If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.[i] For more information, please see McCarthy Tétrault’s Cybersecurity Risk Management Guide for Businesses.
1. Have a Cybersecurity Incident Response Plan!
Having a CIRP is critical. Cybersecurity is expected by all the stakeholders of today’s organizations. The breach of security safeguards provisions in the Digital Privacy Act are set to come into force November 1, 2018, including requirements for mandatory reporting and notification. Creating a CIRP is thus an important aspect of your organization’s regulatory compliance.
It is important to note that the development of a CIRP is an iterative process. Moving from a “starter” CIRP towards something more thorough requires a strong organizational commitment and takes time. However, since cybersecurity risks are continually evolving, it is important that an organization’s CIRP evolve as well. Identifying a champion in senior leadership is key to making the CIRP an integral part of compliance and risk management. The right “tone from the top” makes a big difference.
2. Get the right people involved
A CIRP begins with the people who will develop, implement, and execute the plan. It is essential to ensure that an appropriate mix of departments, roles and levels of authority is incorporated into the response plan in order to minimize an organization’s exposure if the plan is triggered. Furthermore, the individuals on the team should understand the communications channels, reporting structures, and accountabilities which fall into place in the event of a cybersecurity incident. When a business is confronted with a major cybersecurity incident, there is a significant risk that hurried decisions jeopardize the situation further. A CIRP should clearly specify internal contacts and external advisors so that there is no mistake about who is to be contacted for immediate support.
The actual members of the team will vary depending upon the organization and the nature of the incident. Generally, legal and compliance will work with outside counsel to implement a privilege protocol and manage statutory notifications and communications with regulators. Public relations and marketing will run internal communications and media relations as necessary. Customer care will deal with handling complaints and incident inquiries. Human resources will manage employees and handle disciplinary responses if the incident is the result of employee wrongdoing. Information Technology will work to identify and remove any malicious code or other artifacts of the incident. A broad-based approach reduces the risk that an important piece of the puzzle will be missed in the execution of the CIRP.
3. Which experts will you call?
Many cybersecurity incidents require specialized expertise in order to deconstruct what has occurred. For this reason, organizations may need to consult with an IT forensics company. An IT forensics firm should be able to identify and neutralize the threat while at the same time preserving and handling evidence with proven, forensically sound methodology, using data recovery tools and processes that are supported by case law and prior litigation experience. In many cases, retaining an IT forensics firm is a requirement of cyberinsurance policies.
It is also very important to engage external counsel very early in the process in order to minimize legal risk. External counsel have a sophisticated understanding of privilege issues and litigation holds, and will help the organization manage these issues with a particular eye towards potential regulatory and court proceedings. It often makes the most sense to have counsel retain the forensics vendor in order to ensure any resulting reports remain privileged. This can prevent discoveries of IT forensics evidence in any possible class action arising from the incident.
4. Ensure that you have the capacity to identify Cybersecurity Incidents
A CIRP is worthless if your organization is incapable of identifying a breach or assessing its severity. Additionally, the law requires that organizations have in place the ability to identify when breaches of security safeguards take place. The Digital Privacy Act states that organizations “shall… keep and maintain a record of every breach of security safeguards involving personal information under its control.” The regulations make it clear that these records must be kept for 24 months.
Given the history of business experience with cybersecurity incidents, it is worth emphasizing that the ability to identify a cybersecurity incident is not as simple as “paying close attention”. The ability to identify cybersecurity incidents is a topic that is very real and very serious. Recent history is replete with examples of breaches conducted in a manner that gave the intruder access to business systems for lengthy periods without detection. A sophisticated attack will be difficult to detect and is unlikely to set off alarm bells immediately.
Identification of a cybersecurity incident is meaningful only when the incident is assessed in a thorough and realistic manner. Questions such as “How did the incident occur?”, “What is the scope of the data which was compromised?”, and “What is the risk that anyone’s personal information was accessed?” need answers. The answers to these questions can influence an organization’s strategy in notifying Privacy Commissioners and affected individuals, and in litigation proceedings. Having a legally defensible assessment process which has been reviewed with counsel is therefore very important.
5. Assess your organization’s Cybersecurity challenges
At a minimum, an organization must be able to quickly identify a cybersecurity incident, immediately carry out its plan of action, isolate the affected systems, determine the damage, and remediate. The immediate goal is to neutralize the incident and return the business to its normal operating state as soon as is reasonably possible. The medium-term goal is to ensure business continuity and success in line with forecasts made prior to the cybersecurity incident.
