In 2015, the Internet Crime Complaint Center received 288,012 complaints of cyber attacks totaling more than $1.07 billion in reported losses. Those numbers are based only on incidents that were reported to the FBI. When we talk about cyber risk, data theft, and the threat of ransomware, we usually focus on prevention strategies. But being prepared to respond quickly and efficiently when an event does occur is just as important to operations recovery, cost reduction, and reputation management.
So how can we prepare for the fallout of a breach?
Having a well-defined, documented, and regularly tested Incident Response Plan (“IRP”) that aligns with your Disaster Recovery/Business Continuity Plan (“BCP”) can help your organization recover from and remain operational during a cyber breach event.
Your organization has been breached. What now?
As mentioned above, it’s absolutely critical to have a well-documented and tested Incident Response Plan at the ready should a cyber event occur. These situations are highly stressful and confusing, so trying to work through them without proper planning will lead to costly and time-consuming mistakes. With that said, here’s what to do to recover from a cyber attack.
1. Activate your Plans. Consult the Incident Response and Disaster Recovery plan documents. Contact the plan administrators and assemble the teams. The organization’s IRP and BCP should help navigate through a cyber incident when stress levels are high and time is of the essence. Clear internal communication is key.
Ponemon’s 2016 Cost of a Data Breach study found that an incident response team reduced the cost of a data breach by $16 per record, from $158 to $142.
2. Notify your IT department. IT should begin to determine the validity, breadth, and impact of the breach and trigger the Business Continuity Plan to reestablish access to data, systems, and applications.
3. Engage Legal Counsel. A legal firm specializing in cyber breaches and breach coaching should be retained to assess notification requirements to insurers, customers, third parties, local and federal law enforcement, and any other impacted parties. Make sure that the legal firm you retain is pre-approved by your company’s cyber liability insurance carrier and that breach response expenses are covered by your policy.
4. Contact your cyber insurer. With assistance from your legal counsel, report the incident/claim. Your Cyber Liability Insurance policy should have instructions on how to report a claim and will usually include contact information for the insurer’s cyber breach hotline. Be sure to document all steps taken to identify and remediate the breach and any expenses incurred to perform forensic investigation and adhere to legal obligations. This includes costs to notify impacted parties, pay fines and penalties, recover data/systems and retain experts.
5. Determine legal obligations to notify customers and offer breach services. Your legal counsel/public relations firm should help you determine what legal obligations your organization has to notify impacted parties, provide call center service, and offer credit/identity monitoring services. Notification laws vary from state to state. Curious about the laws in your state? See the article at the bottom of this page on state by state security breach notification laws.
6. Restore corrupted or encrypted files from a local or offsite backup (if possible). If restoration from backup is not available during a ransomware event, consider paying the ransom to obtain the key to decrypt your files.
7. Do a Deep Dive on the breach to determine the cause and discover vulnerabilities. This will help prevent further breaches and allow your organization to mature the Incident Response and Disaster Recovery plans.
What to Do After a Ransomware Attack --- Risk Management Magazine
State by state security breach notification laws --- National Counsel of State Legislatures
How to prepare for and respond to a cyber attack --- Ed McAndrew and Anthony Di Bello for Networkworld.com
At the ALS group, we manage more than a quarter billion dollars of insurance premiums and have years of experience crafting custom cyber insurance policies. If you need assistance developing a cyber risk mitigation strategy, documenting an Incident Response Plan, or purchasing a cyber insurance policy, please contact us for more information.