Mayer Brown provides legal services to organizations across the globe and recently released a report entitled Preparing For and Responding to a Computer Security Incident: Making the First 72 Hours Count. The authors of the report, Marcus Christian and Stephen Lilley, spoke with The Cipher Brief about the key elements of a strong response plan and how businesses can best recover after a cyber attack.
The Cipher Brief: When it comes to cyber attack recovery, it is just as important as prevention. Why is that the case?
Marcus Christian: There is an often quoted statement by former FBI Director Robert Mueller that basically people have been breached or that they are going to be breached—that is a paraphrase. The reality is sooner or later it is going to happen, despite any prevention effort a particular entity may engage in. That means everyone needs to be ready to recover. If you are going to have an incident, then the damage from the incident is going to depend upon your ability to recover in large part.
TCB: Your publication highlights that the first 72 hours is critical. Why is that window of time unique?
MC: In a nutshell, when critical incidents happen, the idea that you are standing still really means that you are moving backwards. We feel that is clearly the case when you respond to data breaches and other computer security incidents. First of all, in the early stages, this is no longer an event occurring outside of your knowledge. There is further damage that could be occurring. For example, if a cyber criminal organization or a nation-state gets into your system, it will not automatically and instantaneously pull all of the information out of it. Depending upon when you can catch the intrusion, you could prevent them from extracting or even accessing any information. So, that is certainly a good result.
A response can be, in large part, an investigation to see what has actually been affected and who is involved and to determine the damage. The bottom line is that evidence can be fragile in a number of ways. For example, if you have to conduct interviews of people, memories can fade – particularly in times of stress.
In addition, if you are not ready to respond correctly, people often do things that can be counterproductive. For instance, people may want to pull the plug immediately on systems, and that can actually destroy important electronic evidence. So insufficient preparation can make it very difficult to figure out what has happened, if not impossible.
The first 72 hours are critical for incidents that are subject to either federal or state notification laws, as the timeframe for notification can start to run upon discovery of an intrusion. That trigger also can be relevant for contracts with third parties that require notification, for insurance policies, or for providing mitigation services to other companies.
Another big one is, if you are an organization, your purpose is to run your business. If you have an intrusion and you find out about it, you want to be able to resolve it as soon as possible so that you can actually keep your operations up, or get them back up and running.
With any of these incidents, you’re going to be scrutinized about what happened before you learned about it, to some extent. And you will be scrutinized about what you did after you learned of the incident. This is critical because that is the part you knowingly control – what you do once you know about it. You need to be able to move early on to set the stage for what is going to happen afterwards.
TCB: What are the key elements, the key aspects of a strong recovery plan? What should be at the top of a company’s list?
MC: There are a number of priorities, because organizations often are named in lawsuits or enforcement actions. A response needs to be executed in a way that will maintain privilege and confidentiality, wherever possible and to the greatest extent possible.
In addition, a strong recovery plan is something that is well thought-out and is not cookie cutter or one size fits all. It will be tailored to the organization, to its resources, to its personnel, to its operations, to its critical assets, and to its crown jewels. It will also be tailored to its particular regulatory environment.
A strong recovery plan will be dynamic and trained and rehearsed through a number of exercises. It will be informed by past experiences and improved by lessons from post mortem analysis, if the organization has prior incidents.
Stephen Lilley: Companies should recognize that responding to a major cyber event is often a very public task for a company. As a result, being able to manage it as a crisis, including by having the appropriate types of communications resources and relationships in place before the event, is very important. Looking like you’re handling a data breach ineffectively can be very harmful even if you are in fact handling it effectively. Making sure that you are able to give comfort at the appropriate times to investors, regulators, customers, and the public can be critical. Having a crisis communications firm as part of your team is certainly valuable.
MC: A crisis communications firm is one of several external parties that may be a part of your team. Whoever the external members are, it is important to have those relationships lined up beforehand, because you want an organization that is going to be very capable, and also you want an organization that will be available. And the only way you can really ensure that is to build those relationships and to dot the i’s and cross the t’s beforehand – prior to the crisis.
TCB: What have you generally found in terms of your experience advising clients? What aspects of the recovery plan are most companies including already? In what aspects and areas are most, or some, businesses falling behind? On the list of things to do, where are companies falling, in terms of what they are doing and what they are not doing?
