You are probably sick of hearing that a cyber incident is now an inevitability – it's "when – and not if".
A cyber incident extends beyond a cyber attack and includes, for example, a denial-of-service incident arising from a flood of traffic that takes down a website.
Our 5th space of warfare article shares guidance on how to avoid, manage and respond to a cyber incident and focuses on technical response.
But what if you are expected to play a key role in the incident response team (IRT) but your role is not core technical response? You aren't going to be able to remediate or eradicate the technical aspect of the incident, and you won't be directly involved in, for example, recovering data from the backup once the system is cleaned.
In that case, you're probably an in-house lawyer or a senior manager and your role will be to manage the incident and make sure that regulatory, legal and contractual requirements are complied with whilst also coordinating the response and documenting outcomes. Let's call this the Incident Coordinator role.
If you are the Incident Coordinator, how can you best help the business make good and quick decisions under the pressure of a real-life cyber incident?
In this article, we discuss how to effectively manage cyber incidents, address regulatory obligations and follow best practice when conducting a post-incident review.
Save our 24/7 cyber incident response line (+44 (0)3300 577 071) to your contacts to provide you with additional means of contacting us and obtaining support and advice when you need it, in the event of a cyber incident.
Plan, prepare and practise
We all know the adage, if you fail to plan, you plan to fail.
This has never been truer than when it comes to cyber incident response.
Our 5th space of warfare article sets out the steps you might take to protect the business from a cyber incident and to mitigate the risks. Ensure you test your Cyber Incident Response Plan (IRP). It goes without saying that you should not be learning how to use your IRP during a cyber attack. Those with named responsibilities should be especially familiar with it. For further information on how we can help you prepare – including tabletop and war-gaming exercises – please see the contact details below.
Consider options for secure or alternative forms of communications. How will you communicate with the IRT if normal channels are unavailable (because the attack is a denial-of-service attack or because it is no longer safe to use those channels)? You might consider using a secure form of out-of-band communication (meaning a communication method that occurs outside of an organisation's primary network). Certain messaging services (like Slack and WhatsApp) are usually out-of-band and will likely still remain available and might be the safest and most practical option. Speaking face-to-face is an "old school" form of out-of-band communication which is unlikely to fail you if it can be arranged!
The worst has happened – what's next?
Your IRP should guide you through managing the cyber incident from the outset to conclusion.
In the first instance, it should tell you who your central point of contact is (that lucky person might be you!). The central point of contact will be responsible for managing the incident, which will involve communicating, overseeing, tracking and documenting throughout. The IRP will also set out who will be responsible for what and how they will be contacted. This is key to ensuring that an incident is managed successfully.
At the outset, you won't know how serious the incident is. The IRP should provide you with a means of assessing the type and severity – we expect that this will look like a "severity matrix" and a "category matrix". A severity matrix sets out what matters most to the business and allocates a severity rating to each. A category matrix helps determine the type of incident (categories might include denial of service and/or data breach). By way of an example, if you are an online retail business, being unable to process online customer orders as a result of a ransomware attack which has shut down your ordering system might be classed as "high" severity, and the category of issue might be "malicious code".
Your initial assessment will help you understand the urgency of the response and the individuals who should be involved, but it shouldn't delay you in taking action – this isn't meant to be an in-depth analysis, just an initial assessment. Once you have made your initial assessment of the incident, your IRP should guide you through the next steps. Not all incidents require that you assemble the full IRT – some might only require a watching brief.
Whatever you do, make sure you keep a record of the incident response, decisions made, actions taken and data captured (or missing), as this will help you keep track and coordinate. It will also be useful for post-incident reviews. Remember, keep your records factual and avoid drawing conclusions. The records may not be protected by legal privilege and so could be disclosable in any future litigation or regulatory investigation.
Who should you be speaking to?
If a cyber incident happens, depending on the outcome of your initial investigation, you will need to consider your regulatory and other reporting obligations.
Most businesses will benefit from taking legal advice in order to make key decisions particularly those which may have regulatory or contractual consequences.
Depending on the outcome of your initial assessment, you may need to:
- Make an assessment as to whether a personal data breach has occurred. If it has, you should be thinking about whether you are a controller or a processor of the data in question. If you are a controller, you may need to make a notification to the Information Commissioner's Office (ICO) and to the affected individuals (and you will need to pay attention to timing). If you are a processor of the data, you will also have notification obligations to the data controller.
- Decide whether the cyber attack meets the threshold for notification in your insurance policy (if any) and whether you should notify.
- Consider your third-party contracts and understand what your reporting requirements are. There might also be commercial reasons why you would want to keep those parties in the loop.
- Keep employees updated and cascade important messages to employees.
- Monitor the media (including social media) and be mindful of the need to make statements.
- Report to the market and/or key stakeholders, shareholders and other regulators (like The Pensions Regulator if you are a Trustee).
- Notify enforcement authorities like Action Fraud and liaise with the National Cyber Security Centre (NCSC).
What about a ransom payment?
To pay or not to pay is a big question. Given the consequences of getting it wrong, it's a question best answered with the benefit of legal advice.
Ransom payments are unlikely to be covered by your insurance and they are discouraged by the UK Government, the ICO, the NCSC and the Law Society. Payment of a ransom to a cyber criminal does not guarantee that you will get the outcome that you want (these people are criminals – they are inherently untrustworthy) and it will not serve as mitigation in any subsequent regulatory investigation.
However, at the time of writing, payment of a ransom is not in and of itself unlawful in the UK.
If you do plan to pay a ransom, you need to be mindful of how relevant sanctions regimes (in the UK and out of jurisdiction) and their associated public guidance may change that position. Breaches of financial sanctions are a serious criminal offence and carry a custodial sentence and/or the imposition of a monetary penalty.
What should you do once it's all over?
Once you have concluded the response to the cyber attack, it is best practice to consider the lessons learned and what you can and should be doing differently – both to prevent any future attack and in respect of your response to the attack.
Remember that it is unlikely that your lessons learned document will be privileged (meaning that it could be disclosed in any regulatory investigation or civil claim) and so you should keep it factual and avoid admitting fault.
If you're not in a technical role, perhaps as an in-house lawyer or senior manager, your focus will be on coordinating the response and ensuring compliance with legal and regulatory requirements. This is where a well-prepared Cyber Incident Response Plan comes into play.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.