‘Seek legal advice’: this has to be my top recommendation if you have suffered a cyber-incident that could be deemed material, that involves personally identifiable information, or if your business is classed as critical infrastructure.
Cybersecurity teams around the globe are on the front line of defending against cyberattacks and securing company assets. At the same time, they are also on the front line of dealing with regulators and avoiding fines. For example, in the UK, a security breach may need to be reported to the Information Commissioner’s Office (ICO), which offers several reporting routes depending on the type of incident:
- UK GDPR personal data breach (DPA 2018)
- Trust service provider breach (eIDAS)
- Communications services security breach (PECR)
- Digital service provider incident reporting (NIS)
If you’re a financial organization, you may also need to report the incident to the Financial Conduct Authority (FCA). For critical infrastructure and services there are other obligations; for example, operators of essential transport services need to report incidents to the Department of Transport. Then, of course, you will need to contact your cyber insurer and inform them of the incident, not forgetting the board, investors, bank, business partners, potentially your customers, and your family to let them know it’s likely to be a long day.
All the above mandatory disclosures are required within the first day or days of an incident being identified, while the incident is still under investigation and recovery is the business priority. The examples above are UK regulations, and the mandatory disclosure requirements in most countries are just as stringent. In some countries, it may even be required to disclose the incident publicly, such as filing a notification of a cyber incident with a stock exchange, which then publishes the details to inform investors.
If you have a cyber risk insurance policy, the services provided under the policy may include legal services and regulatory filings. This is a service that should be taken advantage of, as lawyers specialized in making these mandatory disclosures will understand what information is needed and the process to file the notification. Timely filing with the right information may help avoid regulatory penalties. If no insurance policy is in place, I recommend having a specialized cyber incident lawyer on speed dial.
This blog is the fifth of a series looking into cyber insurance and its relevance in this increasingly digital era – see also parts 1, 2, 3, 4 and 5. Learn more about how organizations can improve their insurability in our latest whitepaper, Prevent. Protect. Insure.
Understanding regulatory obligations should be a vital part of cyber incident planning, which in itself rolls up under a wider cyber resilience plan. A recommended, and in my opinion mandatory, task is a cyber incident tabletop exercise. This helps identify who needs to be involved and refines the process of dealing with an incident should it happen.
Such preparation should be extensive and not just treated as a cybersecurity framework task. The output of the exercise and its postmortem are essential in preparing for a cyber-incident. Unlike other cybersecurity professionals, I do not believe that an incident is not an ‘if’ but a ‘when’. With good posture, processes, the right solutions and the right team, it can still remain an ‘if’.
Another reporting point should be law enforcement. While this is not mandatory, it may assist in ways that are not obvious. Law enforcement may have access to information on the cybercrime group and have experience that can assist in recovery: they may even know if a decryptor is available without paying the demand. (If a cybersecurity vendor or other party has a decryptor, they often keep the knowledge quiet to avoid the cybercriminals changing their tactics.) Reporting incidents also informs law enforcement of the scope and volume of the incident, and allows the right level of resources to be assigned.
Be aware that the adversary may understand the reporting requirements too. At the end of 2023, a ransomware group reported to the US SEC a publicly listed company that had refused to pay an extortion demand and had failed to make a mandatory disclosure of the breach. This weaponization of a mandatory disclosure is yet another pressure point inflicted by the bad actor to get a company to pay the demand.
To conclude, disclosing any cyber incident is in the best interest of the organization impacted, whether that’s by avoiding fines and penalties, or by getting additional support through the notified legal and regulatory bodies. Cyber-insurers are extremely valuable in this case, not just financially, but also through other means such as making sure the right people are notified to ensure compliance and reduce overall damage.
What is needed for a successful cyber insurance model in the dynamic risk environment?
Hear Peter Warren discuss insights from Prof. Leslie Wilcox, Professor at London School of Economics; Lord Francis Maude, former Minister of State for Trade and Investment; Prof Keith Martin, Director of the EPSRC Centre for Doctoral Training in Cyber Security for the Everyday; Prof. Neil Barrett, former advisor of cybercrime to then Home Labour Secretary, Jack Straw; Martin Borrett, IBM Security’s UK Technical Director; David Chavez, Cyber Insurance Product Manager and Tushar Nandwana, Risk Control Technology Segment Manager at Intact Insurance Specialty Solutions, and Dr Constance Dierickx, Founder and President of CD Consulting Group.
Learn how cyber risk cover, combined with advanced cybersecurity solutions, can improve your chance of survival if, or when, a cyberattack occurs. Download our free whitepaper: Prevent. Protect. Insure.