In 2004, the Department of Homeland Security and the National Cyber Security Alliance declared October as National Cybersecurity Awareness Month. During the month of October, the public and private sectors come together to raise awareness about the importance of cybersecurity. Cyber risk has evolved and increased significantly in the last 20 years. The threat environment has become more pervasive, more sophisticated, and more extreme. Most cybersecurity experts will tell you it is not a matter of “if” your organization will suffer a cyberattack, but rather “when,” and how many.

Network security controls are, of course, a crucial part of protecting against the financial loss and reputational harm associated with a cyberattack. However, security controls are only one part of what should be a much larger Cyber Risk Management Strategy. Your organization’s level of preparedness for attack and its ability to respond quickly and efficiently will have a direct impact on the extent of financial loss and reputational harm your organization suffers. With that in mind, below are our top ten tips for cyber crisis management:

  1. Conduct Holistic, Inter-departmental Tabletop Exercises Regularly: Conduct holistic tabletop exercises at least two times per calendar year. Create multiple different “playbooks” based on the threat environment at the time (ransomware, privacy breach, social engineering fraud, invoice manipulation fraud, etc.).
  2. Remain Calm: It may seem obvious, but remaining calm in the face of the crisis is key. Your response in those initial hours of an attack will set the stage for the entire response. Think strategically; avoid being reactive. Conducting holistic, interdepartmental tabletop exercises on a regular basis will help you achieve this goal. The more prepared you are, the less reactive you will be.
  3. Establish Out-of-Band (OOB) Communication in Advance: OOB Communication is a method of communication that occurs outside your organization’s primary network when your network is unavailable or compromised. This will enable your incident response team and other members of your organization to communicate securely during the event.
  4. Consider use of a Crisis Code Word: Consider establishing a “crisis code word” within the organization or within the incident/crisis response team. Cybercriminals are known for exploiting the chaos that exists during a crisis. Generative AI is enhancing the effectiveness of deepfake audio and video scams. Having a “crisis code word” (one that is not somewhere within your system!) can help prevent ending up with a crisis within a crisis.
  5. Prepare Crisis Communication Messaging Templates in Advance: Prepare messaging templates for both internal and external communications in advance. The primary purpose of any crisis communication is to inform on the 5Ws: “who, what, when, where, and why.” Keep your communications short, honest, direct and based solely on the facts as you know them. Do not speculate or make promises. Engage an independent legal or public relations firm to provide advice and guidance on all messaging. Having template wording will help you keep messaging top of mind and will save your team precious time during the incident.
  6. Appoint a “Deadline and Data Privacy” Czar: Inevitably, at the time of an attack, there will likely be many individuals within your organization working on various time-sensitive, deadline-based transactions, projects, assignments, etc. If your network is paralyzed by a system failure, malicious attack or by an attack on a dependent vendor, you will need someone to focus solely on identifying the immediately pressing deadlines and determining how to best manage them alongside the relevant internal and external stakeholders. Without a centralized and tight process around addressing deadlines, employees and/or executives may take matters into their own hands and begin communicating with internal personnel or clients, customers, and business partners via personal devices and personal emails. Depending on what information is being exchanged, this could be a breach of ethical and/or statutory data privacy obligations. This, in turn, could increase the organization’s privacy regulatory exposure as well as third-party liability exposure.
  7. Map and Manage your Contractual Obligations: Contractual obligation mapping is not for the faint of heart. The process of organizing and tracking the legal obligations that are outlined in various contracts the organization has with clients, vendors, business partners, and employees is an onerous task. However, having a central register of contractual obligations will be invaluable in the event of a cyber crisis.
  8. Proactively Prepare for Business Interruption Loss: Today, the average downtime for an organization after a ransomware attack is 24 days. However, the actual downtime can vary significantly depending on the organization and the type of attack. Some organizations may be incapacitated for much longer. To make matters worse, business interruption claims require significant supporting documentation and involve complex evaluations. It could take a year or more before payment is issued. Organizations should proactively set forth a plan to track losses and extra expenses as a part of their incident response plans.
  9. Incorporate Insurance: Incorporate insurance into your incident response plans and your tabletop exercises. This means your entire insurance portfolio, not simply your cyber insurance policy. A single cyber incident has the potential to trigger multiple different insurance products in addition to a cyber policy, such as Professional Liability (E&O), Management Liability/Director & Officer Liability (D&O), Employment Practice Liability (EPL), Commercial Crime, Property, Commercial General Liability (CGL), etc. Work closely with your insurance broker to gain a full understanding of exactly where your cyber coverage sits.
  10. To Pay or Not to Pay: Have the conversation about whether, and under what circumstances, your organization would pay a ransom. Have this conversation frequently with all relevant stakeholders and decision makers. This will never be an easy decision to make. However, the decision making will likely be less complicated and emotional if the key decision makers have round-tabled different scenarios in a non-crisis setting.