7 minute read 5 Dec 2019

How organizations should respond to a complex cyberattack

By Todd Marlin

EY Global Forensic & Integrity Services Technology & Innovation Leader

Global leader in technology & innovation, with significant experience serving the financial services industry.


When a cyber incident occurs, organizations need to be ready to respond with speed and precision. We explore five critical steps.

Responding to a complex cyber incident requires extensive investigation to support recovery, remediation, regulatory inquiries, litigation and other associated activities. Organizations need to conduct competent investigations with speed and precision. Otherwise, the financial and reputational impact can be profound, including but not limited to the risk of revenue loss from disruption to the business, regulatory fines from noncompliance and loss of customer trust.

In the event of a large, complex cyberattack, many stakeholders are affected. Their involvement in response activities is critical. However, an effective and timely response requires more than just their involvement – close and around-the-clock collaboration is key. Only when the stakeholders effectively work together can a timely, accurate and cost-efficient response be possible.

Organizations very commonly engage an independent third party to help manage the response activities in the event of a major cyberattack. The third party needs to possess in-depth legal, compliance and investigative experience to be able to communicate effectively with all stakeholders. It helps conduct timely and thorough investigations, activate the business continuity plan with precision, enforce a communication process among all stakeholders, and centrally manage all inquiries received from external and internal groups as the incident continues to unfold over days, weeks or even months.

Centralized cyber response plan

A centralized cyber response plan is critical to bring together stakeholders who may have different priorities but must collaborate to resolve the cyberattack. Their roles are explored below.

  • Board: Risk oversight is a function of the full board. The board oversees the response strategy that includes communicating with employees, the public, shareholders and, most likely, regulators and law enforcement. The board (or audit committee) also needs to work in lockstep with the CFO and the external auditor.
  • CFO: The CFO has the responsibility to verify the integrity of the company’s financial controls and data, understand the potential adverse financial impact of the incident and determine the appropriate financial disclosures in relevant filings, all of which have a direct impact on the board’s communication with shareholders and the broader public.
  • In-house counsel: The in-house counsel has an active role in working with the forensic investigators in practical matters such as evidence gathering, root-cause analysis and electronic discovery. In-house counsel usually takes the lead in communicating with regulators and external counsel. They must quickly determine the incident’s potential compliance and legal impacts to be able to interface effectively with various external stakeholders.
  • Communications: Internal and external communication teams are important to ensure that the incident is properly communicated to employees, customers, shareholders and other third parties who may be impacted. If properly educated, employees can help to facilitate the investigation and take necessary measures to stop the breach from spreading further. Timely communication to the public is critical to restore trust and instill confidence in the organization’s ability to manage cyber risk and minimize the incident’s negative impact on its operations and customers.
  • Compliance and ethics: The chief compliance officer (CCO) is responsible for assessing the regulatory compliance risk in the event of a cyberattack, whether it is related to data protection and privacy, or sector-specific regulations. A major cyberattack often spans multiple countries or jurisdictions; the CCO can face challenges in addressing the disparity — and sometimes even conflict — between jurisdictions. The CCO must work closely with privacy specialists, the legal department, the board, and the executive team as they manage these issues.
  • CSO: Many large organizations employ a chief security officer (CSO), whose key responsibility is the overall security of all assets – whether physical, IT, intellectual property or people – against all threats, such as from accidental negligence, malignant insiders, professional criminals or state-sponsored groups. In regulated industries, government and defense contracting, and critical national infrastructure services, the CSO is often accountable for compliance with the national legislation governing security as part of the organization’s “license to operate.”
  • CISO: The chief information security officer (CISO) works closely with the investigation team to quickly determine the root cause of the attack, understand its scope and assess its risk impact — data stolen, systems impacted and level of penetration — to contain and eradicate the threat and perform remediation activities. The CISO should also carefully study the investigation results and gather helpful information so that lessons learned are used to strengthen the company’s information security strategy and future responses.


Five steps to respond to a crisis

The current threat environment is such that it is only a matter of time before an organization suffers a major cyberattack. Organizations need to have a clear understanding of the key steps of cyber response to be adequately prepared when the crisis strikes. The five steps of cyber response are interdependent and have no fixed sequential order. Performing them in parallel can shorten the time to resolution and reduce risk exposure.

1. Plan

A cyberattack can go undetected for a long period of time. Consistently performing enterprise-wide monitoring and diagnostics is the key to early detection and resolution.

2. Identify and escalate

In this stage, knowledge of the enterprise network environment is critical as the response team isolates the incident and zeroes in on the affected systems and data. Depending on the severity, complexity, and urgency of the incident, appropriate escalation procedures are enacted based on pre-established criteria. The triage guidelines should be continuously fine-tuned to stay current with the organization’s risk environment so that critical risks are not missed, and low-level risks don’t take up precious resources.

3. Investigate

Investigators usually work closely with information security to determine how and when the compromise occurred, the root cause and the impact on the organization. A major incident can involve several cycles of investigation and each cycle includes four key activities: evidence gathering, analysis, containment, and eradication.

[Figure: Forensic investigations flow chart]

  • Evidence gathering needs to be conducted in a forensically sound manner, so findings can stand up to legal and regulatory scrutiny.
  • Analysis helps identify the root cause and contaminated computers and systems that should be isolated and removed so the virus doesn’t spread further in the network. 
  • Containment and eradication could reveal new risks that need to be analyzed further — the cycle of activities will continue until the system is back to its normal state, and all exposed areas have been thoroughly studied and mitigated. All activities must be coordinated and executed with speed and precision, as attackers will often try to re-establish a presence and entrench themselves into the network.

4. Remediate

The compromised organization should identify and address vulnerabilities in the environment, sufficiently strengthen the environment to complicate the attacker’s effort to get back in, enhance its ability to detect and respond to future attacks, and prepare for eradication events.

5. Resolve and learn

This stage largely entails data preparation for regulatory reporting, insurance claims, litigation, threat intelligence and/or customer notification. Beyond reactive activities, it is also important for the organization to turn a reactive crisis management case into lessons for proactive cyber risk management. The cyber response team should summarize information security improvement measures based on the investigation’s outcome.

Cyber response consists of a series of stages that must be carefully planned. The plan needs to involve professionals with diverse backgrounds in investigation, information security, legal, regulatory compliance and communication. The response team needs to be able to mobilize at a moment’s notice and work as a well-oiled machine. In order to do so, they should conduct tabletop exercises on a regular basis to make sure that skill sets are kept up-to-date with the latest threats, and communication links remain operational.

 

Summary

A well-defined cyber response plan provides guidance to all lines of business involved in the response, sets a level of understanding about what information is critical – as well as when and how to express it – and allows continuous reaction with precision. The plan needs to involve professionals from investigation, information security, legal, regulatory compliance and communication backgrounds with the ability to mobilize at a moment’s notice and work together. To do so, they should make certain that their skill sets are as up to date as possible with the latest threats and communication links remain operational.
