Your Incident Response Plan Doesn’t Cut It

Burn your paper plan and integrate your response, and stop losing customers amid growing numbers of data breaches.

Burn Your Incident Response Plan

No company is immune or fully protected from data breaches. Many businesses have accepted this fact, with cyber resiliency an increasing focus for security, privacy, and legal teams. However, most businesses continue to focus on high-level incident response plans and outside counsel—together, hypothetically providing readiness for a business to be able to deal with breaches when they occur.

The reality, however, is that businesses are largely unprepared, as reflected in the fastest-growing practice at most consultancy and legal firms worldwide: incident response. Companies must change their mindset from “my security team takes care of incident response” and “my legal team has this covered” and recognize that they must integrate their approaches, or they will end up as yet another news article and case study in how not to respond to an incident or data breach.

Most financial institutions have come to terms with the fact that they will face a major cybersecurity breach at some point. The 2021 Cost of a Data Breach Report from the Ponemon Institute indicates that a wide swath of organizations across multiple industries will experience a data breach in the next 12 months. For many years, there was hope that security technologies would prevent attacks and these events would be few and far between—like lightning rarely striking in the same place twice. However, as the report outlines, the global average total cost of a data breach, excluding mega breaches, is now $4.24M, a 10% increase from 2020, with “hot” emerging security approaches like zero trust reducing but not eliminating incidents and breaches. Security will not be able to completely solve this problem.

Today, organizations also face constant change in the form of regulations like GDPR and CCPA, directives, breach notification laws, contracts, policies, and more pending. Unfortunately, this landscape isn’t settled like traditional compliance areas (think HIPAA and SOX) but is in a state of continuous flux. Between ubiquitous consumer and shareholder lawsuits, over 180 regulations and directives demanding rapid government notification in over 120 countries, and hundreds to thousands of contracts with discrete response terms on even faster timelines, this risk surface is expanding rapidly.

No, really, your teams don’t have this covered

Most business leaders think of incident response and they think of security: identify the threat, contain it, eradicate it from the environment, remediate the vulnerability, and move on. It’s a crisis process in most organizations. Unfortunately, that process accounts for only 30% of the cost of an incident; the rest of the process, the “other” 70% of the cost, is woefully ignored by most organizations.

The majority of costs from a data breach stem from most teams in a business treating incident response as a break-glass process, with impacts both immediate and long-term. Immediate consequences from data breaches are usually swift and can be terrible (e.g., loss of customer data); however, longer-term consequences can take years to become apparent. The typical consequences and challenges that companies face from incidents and data breaches include:

  • Operational disruption, such as teams spending time away from daily tasks while dealing with fallout
  • Legal costs ranging from outside counsel fees to fines and penalties and class action lawsuits
  • Other financial losses including the cost of breach investigation and restitution
  • Loss of trust in executives and board members who end up getting removed or outright fired
  • A sharp decline in stock price or business valuation/acquisition price
  • Customer churn from reputational and brand damage

Most mature organizations have high-level incident response plans in place. Such plans typically include a list of who to involve internally and external contacts like outside counsel, law enforcement, forensic consultants, and cyber insurance firms. Plans in large organizations typically point to or include prepared holding statements and retained relationships with vendors to offer credit monitoring when needed.

What these plans don’t typically have, however, is what each team actually needs to do during an incident. Security has its own procedures, legal has its own processes, and communications yet another approach. It quickly becomes apparent during every incident that high-level plans don’t account for the dynamic nature of the events organizations face or the detailed steps needed for successful completion.

Further, given the many different types of incidents and breaches, and the variety of regulatory and contractual obligations that depend on geography, industry, and size, a company would need reams of much deeper paper plans to deal in earnest with each scenario, each kept up to date regularly. If you look under the hood at this “long tail,” you’ll find a manual series of processes to address it: reams of spreadsheets and documents, inefficient group calls, and bodies increasingly thrown at the problem. Unfortunately, the typical people-led approach makes maintaining such plans unrealistic if not impossible.

Companies need a new approach, one that integrates team efforts, unifies disparate processes, and ultimately makes incident response routine.

Build an integrated incident response program

The fastest risk reduction step businesses can take when it comes to incident response is integrating their response workflows. And while it might not be prudent to actually burn your existing response plan, at least try ignoring that it exists. Establish a cross-functional team and start by talking about the “seams” (the interactions between teams) in existing processes. How are these communications done in a way that doesn’t put privilege at risk? Are teams using business systems like a chat client, ticketing system, or GRC tool for incident response? If so, a number of court cases over the past few years have created precedent that those communications are unlikely to be deemed privileged.

From there, look at processes. Run a tabletop exercise–a simple cross-functional one will suffice to start, like a stolen laptop with customer data on it. How does each team know what to do? Are the processes documented? To what degree are parts of your process wholly outsourced to third parties like consultants and outside counsel? And finally, how long do you have to start dealing with your regulatory and contractual obligations?

At this point, your teams will begin to recognize that automation is the only approach that can truly address the complexity of so many moving parts across teams. Rather than one single high-level plan, a dynamic range of plans is required to connect the obligations you face (what you need to do and when to do it) with the details of each incident, tailored to your business. With an automated approach like that offered by the BreachRx platform, these plans can be quickly created and customized, and can be updated automatically with every new regulation, contract change, or updated directive. The correct sequence of exact tasks can be generated for each specific type of incident and assigned automatically to the correct teams, along with “helper” tasks directing responders to find out more about the details of the incident itself, further enhancing the process.
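One way to realize the obligation-to-task mapping this paragraph describes, as an added example written for this post (not BreachRx’s code): a small rules engine that takes an incident record, evaluates which obligations apply, emits dated tasks for the owning team, and turns unknown trigger facts into “helper” tasks rather than silently skipping the obligation. Only the GDPR Art. 33 72-hour clock is a real requirement; the contract term, the 4-hour helper window, the team names and the sample incident are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    personal_data: Optional[bool]     # None until responders confirm it
    eu_data_subjects: Optional[bool]
    contracts: frozenset              # contracts covering the affected data

@dataclass(frozen=True)
class Obligation:
    name: str
    owner: str                        # team the task is assigned to
    deadline: timedelta               # clock starts at detection
    applies: Callable[[Incident], Optional[bool]]  # None = not yet known

def both(a, b):
    """Three-valued AND: known False wins, then unknown (None), then True."""
    return False if a is False or b is False else (None if a is None or b is None else True)

# GDPR Art. 33's 72-hour clock is a real requirement; the contract term and
# its 24-hour window are constructed placeholders for this example.
OBLIGATIONS = [
    Obligation("Notify supervisory authority (GDPR Art. 33)", "legal",
               timedelta(hours=72),
               lambda i: both(i.personal_data, i.eu_data_subjects)),
    Obligation("Customer notice under ExampleCorp MSA (constructed)", "legal",
               timedelta(hours=24),
               lambda i: "ExampleCorp MSA" in i.contracts),
]

def build_plan(incident):
    """Return (owner, task, due) tuples sorted by due time. An obligation whose
    trigger facts are unknown becomes a 4-hour (constructed) helper task for security."""
    tasks = []
    for ob in OBLIGATIONS:
        hit = ob.applies(incident)
        if hit is None:
            tasks.append(("security", f"Establish facts for: {ob.name}",
                          incident.detected_at + timedelta(hours=4)))
        elif hit:
            tasks.append((ob.owner, ob.name, incident.detected_at + ob.deadline))
    return sorted(tasks, key=lambda t: t[2])

def sample_incident():
    return Incident(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc),  # constructed
                    True, None, frozenset({"ExampleCorp MSA"}))
```

Running `build_plan(sample_incident())` yields the helper task for security first (EU exposure is still unknown, so the GDPR clock cannot yet be confirmed or dismissed) and the contractual notice for legal second, each with its due time.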

Achieving proactive readiness for privacy and cybersecurity incidents ultimately requires organizations to keep tabs on new regulations and changes to existing ones, introduce clear response plans that meet the requirements in those regulations, assign responsibility for each step in those plans, and continue to update these efforts as the regulatory environment evolves. The BreachRx platform helps accelerate, coordinate, and streamline this process. Proactive planning activities like these help organizations maintain readiness, reduce risk, return more rapidly to business as usual, and better maintain customer trust following any incident.

Companies in the news due to cyber incidents certainly aren’t there because they are more targeted or incident-prone than their average peer. They are simply an unlucky bellwether of the target-rich environment for attackers that is the Internet. As attacks continue to become more sophisticated and the exposed surface area of organizations increases, the frequency and variety of successful breaches will continue to rise. Given this threat environment and the variety and number of successful breaches large and small, organizations today are measured by their customers and the market on how they respond, and an integrated response is the only path to success.
