Most financial institutions have come to terms with the fact that they will face a major cybersecurity breach at some point. A 2019 Cost of a Data Breach Report from IBM and the Ponemon Institute indicates that a full 29% of organizations will experience a significant data breach in the next 24 months. For a while, there was hope that such events would be few and far between—like lightning rarely striking in the same place twice. However, Capital One’s most recent data breach marks the third major incident for the company in the past five years.
This certainly isn’t because they are more incident-prone than the average bank. They are simply an unlucky bellwether in an industry that provides a target-rich environment for hackers. As attacks become more sophisticated and the exposed surface area for organizations increases, the frequency and variety of successful breaches will continue to rise. Today, organizations are facing new threats along with constant changes in regulations, policies, controls, and more. Crisis response must evolve in turn.
Gaps Become Apparent When Planning Meets Reality
Mature organizations have high-level plans in place that deal with Day One triage. Such plans may include a list of whom to contact, including outside counsel, the FBI, a forensic consultant, the cyber insurance firm, etc. Large organizations typically also have pre-made holding statements and vendors in place to offer credit monitoring.
However, even the largest organizations are grappling with unforeseen problems when they put data breach response plans into action. When those organizations actually experience events, it becomes apparent that such high-level plans don’t account for the dynamic nature of the scenarios organizations face, nor for the detailed steps required from Day Two through completion.
What needs to change for organizations to face future threats with more certainty?
Incident Response Plans Should Be Living Documents
The threat landscape is constantly shifting in cybersecurity. Data theft or accidental exposure caused by employees is a recurring theme in the most widely publicized breaches. But it’s far from the only scenario financial institutions encounter. Today, ransomware is one of the most pressing emerging threats for banks. And it’s not just the nature of the attacks that keeps changing.
Data breach response plans involve a variety of factors including regulations, controls, policies, and even contracts with outside vendors. A change in any of these areas impacts the appropriate steps to take for incident response. Thus, most plans become outdated soon after they are written.
Best practices can be mapped out at a high level, but when it comes down to the details there is no “one-size-fits-all” response. For example, preparing for ransomware requires different steps than preparing for compliance with the new California Consumer Privacy Act (CCPA). Similarly, the response required by the European Union’s General Data Protection Regulation (GDPR) is different from the response required by the New York Department of Financial Services (NYDFS) or the Securities and Exchange Commission (SEC).
Each category of incident needs its own plan—and even different geographic regions come with their own consumer data privacy requirements. If there are multiple plans, each one must be kept up to date. This includes determining which incident response actions to take, who is assigned internally to handle each task, and how outside experts will be looped in and given access to appropriate information.
When dealing with so many moving parts, it makes sense to create a modular plan structure rather than one single ‘master plan’ that cannot possibly cover every eventuality. With a dynamic plug-and-play approach, key components can be updated automatically for every sub-plan and the correct sequence of response tasks can be activated in the event of a specific type of breach. More streamlined processes will result in faster and more effective incident response.
Cybersecurity Response Preparation Must Extend Beyond “Breach Day”
Most data breach plans focus on immediate crisis management. This is not surprising considering the increasing demand by legislators and consumers for a swift response. Organizations like Yahoo and Uber have faced harsh criticism along with plummeting stock prices for failure to disclose and address data breaches in a timely manner. No organization wants to find itself in that position. Yet breach response plans aren’t just about what happens in the first 24-48 hours. Ongoing disruption can take time away from other important tasks for weeks or months after an incident. A comprehensive response plan includes all the activities (such as compliance reporting) that are required to return the organization to normal business operation.
After experiencing a breach and responding to it, companies need to be able to look back at all the actions they took and determine how to improve for the next time. If an organization is regulated by the SEC or the New York Department of Financial Services, it also must report on the actions taken and identify what the company is doing to improve before the next event. If a company is working in silos, reporting can be difficult. Incident response teams can spend hours looking through calendars, emails, notes, or fuzzy memories to determine what actions were taken in the response effort.
Fortunately, the same best practices and technology that support a rapid response also aid in handling this aftermath. Keeping all data breach response plans and information on a single platform allows stakeholders and incident response teams to collaborate, carry out their assigned tasks, and document the actions taken.
Data Breach Response Should Become a Routine Business Process
Data breaches are now a recurring and unavoidable problem. However, this cloud does have one silver lining. For organizations that are willing to accept the reality and prepare to weather the storm, a breach no longer has to be treated as a catastrophe. If companies can approach this issue from the perspective of turning breach response into a routine business process, the organization becomes profoundly more resilient. BreachRx allows companies to operationalize breach response plans and transform the crisis into a routine business process.