Such preparedness is fundamental, the white paper argued, given that “consequences can range from disruption to IT systems to loss of business, reputational hits, legal issues, regulatory investigations and financial costs and losses”.

1. Data breach readiness

The risk of cyber breaches is far higher than risks from fire, flood or other causes that can disrupt and damage a business, Mimecast and NRF wrote, yet many businesses do not have risk management strategies in place for responding to cyber breaches.

“Some organisations purchase cyber security insurance to cover the often substantial costs of a cyber breach. Prudent organisations also have a data breach response plan,” the pair said.

“The Australian Privacy Commissioner advises that having a plan is the only realistic means by which organisations can respond to cyber breaches in a way that is efficient in time and resources, saves costs and reduces the damage suffered by the organisation and others.”

2. Prevention, remediation and investigation

Cyber breaches tend to occur without warning and with speed, the pair wrote.

VIEW ALL

“Organisations need to respond quickly in order to contain, prevent, remediate and investigate a cyber breach. It’s not easy. External threat actors cover their tracks,” the white paper read.

“Cyber breaches arising from internal accidents may be unreported or covered up. Having a clear and rehearsed data breach response plan will [help streamline] the management process.”

3. Avoid hasty actions

“Cyber breach incidents can be complex and the nature and scope of an incident may be unclear for days or weeks. This often means that executives and other decision-makers are faced with a need to take action based on incomplete or inadequate information,” the white paper said.

For example, Mimecast and NRF wrote, if a CEO reports the incident to the market too soon, it may turn out that incident may not be as bad as first thought and the business may suffer unnecessarily.

4. Appointment of experts

Independent IT forensic experts can play a vital role, Mimecast and NRF advised, depending on the incident.

“The independence of the expert avoids any suspicion that the organisation’s usual IT staff or consultants are downplaying the incident. Independence is also useful when making announcements to customers, regulators and others,” the pair wrote.

“In addition, where the incident is sizeable or there is any risk of legal claims, it is useful for the IT experts to be appointed by your external lawyers so that the reports of the IT experts can be protected by legal professional privilege against potential claimants.” 

5. Managing communications

Many cyber incidents give rise to an enormous management and communication projects, considerably disrupting business as-usual processes, the pair posited.

“Proper management of an incident frequently entails preparing multiple tailored communications to internal and external stakeholders such as employees, customers, C-suite executives, the board, shareholders, stock exchanges, media and regulators,” the pair said.

“In managing these communications, significant input is generally required from internal communications and business staff as well as external crisis public relations specialists and external legal counsel.”

6. Regulatory requirements

Governments are responding to the increased threat of cyber security incidents by passing new laws, the white paper read.

“For each incident, it is necessary to quickly determine what types of information have been affected, and which countries’ laws might apply. An organisation may well have customers in multiple countries and may be subject to multiple sets of laws.”

A typical example of a legal obligation, Mimecast and NRF mused, is an incident that involves the unauthorised access of personal information.

“Such incidents can trigger legal obligations under privacy laws to assess the incident and to notify affected individuals and regulators. Organisations may be required to make those notifications in multiple countries which can create significant cost and complexity,” they wrote.

7. Time limits on serious breaches affecting personal information

Changes to Australia’s Privacy Act and the introduction of the GDPR mean that organisations are subject to time limits, which apply to mandatory notifications of serious cyber incidents that affect personal information.

“Under the Privacy Act, organisations must notify immediately, but have up to 30 days to assess whether the incident is notifiable. Under the GDPR, notification of serious data breaches must be given within 72 hours. In order to meet those deadlines, a thorough investigation of each incident must be commenced as soon as the incident is detected,” Mimecast and NRF said.

“Particular industries are also subject to additional notification obligations. For example, Australian financial services organisations such as banks and insurers must notify APRA within 10 business days of serious information security incidents even if no personal information was involved.”

8. Review and learning from incidents

“It is said that we learn from our mistakes and this is especially true of cyber security incidents. A thorough investigation should determine the root cause of the incident and remedy it,” the pair wrote.

“However, once the incident has been managed, organisations should review the effectiveness of the data breach response plan, their security arrangements, the capabilities and responsibilities of key staff and advisers and any practices, processes and procedures that may assist in reducing the risks of future incidents.”

In the end, Mimecast and NRF continued, preparing for and managing cyber breaches require a multi-pronged strategy.

“A well-constructed strategy will involve a mixture of elements such as IT specialists, legal advice, cyber insurance, staff training, plans and policies, vetting of technology vendors and service providers, direct and regular reporting to senior executives and the board, as well a commitment from the board to ensuring that the strategy is supported by appropriate resources,” they wrote.

“In today’s fast-moving cyber threat environment, your strategy will also involve regular reviews and updates to ensure that your organisation can cope with whatever tomorrow may bring. A strong cyber security strategy cannot guarantee complete freedom from cyber incidents, but it can significantly reduce the chance of an incident occurring and the costs and other consequences of incidents.”