afternoon, you receive a call from one of your employees. From
what they tell you, you suspect the company is currently under a cyber
attack. You're not sure and you do not know where to begin looking. But
thousands of clients' data may be at risk if your suspicions are correct,
although you are not sure precisely how many.

Lucky you have that cyber policy; that should come in handy… what do you do
now?

The 'cyber' risk

Much has been written about the real and present risk of a cyber attack on
businesses and individuals ̶and with good reason.

Recent cyber attacks on motor vehicles, airlines, insurance companies,
health organisations, retailers, e‑tailers, law firms, hotels, charities,
online service providers, restaurants, aerospace companies and government
organisations (among others) have categorically demonstrated that every
industry has exposure to cyber risk and is susceptible to data breaches.

Government and regulators (both Australian and international) are
increasingly focused on cybersecurity and cyber resilience, with the
Australian Securities and Investments Commission (ASIC) identifying cyber
resilience as a key area of focus for the coming years. Most recently, the
Australian Government has finally taken further steps towards enacting a
mandatory breach notification scheme by reading the Privacy Amendment
(Notifiable Data Breaches) Bill 2016 in parliament.

Against this background, it is clear that cyber risk management should be
at the top of every company's agenda. Like any other risk, cyber risk can
be managed and mitigated. Increasingly, cyber insurance (and the response
teams that often come with such insurance) is being considered as a key
aspect of a business' risk management and mitigation strategy.

The role of a breach coach in a rapid response

In responding to a major cyber attack, rapid response cover can play a
pivotal role in controlling the fallout from an attack and also limit the
financial and reputational damage.

The first 48 hours after a company has identified it is under a cyber
attack are pivotal. The decisions made on how to deal with an attack at
this time will impact how the matter will be handled going forward.

Ideally, any business facing a cyber attack will have in place a considered
and tested incident response plan to provide guidance on how to react. The
importance of preparation in effectively managing a cyber attack or data
breach and some proposed steps were set out in our previous article, 'Data
breaches – how to effectively avoid them and manage them if they happen'.

Where rapid response cover is available (through cyber insurance cover or
otherwise), a company should immediately contact the rapid response
provider (often referred to as a breach coach, details of which are often
in the cyber policy or incident response plan) as soon as it becomes aware
it has been the subject of an attack.

The breach coach will act in a coordination role, summoning team of legal,
privacy, security, technology and media experts to determine how to handle
the current situation in very short order.

The following matters are among the most critical issues that are managed
by a breach coach and dealt with in the immediate wake of a cyber incident:

Manage and protect communications

In the heat of the first 48 hours it is often the case that purported
admissions or incriminating statements can be made by a company's staff
(particularly IT staff), which can be misinterpreted in the public domain
and impact the company's reputation or worse lead to third party claims. It
is imperative that these and other communications about the attack are
carefully managed and protected as soon as possible.

It is highly recommended that a legal advisor be assigned the duty of
coordinating the rapid response team as they will be able to liaise with
team members and the company and claim the protection of legal professional
privilege over most of those communications.

The ability to preserve privilege following a data breach has been
considered in detail in our article, 'Preserving privilege following a data
breach'.

Plugging the hole

It is of course critical that any cyber attack be stopped as soon as
possible. However, depending on the nature of the attack, a heavy handed
response is not always best. This is particularly the case with more
complex attacks that may be exploiting multiple weaknesses to attack your
systems in a multi-pronged manner.

A brute force approach in those circumstances may simply alert the
attackers of your knowledge of the attack and cause them to retreat, which
may in turn prevent you from identifying all the system weaknesses that
were exploited.

To determine the best approach to secure the attack, the breach coach will
direct technology and security experts to liaise with the company's staff
to determine the best response to the attack.

Where available, a security and technology plan is often executed to
respond to the attack, part of which will involve identifying the extent of
damage caused by the attack and also to limit the extent of business
disruption caused.

Has there been a data breach?

In addition to identifying and plugging the attack, technology and security
experts assist in determining if a data breach has occurred and its extent.

