The first 48 hours following a cyber attack are critical. Making the right calls will manage the threat and mitigate the risk to your business. You need a rapid response - but, what are the right calls? We set out the steps you should take.
You are the chief information security officer at a high profile, multinational company, well known and well respected. You know about the risks of data breaches and cyber attacks and convinced the board to include a cyber insurance policy within your suite of cover.
Late one afternoon, you receive a call from one of your employees. From what they tell you, you suspect the company is currently under a cyber attack. You're not sure and you do not know where to begin looking. But thousands of clients' data may be at risk if your suspicions are correct, although you are not sure precisely how many.
Lucky you have that cyber policy; that should come in handy… what do you do now?
The 'cyber' risk
Much has been written about the real and present risk of a cyber attack on businesses and individuals ̶and with good reason.
Recent cyber attacks on motor vehicles, airlines, insurance companies, health organisations, retailers, e‑tailers, law firms, hotels, charities, online service providers, restaurants, aerospace companies and government organisations (among others) have categorically demonstrated that every industry has exposure to cyber risk and is susceptible to data breaches.
Government and regulators (both Australian and international) are increasingly focused on cybersecurity and cyber resilience, with the Australian Securities and Investments Commission (ASIC) identifying cyber resilience as a key area of focus for the coming years. Most recently, the Australian Government has finally taken further steps towards enacting a mandatory breach notification scheme by reading the Privacy Amendment (Notifiable Data Breaches) Bill 2016 in parliament.
Against this background, it is clear that cyber risk management should be at the top of every company's agenda. Like any other risk, cyber risk can be managed and mitigated. Increasingly, cyber insurance (and the response teams that often come with such insurance) is being considered as a key aspect of a business' risk management and mitigation strategy.
The role of a breach coach in a rapid response
In responding to a major cyber attack, rapid response cover can play a pivotal role in controlling the fallout from an attack and also limit the financial and reputational damage.
The first 48 hours after a company has identified it is under a cyber attack are pivotal. The decisions made on how to deal with an attack at this time will impact how the matter will be handled going forward.
Ideally, any business facing a cyber attack will have in place a considered and tested incident response plan to provide guidance on how to react. The importance of preparation in effectively managing a cyber attack or data breach and some proposed steps were set out in our previous article, 'Data breaches – how to effectively avoid them and manage them if they happen'.
Where rapid response cover is available (through cyber insurance cover or otherwise), a company should immediately contact the rapid response provider (often referred to as a breach coach, details of which are often in the cyber policy or incident response plan) as soon as it becomes aware it has been the subject of an attack.
The breach coach will act in a coordination role, summoning team of legal, privacy, security, technology and media experts to determine how to handle the current situation in very short order.
The following matters are among the most critical issues that are managed by a breach coach and dealt with in the immediate wake of a cyber incident:
Manage and protect communications
In the heat of the first 48 hours it is often the case that purported admissions or incriminating statements can be made by a company's staff (particularly IT staff), which can be misinterpreted in the public domain and impact the company's reputation or worse lead to third party claims. It is imperative that these and other communications about the attack are carefully managed and protected as soon as possible.
It is highly recommended that a legal advisor be assigned the duty of coordinating the rapid response team as they will be able to liaise with team members and the company and claim the protection of legal professional privilege over most of those communications.
The ability to preserve privilege following a data breach has been considered in detail in our article, 'Preserving privilege following a data breach'.
Plugging the hole
It is of course critical that any cyber attack be stopped as soon as possible. However, depending on the nature of the attack, a heavy handed response is not always best. This is particularly the case with more complex attacks that may be exploiting multiple weaknesses to attack your systems in a multi-pronged manner.
A brute force approach in those circumstances may simply alert the attackers of your knowledge of the attack and cause them to retreat, which may in turn prevent you from identifying all the system weaknesses that were exploited.
To determine the best approach to secure the attack, the breach coach will direct technology and security experts to liaise with the company's staff to determine the best response to the attack.
Where available, a security and technology plan is often executed to respond to the attack, part of which will involve identifying the extent of damage caused by the attack and also to limit the extent of business disruption caused.
