Cyber security affects all businesses and industries and it is now a board-level agenda item, placed at number three on the Lloyds Risk Register (2013). Dealing with cyber attacks is a “whole of business” issue, affecting every team within an organisation. It is also a people and operational issue, rather than just a technical issue.
In today's modern environment, where every single organisation is reliant to a certain extent upon technology and telecommunications, it is not a case of "if" a cyber security breach occurs, but rather a case of "when".
When a breach is discovered, it is essential to act comprehensively and quickly, or it may expose the business to greater liability. There are six critical steps the organisation must take to deal with it.
It is important to bear in mind that these steps are not sequential – in practice, it will be necessary to think about most of them in parallel, particularly in the initial aftermath of the breach where the priorities will be to contain it in order to mitigate any risk of further damage or loss of data.
1. Mobilise the incident response team
An incident response team should be formed and include all relevant internal stakeholder groups, such as a technical team to investigate the breach, HR and employee representatives where the breach affects employees, intellectual property experts to help minimise brand impact or recover stolen IP/information, data protection experts where personal data is involved, and public relations representatives. There may also need to be external representatives – for example, where the internal teams do not have sufficient capability or capacity.
The team should also include representatives from the organisation's legal team and possibly also external counsel. There are a number of legal implications of any cyber attack, and it will therefore be of vital importance to the organisation to seek legal advice as soon as possible after becoming aware of an attack.
As part of this, it will also be necessary to check whether losses from a cyber attack are covered under the organisation's existing business insurance policies. Where there is insurance in place, the organisation will need to review the relevant policies to determine if insurers must be notified of a breach. Some policies cover legal and remedial costs, but only from the date of notification.
2. Secure systems and ensure business continuity
Following a breach, the first key step from a technical perspective will be to secure the IT systems in order to contain the breach and ensure it is not ongoing.
This could mean that an organisation has to isolate or suspend a compromised section of its network temporarily or possibly even the entire network. This can of course be extremely disruptive and potentially costly for the business.
It is also necessary to consider how and when the breach was detected, and whether any other systems have been compromised. Organisations should have in place suitable measures to ensure that any network or other intrusions are detected immediately.
3. Conduct a thorough investigation
An investigation will need to be carried out as to the facts surrounding the breach, its effects and remedial actions taken. The organisation will need to decide who should take the lead on the investigation and ensure that they have appropriate resources available to them.
Where there is potential employee involvement in the breach, the investigation will also need to take into account any applicable labour laws, and the investigation team should therefore consult and involve HR representatives as appropriate.
Finally, the investigating team will need to ensure that they document any and all steps taken as these may be required as part of any regulatory notification to be submitted. In practice, investigations are usually iterative: further lines of enquiry will become apparent as the circumstances surrounding the breach become clearer.
Whenever there is a breach, it is important to feed back the conclusions from the investigations into the policies and procedures in place and the incident response plan, and to ensure that employees are given appropriate notice and training on them. Regulators are often just as interested in what has been done to remedy processes going forward, as in the breach itself.
4. Manage public relations
This will be a key requirement of the incident response team, particularly where the organisation involved is a consumer-facing organisation.
Not all security breaches will become public, but for many it will be inevitable – for example, where customers' personal data has been compromised and is in the public domain, or where the relevant data protection legislation requires the affected individuals to be notified. Being timely in managing announcements to the public and being accurate, open and honest in the messages given are crucial.
5. Address legal and regulatory requirements
Specific legislation may contain regulatory notification requirements that apply in the event of a breach. Although most jurisdictions do not (yet) have a specific and all-encompassing cyber security law, there is often a patchwork of laws and regulations that have developed in response to evolving threats.
Some of these laws will apply universally across sectors, whilst industry-specific legislation is continuing to develop to target the most at-risk sectors – for example, financial services, critical utilities infrastructure and telecommunications.
In the US, the legal patchwork includes: the National Institute of Standards and Technology Cybersecurity Framework, which consists of standards, guidelines, and practices to promote the protection of critical infrastructure; and Executive Order 13636, which, amongst other things, expanded the existing programme for information sharing and collaboration between the government and the private sector.
In the EU, organisations should pay particular attention to data protection legislation. The proposed new Data Protection Regulation in Europe includes a mandatory obligation for organisations across all sectors to inform their relevant data protection authority of any security breaches, including the facts surrounding the breach, its effects and any remedial actions taken by the organisation.
The EU is also proposing a new Cyber Security Directive, which would include a requirement for "market operators" (for example, electricity, oil, gas, transport, financial/banking etc.) to report security incidents to the competent authority.
Some legislation may also require, in addition to a regulatory notification, the notification of individuals whose data have been compromised as a result of the cyber security breach.
Deciding who to notify is not easy – it may not be possible to identify whose data has been affected, as opposed to whose could have been affected. If an organisation has many millions of customers, the prospect of notifying all of them should not be taken lightly.
6. Incur liability
Unfortunately, no matter how prepared an organisation is, it is nonetheless likely to incur some form of liability in the event of a cyber security breach. There are various ways in which an organisation could incur this liability.
There could be direct non-legal liability as a consequence of a cyber attack. This liability could arise, for example, through blackmail attempts, theft, ransomware and ex-gratia payments that an organisation may choose to make from a public relations and customer relationship perspective. This final category can be a major cost to organisations following a cyber attack but can really help to mitigate any damage to the customer relationship. For example, an organisation for which customer credit card details have been compromised might choose to offer complimentary credit screening for the affected customers for a period of time.
There will very often be regulatory liability resulting from cyber security breaches. From a data protection perspective, current EU law requires organisations to have in place appropriate technical and organisational security measures to protect personal data. If an organisation is found to have failed in its implementation of this regulatory requirement, it could be subject to a penalty. In the UK, the current maximum fine under the Data Protection Act 1998 is £500,000, and Sony was fined £250,000 by the UK Information Commissioner for its PlayStation breach in 2011.
However, if the EU's proposed new Data Protection Regulation is adopted, this could see the maximum fines being increased to €100 million or 5% of the organisation's annual worldwide turnover, whichever is the greater.
In certain areas, sector-specific regulation could also apply. In the UK financial services sector, the regulator has historically levied greater fines for security breaches than the Information Commissioner. For example, in August 2010, the FSA fined Zurich Insurance Plc £2.275 million following the loss of 46,000 customer records on an unencrypted backup tape, which was being sent to a South African subsidiary for processing.
Liability for cyber security breaches could also be incurred in litigation for breach of statutory obligations, breach of contract, breach of equitable duties, and negligence. To date, the majority of cases have occurred in the United States. For example, in March this year, Target agreed to pay $10 million in a proposed settlement of a class-action lawsuit related to its 2013 breach.
Although the focus of this article has been on what to do in the event of a breach, it is also important to bear in mind that there are a number of proactive steps that organisations can take in order to mitigate the risk of a cyber attack before it happens.
In particular, organisations should carry out a comprehensive assessment of their existing processes and procedures, identifying what needs to be protected and assessing the specific risks and potential impacts on the business.
Thereafter, a response plan should be put in place including designating a suitable response team and making any necessary changes to policies and procedures to deal with any immediately apparent issues.
In addition, given that many data security breaches happen as a result of employee action or inaction, user education and awareness is crucial.
Sourced from Andrew Moir, Nick Pantlin and Miriam Everett, Herbert Smith Freehills LLP