The Critical Role of A Cyber Incident Response Plan in Today’s Cyberthreat Environment


Your network has been hacked.  What do you do?  Who do you call?  Who is in charge?  These questions need to be answered quickly when your network is under siege by cybercriminals, but does your company know how to handle such a crisis on a weekend or during a holiday break, when many cyberattacks are deliberately timed to strike because corporate defenses are at their weakest?

No organization is immune from cyberattacks.  As the last few years have demonstrated, it is not a matter of if your company will experience a cyberattack, but when.  Indeed, in 2022, 47% of private businesses experienced some form of cyberattack and “76% of organizations were targeted by a ransomware attack.”[1]  According to a 2022 report by Check Point Research, cyberattacks increased worldwide by 38% compared to 2021, and the healthcare industry saw the biggest increase, at 74%.  Many businesses have even experienced multiple data breaches in a single year.  Even more frightening, cyber threat actors often remain undetected on corporate networks for weeks or months, exfiltrating confidential and proprietary data before they are detected or make their presence known by encrypting the victim’s data and demanding a ransom.  The cyberwarfare waged against Ukraine also highlights new threats, such as data-wiping malware, that could be directed against U.S. companies.

With those stark revelations, you might be surprised to learn that many businesses do not have a cyber incident response plan (CIRP).  More than a third of organizations do not have one, and that number is even higher among small to mid-sized companies: less than 50% of those companies have a CIRP, and 51% of small businesses have no cybersecurity practices in place.

Even when companies have a CIRP, employees are often unaware of the basics of the plan when an attack happens.  For instance, ask yourself: where is your CIRP?  If it is stored only electronically on your network, you could lose vital time trying to recover it after your network has been hacked or your organization has suffered a data breach.  Every member of your incident response team should have a hard copy, together with critical documents such as your cyber insurance policy and the mobile number of the legal counsel who will guide your company through the incident response process.  The first 24 hours after you discover a data breach are critical to (1) restoring your network security, (2) obtaining and preserving evidence for the cyber investigation, and (3) complying with your legal and contractual obligations.

As the threat of cyberattacks has increased, so too have the costs of data breaches.  According to IBM’s 2022 Cost of a Data Breach Report, the average total cost of a data breach is $4.35 million, the cost of a ransomware attack (not including the ransom itself) is $4.54 million, and the most common cause of a data breach is the use of stolen or compromised credentials.  Significantly, the costs of data breaches are highest in the healthcare and financial industries.  The average healthcare breach costs a whopping $10.10 million.

These numbers are staggering, but your organization can significantly reduce the impact of a data breach or cybersecurity incident, and reduce the threat of both criminal and civil liability, by implementing a CIRP and creating a culture of cyber resilience and preparedness.  Companies that have a CIRP save on average $2.66 million in responding to a data breach.  Companies that have a CIRP, provide comprehensive cybersecurity training, conduct table-top exercises of their CIRP, and deploy endpoint detection and response tooling greatly reduce the damages resulting from cyberattacks and from accidental or negligent cybersecurity incidents caused by corporate insiders or vendors.

Why Is A CIRP Critical Now?

Incorporating a CIRP into your cybersecurity practices has never been more important.  On March 2, 2023, the Biden Administration released the new National Cybersecurity Strategy, which clearly indicated that any business that operates in the broadly defined critical infrastructure sector will soon be required to report cyber incidents “within hours” of their discovery.  The Biden Administration is also calling for legislation to hold companies liable for failures to implement minimum cybersecurity standards.

If that is not enough reason to take action, 2023 has brought a flood of new regulations, and the DOJ has made clear that it considers cybersecurity and data security compliance a top priority.  In October 2021, the DOJ announced the Civil Cyber-Fraud Initiative and its intent to use the False Claims Act to hold organizations accountable for cybersecurity noncompliance, including failing to report data breaches.  Further, under the DOJ’s new corporate enforcement policies, the failure to implement a robust compliance program that includes strong cybersecurity training, reasonable security safeguards, and a CIRP could prove detrimental in negotiations with the DOJ if any contractual violations or misconduct are found.

Defense contractors are required to comply with the cybersecurity standards set forth in the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clause at Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 (“Section 7012”).  Section 7012 requires defense contractors to “rapidly report” cyber incidents to the U.S. Department of Defense within 72 hours of their discovery.  Further, to demonstrate adequate security, defense contractors are required to implement the cybersecurity controls set forth in the National Institute of Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171.  Section 3.6 of NIST SP 800-171 Rev. 2 (2021) requires organizations to establish an incident-handling capability for their systems that includes “preparation, detection, analysis, containment, recovery, and user response activities.”  See also NIST SP 800-171 §§ 3.6.2 & 3.6.3 (requiring documentation, internal and external reporting mechanisms, and testing of the CIRP).

Additionally, the U.S. Securities and Exchange Commission (SEC) has proposed new rules, scheduled to go into effect in April 2023, that would require public companies to report “material cybersecurity incidents” to the SEC within four business days of discovery.  By 2024, new rules being drafted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will go into effect, requiring any organization falling within critical infrastructure (defined broadly to include 16 sectors and virtually every industry in the United States) to report material cybersecurity events to the government within 72 hours and to report any ransomware payment within 24 hours.  Organizations subject to the EU privacy regulation, the General Data Protection Regulation, must notify the appropriate oversight body within 72 hours.

Similarly, companies that maintain or have access to individuals’ health information or personal information must also comply with federal and state privacy laws that require incident response policies and breach notification.  The Health Insurance Portability and Accountability Act (HIPAA) already requires HIPAA-covered entities and business associates, including healthcare providers, health insurance plans, and many of their vendors and partners that have access to protected health information, to have policies and procedures for data breach incident response.  See 45 C.F.R. § 164.308(a)(6)(i).  HIPAA further requires that individuals affected by any data breach involving unsecured electronic protected health information be notified within 60 days and, if the breach affects more than 500 people, that notice also be made to the media and the U.S. Department of Health and Human Services.  See 45 C.F.R. §§ 164.404, 164.406, & 164.408.  Breach notifications under state privacy laws may also be required, with state deadlines ranging from “without undue delay” to 30 to 60 days after the data breach was discovered.  In 2023, new comprehensive privacy laws go into effect in five states (California, Colorado, Connecticut, Virginia, and Utah).  In 2022, 16 other states proposed laws that are far more protective of individual privacy, and at the time of this writing three separate privacy bills have already been introduced in Massachusetts for 2023.  The tide therefore appears to be turning toward giving individuals more control over their data and broader private rights of action against companies for any perceived mishandling of their personal data.  Enforcement of privacy violations has become a priority for both federal and state agencies.

Contracts with business partners may also require notifications.  It is therefore important to know what type of data your organization possesses and maintains on its network and what laws apply to that data, and to be able to quickly assess the legal obligations triggered by a cybersecurity incident.
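One way an incident response team can turn the reporting windows described above into a working clock, as an added example that is not part of the article and not any regulator’s tool: the intervals are the ones the article cites (72 hours under DFARS Section 7012, 72 hours for covered incidents and 24 hours for ransom payments under the Cyber Incident Reporting for Critical Infrastructure Act, 72 hours under the GDPR, four business days under the SEC’s proposed rule, and 60 days under HIPAA with media and HHS notice above 500 individuals). Which regimes apply to a given incident, and what counts as “discovery” or “material,” is a legal determination the code does not make; the regime labels, the `Incident` fields, and the absence of a holiday calendar are assumptions of this example.

```python
"""Notification-deadline tracker for an incident response team.

Added example, not from the article or from any regulator.  It applies only
the intervals the article cites; whether a regime applies, and when the clock
starts, is for legal counsel to decide.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year, month, day, hour=0, minute=0):
    """Timezone-aware UTC timestamp helper (keeps the clock unambiguous)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Incident:
    discovered_at: datetime
    # Regime labels are this example's own: "DFARS", "CIRCIA" (the Cyber
    # Incident Reporting for Critical Infrastructure Act), "GDPR", "SEC", "HIPAA".
    regimes: set = field(default_factory=set)
    affected_individuals: int = 0             # drives HIPAA's 500-person threshold
    ransom_paid_at: Optional[datetime] = None  # CIRCIA's 24-hour clock runs from payment


def add_business_days(start, days):
    """Advance by whole business days, skipping Saturday and Sunday.

    Assumption: no holiday calendar.  The SEC proposal counts business days,
    so a real deployment should also skip federal holidays.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday..Friday
            remaining -= 1
    return current


def notification_deadlines(incident):
    """Map each applicable notification to its due time (intervals from the article)."""
    d = incident.discovered_at
    due = {}
    if "DFARS" in incident.regimes:
        due["DoD (DFARS 252.204-7012)"] = d + timedelta(hours=72)
    if "CIRCIA" in incident.regimes:
        due["CISA covered incident (CIRCIA)"] = d + timedelta(hours=72)
        if incident.ransom_paid_at is not None:
            due["CISA ransom payment (CIRCIA)"] = incident.ransom_paid_at + timedelta(hours=24)
    if "GDPR" in incident.regimes:
        due["EU oversight body (GDPR)"] = d + timedelta(hours=72)
    if "SEC" in incident.regimes:
        due["SEC (proposed rule, 4 business days)"] = add_business_days(d, 4)
    if "HIPAA" in incident.regimes:
        due["Affected individuals (HIPAA)"] = d + timedelta(days=60)
        if incident.affected_individuals > 500:
            due["Media and HHS (HIPAA, >500 individuals)"] = d + timedelta(days=60)
    return due


def triage_order(incident, now):
    """Deadlines soonest first, with hours remaining (negative means overdue)."""
    rows = []
    for label, deadline in notification_deadlines(incident).items():
        hours_left = round((deadline - now).total_seconds() / 3600, 1)
        rows.append((label, deadline, hours_left))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Constructed scenario: breach discovered late on a Friday afternoon.
    inc = Incident(discovered_at=utc(2023, 3, 3, 17), regimes={"DFARS", "SEC", "HIPAA"},
                   affected_individuals=1200)
    for label, deadline, hours_left in triage_order(inc, utc(2023, 3, 4, 9)):
        print(f"{hours_left:>8.1f} h  {deadline:%Y-%m-%d %H:%M} UTC  {label}")
```

The Friday-afternoon scenario is the point of the example: the 72-hour DoD clock expires on Monday evening regardless of the weekend, while the SEC’s four business days do not start counting until Monday, which is exactly the kind of difference a team should not be working out for the first time during an incident.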

What is a Cybersecurity Incident?

Cybersecurity incidents that trigger the use of a CIRP range from security violations affecting an organization’s network security that do not involve the compromise of data, to the exfiltration of terabytes of data and the encryption of an organization’s network.  While not all cybersecurity incidents involve a data breach (that is, the unauthorized acquisition of, or access to, unencrypted personal or confidential data), it can take days, weeks, months, and, in sophisticated state-actor supply chain attacks such as SolarWinds, even years to determine the full scope of a cyber incident.  Cyber actors typically delete user activity, network, and event logs, making forensic investigations more difficult.  That is why it is imperative to retain independent cybersecurity and forensic experts to conduct these investigations under the direction of legal counsel, so that the investigation is protected by the attorney-client privilege and remains confidential.  These experts are equipped to handle all phases of cyber incident response to stop data loss, secure evidence, and prevent further harm.  Because threat actors often establish multiple persistent backdoors into systems and networks, the eradication plan must include continuous monitoring for any signs of adversary re-entry or use of new access methods into the organization’s network.

Examples of cybersecurity incidents:

  • Incidental, accidental, or intentional data loss;
  • Lateral movement or credential access on an organization’s network;
  • Network intrusions involving one or more users or systems;
  • Compromised administration accounts;
  • Users clicking on phishing emails/attachments or smishing text messages resulting in a minor or major breach depending upon when detected;
  • Major data breach and exfiltration of data resulting from ransomware, malware, etc., typically using unpatched vulnerabilities or compromised credentials to gain access.

Components of an Incident Response Plan

A well-designed CIRP incorporates four key elements: (1) preparation; (2) detection and analysis; (3) containment, eradication, and recovery; and (4) post-incident activity/lessons learned.  See National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2 at 21 (2012).  Below is a brief overview of these foundational elements, general guidelines, and a checklist.

Preparation

Every organization should have a written CIRP, regularly updated and tested, that documents its policies and procedures for handling cyber incidents.  A CIRP should be developed with the needs of your organization in mind and should account for the following factors:

  • How large is your organization?
  • What is the nature of your business?
  • How many employees do you have?
  • Where are your employees and customers located?
  • What type of data does your organization collect and maintain?
  • Where is sensitive data stored on your network?
  • What are your network’s most significant vulnerabilities?
  • Where does an accurate picture of your organization’s infrastructure (systems, networks, cloud platforms, and contractor-hosted networks) reside?
  • What systems are in place to monitor and detect threats across your entire network (antivirus software, endpoint detection and response solutions, etc.)?
  • What are your organization’s most critical assets/systems and how are they backed up?
  • How does your organization protect its infrastructure (training, patching of critical vulnerabilities, review of cybersecurity alerts, etc.)?

Identify your Incident Response Team:  The CIRP should name a team of specific individuals with defined roles in the incident response.  Because a cybersecurity incident will affect the entire company, not just its computers and IT infrastructure, this team should include representatives from key areas of your business, including the executive, legal, risk management, information security or technology, and human resources teams.  Each individual or department should be aware of their immediate responsibilities following a cyber incident.  It is wise to select experts and incident response partners in advance of a cyberattack so as not to waste valuable time.  Even if you have internal legal counsel, you may want to call upon experienced breach response counsel.  Similarly, your organization will likely need the services of forensic and cybersecurity experts to investigate the scope of the incident, preserve evidence, and assist in securing your network and stopping data loss.  Any experts should be retained by your legal counsel (in-house or outside counsel) to maintain the confidentiality of the investigation and protect it under the attorney-client privilege.  Your organization’s cyber insurance carrier will likely need to be notified promptly after the discovery of a data breach or cybersecurity incident to ensure coverage.

Develop a communication strategy:  A critical and often overlooked piece of the CIRP is your internal and external communication plan for affected individuals and entities — employees, investors/shareholders, business partners, and customers.  Your organization may wish to engage a public relations team to help inform the various stakeholders about the status of the incident and how the organization is handling it.  Even if your customers’ information was not compromised, your business may not be able to meet its contractual or manufacturing production deadlines, or your email network may not be secure or operational.  Making prompt and timely disclosures may mitigate losses and reduce potential liability.  Conversely, a lack of transparency about a data breach could cause permanent and substantial reputational harm.  To demonstrate this point, compare the communications made by Reddit with those made by LastPass, a global password and identity management security company.  Within days of detecting that one of its employees had fallen victim to a phishing attack, Reddit’s Chief Technology Officer posted about the incident and suggested that users enable multifactor authentication on their accounts.  By contrast, after LastPass suffered a data breach in August 2022, it initially assured customers that their data was safe and that there was no need to take any action, but these disclosures were updated several times, and each time they became more alarming.  Indeed, in December 2022, LastPass revealed that the hackers did access customer data, and two class action lawsuits have since been brought by LastPass customers.  In addition to alleging that LastPass had “lax security,” the January 2023 complaint filed in the District of Massachusetts criticizes LastPass for its handling of the data breach and its failure to promptly and accurately notify customers of the true scope of the breach and the risks to them, which allegedly led one customer to lose $53,000 in bitcoin when the private keys to his bitcoin wallet were stolen from his LastPass customer vault.  See John Doe v. LastPass US LP, Case No. 23-cv-10004 (D. Mass. filed Jan. 3, 2023).  LastPass is still trying to recover from its public relations mistakes; on March 1, 2023, its CEO admitted in a blog post that LastPass had made disclosure mistakes and pledged that it would improve its communications going forward.

Detection and Analysis

Determining whether a cybersecurity incident has occurred and, if so, the type, extent, and magnitude of the compromise within an organization’s infrastructure and network is often the most challenging aspect of the incident response process.  In some instances, such as where the cyber actors encrypt data or send a ransom note, the organization has clear notice that the network was compromised; in many others, the signs are far less obvious.

Once an organization has determined there has been unauthorized access or a compromise to its network, it should conduct an investigation that answers these key questions:

  • What was the initial attack vector?
  • How is the adversary accessing the environment?
  • Is the adversary exploiting vulnerabilities to achieve access or privilege?
  • How is the adversary maintaining command and control?
  • Does the threat actor have persistence on the network or device?
  • What is the method of persistence?
  • What accounts have been compromised and at what privilege level?
  • What method is being used for reconnaissance?
  • What files and data were accessed by the threat actor(s)?
  • Has data been exfiltrated and, if so, what kind and via what mechanism?

See the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Incident and Vulnerability Response Playbooks at 12 (Nov. 2021).  The failure to conduct a thorough investigation after a data breach or cyberattack may be considered an unfair and/or deceptive trade practice.
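Several of the questions above (which accounts were compromised and at what privilege level, how the adversary is accessing the environment, what the method of persistence is) are answered by walking authentication telemetry outward from the first known-compromised host. The following is an added example of that walk, not code from the article or from CISA’s playbook: the event format (JSON lines with the fields shown), the host and account names, and the “patient zero” workstation are all constructed for this example, and real EDR or SIEM exports will use different field names.

```python
"""Triage constructed logon telemetry outward from a known-compromised host.

Added example, not from the article or from CISA's playbook.  The event
format and every host/account name below are assumptions constructed for
illustration; map the field names onto your own SIEM or EDR export.
"""
import json

# Constructed sample telemetry.  WS-017 is the workstation of a user who
# opened a phishing attachment (patient zero); every other name is invented.
SAMPLE_EVENTS = """\
{"ts": "2023-03-04T02:11:05Z", "kind": "logon", "user": "jdoe", "src": "WS-017", "dst": "WS-017", "logon_type": "interactive", "admin": false}
{"ts": "2023-03-04T02:19:40Z", "kind": "logon", "user": "svc_backup", "src": "WS-017", "dst": "FS-01", "logon_type": "network", "admin": true}
{"ts": "2023-03-04T02:20:02Z", "kind": "persistence", "user": "svc_backup", "src": "FS-01", "dst": "FS-01", "detail": "scheduled task created"}
{"ts": "2023-03-04T02:31:17Z", "kind": "logon", "user": "svc_backup", "src": "FS-01", "dst": "DC-01", "logon_type": "network", "admin": true}
{"ts": "2023-03-04T08:02:00Z", "kind": "logon", "user": "asmith", "src": "WS-022", "dst": "WS-022", "logon_type": "interactive", "admin": false}
"""


def parse_events(text):
    """One JSON object per line, returned in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def triage(events, patient_zero):
    """Walk logons outward from patient_zero in time order.

    Defender's worst-case assumption: every account that authenticated *from*
    an already-compromised host is suspect, and every host such an account
    reached joins the compromised set.  Forensics later confirms or clears
    each account and host; this only scopes the investigation.
    """
    hosts = {patient_zero}
    accounts = {}        # user -> first_seen, admin, hosts reached, persistence notes
    lateral_moves = []   # (src, dst, user) for logons that cross hosts
    for e in events:
        if e["kind"] == "logon" and e["src"] in hosts:
            acct = accounts.setdefault(e["user"], {
                "first_seen": e["ts"], "admin": False, "hosts": set(), "persistence": []})
            acct["admin"] = acct["admin"] or e.get("admin", False)  # highest privilege seen
            acct["hosts"].add(e["dst"])
            hosts.add(e["dst"])
            if e["src"] != e["dst"]:
                lateral_moves.append((e["src"], e["dst"], e["user"]))
        elif e["kind"] == "persistence" and e["user"] in accounts:
            accounts[e["user"]]["persistence"].append(f'{e["detail"]} on {e["dst"]}')
    return {"accounts": accounts, "hosts": hosts, "lateral_moves": lateral_moves}


def summary(result):
    """Plain-language answers to the investigation questions, one line each."""
    lines = [f"Compromised hosts: {', '.join(sorted(result['hosts']))}"]
    for user, acct in result["accounts"].items():
        level = "admin" if acct["admin"] else "standard"
        lines.append(f"{user} ({level}) first seen {acct['first_seen']}, "
                     f"reached {', '.join(sorted(acct['hosts']))}")
        for note in acct["persistence"]:
            lines.append(f"  persistence: {note}")
    return lines


if __name__ == "__main__":
    for line in summary(triage(parse_events(SAMPLE_EVENTS), "WS-017")):
        print(line)
```

In the constructed data the walk stops at three hosts and two accounts: `asmith` on WS-022 is never touched because no suspect account reached that workstation, while `svc_backup` is flagged as an administrative account that moved from the phishing victim’s workstation to a file server and then a domain controller, leaving a scheduled task behind. Those are the facts a team needs for the containment step (which passwords to reset, which systems to isolate or rebuild) and for the legal analysis of what data was reachable.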

While the investigation is being conducted, the incident response team, working with legal counsel and the organization’s decision makers, should identify what legal and contractual notifications are required.  It is important to remember that applicable laws and regulations may require your organization to provide notice to governmental entities, affected individuals, and in some cases the media and credit reporting agencies.  Your contracts may also require notice to your business partners, government agencies, and vendors.

Containment, Eradication, and Recovery

During this phase, your organization works toward the return of normal operations by mitigating the vulnerabilities and other conditions that the threat actors exploited and by restoring systems.  Eradication involves remediating all infected IT environments, reimaging or rebuilding affected systems, replacing compromised files, installing patches, resetting passwords on compromised accounts, and monitoring for any signs of adversary response to the containment activities.

Post-Incident Evaluation of Lessons Learned

After any cyber incident involving data compromise or unauthorized access to an organization’s infrastructure, the incident should be evaluated and the lessons learned analyzed in order to harden the organization’s environment and prevent similar security incidents in the future.

Best Practices

No matter how strong your cybersecurity ecosystem, it is likely that your network will be breached given the ever-expanding threat landscape.  When a breach occurs, it is imperative to have a well-designed CIRP to guide your organization through a stressful situation with step-by-step instructions, rather than having your business go into panic mode.  A CIRP will increase your organization’s agility in responding to a cyber incident so that you can minimize losses, fix vulnerabilities, restore operations, and strengthen your security to prevent similar cyberattacks in the future.  As highlighted above, when a breach occurs, your business will need to quickly determine whether personal or sensitive data has been compromised and make legal and contractual notifications within the required time frames.  An organization’s failure to do this may result in substantial, and avoidable, liability and penalties.

What to Do:

  • Activate the Incident Response Team.
  • Have trained IT staff disconnect affected systems from the network.
  • Establish a “privileged” reporting and communication channel to determine the scope of the cyberattack/data breach and make crucial decisions to mitigate losses and liability.
  • Retain and use cybersecurity and forensic experts to secure the network, stop data loss, and conduct the investigation.
  • Notify your insurance provider.
  • Assess the scope of the data breach and whether any data was exfiltrated from the network.
  • Working with legal counsel, determine legal and contractual obligations and make the necessary notifications.

What Not to Do:

  • ❌ Ignore red flags of a cyber incident – TIME IS OF THE ESSENCE.
  • ❌ Shut down or turn off affected systems.  This could result in the deletion of critical evidence.
  • ❌ Fail to conduct an investigation using experienced cybersecurity personnel to identify the source of the cyberattack or data breach, fix all vulnerabilities, secure the network, and perform a complete analysis of the activities of the cyber actor(s).
  • ❌ Fail to take steps to mitigate losses and notify affected employees, persons, and customers that their data was compromised.
  • ❌ Continue using compromised passwords and the organization’s email system, letting hackers surveil communications.
  • ❌ Destroy any evidence related to the data breach.
  • ❌ Conceal a data breach from federal and state regulatory and enforcement agencies.

A thoughtful CIRP that is regularly updated and tested is an asset to any organization and will be invaluable in the event of a cybersecurity incident. Hinckley Allen lawyers are here to assist you in developing and testing your plan.


[1] See The 2022 Hiscox Cyber Readiness Report; Shweta Sharma, “New Cyberattack Tactics Rise Up As Ransomware Payouts Increase,” CSO Online, Feb. 28, 2023, available at www.csoonline.com/article/3689014/new-cyberattack-tactics-rise-up-as-ransomware-payouts-increase.html.