Responding to a cyber security breach - a step-by-step guide
22 July 2021
by Kurt Roosen, Head of IT, Cayman National Bank
Cyber security breaches are becoming ever more common across the globe. Here are the steps to take in the hours and days following a breach.
There were almost 4,000 confirmed data breaches globally in 2020, so it’s no surprise that most industry experts talk about “when” a breach happens, rather than “if”. Cayman National suffered a breach in 2019 when its Isle of Man-based bank and trust company was targeted by hackers. The bank knew the importance of a rapid response and executed a carefully developed plan. Here’s what they did.
The first 24 hours
When an incident is discovered the most important thing is to respond calmly. Panicking or rushing the response is more likely to lead to mistakes. At this point, we are still talking about an “incident”. A breach triggers regulatory obligations, so don’t announce publicly – to customers, for example - that you have suffered a breach until it is confirmed. However, for our purposes we will assume that we are talking about a confirmed breach.
Having a plan makes it easier to stay calm. Ensure that whoever discovers the incident or receives the initial incident report understands the internal risk escalation process. Someone with decision-making power needs to be told of the breach as soon as possible. That person should then convene the incident response team.
At a minimum, the incident response team should include the Chief Technology Officer (CTO) or Chief Information Officer (CIO), the Data Protection Officer (DPO), Chief Risk Officer (CRO) and representatives of the board, the legal team, PR, HR, and security. Depending on the organisation, the legal and PR representatives might be external. Even so, involve them from the outset.
As soon as possible you should inform your insurers. This could be done while the incident response team is coming together. Next, appoint or engage a professional Incident Response Coordinator - a specialist law firm. Communications with them will be covered by legal privilege and they can advise how to protect your communications.
This is important because an organisation’s customers or shareholders might take legal action following a breach if they feel that they have suffered a loss. Your communications - emails, letters, meeting minutes, computer logs and other records - can be requested by the court. Some of these communications, particularly if taken out of context, might make your organisation appear culpable - even if it is not. Legal privilege ensures that the communications it covers - and your lawyers will advise you which ones those are - remain confidential.
The next step is to provide an incident report to your industry regulator. Meanwhile, ensure that all systems logs are retained and issue all staff with document preservation notices. Securing these documents is not only vital to your investigation but also shows third parties, such as the regulator, that you have responded to the incident in a responsible manner.
Lock down your systems while you assess the extent of the breach and limit any further damage. This might require service interruption, so you will want to keep the lockdown as brief as possible, but it is a vital step. Then engage a professional, third-party cyber security team. They will act as an independent second pair of eyes on your incident response.
Finally, with all that done, you can issue a public statement and publish it on your website. Don’t say anything in this statement unless it is definite. It is better to tell people that more information will follow than to announce something that turns out to be wrong.
The second 24 hours
Clear your diary and log everything you do from now on. Ensure that your PR team understand how to answer press, regulatory and industry enquiries. Make sure they aren’t drawn into speculation, for example about whether any data has been stolen or if financial losses have been suffered. Set up a dedicated helpline and email address for customers, with pre-prepared scripts and a Q&A paper so that anyone who contacts you knows the situation. Consider outsourcing this to a call centre.
Inform your staff. Schedule briefings, ideally face to face, and explain what has happened. You can give staff a little more information than you have given publicly. People will be worried that they might lose their jobs or be disciplined if they are blamed for the breach. Different parts of the business might require slightly different information, but the aim is to assure everyone that the incident is under control and business will continue.
You must inform the Information Commissioner’s Office in the relevant jurisdiction within 72 hours of the incident being discovered. Do this as soon as possible because you will get invaluable assistance, and the more transparent you are with them, the more smoothly any subsequent investigation will go.
The following days
The pace of events will calm down after the first 48 hours but there is still plenty to be done. Consider all the people who might need to be notified. Each jurisdiction has different notification requirements, so be sure to refer to the relevant rules when deciding who needs to be contacted, how quickly, and what they must be told.
Telephone or write to key suppliers, contractors, service providers, and other third parties. Notify any regulators that haven’t been notified already, for example those overseas, if applicable. As well as current customers, you might need to contact closed, declined and potential customers or data subjects, all of whom might have been affected by the breach. Similarly, though you should have briefed all your current employees by now, consider contacting former employees - they are data subjects too.
Finally, communicate with any other relevant authorities. Who these are will depend on your industry. In financial services, for example, you might need to file a suspicious activity report (SAR) as well as meet any other anti-money laundering or sanctions-related reporting obligations.
Throughout the following days you should be regularly sharing your incident response plan with your regulators. This should include actions taken, dates and outcomes regarding:
- client support and protection to help them understand their own risks;
- forensic investigation, containment and network remediation;
- engagement with regulators;
- internal and external communications strategy.
Mitigating the risk
You can’t predict when you might fall victim to a breach, but you can take steps to prepare the best response. Most important is to have your IT systems in shape. That means patch, patch, patch! Ensure your systems are up to date so that newly discovered exploits or flaws can’t be used against you.
Deploy effective security information and event management tools, backed by a monitoring and analysis team. Log everything in detail and ensure that the logs are backed up, preferably offsite. Most monitoring tools do not store logs going back very far and some attackers will delete the logs anyway to cover their tracks. Storage is cheap so back up everything you might need to review in the event of a breach.
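The log preservation point made above (retain all system logs once an incident is found, and keep backed-up copies somewhere an attacker who wipes the live logs cannot reach) is easier to defend in front of a regulator or a court if the preserved copy is tamper-evident. The following Python script is an added illustration, not code from the article or from Cayman National: it copies a log directory into an archive location, records a SHA-256 digest per file and a hash chain across the manifest, and later verifies the archive so that a deleted, truncated or altered file, or a manifest with an entry removed, is reported. The directory names and the log lines are constructed for the example.

```python
"""Tamper-evident preservation of system logs (added example, not the article's own)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample log lines; they do not come from any real system.
SAMPLE_LOGS = {
    "auth.log": (
        "Jan 10 09:14:02 host sshd[812]: Accepted publickey for alice from 10.0.0.5\n"
        "Jan 10 09:15:40 host sshd[813]: Failed password for root from 10.0.0.9\n"
    ),
    "app.log": "2021-01-10T09:16:00Z INFO request id=42 path=/login status=200\n",
}

# Fixed starting value for the hash chain; every manifest starts from it.
GENESIS = hashlib.sha256(b"log-preservation-v1").hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(source_dir: Path, archive_dir: Path) -> dict:
    """Copy every file under source_dir into archive_dir and write a manifest.

    Each entry's chain value commits to all earlier entries, so removing or
    reordering entries in the manifest changes the final chain hash.
    """
    archive_dir.mkdir(parents=True, exist_ok=True)
    entries, chain = [], GENESIS
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = archive_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for a timeline
        digest = sha256_of_file(dst)
        chain = hashlib.sha256(f"{chain}:{rel}:{digest}".encode()).hexdigest()
        entries.append({"path": rel, "size": dst.stat().st_size,
                        "sha256": digest, "chain": chain})
    manifest = {"entries": entries, "final_chain": chain}
    # In practice store the manifest (or at least final_chain) separately from
    # the archive, e.g. with the legal team, so both cannot be altered together.
    (archive_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_archive(archive_dir: Path, manifest: dict) -> list:
    """Return a list of findings; an empty list means the archive matches the manifest."""
    findings, chain = [], GENESIS
    for entry in manifest["entries"]:
        path = archive_dir / entry["path"]
        if not path.exists():
            findings.append(f"missing: {entry['path']}")
        elif sha256_of_file(path) != entry["sha256"]:
            findings.append(f"modified: {entry['path']}")
        # Recompute the chain from the recorded digests to check the manifest itself.
        chain = hashlib.sha256(f"{chain}:{entry['path']}:{entry['sha256']}".encode()).hexdigest()
        if chain != entry["chain"]:
            findings.append(f"manifest chain broken at: {entry['path']}")
    if chain != manifest["final_chain"]:
        findings.append("final chain hash mismatch")
    return findings


def demo() -> dict:
    """Preserve the constructed logs, then show what the verifier reports after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive = root / "var_log", root / "offsite_copy"
        src.mkdir()
        for name, text in SAMPLE_LOGS.items():
            (src / name).write_text(text)
        manifest = preserve_logs(src, archive)
        results = {"clean": verify_archive(archive, manifest)}
        # A manifest with its last entry dropped no longer reaches the final chain hash.
        cut = {"entries": manifest["entries"][:-1], "final_chain": manifest["final_chain"]}
        results["manifest_entry_removed"] = verify_archive(archive, cut)
        # Simulate an attacker truncating one archived log and deleting another.
        (archive / "auth.log").write_text("")
        (archive / "app.log").unlink()
        results["files_tampered"] = verify_archive(archive, manifest)
        return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'OK'}")
```

Run the preservation step as soon as the incident is escalated and again at each later snapshot, keeping the manifest with the legal or compliance team rather than beside the archive; the digests give the forensic team and the regulator a simple way to confirm that the logs they are shown are the ones captured on the day.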
Use multi-factor authentication everywhere, preferably push-based rather than time-synchronised one-time codes. Deploy a layered security infrastructure including firewalls, software protection, intrusion detection, endpoint protection, intrusion response systems, user- and application-specific access control and monitoring, and patch management tools from different manufacturers.
Assume that you need to see dynamic patterns rather than meet a checklist. Never have just one system to support a security function; have at least two, because systems can have different opinions. Deploy a zero-trust policy covering systems, security and suppliers, and test all scenarios.
Delete obsolete data now to reduce the scale of any future breach. Deleting obsolete data is also important for GDPR, so there are plenty of reasons to do it. Ensure that the data you keep is encrypted, which is often easier said than done, and dispersed as much as possible.
Even with all those measures, even if you do everything right, you can still suffer a breach. That’s why you should have expert legal, PR and security help available in advance. Build a relationship with them so that they know you and your organisation when you need them.
Don’t assume that it won’t happen to you. All it takes is one omission - and it might not even be yours. You can outsource a task but not the responsibility for the task, so if a third party causes a breach with your data, then it’s still your problem.
Takeaways
There’s a lot to be aware of, as we have seen, but remember the following:
- Observe IT best practice and always meet agreed security standards
- Be realistic - don’t assume that you won’t be breached. Plan for when you are
- Have a dedicated incident response plan ready but don’t try to anticipate every eventuality. You will be able to adapt the plan as you go
- Retain legal privilege and preserve evidence
- Communicate quickly, honestly, effectively, and collaboratively
- PR expertise is essential. Don’t overlook it
- Take action to protect data subjects if the worst happens
- Keep the right regulators informed AND
- Do not forget your staff, they are your most valuable long-term business assets.