Legal As Incident Response Quarterbacks: Overcoming Costly Planning Pitfalls
Back in 2017, in a global survey of senior corporate counsel, Kroll found that more than 45% of general counsel (GCs) had seen their role expanded to cover cyber incident planning. Four years later, nearly half (47%) of the security leaders polled for the 2021 State of Incident Response report said their teams lack clarity around when to engage legal counsel about a potential incident. The disconnect between legal and information security (“infosec”) teams is obvious, and the consequences are getting harder to ignore: GDPR fines increased sevenfold in 2021, cyber insurance policies are more expensive and more selective, and media and customer scrutiny are at an all-time high. No incident response plan (IRP) is flawless, but avoiding common planning pitfalls can strengthen both your organization’s security posture and the working relationship between legal and infosec teams.
Working with hundreds of legal professionals worldwide to respond to thousands of incidents every year, our global team has identified costly planning pitfalls that trip up organizations of all sizes and that corporate counsel is typically in a position to influence. These pitfalls are listed below, along with the key stakeholders the legal team should approach in preparation:
• Not knowing what data is stored and where: Data-mapping exercises, which some privacy regulations now mandate, enable an organization to quickly assess the potential impact of an incident. Knowing whether a server encrypted by ransomware was hosting old marketing brochures or payroll data greatly influences the severity and scope of the response, including whether notification obligations are triggered.
Key stakeholders: IT and infosec
• Undefined authority and responsibilities: The IRP must state clearly who has the authority to declare that an incident has occurred, who decides how the company will respond and who invokes the initial response steps. Once the IRP is invoked, every team and individual must understand their role.
Key stakeholders: Senior management, IT, infosec, HR, corporate communications and external vendors, including cyber security counsel, digital forensics providers, crisis communications firms and others
• Negotiating contracts during an incident: Invoking the IRP promptly only to then begin contract negotiations with external vendors is a source of critical delay. Legal teams should have lined up external vendors beforehand, with agreed capacity allocation and pre-negotiated response times (typically within hours of the initial call).
Key stakeholders: Procurement, infosec, senior management, legal teams and external vendors
• Communicating via compromised or insecure channels: Threat actors frequently target corporate email, and an attacker who holds a compromised account can read the response team’s own internal discussions and adjust accordingly. The details of incident communications should therefore be agreed before an event, particularly for relaying information to executives, board members and external parties: the time and location of meetings, the preferred out-of-band channels (an alternate email provider, SMS, etc.) and what types of information may be put in writing versus conveyed verbally.
Key stakeholders: IT, infosec, senior management, external vendors, executives and board members
• Lacking “muscle memory” in the response: Even the most carefully written IRP can fail if the people executing it are learning the process mid-crisis. Technology, personnel and the threat landscape change constantly, and the IRP must be updated to match. Tabletop exercises build muscle memory and surface the revisions the IRP needs for new scenarios; they should be run at regular intervals, quarterly or at least twice a year, and led by the legal team.
Key stakeholders: IT, infosec, senior management
Incident response requires many key decisions to be made under stress. There are many pitfalls an organization can fall into; this article touches on only the most common. That further reinforces the value of frequent IRP exercises that focus on different threat scenarios.
To minimize the legal, regulatory and reputational impact of a cyber incident, corporate counsel should embrace its role as the response quarterback and act in lockstep with infosec, IT, senior management and external vendors. Dedicating time to writing, and practicing, an IRP is vital. Only by “walking the walk” will you learn where your weaknesses lie, which gaps you need to plug and where more practice is required. Experiencing an incident without a plan, or with an untested plan, puts the business at far greater risk.
This content is advertising.