Surviving a Breach: 8 Incident Response EssentialsHow to Rapidly and Effectively Respond to a Data Breach
Organizations that suffer a security incident must be prepared to rapidly respond.
Ideally, organizations will have a breach response plan in place that they regularly practice and refine, based on emerging types of attacks and risk management strategies. (See part one of this series: To Survive a Data Breach, Create a Response Playbook.)
"In terms of preparedness, companies have progressed in a good and thoughtful way in recent years," says attorney Nicole Friedlander, a partner at Sullivan & Cromwell in New York, where she's a member of the firm's criminal defense and investigations group and co-heads its cybersecurity practice. "They have moved from a largely reactive stance - acting only if and when a breach occurred - to a world in which they appreciate preparedness matters. It affects how well they are able to respond and recover from the breach and can reduce the likelihood of follow-on criticism from regulators or the public."
Here are eight incident response essentials for any organization that suffers a security incident.
1. Notify Stakeholders
When a breach occurs, an organization's playbook will specify who to inform and when, based on the type of incident.
Inside many organizations, once a security team suspects that there may have been a breach, "internal counsel will always get the first call," says attorney Chris Pierson, CEO of cybersecurity firm Blackcloak. "But very quickly they need to be able to spin up - with the incident response team - outside counsel resources and to have outside counsel legally engage all third parties to allow for attorney/client privilege protection."
A large number of individuals might need to be involved in responding to a security incident. "Some of these players include: legal, compliance, risk, privacy, the CISO, chief privacy officer, general counsel, marketing, PR, human resources - for internal breaches, customer service, physical security and the security/infrastructure teams as well as the heads of the various business lines," Pierson says. He's a member of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee as well as its cybersecurity subcommittee.
Organizations that have cyber insurance policies will also need to know when to alert their insurer. "You don't want to go to submit a claim, only to find that the claim may be declined, or worse in breach of contract, because you didn't notify the insurance company until after the fact," says Rocco Grillo, managing director of global cyber risk services at consultancy Alvarez & Marsal in New York.
2. Activate External Service Providers
When organizations develop their response playbooks, part of that process will include identifying the list of companies to be retained and approved ahead of time.
Pierson says a typical list of external firms will include:
- Approved counsel from the organization's cybersecurity insurance provider, typically with one firm or team able to focus on data breach remediation and the other for litigation counsel;
- Cybersecurity insurance company offering a policy to help mitigate the risk posed by business disruption;
- A credit reporting agency or identity theft monitoring provider;
- A public relations firm;
- Mailing/phone providers for toll-free telephone-based data breach support (may be covered by the ID theft provider);
- Contractors offering space for war rooms or extra meeting spaces;
- Digital forensics firms;
- Regulatory experts for dealing with the nuances of national and state laws.
Some of those service providers will require retainers "so they can be spun up in 24 hours," Pierson adds.
3. Respect Crisis Communications
Organizations should avoid attempting to handle breach communications in-house and instead work with crisis communications experts, some security advisers say.
"Many times, the companies we work with will absolutely reach out to forensics and outside counsel, but when it comes to communications, some companies feel they're so large, and they do external briefings all the time, detailing the comings and goings of executives, M&A activity and so on, that they're equipped to handle breach disclosures," Alvarez & Marsal's Grillo says. "But how many breach disclosures have you responded to? And how about communicating internally? Because it's not just about external communications.
"We've all gotten the breach notification letters. But the company that's going through the fire isn't the same company that's penning those letters all through the night. There are external parties that will set up call center, issue those letters, as well as provide credit monitoring."
Some of this work should be done in advance. "The time to be preparing your press statements is not in the middle of a crisis; have them prepared in advance of a breach," says Brian Honan, head of cybersecurity consultancy BH Consulting in Dublin, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol. "This enables you to communicate quickly and effectively once a breach happens."
4. Know The Ins/Outs of Cyber Insurance
When evaluating which insurance coverage an organization requires, take time to understand what each offers, and whether, for example, it covers such events as business disruption, Pierson says. "Cybersecurity insurance for data breach events is massively different than cybercrime insurance, which covers losses from business email compromise or other monetary scams."
Grillo says cyber insurance serves as one piece in a company's overall risk posture. "It's not just about getting cyber insurance and we don't have to worry about our other response requirements or responsibilities. Instead it's almost akin to having health or fire insurance - just because we have fire insurance doesn't mean we're not concerned about a frayed wire under a rug or in the wall."
