Cyber attack – incident response communication
March 2018 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2018 Issue
Any organisation could be subject to a cyber attack. Last year’s ‘WannaCry’ and ‘Petrwrap/Petya’ attacks are the most prominent recent examples to have demonstrated once more that immediate action by companies subject to an attack is key to preventing further damage and harm.
Cyber incidents are complex, global and unique. In this respect, a tailored cyber incident response plan (CIRP) – essentially a contingency plan, including proper communications management – is required. However, many organisations have not drafted a CIRP, let alone done any response drills. But what exactly is a CIRP and what legal requirements must be observed in this regard?
Once attackers have passed through the IT security systems and the underlying measures of an organisation, an immediate, efficient and dedicated contingency system is the critical success factor of minimising and mitigating damage to the organisation and, subsequently, its stakeholders. As surveys show, only one in four organisations is prepared for cyber attacks – across industries. Damage-minimising mastery of the attack is impossible where no CIRP has been enacted. Not having a CIRP imposes substantial liability and reputational risks on the organisation.
A CIRP lays down, in writing, contingency management as well as required immediate actions, including a communication strategy, and is binding to all relevant people in the organisation. In practice, a holistic approach has proven effective for crisis preparedness and response, covering not only technical and organisational measures but also legal and PR aspects. The immediate notification of supervisory authorities or the public is not always required by law but is expedient from a communications point of view. Inversely, in the event of an existing notification duty, such as the data breach notification obligation under Article 33 EU General Data Protection Regulation (GDPR), special care must be taken that the notification of authorities and affected stakeholders is consistent in timing and content with the general communication of the organisation. This is to mitigate risks resulting from fines or damages.
A CIRP is both a manual for crisis preparedness, as well as a tool for crisis support. In terms of preparation for and prevention of cyber attacks, and taking into account legal and communications aspects, a CIRP should comprise: (i) a description of relevant scenarios and escalation levels, for example an outflow of sensitive business or customer data, inaccessibility of crucial internal or external systems, such as e-commerce services or production downtime due to a cyber attack; (ii) identification of relevant stakeholders, such as authorities, investors, customers, suppliers, employees and media, and contacts, for instance internal departments, particularly IT, legal, compliance, IR and HR, as well as external parties such as IT security, forensics and investigative authorities; (iii) the definition of processes, activities and responsibilities; (iv) the preparation of templates for the crisis, for example holding statements and Q&As; (v) training; and (vi) the amendment of internal policies, such as IT policy. In doing so, it is essential to lay down scenarios and escalation levels requiring engagement with external consultants, when and how to involve authorities and government agencies, and how and when to notify the public and personnel about the incident.
If a cyber attack has been discovered, certain processes and actions – which should also be incorporated in the CIRP – must be observed. Internal investigations, such as the detection and repair of system vulnerabilities, plus continuous monitoring systems regarding new attacks or exploits, should be conducted. It is also vital to assess any damage suffered, such as data leakage or loss. Aside from these technical and organisational actions, the continuous evaluation of communications requirements from legal and tactical perspectives is required, in particular the execution of legally required steps, for example notification duties vis-à-vis supervisory authorities, as well as the development of messages and storylines as a basis for internal and external communications. This includes the legally-sound preparation of necessary communications materials comprising intranet notes, customer letters, press releases and tweets. In this respect, real-time monitoring of media, internet, social networks and authorities rounds off the immediate action points.
To mitigate liability risks and prevent administrative fines, companies must assess whether any notification obligations vis-à-vis supervisory authorities and affected stakeholders are triggered by the incident – both domestically and abroad. In Germany, and many other European countries, ad hoc publicity duties, government notifications by operators of critical infrastructure (such as a public or private entity providing a service which is essential for the maintenance of critical societal or economic activities, including energy, transportation, telecommunications and digital infrastructure, banking and financial services or health) as well as data breach notification duties toward data protection authorities (DPA) or data subjects, in line with the GDPR, may be required.
The 2016 EU Directive on security of network and information systems requires operators of critical infrastructure in Europe to notify, without undue delay, the competent authority, for example the Federal Office for Information Security in Germany, of any incidents which will have a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority to determine any cross-border impact of the incident. However, notification does not make the notifying party subject to increased liability. When determining the impact of an incident, in particular parameters, such as the number of users affected by the disruption of the essential service, the duration of the incident, the geographical spread with regard to the area affected by the incident and the extent of the disruption to the service, have to be taken into account.
Aside from such specific notification requirements, the GDPR, which comes into force on 25 May 2018, constitutes a strict data breach notification duty vis-à-vis the competent DPA for any data controllers subject to the GDPR which, due to its extraterritorial scope, may also address organisations outside the EU having an establishment in the EU or processing personal data of data subjects who are in the EU. To trigger this notification obligation, a personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed – as defined in Article 4(12) GDPR needs to occur, unless the personal data breach is unlikely to result in a risk to the rights and freedom of natural persons. Most cyber incidents will pass this threshold in practice. Notification of affected data subjects, however, is only required when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
In this respect, the GDPR follows a risk-based approach. A predictive decision of the data controller is required when assessing the risks to the rights and freedoms of natural persons resulting from the cyber attack. Decisions based on forecasts are naturally subject to uncertainties. If the prediction proves to be false in retrospect, the forecast itself does not trigger sanctions (such as administrative fines imposed by a DPA) but rather the question as to whether the data controller had based its predictive decision on valid and reliable assumptions. In this regard, the criteria laid down in a CIRP may be used as the basis for exculpation and demonstrate that the data controller has carried out an appropriate prognosis. Apart from the risk level, any personal data breach must be documented according to Article 33(5) of the GDPR.
The data controller must, without undue delay, and, where feasible, not later than 72 hours after having become aware of the data breach, notify the competent DPA. In relation to the beginning of this term, knowledge of the data controller is required. The GDPR does not provide any indication of how quickly threats to personal rights and freedom must be detected. In practice, this will highly depend on the risk predisposition of the respective data processing. It should be noted that a wait-and-see communications approach for tactical reasons may run counter to this legal obligation.
The GDPR provides for the minimum content of a personal data breach notification (Article 33(3) GDPR), but does not give details on the scope and extent. This means that, in practice, there is scope for action that only has to take into account the purpose of impact mitigation. In this context, close cooperation between the legal and the IR department of an organisation is highly advisable. Internal guidance should be laid down in the CIRP.
Cyber attacks are inevitable. Liability and reputational risks, however, can be mitigated by a detailed CIRP, insofar as all relevant departments in the organisation have been involved in the drafting and drill. This requires consolidating legal communication with tactical communication into a joint approach and concept. This safeguards that not only are legal information duties complied with, but also the best protection of the company’s other interests is ensured at the same time.
Tobias Neufeld is a partner and Frank Schemmel is a compliance specialist at Allen & Overy. Mr Neufeld can be contacted on +49 (211) 2806 7307 or by email: firstname.lastname@example.org. Dr Schemmel can be contacted on +49 (211) 2806 7307 or by email: email@example.com.
© Financier Worldwide
Tobias Neufeld and Frank Schemmel
Allen & Overy