
Cybersecurity Breach Response – Global Investigations Review


31.1 Introduction

The Information Age has brought unprecedented advantages for business: global connectivity, decentralisation of computing, the power of big data collection, automation and artificial intelligence. No matter the business, there is invariably some level of integration with digital tools and online services; however, technological advantages and efficiencies also create a level of risk.

Cybersecurity risks can pose an existential threat to businesses. Understanding the risk that comes with digital transformation and taking a proactive approach is crucial. For lawyers and professionals navigating this space, understanding cyber risk is not just about decoding technical jargon: it requires an in-depth understanding of what that risk means to the business, and what can be done to try to mitigate it.

This chapter looks at the threat landscape, highlights key legal frameworks, obligations and responsibilities relevant to affected businesses, and provides some practical guidance about how to navigate the unique challenges of a cyber incident or data breach. Given the complexity, this chapter does not attempt to identify all relevant considerations, challenges, concepts or legal regimes in play, but instead emphasises some of the more major issues that practitioners will encounter as they navigate incident response.

31.1.1 Central themes

Cyber incidents give rise to a particularly challenging form of investigation. They are inherently multifactorial, adversarial (involving many stakeholders and adversaries whose interests do not align with the victim business), technical and complex, and are very often undertaken in a state of emergency. Uniquely, incidents often play out in public because of leaks by malicious actors or the victim’s inability to do business, or because the victim is required to notify regulators or markets of the attack or its consequences.

At the outset, it is useful to identify a number of themes that are central to cyber incident and breach response and will help to illustrate the overall picture. Each of these themes will affect how professional advisers should approach their role.

31.1.2 The hidden cost

Beyond the immediate business interruption and the obvious financial consequences from extended operational downtime or service outage, an attack will often result in a cascade of financial risks. Remediation and recovery costs are not insignificant even in comparison with the potentially huge regulatory fines that may arise in cases where, for example, a business is found to be culpable for its insufficient security. Follow-on litigation (whether from affected business partners in supply chain attacks, or from individual data subjects whose data has been compromised) adds to the potential risk exposure that victim businesses face. Businesses may be unaware of the intangible but very real cost of reputational damage incurred by even fully recovered victims of a cyberattack – with some data indicating that victim companies will routinely underperform in the medium and long terms when compared with the market trends. According to Cybersecurity Ventures’ 2022 ‘Official Cybercrime Report’, the global cost of cybercrime is predicted to hit US$8 trillion in 2023 and will grow to US$10.5 trillion by 2025. The risk is not limited to the business alone. In recent US Federal Trade Commission (FTC) enforcement cases, we have seen ‘consent orders’ made against businesses and their senior executives (C-suite) personally, meaning the consent order will follow these individuals for the duration of the order and will continue to impose obligations on individual executives even if they move to a different organisation.

31.1.3 Digital arms race

At the heart of this threat landscape is a perpetual arms race. On one side are sophisticated cyber criminals, looking for a way to breach security and gain a foothold within an organisation. On the other side are the businesses and cybersecurity professionals that (in an ideal world) are constantly updating and fortifying their digital defences with detection and prevention technologies. It is a dynamic game in which the success of one side forces the other to innovate. The attackers or ‘threat actors’ can have a range of motivations (from financial to corporate espionage), but their fundamental goal is to identify the weakest link. While security technologies become more advanced and novel, one attack vector stays fairly consistent: the human element. We return later in the chapter to questions of resilience, tactical hardening, preparedness and to the unique challenges posed by social engineering, manipulation and poor cybersecurity practices.

31.1.4 Increasing frequency

Attackers are not just becoming more sophisticated; they are also increasing their activity. Why? As businesses increasingly shift to digital platforms and as our world becomes ever more interconnected, the avenues for potential attacks multiply. More connectivity means more vulnerability. In 2023, the UK Department for Science, Technology and Innovation, in partnership with the UK Home Office, produced a Cyber Security Breaches Survey of UK businesses, charities and education institutions as part of the UK National Cyber Security Programme. According to the survey, 32 per cent of all businesses and 24 per cent of charities reported having experienced a cybersecurity breach or attack in the previous 12 months. These figures are considerably worse for medium-sized and large businesses, with 59 per cent of medium-sized businesses, and 69 per cent of large businesses reporting a cyber incident in this time frame.

