In April 2015, the U.S. Department of Justice (“DOJ”) issued guidance to assist organizations to prepare for and respond to cyber incidents. The guidance discusses the important steps that an organization should take before, during and after a cyber incident. The guidance is intended for smaller, less well-resourced organizations, but is useful for larger organizations as well.
Cyber-risk management is an increasingly important challenge for organizations of all sizes and kinds. Cyber-risk is the risk of damage, loss and liability (e.g. financial loss, business disruption loss, loss to stakeholder value, reputational harm and legal noncompliance liability) to an organization resulting from a failure or breach of the organization’s information technology systems. Cyber-risk can result from internal sources (e.g. employees, contractors, service providers and suppliers) or external sources (e.g. nation states, terrorists, hacktivists and competitors). Commentators have said that there are only two kinds of organizations – those that have been hacked and know it, and those that have been hacked and don’t know it yet.
U.S. DOJ GUIDANCE
U.S. Department of Justice Criminal Division, Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents (version 1.0, Apr. 2015) provides helpful guidance for organizations that want to prepare for cyber incidents. Following is a summary.
1. Before a Cyber Incident
An organization should have a well-established, robust, actionable and tested plan for managing and responding to a cyber incident. Following are some key considerations:
- Identification/Prioritization: The organization should identify its mission critical data, assets and services, so that the organization can prioritize its efforts and plan its cyber-incident response.
- Risk Management: The organization should implement appropriate cyber-risk management practices.
- Actionable Response Plan: The organization should have a comprehensive, actionable plan for responding to a cyber incident. The organization’s relevant personnel should be familiar with the plan and participate in appropriate training and regular exercises to test and update the plan.
- Required Technologies and Services: The organization should have in place, or have easy access to, ready-to- deploy technologies and services that will be used to respond to a cyber incident.
- Lawful Access: The organization should obtain from each user of the organization’s computer systems all authorizations required for the organization to lawfully monitor the use of the computer systems (including accessing email and other communications) and respond to a cyber incident.
- Legal Advice: The organization should obtain legal advice from experienced legal counsel when preparing for cyber incidents, and should ensure that required legal advice will be available promptly when the organization responds to a cyber incident.
- Policies/Practices: The organization should ensure that its policies, procedures and practices (including those relating to human resources and information technology) are designed to minimize the risk of cyber incidents and align with the organization’s cyber incident response plan.
- Proactive Relationships: The organization should establish relationships with relevant law enforcement agencies, cyber-risk management information sharing associations, cyber investigation/security firms and outside legal counsel.
2. During a Cyber Incident
An organization’s cyber incident response plan should provide actionable procedures for handling a cyber incident, continuing regular business operations during and after a cyber incident and working with law enforcement and incident response service providers. A response plan should have the following key steps:
- Initial Assessment: The organization should make an initial assessment of the nature and scope of the incident, and attempt to determine the cause of the incident.
- Mitigating Measures: The organization should promptly take steps (both practical and technological) to stop the incident and minimize resulting harm.
- Data/Information: Throughout the incident response process, the organization should collect, record and preserve all relevant data and information (including creating a forensic image of the affected computer systems) regarding the incident (including an ongoing incident) and the steps taken, and costs incurred, by the organization to respond to the incident, mitigate resulting harm and prevent similar incidents in the future. The data and information should be protected and properly handled (e.g. by designated personnel) so that they are admissible as evidence in legal proceedings.
- Notifications: The organization should give timely and appropriate notice to internal personnel (e.g. senior management, security coordinators, communications/public affairs personnel and legal counsel), law enforcement agencies, regulators (if notice is required by breach notification laws) and other potential victims (either by direct notice or through law enforcement).
An organization that is a victim of a cyber incident should not do the following:
- Do Not Use Compromised System: To the extent possible, the organization should not use a computer system that is suspected of being compromised by a cyber incident to communicate about the incident or the organization’s response to the incident.
- Avoid Social Engineering: The organization should avoid becoming the victim of social engineering (e.g. attempts by a perpetrator to deceive a target to take harmful action) by not disclosing incident-specific information to unknown persons.
- Do Not Hack Back: The organization should not attempt to access, damage or impair another computer system that appears to be involved in the cyber incident. Hacking back is likely illegal and the identified computer system might itself be an innocent victim of a cyber incident.
3. After a Cyber Incident
After a cyber incident appears to be under control, the organization should remain vigilant and continue to monitor its computer systems for anomalous activity; take steps to prevent similar attacks in the future; conduct a post-incident review of the organization’s response to the incident; and assess and improve the organization’s incident response plan and related preparation activities.
The DOJ guidance is a helpful summary of some basic, best practices for preparing for and responding to a cyber incident. More comprehensive guidance (including helpful questionnaires and checklists) is available from various regulators in the United States and Canada (e.g. the U.S. National Institute of Standards and Technology, the U.S. Securities and Exchange Commission, the U.S. Financial Industry Regulatory Authority, the Investment Industry Regulatory Organization of Canada, Canadian Securities Administrators and the Office of the Superintendent of Financial Institutions of Canada). Organizations of all sizes and kinds would be well served by following best practices to manage cyber-risks and prepare to respond to cyber incidents.▪