Information security and system resilience are strategic issues for every business, with media reports of security breaches in businesses, government agencies and other organisations now a daily occurrence.

This is the second in our three part e-bulletin series on the latest developments in relation to cybersecurity. The first note discussed best practices in relation to cybersecurity policy. It highlighted the importance of having established policies in place to ensure that organisations, and their data, are protected. This e-bulletin reviews the key elements of an effective crisis management plan to ensure a swift, and effective, response tin the event of a cyberbreach. The final note will summarise the steps being taken to address cybersecurity issues and encourage a coordinated approach, and response, to a cyberattack, in particular in Asia-Pacific.  

Cybersecurity crisis management plan

An effective crisis management plan should identify which critical business functions could be vulnerable to cyber threats. Cybersecurity crisis management plans should be tested and rehearsed.

There should be a communications plan (for regulators, police, insurers, banks, public relations, social and other media, and other reputation management). The plan should deal with what happened, why, whose fault it was, what happens next, how long it might go on, what type of response should happen.

The following needs to be considered in relation to any insurance – the cover (e.g. exceptions of loss of data), limits, exclusions, time limits to notify, admissions of liability, loss adjusters, management of investigations, cost advances.

From an operational perspective, service recovery or restoration will be important but similarly preventing future events (e.g. vulnerability testing, encryption, back-ups, audits, review of policies and procedures, etc.).

A typical response could be divided into the following areas:

Containment and recovery

  • Who should take the lead on investigating and ensure appropriate resources (e.g. technical forensic experts)?
  • Who needs to be made aware and what are they expected to do (e.g. isolating compromised network, changing access codes).
  • Any actions to recover losses and limit damage, physical recovery, backup tapes or ensuring staff recognise issues.

Assessment of ongoing risk

  • What type of data is involved? How sensitive is it, by nature or what might happen if misused.
  • What has happened to the data? Could it be used harmful purposes (this poses a different type and level of risk and therefore the action to be taken)?
  • What other harm can come to the organisation? Risks to physical safety or reputation, financial loss or a combination and others?
  • Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?
  • Review internal policies and practices.

Notification of breach

  • Are there any legal or contractual requirements to inform any regulator, authority or body? Does applicable law expressly require you to notify this particular breach? Even if the answer is no, do sector specific rules lead you towards issuing a notification?
  • Are there any legal requirements to tell individuals? If not, can notification help the individual to mitigate risks, e.g. by changing passwords?
  • If a large number of people are affected, or there are very serious consequences, it is likely that you should inform relevant regulators.
  • Consider how notification can be made appropriate for particular groups.
  • Have you considered the dangers of ‘over notifying’? May well be disproportionate.
  • Also consider who to notify, what to tell them and how. The following points may be relevant to your decision:
    • A sector specific regulator may require you to notify them of any type of breach but any data privacy regulator should only be notified when the breach involves personal data.
    • Bear in mind the security of the medium and urgency – do not compound the breach by including the exact data.
    • There may be local rules about what needs to be included, at least a description of how and when the breach occurred and what data was involved and what has been done to respond to the risks posed.
    • When notifying individuals give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.
    • Provide a way in which they can contact you for further information or to ask you questions about what has occurred – this could be a telephone helpline number or a web page, for example.
  • Inform the police.
  • Considering informing insurers (bearing in mind admission of liability issues).
  • Consider informing lender/financiers.
  • If individuals’ bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.

Evaluation and response

  • Understand what data is held and where and how it is stored. Makes dealing with a breach much easier.
  • Understand where the biggest risks lie.
  • Risks will arise when sharing with or disclosing to others. Method of transmission should be secure and only share or disclose the minimum amount necessary.
  • Identify weak points in security measures.
  • Monitor staff awareness of security issues and look to fill any gaps through training or tailored advice.
  • Possibly establish a group of technical and nontechnical staff who discuss ‘what if’ scenarios.
  • Test and update business continuity and disaster recovery plans for cyber attacks.
  • Consider whether you need to keep a central log of the incident and what it should contain.
  • Consider the scope and approach of the investigation and privilege issues.
  • It is recommended that at the very least you identify a group of people responsible for reacting to reported breaches of security.