How organizations should respond to a complex cyberattack

When a cyber incident occurs, organizations must be ready to respond quickly and accurately. We explore five critical steps.

EY LAW - Responding to a complex cyber incident requires extensive investigation to support recovery, remediation, regulatory inquiries, litigation and other associated activities. Organizations need to conduct competent investigations quickly and accurately. Otherwise, the financial and reputational impact can be profound - including, but not limited to: risk of lost revenue from business disruption, regulatory fines for non-compliance, and loss of customer confidence.

In the event of a large and complex cyber attack, many stakeholders are affected. Their participation in response activities is critical. However, an effective and timely response requires more than their participation - close and ongoing collaboration is key. Only when stakeholders work together effectively can a timely, accurate and cost-effective response be possible.

It is very common for an organization to hire an independent third party to help manage response activities in the event of a major cyberattack. The third party needs to possess deep legal, compliance and investigative expertise to be able to communicate effectively with all stakeholders. They help conduct timely and thorough investigations, activate the business continuity plan accurately, enforce a communication process among all stakeholders and centrally manage all inquiries received from external and internal groups as the incident continues to unfold over days, weeks or even months.

A centralized cyber response plan is critical to bring together stakeholders who may have different priorities but must collaborate to resolve the cyberattack. Exploring their roles.

• Board of Directors: Risk oversight is a board-wide function. The board oversees the response strategy that includes communicating with employees, the public, shareholders and, most likely, regulators and law enforcement. The board of directors (or audit committee) also needs to work closely with the CFO and the external auditor.
• CFO: The CFO is responsible for verifying the integrity of the company’s financial controls and data, understanding the potential adverse financial impact of the incident, and determining the appropriate financial disclosures in relevant documents, all of which have a direct impact on the board’s communication with shareholders and the general public.
• In-house counsel: In-house counsel takes an active role in working with forensic investigators on practical matters such as evidence collection, root cause analysis and electronic discovery. In-house counsel generally takes the lead in communicating with regulators and outside counsel. They must quickly determine potential incident compliance and legal impacts in order to effectively interact with various external stakeholders.
• Communications: Internal and external communications teams are important to ensure that the incident is properly communicated to employees, customers, shareholders and other third parties who may be affected. If properly educated, employees can help facilitate the investigation and take the necessary steps to prevent the breach from spreading further. Timely communication with the public is critical to restoring trust and instilling confidence in the organization’s ability to manage cyber risk and minimize the negative impact of the incident on its operations and customers.
• Compliance and ethics: The chief compliance officer (CCO) is responsible for assessing compliance risk in the event of a cyberattack, whether related to data protection and privacy, or industry-specific regulations. A major cyberattack often spans multiple countries or jurisdictions; the CCO may face challenges in addressing the disparity - and sometimes even conflict - between jurisdictions. The CCO must work closely with privacy specialists, the legal department, the board of directors and the executive team as they manage these issues.
• CSO: Many large organizations employ a chief security officer (CSO), whose key responsibility is the overall security of all assets - whether physical, IT, intellectual property or people - against all threats, such as accidental negligence, malicious infiltrators, professional criminals or state-sponsored groups. In regulated industries, government and defense contracting, and critical national infrastructure services, the CSO is often responsible for compliance with national legislation governing security as part of the organization’s "license to operate."
• CISO: The chief information security officer (CISO) works closely with the investigation team to quickly determine the root cause of the attack, understand its scope and assess its impact on risk - data stolen, systems impacted and level of penetration - to contain and eradicate the threat and perform remediation activities. The CISO should also carefully study the results of the investigation and gather useful information so that lessons learned can be used to strengthen the company’s information security strategy and future responses.