December 10, 2019

Why cyber tabletop exercises are a must-do for organisations in 2020

'Don't be left in the dark' was the theme for Privacy Awareness Week in Australia this year. What is your organisation doing to ensure you're not left high and dry when the lights go out?

With so much noise about cyber risk, often organisations are left wondering how to meaningfully tackle this ever-evolving threat. While many organisations invest time and resources in preventing the occurrence of a cyber incident that could put the confidentiality, integrity, or availability of data and information systems at risk, less frequently organisations prepare for the occurrence of an incident.

So how can you improve your organisation's cyber resilience?

In two simple steps, organisations can do this by developing an incident response plan and testing it through a simulated incident called a ‘tabletop exercise’.

In six questions, this article helps organisations understand why they should shift their focus momentarily from prevention to preparation.

Why do so few organisations prepare for an incident?

  • Scepticism of it impacting their organisation - Organisations must necessarily accept the often-touted proposition that ‘it is not a matter of if, but when they will be impacted by a cyber incident’, a somewhat difficult proposition to accept.
  • Not in an 'at risk' sector - Certain industry sectors believe that they are not at risk of being targeted by malicious parties, on the basis that they do not hold sensitive data. This approach however discounts the multitude of cyber-related exposures that all organisations face, irrespective of their size, profile, or industry sector, beyond just privacy risk.
  • Operational impact of a cyber incident not considered - Organisations assessing their cyber risk should consider the operational impact of various incidents, including disruption from system outages, reputational impact from the erosion of client and stakeholder trust, and financial harm in the event of social engineering funds fraud.
  • Supply chain risk not assessed - Organisations should also be acutely aware of the risks posed by incidents impacting their supply chain vendors that hold data on their behalf, and managed service providers that can access their systems. Often this is where the true risk lies.

How can organisations prepare for a cyber incident?

  • For those organisations that accept the risk of a cyber incident occurring, often they will prepare an incident response plan setting out how to triage, assess and respond to an incident. This is to be highly commended.
  • However, don't be caught out by just having an incident response plan in place. Unless regularly tested, it may not in fact serve your organisation in time of crisis. Be sure to put it to the test to make sure.

What are the potential loopholes with your plan?

  • Preparing plans on a situational basis in anticipation of specific events - this can result in a plan not being flexible enough to suit all incident types, thereby reducing their overall utility in the event of an unforeseen incident. With the cyber risk landscape constantly evolving, incident response plans prepared on this basis often become out of date. 
  • Too focused on the technical aspect -  typically incident response plans have a heavy focus on the technical response. This is usually premised on the assumption that cyber incidents fall within the remit of the IT function to resolve, with a primary focus on remediating the cause of the event and restoring business operations.
  • Too focused on getting back to business - while getting back to business quickly is necessary to mitigate loss, by focussing too heavily on this aspect, organisations often overlook their wider regulatory obligations. Often we see for example evidence not being preserved in restoration efforts, thereby jeopardising the prospects of any subsequent investigation. Additionally, in many data breach incidents, organisations often focus on re-securing compromised systems without considering the underlying privacy impact post-remediation.

How should an incident response plan be prepared and what to include?

A good incident response plan will allow an organisation to quickly identify and escalate incidents that require a whole of business assessment.

Top tips:

  • Prepare it on principaled, not situational basis - this allows organisations to flexibly respond to various types of incidents in a consistent manner, and in compliance with various regulatory and legal requirements.
  • Define key roles and responsibilities – clearly identify when various business functions need to be consulted to provide input on an organisation's response including Legal, Communications, HR, Risk and Compliance and Investor Relations functions.
  • Identify when to seek external assistance – to limit the potential exposure, map out preferred external legal counsel and other service providers, where appropriate including key contact details (inside and outside business hours).
  • Know when to notify insurers - this will enable you to obtain the benefit of insurance cover and support available under various insurance policies, including cyber insurance. This process should also be agreed in advance with brokers, insurers, and incident response managers nominated in the insurance policy.

Why test the incident response plan through tabletop exercises?

Once a plan has been prepared, it is important to test how the core incident response team will respond to various types of incidents to reveal organisational blind spots and enhance the team's overall response capabilities.

The major benefits of conducting tabletop exercises are as follows:

  • Avoid common mistakes – during a crisis, there is no time to learn how to respond to incidents, and easy mistakes can be avoided with practice. Common mistakes include not co-ordinating a response quickly enough, notifying affected stakeholders too soon or too late, saying too much or too little in public facing communications, not effectively managing external parties' interests following initial communications, and not having clearly defined roles amongst incident response personnel throughout an incident response.  
  • Speed up decision-making – timing is critical, and being prepared helps teams make difficult decisions in real time. When a data breach occurs, often there will be a cascading series of decisions to make – irrevocable decisions which must be made quickly and with imperfect information. It is critical to think ahead of time about the series of recurring decisions that need to be made and the requirements for sign off on key decisions.
  • Reputational risk management – often the story is not about the incident, but how organisations respond to an incident, with the response often becoming bigger than the incident itself. It is critical that organisations have a plan for gaining control over the narrative, being able to stand by initial statements made in the short and long term as investigations develop, demonstrating overall responsiveness, maintaining trust with stakeholders, and responding to media and public criticism.
  • Loss mitigation – cyber incidents attract a risk of third party claims being made, and regulatory investigations being instigated against impacted organisations. However, a well-handled incident response reduces if not altogether removes risk of third party claims and regulatory investigations being made.
  • Reduce business disruption – practically speaking, being prepared enables organisations to minimise the impact on the business that inevitably occurs while resources are diverted from usual day to day tasks, to responding to an incident. Frequently, this is the biggest cost to any business and is often difficult to quantify.  

How often should an organisation run a tabletop exercise?

Tabletop exercises should be completed at least on an annual basis, or as critical members join or leave the incident response team. Exercises are usually 4 to 8 hours in length, and can include functional heads of business, board members, and external providers, as necessary.

Why 2020 the year for tabletop exercises?

The OAIC's recent annual insight report[1] into the Notifiable Data Breaches Scheme makes it clear that the regulatory focus will now be on what steps organisations are taking to prepare for incidents.
Accepting that there is no such thing as perfect security, there will be an increased focus on how organisations address in advance the potential for multi-party breaches (where one incident affects a number of organisations), and multi-jurisdictional incidents (which impact individuals who reside in multiple countries). By adequately preparing for incidents in advance, organisations will be better equipped to respond to these challenges should an incident occur, and also be able to subsequently demonstrate compliance to the OAIC and affected stakeholders that they have taken steps to pro-actively manage cyber risk.

Conclusion

In an increasing regulatory environment, we therefore strongly encourage all organisations to put preparing an incident response plan and robustly testing that plan through a desktop exercise on their list to be completed in 2020.

Would you like more information on how we can help your organisation become more cyber resilient through incident response plans and tabletop training? We offer clients a range of fixed fee packages tailored to your organisation which aim to boost your cyber resilience and help to make sure you're legally compliant and fully prepared to respond to a cyber incident. Contact one of the team for more information.

In addition, our team advises clients on a broad range of privacy and incident response related matters, including in assisting organisations address their legal and regulatory obligations as well as in preparing for and responding to data breaches and other cyber incidents. In the event of an incident, you can reach the 24/7 cyber incident response hotline on +61 2 9210 4464 or email cyberbreach@clydeco.com.

[1] https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/.