How organizations should respond to a complex cyberattack

When a cyber incident occurs, organizations need to be ready to respond with speed and precision. We explore five critical steps.

Responding to a complex cyber incident requires extensive investigation to support recovery, remediation, regulatory inquiries, litigation and other associated activities. Organizations need to conduct competent investigations with speed and precision. Otherwise, the financial and reputational impact can be profound – including, but not limited to: risk of revenue loss from disruption to the business, regulatory fines from noncompliance and loss of customer trust.

In the event of a large, complex cyberattack, many stakeholders are affected. Their involvement in response activities is critical. However, an effective and timely response requires more than just their involvement – close and around-the-clock collaboration is key. Only when the stakeholders effectively work together can a timely, accurate and cost-efficient response be possible.

It is very common that an organization engages an independent third party to help manage the response activities in the event of a major cyberattack. The third party needs to possess in-depth legal, compliance and investigative experience to be able to effectively communicate with all stakeholders. They help conduct timely and thorough investigations, activate the business continuity plan with precision, enforce a communication process among all stakeholders, and centrally manage all inquiries received from external and internal groups, as the incident continues to unfold over days, weeks or even months.

A centralized cyber response plan is critical to bring together stakeholders who may have different priorities but must collaborate to resolve the cyberattack. Exploring their roles.

• Board: Risk oversight is a function of the full board. The board oversees the response strategy that includes communicating with employees, the public, shareholders and, most likely, regulators and law enforcement. The board (or audit committee) also needs to work in lockstep with the CFO and the external auditor.
• CFO: The CFO has the responsibility to verify the integrity of the company’s financial controls and data, understand the potential adverse financial impact of the incident and determine the appropriate financial disclosures in relevant filings, all of which have a direct impact on the board’s communication with shareholders and the broader public.
• In-house counsel: The in-house counsel has an active role in working with the forensic investigators in practical matters such as evidence gathering, root-cause analysis and electronic discovery. In-house counsel usually takes the lead in communicating with regulators and external counsel. They must quickly determine the incident’s potential compliance and legal impacts to be able to interface effectively with various external stakeholders.
• Communications: Internal and external communication teams are important to ensure that the incident is properly communicated to employees, customers, shareholders and other third parties who may be impacted. If properly educated, employees can help to facilitate the investigation and take necessary measures to stop the breach from spreading further. Timely communication to the public is critical to restore trust and instill confidence in the organization’s ability to manage cyber risk and minimize the incident’s negative impact on its operations and customers.
• Compliance and ethics: The chief compliance officer (CCO) is responsible for assessing the regulatory compliance risk in the event of a cyberattack, whether it is related to data protection and privacy, or sector-specific regulations. A major cyberattack often spans multiple countries or jurisdictions; the CCO can face challenges in addressing the disparity — and sometimes even conflict — between jurisdictions. The CCO must work closely with privacy specialists, the legal department, the board, and the executive team as they manage these issues.
• CSO: Many large organizations employ a chief security officer (CSO), whose key responsibility is the overall security of all assets – whether physical, IT, intellectual property or people – against all threats, such as from accidental negligence, malignant insiders, professional criminals or state-sponsored groups. In regulated industries, government and defense contracting, and critical national infrastructure services, the CSO is often accountable for compliance with the national legislation governing security as part of the organization’s “license to operate.”
• CISO: The chief information security officer (CISO) works closely with the investigation team to quickly determine the root cause of the attack, understand its scope and assess its risk impact — data stolen, systems impacted and level of penetration — to contain and eradicate the threat and perform remediation activities. The CISO should also carefully study the investigation results and gather helpful information so that lessons learned are used to strengthen the company’s information security strategy and future responses.