In part two of our series on preparing, responding and recovering from a cyber attack we look at the way your risk, tech and legal teams should respond in the event of a breach. Read part one to find out how to build up your organisation’s cyber resilience against threats before they occur.
The reality of cyber threats in the current day is that while you can protect your business against the more obvious attacks or breaches, it is almost inevitable that they will still occur in some form.
In our previous article we discussed what to do to prepare for a cyber attack. There are definite ways that you can reduce the probability of a breach and limit its severity should it happen. But what can you do if, or in reality, when, a major attack happens?
There will be multiple actions that need to take place immediately to investigate, contain, minimise and rectify the impact of the incident. Your response, like the preparation beforehand, will require coordinated action from all parts of the business, in particular, the risk, IT and legal functions. As with any crisis, a calm and coordinated response is key.
Here are our top recommendations:
Risk management recommendations
- Maintain your values, principles and priorities — In an attack event it is essential to get key decisions right the first time. Having detailed and tested response plans available, including your crisis communications plan, will facilitate timely decisions and communications being made to employees and customers in alignment with your organisation’s values, principles and priorities. Clear communications can significantly reduce secondary reputational impacts on your business despite the initial incident. Knowing what your critical assets are, as outlined in the preparation phase, will allow rapid, risk-based decision-making.
- First responders are critical — To contain, monitor and limit the impact of the security incident to your business, you need people on the ground ready to react. This capability must be supported with an appropriate budget, resources, technical expertise and access to third party relationships (such as forensics and data recovery services) that can be relied on.
- Don’t leap to conclusions — Containing the incident is not about trying to get back to ‘business as usual’ but about limiting the impact to your organisation while gaining time to obtain further information or a greater understanding of the incident to support the investigation. Don’t leap to conclusions when triaging — use the facts available to support decision-making.
- Get help if you need it — With preparation, most cyber attack incidents are minor and can be handled by your IT security team. However, if you’re dealing with a large or complex cyber incident such as a ransomware event or serious data breach, you need to know whether your team can, or should, respond. Have a process in place to bring in incident responders under a retainer arrangement, with agreed response times. Make sure they have the technical capability to supplement and fill the gaps in your own team (for example, specialist forensic equipment and skills).
- Beware red herrings — At the start of the investigation you will have the least information about what has happened and every security lapse, account compromise, or phishing email will feel like it could be related. In the first few hours and days it’s important to stay focused on what you know is connected. You can and will get phone calls about possible related activity, and triaging this information quickly is crucial to staying focused on the main event, allowing the team to get to the critical information on what happened.
- Disconnect, don’t disable — Once you have a handle on the nature of the incident, the next step is to contain and reduce the harm it can cause. Containment will depend on the nature of the breach, but if you face a threat that is still spreading, you may need to protect healthy systems by isolating the affected ones. The fastest and safest way to do this is to remove network connectivity — don’t shut things down. This preserves volatile evidence (running processes, live connections, memory) on affected systems, and usually reduces the time it takes to get systems up and running again.
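As an added example (not code from the article or from PwC), a shell script for the "disconnect, don't disable" step: it snapshots volatile evidence first, then prints the firewall rules that cut the host off the network while leaving it running. It assumes a Linux host using iptables and an IR jump-host address supplied by the caller; both are assumptions, not details from the article.

```shell
#!/bin/sh
# Added example, not code from the PwC article: "disconnect, don't disable".
# Step 1 snapshots volatile state (connections, processes, sessions) before
# anything changes; step 2 prints (or, with APPLY=1, applies) firewall rules
# that drop all traffic except an SSH session from the IR jump host.
# Assumptions: Linux host, iptables in use, jump-host IP supplied by caller.

snap() {   # snap <file> <command...>: run a collector, never abort on failure
    f="$1"; shift
    { "$@" 2>/dev/null || echo "unavailable: $*"; } > "$f"
}

collect_volatile() {   # $1 = evidence directory; prints its path
    dir="$1"; mkdir -p "$dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/collected_at.txt"
    # Most volatile first: live connections, then processes, then sessions.
    snap "$dir/connections.txt" ss -tunap
    snap "$dir/processes.txt"   ps -eo pid,ppid,user,args
    snap "$dir/sessions.txt"    who -a
    snap "$dir/interfaces.txt"  ip addr show
    # Hash the snapshot so any later alteration is detectable.
    (cd "$dir" && sha256sum ./*.txt) > "$dir/SHA256SUMS" 2>/dev/null || :
    echo "$dir"
}

isolation_rules() {   # $1 = IR jump host IP; prints rules, one per line
    ir="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $ir -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $ir -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

contain_host() {   # $1 = evidence directory, $2 = IR jump host IP
    collect_volatile "$1" > /dev/null
    if [ "${APPLY:-0}" = "1" ]; then
        isolation_rules "$2" | sh    # network gone, host still running
    else
        isolation_rules "$2"         # dry run: review rules before applying
    fi
}
```

Without APPLY=1 the script only collects evidence and prints the rules, so the host's connectivity is untouched until a responder has reviewed them.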
Legal and regulatory lessons
- Assess your exposure — It’s essential that you know the level of access and privileges obtained by the attacker. Identify impacted data sets, including whether personal information has been compromised, if individuals or third parties have been impacted, and the jurisdictions involved. Whether contractual or regulatory in nature, your legal rights and obligations need to be assessed quickly. Confirm potential regulatory notification obligations and assess your contractual obligations (and potential liabilities).*
- Manage legal privilege — Various elements of your breach response may include legal advice and this may attract legal privilege. While this is ultimately a question of law, legal advice is an important aspect of maintaining the confidentiality of your investigation. Clear, manageable and effective confidentiality protocols should be in place and understood by legal and non-legal teams alike. Where possible, third parties should be engaged by your legal advisers, who will then be able to form a legal opinion on any legal/regulatory issues by considering inputs, such as root cause analysis or security uplift recommendations.
- Develop, document and undertake a robust assessment process — Implement your breach response plan.** It should include a comprehensive, robust and defensible assessment to determine whether personal information was accessed, lost or disclosed, what and who it relates to (type and jurisdiction), and notification obligations. It should also align with your business continuity plan so that relevant evidence is not impacted by the breach or any containment activity. Under the Australian Privacy Act, for example, certain organisations must carry out an ‘eligible data breach’ assessment if they suspect such an incident. They must also notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals of ‘eligible data breaches’. Other jurisdictions (which may apply to you also) will also have mandatory assessment and notification requirements. This is more than just a compliance exercise and early regulator engagement will enable you to meet your regulatory obligations and ensure impacted individuals are appropriately informed.
In the final part of this series we will look at what actions the risk, IT and legal functions can take to help the organisation get back on its feet after a cyber attack as quickly, and safely, as possible.
For further information on how your business can shore up defences against cyber attacks, and how to respond if an incident occurs, check out PwC Australia’s cyber security site.
*For example: Are you under a mandatory obligation to notify regulators and impacted individuals? Do your contracts include incident related obligations or do they expose you to termination triggers? Are you across your insurance arrangements, including your cyber insurance policy requirements?
**The OAIC provides a robust framework for this covering containment, breach assessment, eligible breach notification and information on reviewing the incident.
Also contributing to this article:
Andrew Morrison, Senior Associate, Financial Advisory – Legal, PwC Australia
James Patto, Director, Financial Advisory – Legal, PwC Australia
David Stocks, Senior Manager, Consulting – Digital Transformation, PwC Australia
Helen Teixeira, Senior Manager, Assurance – Trust & Risk, PwC Australia