31.1.5 Beyond data privacy concerns

Although data privacy laws and large fines under the UK General Data Protection Regulation (UK GDPR) have previously dominated headlines in the United Kingdom, they represent just one piece of the legal and regulatory picture. Various jurisdictions have their own particular rules and expectations, especially around a nation’s critical infrastructure providers, and digital and financial services. Each business must understand its unique legal obligations as part of assessing its overall risk profile. Regulators and lawmakers continue to develop frameworks and standards that set the baseline for what is expected, in an attempt to respond to the rapidly developing technological environment and the magnified risk that comes with the huge volumes of data now held by these companies. But on the ground, in the midst of an attack, the immediate focus is always on recovering operations and ensuring the survival of the business. In existentially threatening circumstances, there is little time to reflect on what the obligations might be. Accordingly, businesses must understand them in advance, along with associated risks such as litigation and regulatory investigations, to ensure a strong response to the incident. Recovering from an incident is not just containing the threat: it means having a plan and a strategy to put the organisation in the best position for any consequences that follow.

31.1.6 A borderless world

As businesses operate in a global network, cyber threats become cross-jurisdictional issues. An attack might originate in one country, affect servers in another and affect customers in a third. This international tapestry turns both preventing and responding to attacks into a complex challenge with many overlapping legal frameworks, jurisdictionally based obligations and interested regulators. Navigating this terrain involves a complex legal analysis and a wide view across all potentially affected geographies.

31.1.7 Publicity, communications and reputation management

Amid the urgency to resolve technical issues, businesses must also strike a delicate balance between transparency and discretion. Sharing too little information can erode public trust and fuel speculation (with its own regulatory consequence in some cases), while revealing too much might compromise current investigations, give attackers undue advantage and perhaps unnecessarily increase regulatory scrutiny. Given the rapidly evolving nature of cyber incidents, early information is often incomplete or inaccurate, which raises the risk of miscommunication and loss of stakeholder confidence. Timely, accurate and confident public response is a central element of incident management.

31.2 Legal obligations, standards and pre-incident readiness

Fundamentally, controls around security standards, pre-incident readiness and preparedness involve the anticipation of potential cybersecurity threats, and taking proactive measures to prevent or mitigate their effects. A multitude of different sources of practice guidance, compliance standards and legal obligations exist, which businesses must consider in formulating their security controls and response procedures. The extent to which these apply will depend on the jurisdiction in which the business operates, as well as the industry sector or nature of the business.

In the United Kingdom, there is no comprehensive cybersecurity law. A patchwork of legislation and guidance exists, which, taken together, underpins the minimum expected standard. Those sources (including, among others, the UK GDPR, the Data Protection Act 2018 and the Network and Information Security Regulations 2018 (the NIS Regulations)) may apply differently to different businesses, especially if the business operates in regulated sectors such as financial services, telecommunications or critical infrastructure services. Although these laws require that businesses take steps towards establishing appropriate, sufficient and effective cybersecurity, they generally afford a degree of operational latitude in terms of precisely how businesses go about security and achieving compliance. This approach makes sense given the need to future-proof the legislation in the middle of the ‘cyber arms-race’, but it also creates ambiguity for organisations that want to know whether they have done enough.

As mentioned above, although the GDPR and UK GDPR do not create cybersecurity-specific obligations, they do create obligations on data controllers to protect personal data and to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. Failure to maintain appropriate security can carry the potential for heavy fines. On the basis that, functionally, all businesses deal with some volume of personal data (whether customers or simply employees), these regulations will require businesses to maintain a particular standard of security. The standard itself is not precisely defined but must be appropriate to the risk posed to the rights and freedoms of natural persons. The regulations give some indication of factors relevant for consideration, such as ‘state of the art, the costs of implementation and the nature, scope, context and purposes of processing’, as well as other factors such as pseudonymisation of data, the sensitivity (or ‘special category’ status) of data, and the ability to ensure resilience and to restore availability of the systems. Guidance provided by data protection regulators further indicates what may be deemed ‘appropriate technical and organisational measures’ but this is ultimately a largely fact-dependent question that may only be analytically tested in the event of a regulatory inquiry or litigation. Similarly, the NIS Regulations (applying variously to relevant digital service providers and operators of essential services) require ‘appropriate and proportionate’ security standards to protect network and information systems. In large measure, therefore, businesses often look to other industry standards and frameworks to benchmark their own security posture against an objective external metric.

The United Kingdom’s National Cyber Security Centre (NCSC) publishes guidance with respect to complying with the NIS Regulations, and also administers the Cyber Essentials scheme. Internationally, several recognised standards and frameworks offer helpful guidelines on cybersecurity and readiness. These include ISO/IEC 27001 and the NIST Cybersecurity Framework, but there are many other such standards, frameworks and benchmarks. Although the various sources of guidance and law are helpful indicators, they are not prescriptive and therefore do not set out specific measures that must be taken to reach required standards. Accordingly, it is always the company’s responsibility to assess the specific circumstances, the nature of the data it holds, the systems it operates and the particular risks it faces, and then to adopt a programme of security designed to address that risk. In practice, this might mean identifying what is defensible if challenged by a regulator.

Across these various laws and standards, the importance of a multi-layered approach to security, combining various types of control in tandem (often referred to as the defence in depth approach), is widely accepted. This layered approach ensures that if one control fails, others are in place to catch or prevent the security breach.