MC: It is a pretty well understood fact that you will need people with IT expertise to be involved in a recovery plan. That is something that I think most organizations that have done any thinking about it at all, get. But the problem is that too many organizations begin there and end there. Then, I think at another level, organizations oftentimes have a plan that someone wrote at some point in time and maybe put it away. But a response plan must be living and dynamic, and it cannot be something that simply exists in writing. It needs to be in writing, but it needs to become operationalized through performing table-top exercises and in other ways, including lining up the essential relationships and other necessities in advance. This is a truly interdisciplinary undertaking. It is not simply an IT, legal, HR, privacy, or compliance problem. It’s going to cut across those areas and include operations and other disciplines, because cybersecurity is an enterprise risk. It needs to be addressed accordingly.
SL: To build on Marcus’s point, data breach response is one part of an integrated cyber security strategy that ultimately needs to have oversight at the board level. The companies leading in this area have appropriate reporting structures at the board level and in senior management to make sure that the enterprise as a whole has more than just a data breach response plan and other relevant plans. These companies also have relevant contracts and policies in order, to make sure that they can deliver appropriate technical, litigation, or regulatory responses, whatever the circumstances may be, and address the risk on an appropriate scale.
MC: One other thing that I think is important to understand is that when you approach cybersecurity, it is not simply about a potential data breach. It could be a denial of service attack that distracts you while something else happens. It could be that it is not someone from around the globe who is attacking you; rather, it could be someone within your organization who has physical access. Or it can be through a phishing email or even through a thumb drive that is left lying around, and someone takes it and inserts it into a computer, thereby introducing malware to the system. It’s good to be aware of varying types of threats, to understand which ones are going to be most relevant to your organization, and then to be ready to deal with them.
TCB: What are the legal and regulatory issues that companies are currently facing as they grapple with the threat? What do you believe are the changes that need to take place in both the legal and regulatory regimes to make it easier for businesses to respond to cyber breaches?
SL: One thing that has remained constant is the threat of class actions. Anytime there is a major breach, class actions routinely get filed within a week. This is something that companies have been addressing for a number of years, especially when there is significant publicity around a breach. Realistically, that is probably going to continue.
The challenge for companies is that there are so many different legal standards that appear to be potentially applicable. Whether they’re created by legislation or regulation, some level of standardization and coordination of these standards is going to be important, and I hope that will come in the coming years. The general principle that you would want to see is that companies have flexibility to comply with whatever standards or best practices emerge. Treating cybersecurity as a question of risk management means that companies understand their networks, understand their assets, understand the risks of those assets, and should be encouraged to address those risks in an appropriate manner. The worst case is that companies get judged by ad hoc standards that are made up after the fact: effectively getting doubly victimized when, despite their best efforts, they get hacked, and then immediately get blamed for it even though they made very reasonable efforts to avoid that event.
The other overarching theme that I would stress is that it is important there be as much collaboration as possible between government and industry. Obviously, there are privacy issues that can arise when government and industry work together, but there must be a way to work those issues out and find ways to share threat information between the government and the private sector—to find a way to help companies with their response function and generally build towards a more cyber secure future together, rather than in an adversarial posture.
MC: Among all of the different laws and regulations that apply to data breach, there are 47 different state laws in addition to the District of Columbia and certain other jurisdictions. They are similar in some regards, but different in others. Some businesses and other organizations are looking to the federal government, hoping there may be some form of uniform notification standard that could emerge that would eliminate the need to navigate approximately 50 different jurisdictions plus any federal requirements in the event of a data breach or other cyber intrusion or computer security incident. Another thing is that proposed legislation also has addressed information sharing. Companies are concerned about what liabilities they face if they share important threat information but somehow, by accident, some private information gets out. The government certainly could be very helpful by providing liability protection and mechanisms to enable companies to share general threat information, defense information, and classified information. There is no certainty that it will happen in the near future. Certainly there are signs of hope, but legislation has been introduced in the past and has died without passage.
Stephen Lilley is a senior associate in Mayer Brown’s Cybersecurity & Data Privacy practice. He focuses his practice on complex and interrelated litigation, regulatory, and policy issues. He can be reached at slilley@mayerbrown.com.