An organization should determine its needs using a risk-based assessment of cybersecurity vulnerability. The assessment needs to go far beyond the organization’s technical security capabilities to include a wide variety of factors such as:
- Industry (e.g. medical, pharmaceutical, government);
- Third-party relationships (processing, contracts, binding corporate rules);
- Geographical operation (physical, virtual presence, customer base);
- Nature of stored information (personal health, financial, political affiliation, intellectual property such as patents and trade secrets);
- Motivation for cyberintrusion (e.g. international competition, geopolitical issues, sanctions enforcement, trade laws, high-value data, cryptocurrency and other digital assets); and
- Political exposure (e.g. customers include politically exposed persons or other attractive targets).
Does the organization have cybersecurity risk insurance? If so, is the incident covered and to what extent? Agreements and policies will need to be reviewed to make these determinations. As well, insurance agreements generally have a requirement that the insured promptly notify the insurer of a suspected incident – organizations will want to make sure they know when such an obligation is triggered, how long they have to report, and what information is required. A proactive approach to insurance is key. The best time to think about buying cyberinsurance is obviously not after the breach has been discovered.
7. What is the internal and external communications strategy?
Communication is vital to executing a CIRP. The commencement of a significant hack or breach event is not the time to figure out who should be contacted, and how those people should be contacted.
The internal communications strategy for a CIRP should not assume that electronic systems will be accessible during and after the incident. Physical copies of the CIRP need to go beyond listing people’s names and their roles, to include phone numbers, alternate phone numbers, secondary contacts, email addresses, specific locations where those people are likely to be located, and the same detailed information for a delegate who will take the place of each primary contact should the need arise.
Perhaps the most important communication issue your organization will face upon discovery of a cybersecurity incident is the decision about notification. This is a multi-faceted and extremely complicated issue because it is dependent on the ability of the organization to identify and assess the nature and extent of the breach. This decision should be made forthwith but with a complete view of the facts including but not limited to the scope of affected systems, the security and technical controls in place and the likelihood that personal information is going to be disclosed to a third party as a result of the breach.
Among other things, organizations should consider establishing a call centre to address consumer concerns. In addition, consumers often expect organizations involved in significant data incidents involving payment cards or identifying information to offer credit monitoring and/or identity theft monitoring. A well thought-out and robust customer response can, in addition to helping retain customers and preserve brand value, have a significant impact on potential class action fees and damages.
8. Business Continuity
The reputational loss to business in the age of social media may be greater than the fine a regulator would impose. The risk that a cybersecurity incident could be misunderstood by the public, or that a failed response could destroy years of goodwill is one of the greatest risks facing businesses today.
A CIRP should contain a detailed plan to ensure that the business does not suffer unduly or ultimately fail as a result of the incident.
Some of the business continuity issues that should be factored into the plan include:
- an appropriate insurance plan;
- preapproved emergency financing;
- plans for direct communication with investors, partners and suppliers; and
- the outline of a media and public relations campaign to give the public, and more particularly customers, confidence to stay with or return to the business.
9. Educate your people
Computers and networks and the software and people that run them have improved over the years. A properly updated system run by talented professionals is hardened against all but the most sophisticated hackers. Nevertheless, “where there is a will there is a way”. Cyberattackers continually develop new ways to counter security measures.
The improvement of logical and technical controls has corresponded with an increase in social engineering cyberattacks such as phishing. Why attack the fortress with a full frontal assault when you can trick the guard into handing over a key to the front door? It is widely recognized that the human element is the weakest link in the chain when it comes to cybersecurity. Awareness, education and training about risk and attack indicators are key to addressing your human weak spots. Employees who are well-trained are better able to identify a cybersecurity incident once it has occurred and to prevent one from occurring in the first place.
10. Practice Practice Practice!
Even the best CIRP is useless if it sits in a drawer gathering dust. To be effective, it is imperative for organizations to regularly rehearse and update their CIRP. Organizations should train, practice, and run simulated data incidents to develop response “muscle memory.” This is particularly important to do if there is turnover within the organization, as new executives may not be familiar with the organization’s cybersecurity risk profile. The best-prepared organizations routinely conduct war games to stress-test their plans, increasing managers’ awareness and fine-tuning their response capabilities. Outside counsel, with sophisticated understanding as a result of having handled dozens of data incidents, will often be invited to run the simulation, and evaluate the organization’s response.