Contrary to common misconception, a cyber attack and a data breach are not
the same. While many cyber attacks have the primary aim of extracting data
from a system, constituting a data breach, other forms of attack aim to
directly extort funds from a company (for example, certain malware
attacks). A 2015 AON Cyber Impact Report revealed that only 29 per cent of
cyber attacks experienced by respondents in the past 2 years resulted in
the theft of confidential company data. Many data breaches also occur due
to improper internal handling of data.

Breach notifications

If a data breach has occurred, it is important to identify as accurately as
possible the extent of the records stolen, particularly the nature of the
information stolen and the location (or locations) of the affected
entities, which is required for notification purposes.

The data breach information the security experts gather is conveyed to the
breach coach, who is burdened with the potentially substantial task of
coordinating the identification of and compliance with relevant
notification laws.

The first step will be to identify jurisdictions that are affected by the
data breach. The identification of jurisdictions a company may be exposed
to is an often overlooked risk that companies do not properly consider. In
fact, AON's report revealed that only 24 per cent of respondents are fully
aware of the consequences that could result from a data breach or security
exploit in other countries in which their company operates.

Identifying the jurisdictions and breach notification laws of each
jurisdiction as soon as possible is critical given the diversity in the
requirements that notification laws across the world impose. Advisors with
a global reach greatly assist in undertaking this possibly mammoth task
within a reasonable time frame.

The variety of the notification requirements for even a relatively minor
breach can be surprising, with regulations in some jurisdictions amounting
the breach to criminal conduct, whereas no action may be required in other
jurisdictions. The deadlines by which a breach needs to be notified also
vary.

The breach coach must often prioritise which of the jurisdictional
requirements are the most pressing and connect legal advisors in the
relevant jurisdictions with company staff so suitable notifications can be
drafted in compliance with regulations.

Of course, the breach coach will also need to liaise with the security
experts and be mindful to ensure that any breach notification will not
further expose the company to additional attacks.

Managing communications

Depending on how serious a breach is and the extent of the notification
that will be made, a breach coach may also need to consider, in conjunction
with the jurisdictional legal advisors and the company, whether any public
relations material or campaigns will need to be prepared to protect the
brand and reputation of the affected company.

The extent of public relations involvement may be heavily guided by how
successfully communications regarding the breach have been protected.
Generally, the more information that needs to be disclosed about a breach,
the greater the need for the involvement of public relations and damage
control.

What about cyber insurance coverage?

Cyber insurance is somewhat different to other types of insurance. The most
comprehensive cyber policies include rapid response cover. Unlike most
other policies, the protection afforded by rapid response could come into
play as soon as a potential cyber attack has been identified, before the
existence of a claim has been established.

In this respect, in the midst of responding to an attack, coverage issues
may also be lingering. However, it is likely that the information required
to determine coverage may not be able available for days, weeks or perhaps
months. For insurers and their agents to be acting in good faith and to
minimise the extent of any loss and damage, particularly business
interruption losses, coverage issues should not impede a rapid response to
a cyber attack or data breach incident.

Where policies have significant deductibles, the majority of the rapid
response costs will likely fall within the ambit of the deductible and to
the feet of the insured. Any delay in coverage determination should not
adversely affect insurers or insured businesses (as those costs will fall
within their deductible) in such cases.

It is not so clear cut where policies have smaller deductibles. However,
insurers and insured businesses should work together and structure their
policies appropriately to account for rapid response costs.

Cyber insurance - not your traditional policy

The protections afforded under a cyber insurance policy and the steps that
insurers and insured businesses need to take to maximise the benefit of the
policy are unique.

The most comprehensive policies in the market have a rapid response cover
and access to a team of experts on call to respond to a cyber attack.
However, access to a team of experts in and of itself is not enough. That
team needs to be quickly and efficiently coordinated by an experienced
breach coach to minimise the loss and damage caused by a cyber attack and
to ensure the optimum outcome for all parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161111/ee85db23/attachment.html>


More information about the BreachExchange mailing list