The essential business of cyber security incident response planning
November 2019 | EXPERT BRIEFING | RISK MANAGEMENT
Cyber attacks and privacy breaches have dominated global news in recent years. From British Airways to Marriott, Facebook to Equifax, many of the world’s biggest companies have fallen victim to hackers preying on a dangerous combination of lax cyber controls and human error.
National and state authorities have acted to protect their constituents from these incidents by passing increasingly punitive data privacy laws and ramping up investigations and enforcement. Europe’s General Data Protection Regulation (GDPR) sent companies worldwide scrambling to comply with its requirements, and the California Consumer Privacy Act (CCPA) is doing the same in the US as its 1 January 2020 implementation date approaches.
These laws and others they have inspired not only require more privacy by design for the companies in their scope, but they carry with them the potential for substantial financial impact. Early GDPR enforcement actions show European data protection authorities prepared to propose fines in the hundreds of millions of dollars against culpable companies. In the US, the CCPA’s private right of action and statutory damages scheme promises to bring with it a spate of class actions against companies with a California nexus.
Add to these laws the increased willingness of federal agencies like the US Federal Trade Commission (FTC) to levy fines against companies that fail to secure private data, and it is clear that the costs for failing to take cyber security and privacy seriously go far beyond the investigation, business interruption and consumer remediation inherent in any security breach.
All of this means that companies can no longer relegate data security and privacy issues to IT or compliance departments alone, just as executives and senior management can no longer plead ignorance or Luddite tendencies as a reason for disengaging with technology. Instead, cyber security and privacy must be an enterprise-wide undertaking embraced from the C-suite all the way to the mailroom.
It also means that a company’s ability to weather a cyber security incident will have serious financial consequences. With billions potentially at stake in fines, plaintiffs’ damages and business interruption costs, incident response readiness is an essential piece of corporate compliance and business planning in the 21st century. Accordingly, it is a vital component of deal and investor due diligence – especially because incident response planning is a reliable barometer for company cyber security readiness writ large.
The incident response planning process forces organisations to understand where their data is kept, how it is maintained, and who is responsible for it. It pushes them to assemble a response team that involves the C-suite, to rank potential incidents in order to assess appropriate response, and to work together across departments to communicate and execute a crisis solution. It requires companies to think about insurance, connections to third-party vendors and law enforcement authorities, communications both internally and externally, alternative forms of communication and information and systems backup, and maintaining privilege and confidentiality.
Outsiders hoping to gauge a company’s cyber security preparedness must understand what effective incident response planning means. First, proper planning starts not with a document but with a team. That group of company insiders – the incident response team (IRT) – is composed of stakeholders who both coordinate a response to an incident and, thanks to their leadership positions throughout the enterprise, ensure that a company has the resources it needs to respond to the incident. Perhaps the most important first step is choosing a team leader. A company’s chief privacy officer (CPO) is a natural choice given the subject matter, but to the extent that a CPO is not a lawyer, a company’s general counsel is a compelling pick to lead the IRT because of the role’s ability to cloak IRT activities in privilege.
While a breached entity may later choose to waive that privilege in order to demonstrate its incident response acumen or as part of working with law enforcement, an IRT acting at the direction of counsel affords an entity the possibility of privilege from the outset. That protection is easier to maintain when outside forensic and security experts are engaged through counsel for the purpose of providing legal advice, rather than retained directly by the business. The IRT leader will coordinate execution of the incident response plan, hire outside legal counsel, and bring in other company resources as appropriate to address the incident.
While other members of the IRT can vary depending on the size and nature of the organisation, common choices include: (i) a representative of the IT department or the chief information security officer (CISO) to address the technical aspects of the incident and liaise with computer forensics experts called in to assist with the incident investigation; (ii) the head of the business team most impacted by the incident to address the potential data at risk and remediation efforts; (iii) a marketing or communications representative to help with both internal and external messaging; and (iv) a member of the company’s executive team to assess big-picture strategy for dealing with the breach and secure required IRT support and resources. Other company personnel may be asked to join the IRT for a particular incident given their various fields of expertise (for example, an HR representative if the incident involves employee data or an employee bad actor), but a company’s core IRT should be constant and established before an incident occurs.
Especially savvy companies will have also pre-assembled a team of outside experts and contacts to call on in the event of a cyber security incident. This expert IRT includes outside counsel, a data security company, a computer forensics firm and a public relations or crisis management company. Corporate entities routinely dealing with sensitive electronic data may choose to keep these expert resources on retainer, but all companies should know who to call and have formed relationships with these incident response experts well ahead of an actual incident. The better these experts know a company and its culture, the better they will be at identifying, remediating and managing the fallout from a cyber incident.
With a team in place, the real planning can begin. Most incident response plans consist of the following elements: (i) detection (discovering a potential incident); (ii) validation (confirming that the incident is real and not merely an innocuous event); (iii) investigation (assessing the incident’s severity and invoking the IRT as necessary, working with a forensics firm to uncover the cause and scope of the incident, and coordinating with affected business teams or vendors); (iv) communications (with the assistance of outside counsel and a crisis management firm, implementing a communications plan that includes internal and external messaging and possible notifications of insurance carriers, law enforcement and affected individuals); (v) remedial measures (addressing business interruption and restoration details while shoring up network defences with the assistance of a security firm); and (vi) audits and testing (engaging in an official assessment of IRT and company performance after an incident and practising putting the incident response plan into action at least annually).
Among these plan components, the last – testing – may be the most important. Because IRT members must carry out the incident response plan action items simultaneously, and do so while in a state of emergency, the risk of error is high during an actual cyber security incident. A company that practises its incident response plan through a tabletop exercise or incident response simulation is far likelier to successfully manage a cyber attack or privacy breach than a company scrambling to put its plan in place for the first time during an incident.
The pervasiveness of privacy breaches and massive associated costs have transformed cyber security from an IT-only concern to a company-wide priority. An entity’s incident response plan, the team it has assembled to implement that plan, and the testing it has undertaken to put its plan into practice are important markers for assessing a company’s ability to handle a cyber security incident, and information about all three is essential for gauging a company’s cyber and financial strength.
Michael D. Reif is a principal at Robins Kaplan LLP. He can be contacted at +1 (612) 349 0171 or by email: firstname.lastname@example.org.
Michael D. Reif
Robins Kaplan LLP