Crisis response teams form critical part of cyber security planning
NEW YORK — Instituting a detailed plan to stem damage when a data breach occurs is essential to corporate cyber security, as is controlling access to data among employees and outside providers.
Such a plan should be formalized, including designating incident response team members and notifying senior management, and should be practiced before a major event occurs, said Ethan Harrington, director of insurance and risk management at H&R Block Inc. in Kansas City, Missouri.
“Insurance and risk management should take the lead,” Mr. Harrington said during a discussion of cyber risks at the Business Insurance Risk Management Summit earlier this month in New York.
The function of the insurance and risk management team is to consolidate and coordinate all communications internally as other departments, such as legal and information technology, become involved, he said.
The response team should include the company's chief information security officer, said Grace Crickette, Emeryville, California-based senior vice president and chief risk and compliance officer at the American Automobile Association of Northern California, Nevada, and Utah.
“The CISO needs to be on the response team if it's a (data) breach,” Ms. Crickette said. Sometimes it's helpful to have the IT department on hand also to lend investigative and technical support even when the event is not an IT event, she said.
Ms. Crickette said chief information security officers generally are happy to have a risk manager heading the response.
“In my experience, the CISO is really, really glad to have the risk manager actually be the coordinator. This frees up the CISO,” she said.
Having a detailed and well-practiced plan in place is key to any incident response, said Molly McGinnis Stine, a partner at law firm Locke Lord L.L.P. in Chicago.
“The whole point of the plan is to have thought about this ahead of time and to have identified scenarios where you might need to have a team ready to go,” Ms. Stine said.
“You need to act very quickly in cyber situations,” said Richard DeNatale, a partner at Orrick, Herrington & Sutcliffe L.L.P. in San Francisco.
He also recommended that a company's accounting/finance department be represented on the response team to track costs.
Typically, a company's board and senior management are not members of the response team, but the response team must keep them informed, Ms. Stine said.
“Part of your planning must be when you tell them, who tells them, what do you tell them — and that needs to be carefully thought about ahead of time,” she said.
A key aspect of mitigating any cyber threat is to limit access to a company's data by insiders and outsiders alike.
“A big part of information technology security is actually controlling the data,” Ms. Crickette said. A company can reduce and segregate data to minimize exposure, “but it goes back to access management — who gets to see it,” she said.
“Vendors are incredibly important,” Mr. DeNatale said. “A company is only as strong as its weakest link,” he said of limiting outside providers' access to company data.
Ms. Stine agreed and said controlling outside providers is an improving science.
“I think we're part of an evolution of learning how to better vet vendors,” she said.
Panelists also agreed that human resources should be involved in efforts to monitor and control employee access to data.