Has there been a data breach?
In addition to identifying and plugging the attack, technology and security experts assist in determining if a data breach has occurred and its extent.
Contrary to common misconception, a cyber attack and a data breach are not the same. While many cyber attacks have the primary aim of extracting data from a system, constituting a data breach, other forms of attack aim to directly extort funds from a company (for example, certain malware attacks). A 2015 AON Cyber Impact Report revealed that only 29 per cent of cyber attacks experienced by respondents in the past 2 years resulted in the theft of confidential company data. Many data breaches also occur due to improper internal handling of data.
If a data breach has occurred, it is important to identify as accurately as possible the extent of the records stolen, particularly the nature of the information stolen and the location (or locations) of the affected entities, which is required for notification purposes.
The data breach information the security experts gather is conveyed to the breach coach, who is burdened with the potentially substantial task of coordinating the identification of and compliance with relevant notification laws.
The first step will be to identify jurisdictions that are affected by the data breach. The identification of jurisdictions a company may be exposed to is an often overlooked risk that companies do not properly consider. In fact, AON's report revealed that only 24 per cent of respondents are fully aware of the consequences that could result from a data breach or security exploit in other countries in which their company operates.
Identifying the jurisdictions and breach notification laws of each jurisdiction as soon as possible is critical given the diversity in the requirements that notification laws across the world impose. Advisors with a global reach greatly assist in undertaking this possibly mammoth task within a reasonable time frame.
The variety of the notification requirements for even a relatively minor breach can be surprising, with regulations in some jurisdictions amounting the breach to criminal conduct, whereas no action may be required in other jurisdictions. The deadlines by which a breach needs to be notified also vary.
The breach coach must often prioritise which of the jurisdictional requirements are the most pressing and connect legal advisors in the relevant jurisdictions with company staff so suitable notifications can be drafted in compliance with regulations.
Of course, the breach coach will also need to liaise with the security experts and be mindful to ensure that any breach notification will not further expose the company to additional attacks.
Depending on how serious a breach is and the extent of the notification that will be made, a breach coach may also need to consider, in conjunction with the jurisdictional legal advisors and the company, whether any public relations material or campaigns will need to be prepared to protect the brand and reputation of the affected company.
The extent of public relations involvement may be heavily guided by how successfully communications regarding the breach have been protected. Generally, the more information that needs to be disclosed about a breach, the greater the need for the involvement of public relations and damage control.
What about cyber insurance coverage?
Cyber insurance is somewhat different to other types of insurance. The most comprehensive cyber policies include rapid response cover. Unlike most other policies, the protection afforded by rapid response could come into play as soon as a potential cyber attack has been identified, before the existence of a claim has been established.
In this respect, in the midst of responding to an attack, coverage issues may also be lingering. However, it is likely that the information required to determine coverage may not be able available for days, weeks or perhaps months. For insurers and their agents to be acting in good faith and to minimise the extent of any loss and damage, particularly business interruption losses, coverage issues should not impede a rapid response to a cyber attack or data breach incident.
Where policies have significant deductibles, the majority of the rapid response costs will likely fall within the ambit of the deductible and to the feet of the insured. Any delay in coverage determination should not adversely affect insurers or insured businesses (as those costs will fall within their deductible) in such cases.
It is not so clear cut where policies have smaller deductibles. However, insurers and insured businesses should work together and structure their policies appropriately to account for rapid response costs.
Cyber insurance - not your traditional policy
The protections afforded under a cyber insurance policy and the steps that insurers and insured businesses need to take to maximise the benefit of the policy are unique.
The most comprehensive policies in the market have a rapid response cover and access to a team of experts on call to respond to a cyber attack. However, access to a team of experts in and of itself is not enough. That team needs to be quickly and efficiently coordinated by an experienced breach coach to minimise the loss and damage caused by a cyber attack and to ensure the optimum outcome for all parties.
Clyde & Co advise clients on a broad range of privacy related matters, including in assisting businesses address their legal and regulatory obligations as well as in preparing for and responding to data breaches. We offer fixed price privacy packages to provide certainty and to help you effectively manage your legal costs.