A company’s first response to a cyber attack, hopefully fine-tuned in advance, is critical to its reputation – but as the dust settles, legal considerations and incident reviews loom large

Cyber fraud

What to do when the worst happens is a vital part of any risk management plan. Despite the best efforts of risk managers, the likelihood of an attack is ever-increasing, so it is important for businesses to be ready when one does happen. “The important aspect of this is that you have to be prepared for attack,” says Fifth Step chief executive Darren Wray. “Most organisations will suffer a data loss, a data breach or a hacking incident. Therefore you need to have an incident response plan.”

Experts say that a firm’s immediate response to a cyber attack is what will minimise the damage to both brand and reputation. Airmic board member Tracey Skinner agrees: “I think this is probably one of the most important points in the whole issue in terms of what happens next. This is where there will be clear differences between organisations who have placed cyber risk high up on the agenda. They have gone through exercises and have a full, detailed contingency plan in place which has all the operational pieces – IT, HR, communications, C-suites – clicked in together with a plan. The organisations that have not placed cyber high on the risk agenda are those who may attempt to deal with a breach as a traditional risk. From those companies, you may not see so much connectivity to other parts of the group and there could be delays in communication which will impact the company as a result.”

Immediate action

“You’ve got to have a good incident response plan,” says Wray. “You’ve got to be able to shut down that access as quickly as possible. You’ve got to be able to have a good communication plan in place to keep stakeholders informed. They may be internal stakeholders. They may be shareholders or individual investors. They may be clients and customers that you need to identify and inform. You’ve got to have a good communication plan in there so that the right information is released. Preparing an incident report plan right now, before you know you need to use it, is absolutely imperative for all organisations because you never know when one of these attacks is going to strike.”

As well as saying the right thing when a breach occurs, it is important to know when to address an issue publicly. DAC Beachcroft partner Hans Allnutt says: “There is an argument to say if you have these incidents, you don’t need to tell anyone about it. That is changing. People are voluntarily notifying now, which they didn’t before. No longer can you stick your head in the sand. As a legal obligation, we’re having to tell regulators and affected people of serious breaches.”

It isn’t simply about financial penalties, which may be covered by insurance. Future insurance cover could also be affected by changes in the law on data that firms hold without a lawful need for it. Allnutt says: “A big thing that firms miss in terms of the legal aspects of cyber risk is businesses think it’s all about security and getting fines, penalties and being sued when you lose data. Absolutely, that is a key aspect of it – but actually, the liabilities and the questions in the years to come will be about what the company was doing with the data and whether they were holding it lawfully.

“Security breaches are now often highlighting these questions which need to be answered. People are purely focusing on securing data and not losing it, but the question now is once you’ve secured it or take the steps to secure it, at the same time you’ve got to be making sure you are holding the data lawfully.”

Swiss Re Corporate Solutions claims expert Catherine Lyle says businesses can never take their eye off the ball. “Criminals are forever changing and they’re forever evolving. They’re staying one step ahead. You also have to keep in mind that a response plan is just that, a response plan. It is meant to respond to an event. It is created with the expectation of its use. So it is not a prevention plan or a wall. Following a cyber event or each quarter moving forward, risk managers should review the incidents that they’re seeing and make changes where changes should occur with the input of each of the stakeholders. As these criminal hackers evolve, so should a company’s response plan.”