Cyber breach plans should be ready to deployReprints
The challenges of dealing with any cyber attack are multiplied if companies lack a detailed, flexible plan to respond to a breach.
Experts also say it's important to update the plan after every breach — at least annually otherwise — and conduct tabletop exercises to test it.
While most large companies already have a cyber breach plan in place, many midsize and small companies do not, experts say.
“Large organizations are a lot more educated on the importance of having a formalized incident response plan, whereas (most) small and medium-sized businesses don't have enough resources or haven't identified their importance,” said Zach Scheublein, New York-based vice president at Aon P.L.C.'s professional risk solutions group.
Being a cyber attack victim without having a response plan in place “is like being in a high rise without a fire escape” when your building is on fire, said Patrick X. Fowler, a partner at Snell & Wilmer L.L.P. in Phoenix.
Such breaches frequently occur on the Friday afternoon of a holiday weekend or during the holiday, which is “the worst possible time,” and even a small breach can have significant consequences.
“So to start from scratch at that point is really difficult,” said Holly K. Towle, a partner at K&L Gates L.L.P. in Seattle.
Response plans “run the gamut” in quality, Ms. Towle said. “Some are incredibly sophisticated” and have “it down to the tiniest detail. Other plans are not. That's why the more time you put into the plans upfront, the less agonizing it will be later.”
“A plan has to be built for your organization,” said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey. “One of the issues we see is an organization will adopt another organization's plan, sometimes when somebody brings it with them from their previous job.”
The response plan team should include the company stakeholders, such as the risk manager, chief information security officer and representatives of public relations, human resources, finance, security and legal — whomever will have a role in addressing a cyber breach, experts say.
Some observers say outside counsel also should be a member of the team, because any information the attorney learns is considered privileged, and the company will not be obligated to turn it over to a plaintiff attorney if there is a lawsuit.
Protect the company's privileged information “because of the potentially harmful things a team might find out in the wake of the breach,” in case there is litigation, said Karla Grossenbacher, a partner at Seyfarth Shaw L.L.P. in Washington.
Firms also should determine in advance which outside experts they would bring in, such as forensics, PR, crisis management, credit monitoring and call center firms.
Be flexible, said Michael P. Hindelang, a partner at Honigman Miller Schwartz & Cohn L.L.P. in Detroit. For instance, bringing in an outside PR firm “makes perfect sense if you have 10,000 customers involved. It may not make sense if you have 10 customers” affected.
“You want to have a level of flexibility and discretion in the plan so you can bring in the resources you need but not waste the company's efforts,” he said.
Tabletop exercises do not have to be “extremely complex, full-scale disaster tests, but I am suggesting that at the very least they need to run tabletop exercises,” Mr. Brill said.
Periodic tabletop exercises determine what works and what needs improvement, and enable the company to refine the plan, Mr. Fowler said.
Aside from updating a cyber breach response plan at least once a year or after a breach, experts say it also should be updated if a team member leaves the company, if the company is reorganized or if the firm's technology changes significantly.
“You want to be sure you're changing along with the environment,” said Adam Cottini, New York-based managing director of insurance and risk management of the cyber liability practice and area senior vice president at Arthur J. Gallagher & Co.
Businesses “need to continue to update those plans as business models change or people internally change to make sure they're consistent with what the internal message might be ... making sure people have the right roles and responsibilities in place,” said Jason Warmbir, Chicago-based vice president and cyber team leader of FINEX's Midwest region at Willis Towers Watson P.L.C.
“It's a constant living and breathing process. None of these plans are written in stone,” said Robert Parisi, managing director and national cyber risk product leader at Marsh L.L.C. in New York. “They're meant to be evolving, they're meant to be adaptive. That's the most critical piece.”