Five Components for a Cybersecurity Response Plan for the Inevitable Breach
Cybersecurity breaches are becoming so common that it’s no longer a matter of IF a breach will occur but rather WHEN. And because breaches can cause any number of business challenges, from financial and reputational damage to a loss in shareholder value, it is critical that you prepare for a cyber incident with the same discipline and rigor as you would an operational one. Here are five critical components to a successful cybersecurity response plan:
Involve the board of directors and a variety of departments. Make cybersecurity planning part of the board's ongoing risk management review process. As we discussed last week, responsibility for cybersecurity is increasingly falling on the shoulders of the board of directors. Directors should therefore make sure that the firm's cybersecurity plan is consistent with the board's appetite for risk, and should monitor the resulting policies to confirm they are actually being followed, not just that they exist on paper.
The plan should also be created in conjunction with a variety of internal departments, including legal, IT, marketing, and investor relations, and, if necessary, external cybersecurity and reputation specialists. It should be updated regularly to account for the changing nature of attacks, including those aimed at large customer data stores and at corporate social media accounts such as Twitter.
“Even if a company experiences a highly publicized security incident, an effective response during the crisis may reduce reputation damage,” says Henry Ristuccia, a partner and risk leader at Deloitte & Touche. “Every decision during a major crisis can affect shareholder value.”
Know your stakeholders. Determine which stakeholders need to know and when, and prioritize them in the order they will be informed. Stakeholders might include customers, investors, regulators, vendors, and employees. Know in advance the best way to reach each group and decide how that communication will take place, e.g. press release, mass text messages, private phone calls, video conferencing, or letters, and who is authorized to speak for the company on each channel.
“A voice message should be developed for all potential victims, employees, customers, partners, and the media,” said Gina Savoie, of Proactive Risk Management, a provider of enterprise risk management and security services. “The statement must be open and sincere. Apologize, admit and accept responsibility for what happened.”
Run drills. Company-wide drills on how to react to a cybersecurity crisis should be run on a regular basis. During an attack, the company's own communication systems may be unavailable, either because the attacker took them down or because IT has isolated them to contain the intrusion. During the 2014 attack on Sony Pictures Entertainment, the company lost access to phones and email. Plan for out-of-band channels that do not depend on the corporate network (for example, personal mobile numbers and a contact list kept offline) and rehearse using them. Practicing that kind of crisis ahead of time will help your organization react with grace under pressure.
“An organization should ensure that it has an incident response plan, a crisis management plan, full media training for any spokespeople, and that a war games exercise is performed to test resilience,” said Jane Frankland, managing director of KnewStart, a consultant to the cybersecurity industry.
Disclose quickly but carefully. Companies should be sure of their facts before disclosing any information. If they are not, they will be left with the embarrassing task of correcting their own statements. Target originally said 40 million payment card accounts were affected, then added that the contact details of up to 70 million customers had also been taken, for a combined figure of up to 110 million. Home Depot had a similar problem: it first disclosed that 56 million payment cards were affected and later added 53 million email addresses, for a total of 109 million records. Where regulators or contracts impose notification deadlines, disclose what has been confirmed by the investigation and state plainly what is still being determined, rather than guessing at a total figure.
“The biggest mistake companies make is to say too much, too soon, too confidently,” according to Siobhan Gorman, a communications consultant. “In the days immediately following a breach, no company can fully know the scope of the incident. Providing too much detail early on is the first step down a road of repeated, and uncomfortable, corrections of your own story, which keeps the issue in the news while eroding your company’s credibility.”
Learn from experience. Learn from both the drills and an actual attack. What worked and what didn’t work? What factors were most important to stakeholders? What did stakeholders say about the company’s disclosure performance?
“The best thing a company can do is to immediately begin preparing for the next incident,” Gorman said. “Assess strengths and weakness and incorporate them into your response plan in the future.”
Next week I'll look at what information to disclose related to a cybersecurity attack and how to disclose it.