5. Decide: Forensics-Led or Intelligence-Led
David Stubley, CEO at 7 Elements, a security testing firm and consultancy in Edinburgh, Scotland, says it's important to remember that forensics is a business-support function, and that real-world concerns will drive organizations' incident response. Also, not every type of incident response involves digital forensic investigators painstakingly poring over systems.
If an organization believes that a case will end up in court, however, then from the outset it needs to ensure that its approach complies with evidence-gathering and evidence-handling requirements.
But if the organization only wants to understand what happened, then he says it may be better served not with a forensic-led approach, but rather an intelligence-led one, which can facilitate a more rapid response.
"Taking an intelligence-led approach broadens the tools and overall options available as part of an incident response," he says. "It will enable your organization to gain a rapid understanding of the size and complexity of the event without the overheads of a forensic investigation. This can often result in the ability to contain or even stop the attack at an earlier stage, or even isolate compromised systems and therefore protect the wider environment."
6. Comply With Breach-Reporting Rules
Some data breach and privacy regulations require organizations to notify authorities, and sometimes also victims, within 72 hours of learning that they've suffered - or suspect that they have suffered - a data breach. Such stipulations are included in some states' breach-notification requirements, such as rules rules issued by the New York State Department of Financial Services, as well as the EU's General Data Protection Regulation.
Security experts recommend that breached organizations, whenever possible, not just alert victims to a breach, but provide them with actionable steps they can take immediately to protect themselves, in light of what actually happened. Issuing those types of communications helps minimize harm as well as breach notification fatigue (see: Data Breach Notifications: What's Optimal Timing?).
But 72 hours is very little time, which can leave organizations risking having to say something might have happened, without being able to provide practical guidance to victims.
"We do advise when you're in a situation where you don't have all the facts, but you're coming up against a disclosure deadline, it is better to share what you know and what else you're doing to uncover the relevant facts, and to do your best to give regulators and the public confidence that you're going to keep them updated," says Sullivan &Cromwell's Friedlander, who previously headed the complex frauds and cybercrime unit at the U.S. Attorney's Office for the Southern District of New York.
"There are also steps companies can take in advance to be in a better position to provide helpful information to affected people if a breach occurs," she says. "You can plan in advance to offer credit monitoring and to have hotlines to address people's questions, for example. You can identify the vendor you will use for those services, so you don't have to scramble to find one in a crisis. These are steps the company can take in advance, at little cost, to help limit harm if they have a breach."
7. Avoid Internal Communications Roadblocks
After discovering a data breach or other suspected security incident, cybersecurity teams will be working overtime to attempt to identify what happened and to remediate it. While those teams may otherwise be comfortable communicating with law enforcement and regulators, and may do so regularly outside the context of a cyber breach, Friedlander says having counsel involved in those communications is important.
"I strongly encourage companies to have counsel involved in communications with outside parties, including law enforcement and regulators, in a cyber crisis," Friedlander says. "Counsel understands well the potential legal impact of these communications, and in my experience, often helps avoid miscommunication."
Identifying everyone who should be involved in breach response can be difficult. That's why it must be done in advance.
"A pretty typical challenge for a large, sophisticated institution is that there are many stakeholders in breach response, and it can be challenging for each to understand the role of the others," Friedlander says. "For example, legal and information security need to work together closely in a post-breach context, and because they may not otherwise work together frequently, it's not necessarily intuitive for them to be having discussions about cybersecurity and the role they each will play in breach response. But it's really helpful for them to do that."
Who needs to be involved, of course, depends on the type of incident.
"To give you an example: If you're talking about a bank, if a breach occurs, not only does legal need to be involved, but compliance may need to file a suspicious activity report on a timely basis, and of course, if compliance doesn't know that the breach has occurred, then it can't file the report," Friedlander says. "So it's very helpful for all these constituencies to be talking about cybersecurity before there's a crisis, so that everybody knows who else needs to be informed of a problem, and what everybody's respective responsibilities are. It makes the it makes the crisis situation flow much more smoothly."
8. Maintain Confidentiality
Maintaining confidentiality during a breach response is essential (see: Ex-Equifax CIO Gets 4-Month Prison Term for Insider Trading).
At the same time, however, different groups will have to be notified - in confidence - about a breach during the course of an investigation, including members of the board of directors.
"Board members should not be finding out about a compromise via the media," Grillo says. He notes that many organizations regularly run breach-response exercises with their boards, both to ensure compliance with regulations as well as to educate board members about how such incident response will unfold and their responsibilities for supporting that process.
"Remember that for public companies, the board has a fiduciary responsibly to protect corporate assets," he says.