From containing and reporting the breach, what steps should an organisation take following a cyber attack?
Cyber security incidents at global institutions can affect operations throughout the world. An organisation’s response to a cyber breach may require it to confront different laws and regulations and interact with different regulators and stakeholders in numerous jurisdictions. Below is brief description of 10 of the most important things to consider for an immediate global response to a cyber security incident, from a legal and investigatory perspective.
1. Alert the response team and establish internal lines of communication
Often, an organisation will have only very limited information on first learning of a potentially serious breach. Cyber attacks can take a multitude of forms and can be brought by a number of bad actors possessing a variety of motives, including criminals (possibly well organised or possibly amateur) seeking monetary gain, foreign governments or competitors conducting espionage, disgruntled employees, terrorists or activists seeking to inflict direct reputational or financial harm. Initially, an organisation may have no idea who has breached its network or why—or even whether a breach has, in fact, occurred. However, in almost any case, time will be of the essence. The presence of a bad actor and the possibility of ongoing harm necessitate swift action.
For this reason, arganisations should develop a written cyber incident response plan. The plan must be customised to the organisation’s particular circumstances and contemplate various potential scenarios. Foremost, the plan should identify and assign responsibility to a core group of individuals, who will constitute the initial response team. The team should include senior representatives from IT and legal. The plan should also include protocols for swift communication to the C-suite and, if necessary, to the board. Where an organisation has cyber liability insurance or an outside IT security vendor, the response plan may contemplate communications with representatives from the insurer or vendor. Depending on the circumstances, it may also make sense to involve outside legal counsel experienced with global crisis management and investigations at an early stage.
Organisations should consider that, in the event of a possible ongoing and widespread compromise of the internal network, an attacker may have access to the contents of the cyber incident response plan or even to ongoing electronic communications between members of the response team. In such cases, members of the response team must be mindful that their communications over the compromised network could be monitored.
2. Verify the breach
Not every threat received or possible breach detected will prove significant enough to warrant a full-scale investigation. Detailed information about the extent of the breach may emerge only on a rolling basis, but the first step on receiving a threat or detecting a possible breach will be to determine (either through the organisation’s internal capabilities or through an outside IT security vendor) whether a real vulnerability exists.
3. Contain the breach and secure the institution’s network
If a breach has occurred, the obvious next step from an IT perspective is to ensure that it is not ongoing and to secure the organisation’s network. This may require a temporary suspension of network activity, which can be costly and disruptive for the organisation’s employees or customers. While this process unfolds, the rest of the response team must, in parallel, begin grappling with the legal and business fallout. In practice, an organisation cannot afford to conduct the steps described in this article in serial sequence because information will be fluid and uncertain. For example, it may take weeks or longer before an organisation’s IT experts feel confident that they have contained an ongoing intrusion.
4. Commence a thorough investigation into the source and extent of the breach
In the event of a serious breach, a thorough investigation will be required to determine the source of the intrusion and the extent of the compromise. What type of data was compromised? Was the breach global or geographically limited? This investigation will be important to assess business and legal costs, including what legal jurisdictions are implicated and to prevent future attacks. If the organisation suspects potential involvement by an employee, the import and delicacy of the internal investigation will be increased. The methods available to an organisation in conducting its internal investigation may vary depending on the relevant jurisdiction. For example, employee privacy rights in France may preclude certain avenues of investigation that would be available to an employer in the US. The organisation must be careful to appropriately document its investigation, as its efforts could be scrutinised in subsequent litigation, including shareholder derivative suits or employee or customer data privacy suits.
5. Consider notifying regulators
For corporations in regulated industries, an urgent consideration will be whether and when to notify their regulators of a breach. For example, organisations within the finance sector—which are particularly prominent targets for cyber attacks—may need to notify financial regulators in multiple jurisdictions. Of course, corporations generally prefer to avoid needlessly alerting regulators to what may, ultimately, be a false alarm. On the other hand, regulators will prefer to learn of a serious breach promptly and from the corporation itself.
6. Consider notifying law enforcement
Similarly, organisations facing a possible or confirmed cyber attack must consider whether and when to notify law enforcement. Under most circumstances and in most jurisdictions, institutions are not legally obligated to notify law enforcement of a cyber attack. If alerted, law enforcement may be able to bring additional resources to identify and combat the attackers. Once law enforcement becomes involved, however, an organisation may lose control and autonomy in its handling of the situation.
7. Address data breach notification requirements
Many jurisdictions have data breach notification laws, which require organisations to notify individuals whose personal data may have been compromised in a data breach. If customer or employee personal data has or may have been compromised, an organisation must quickly determine which jurisdictions’ laws apply and what the organisation’s notification obligations are. The timing and content of such a notification can have important legal and public relations effects.
8. Manage public relations
Not every incident will become public. However, if an incident is likely to become public, it is generally in an organisation’s interest to take the lead in releasing information to the press. Depending on the organisation’s industry and business model, the loss of customer confidence from a cyber breach can be extremely costly. Any press release should be as accurate as possible and sufficiently complete to avoid the need for subsequent corrections, which can prolong and exacerbate the media fallout. This can be especially difficult within the evolving information landscape that accompanies a data breach.
9. For publicly traded corporations, consider disclosure in public filings
Cyber attacks, and their ensuing legal and business fallout, can constitute material adverse business developments. Securities regulators in various jurisdictions have begun to issue guidance about when and how publicly traded corporations should publicly disclose cyber security-related events. (For example, the US Securities and Exchange Commission’s guidance is available here.) Organisations must review the requirements of the relevant jurisdiction and consider whether disclosure is required.
10. Assess the institution’s response and refine its response plan for future incidents
Following the immediate crisis management, an effort must be made to follow up and evaluate the effectiveness of the institution’s response. In addition to eliminating the vulnerabilities exploited by the attacker and any other identified vulnerability, the organisation should review and revise its response plan in light of the lessons learnt. A failure to take remedial steps after a serious incident could increase legal exposure resulting from any future incidents.
Scott S. Balber is a partner and US head of investigations and financial services litigation and John J. O’Donnell is a partner is the New York office of Herbert Smith Freehills
(The authors thank associate David Leimbach for his assistance in preparing this article.)