The occurrence or discovery of a data breach can be a traumatic time for a business, particularly when this involves a ransomware or denial of service attack. This article sets out the key steps for organisations to take when experiencing or detecting a data breach.
Key actions when responding to cybersecurity incidents
With cyber-criminals continuing to be on the offensive and with both increased threats and decreased cyber-resilience at present, the risk of falling victim to a cyber-attack is very real. Unfortunately it is not possible to completely eliminate this risk. However, preparations can, and should, be made to respond to such an incident.
At the very minimum, consideration should be given to the following when preparing a response to an incident of cybercrime.
1. Internal response team
It is quite possible that all IT systems will be unavailable following a cyber-attack. Thought should be given to who will be involved in initiating the response to the incident and how the team members will communicate with each other.
2. External specialists
With systems potentially unavailable, the immediate priority will be verifying the breach and understanding what options are available for restoring core business processes. This may require specialist expertise, so it is critical to know who can advise and undertake any necessary investigation and how they can be contacted.
3. Legal advice
Legal risks arising from a cyber-incident can be both extensive and time critical. In-house legal should be involved from the outset with external advisors engaged as necessary. This may include helping to protect privilege, particularly where litigation is contemplated or where a report is required to be submitted to the Information Commissioner’s Office (ICO) or other regulators or law enforcement agencies.
4. Communications
Managing communications is an important part of any incident response and can have a big impact on the longer-term effects of an attack.
In addition to the regulatory reporting obligations described below, employees, customers and suppliers will likely become aware of any cyber-incidents when they attempt to log-on, log-in or deliver respectively. In certain circumstances you must notify affected individuals under GDPR, and the terms of existing contracts with customers and suppliers will likely include requirements to notify of data breaches. Consideration should be given to how decisions will be taken regarding communications and who will produce, review and distribute information throughout an incident response.
5. Regulators
Loss of data, even where there is only temporary loss of availability, can be reportable to regulators. ICO reporting timelines under GDPR and the NIS regulations are 72 hours. OFCOM, FCA and market disclosure of details of the incident will be required for some businesses. It is important to report accurately and failure to do so can affect penalties issued by regulators should they subsequently investigate and decide to take action.
6. Law enforcement
It is likely that cyber-criminals will have committed various criminal offences, particularly where ransom demands are made, so the police should be made aware. Action Fraud is the UK’s national reporting centre for fraud and internet crime. It is also worth bearing in mind that a victim of cybercrime can also be an offender – payment of a ransom can amount to a criminal offence.
7. Insurance
Most businesses carry insurance that provides coverage from some of the losses and liabilities that arise from cyber and data breach events. This can take the form of a tailored Cyber and Data policy, or as a series of extensions to your Property Damage and Third Party Liability policies. Invariably, such policies require that the insurer is promptly notified of a cyber or data breach as a pre-condition of cover – these conditions can be onerous, sometimes requiring notification within a matter of days or even hours of the event. Reviewing your insurance to assess the extent of potential cover and making the appropriate notifications is therefore a priority.
8. Third party notifications
Your counterparties and stakeholders, such as your lenders, will want to be made aware of incidents of cybercrime so that they can both assist your response and protect themselves from risks arising from the incident. Existing arrangements may specify notification and response obligations, so it is worthwhile being familiar with these and having them to hand when dealing with an incident.
Preparing your response
This list outlines some of the key issues to consider when preparing a business for becoming a victim of cybercrime. If you would like further assistance with your cyber incident response preparations, please contact David Varney.