Most financial institutions have come to terms with the fact that they will face a major cybersecurity breach at some point. A 2019 cybersecurity report from IBM and the Ponemon Institute indicates that a full 29% of organizations will experience a significant data breach in the next 24 months. For a while, there was hope that such events would be few and far between—like lightning rarely striking in the same place twice. However, Capital One’s most recent data breach marks the third major incident for the company in the past five years.
This certainly isn’t because they are more incident-prone than the average bank. They are simply an unlucky bellwether in an industry that provides a target-rich environment for hackers. As attacks become more sophisticated and the exposed surface area for organizations increases, the frequency and variety of successful breaches will continue to rise. Today, organizations are facing new threats along with constant changes in regulations, policies, controls, and more. Crisis response must evolve in turn.
Gaps Become Apparent When Planning Meets Reality
Mature organizations have plans in place at a high level that deal with Day One triage. Such plans may include a list of who to contact including outside counsel, FBI, forensic consultant, cyber insurance firm, etc. Large organizations typically also have pre-made holding statements and vendors in place to offer credit monitoring.
However, Anderson Lunsford, CEO of BreachRX, says even the largest organizations are grappling with unforeseen problems when they put data breach response plans into action. “When those organizations actually experience events, it becomes apparent that such high-level plans have not been enough. Traditional breach response preparation doesn’t account for the dynamic nature of the scenarios that organizations face and the detailed steps that include Day 2 through completion.”
What needs to change for organizations to face future threats with more certainty?
Incident Response Plans Should Be Living Documents
The threat landscape is constantly shifting in cybersecurity. Data theft or accidental exposure caused by employees is a recurring theme in the most widely publicized breaches. But it’s far from the only scenario financial institutions encounter. Today, ransomware is one of the most pressing emerging threats for banks. And it’s not just the nature of the attacks that keeps changing.
According to Lunsford, “Data breach response plans involve a variety of factors including regulations, controls, policies, and even contracts with outside vendors. A change in any of these areas impacts the appropriate steps to take for incident response. It’s no wonder most plans become outdated soon after they are written.”
Best practices can be mapped out at a high level, but when it comes down to the details there is no “one-size-fits-all” response. For example, different preparation is required for ransomware vs. compliance with the new California CCPA regulation. Similarly, the response required by the European Union’s General Data Protection Regulation (GDPR) is different than the response required by the New York Department of Financial Services (NYDFS) or the Securities Exchange Commission (SEC).
Each category of incident needs its own plan—and even different geographic regions come with their own consumer data privacy requirements. If there are multiple plans, each one must be kept up to date. This includes determining which incident response actions to take, who is assigned internally to handle each task, and how outside experts will be looped in and given access to appropriate information.
“When you are dealing with so many moving parts, it makes sense to create a modular plan structure rather than one single ‘master plan’ that can’t possibly cover every eventuality. With a dynamic plug-and-play approach, key components can be updated automatically for every sub-plan and the correct sequence of response tasks can be activated in the event of a specific type of breach. The more streamlined these processes are, the faster and more effective incident response will be.”
Cybersecurity Response Preparation Must Extend Beyond “Breach Day”
Most data breach plans focus on immediate crisis management. This is not surprising considering the increasing demand by legislators and consumers for a swift response. Organizations like Yahoo and Uber have faced harsh criticism along with plummeting stock prices for failure to disclose and address data breaches in a timely manner. No organization wants to find itself in that position. Yet breach response plans aren’t just about what happens in the first 24-48 hours. Ongoing disruption can take time away from other important tasks for weeks or months after an incident. A comprehensive response plan includes all the activities (such as compliance reporting) that are required to return the organization to normal business operation.
Lunsford points out a number of key benefits of end-to-end breach response planning, “After you’ve experienced an event and responded to it, you need to be able to look back at all the actions you took and what you can do to improve the next time. If your organization is regulated by the SEC or the New York Department of Financial Services, you also owe them a report on what you did and what you are going to do to improve. When you are working in silos, this is difficult. Incident response teams can spend hours of time looking through calendars, emails and notes. Or, they may be relying on fuzzy memories of who did what when.”
Fortunately, the same best practices and technology that support a rapid response also aid in handling this aftermath. Keeping all data breach response plans and information on a single platform allows stakeholders and incident response teams to collaborate, carry out their assigned tasks, and document the actions taken.
Data Breach Response Should Become a Routine Business Process
Data breaches are now a recurring and unavoidable problem. However, this cloud does have one silver lining. For organizations that are willing to accept the reality and prepare to weather the storm, a breach no longer has to be treated as a catastrophe. In Lunsford’s words “When you can approach this issue from the perspective of turning breach response into a routine business process, your organization becomes profoundly more resilient. At BreachRX, our goal is to operationalize breach response plans and help our clients take the crisis out of the equation.”