The NIST Cybersecurity Framework 2.0 gives a helpful summary of the core objectives underpinning any cyber resilience programme, split into discrete ‘functions’ of which there are six: Govern, Identify, Protect, Detect, Respond and Recover. Each of these functions affects and informs the others, and in conjunction they comprise a holistic approach to resilience.

Security controls are often organised into categories so as to provide a structured approach to security design. In general, cybersecurity controls can be broadly categorised as follows:

  • Preventative controls: designed to prevent potential security incidents. Examples include firewalls, access controls, security training and awareness programmes, security patches and strong password policies.
  • Detective controls: helping to identify aberrant activity and react to security incidents. Examples include intrusion detection systems, end-point detection and response tools, log monitoring, security information and event management systems, and antivirus and anti-malware software that alerts users to malicious activity.
  • Corrective controls: put into action during or after a security incident to mitigate potential damage and restore system operations. Examples include backup and data restoration solutions, incident response plans (IRPs), and antivirus and anti-malware tools that can quarantine or remove malicious files.
  • Physical controls: to secure physical resources and environments in which information assets are stored and accessed. Examples include security guards, door locks, CCTV surveillance, restricted access, secure data centres and protected hardware storage areas.
  • Administrative controls (or procedural controls): these focus on procedures and policies concerning the management of the organisation and its people. Examples include security policies, device and technology use policies, technical security audits, hiring practices (such as background checks), security training programmes, crisis response table-top exercises, incident response procedures and comprehensive cyber incident insurance.
  • Technical controls (or logical controls): technology-based solutions used to protect systems and data. Examples include encryption, data anonymisation or pseudonymisation, multi-factor authentication, access control lists and network segmentation.
  • Recovery controls: used to help with restoring and validating system performance for operations after a security incident. Examples include air-gapped and offline backups, restoration and recovery tools, fault-tolerant systems and high-availability configurations.

31.3 Threat landscape

The term ‘cyber incident’ is generic and covers an extremely broad range of fact patterns, including simple unauthorised access to a network or an email sent to an incorrect recipient, all the way up to complex and tightly orchestrated ransomware attacks.

Among the various definitions of ‘cyber incident’, the concept of a ‘breach of security’ or ‘security incident’ appears repeatedly. This will resonate in the minds of data privacy practitioners given that breach of security is a necessary feature of a personal data breach, as defined under Article 4(12) of the GDPR and UK GDPR (see further, below, about the treatment of personal data breaches under the UK GDPR and other privacy frameworks); however, it is relevant to clarify at this stage that, although cyber incidents and personal data breaches often coincide, the two are not synonymous. While considerable overlap exists in practice, it is important to understand that not all cyber incidents are personal data breaches and not all personal data breaches are cyber incidents. A personal data breach is a special class of incident that meets a set of legal criteria, namely that a breach of security occurred that has led to some impact or consequence for personal data. The occurrence of a cyber incident or cyberattack does not inherently imply anything about the existence of a personal data breach, and in fact an important objective for the investigation that follows an incident will involve determining the answer to this question.

31.3.1 External threats

In the context of an attack, information about the perpetrator’s identity can be important for a number of reasons. This is known as attribution. Most importantly, understanding the adversary will provide intelligence about the likely objectives, incentives and known methods of the perpetrator, which will inform strategic decision-making. For the purposes of this chapter, we consider three broad categories of external threat actor: cybercriminals, state-sponsored attackers and hacktivists.

Cybercriminals primarily focus on financial gain, usually through extortion. Their strategies generally range from deploying ransomware to encrypting information technology (IT) systems and disrupting a business’s day-to-day operations, to stealing sensitive personal data from an organisation for onward sale (or at least threatening to do so). The more prolific cybercriminal groups have a recognisable modus operandi that commonly involves a combination of systems or data encryption and data exfiltration. This enables the threat actor to demand financial payment using a two-pronged threat leveraging: (1) the permanent loss of encrypted systems and data (which could itself pose existential threat to the business if recovery is not otherwise possible); and (2) publication of exfiltrated data (which could precipitate irrevocable reputational damage and heavy regulatory fines). Responding to incidents caused by cybercriminals requires a focus on understanding the nature and extent of the systems and data affected or exfiltrated, the ability of the business to recover its systems from backup, and the financial and regulatory implications of engaging in any ransom negotiation or payment.

State-sponsored attackers are backed (whether openly or covertly) by national governments and conduct cyber operations for geopolitical aims. Although they might pose as cybercriminals, seeking financial reward to disguise their identity, their objectives often include espionage, disruption of critical infrastructure or causing economic damage to their international adversaries. They are typically well-funded and can deploy highly sophisticated, long-term attacks, often remaining undetected for months, if not years. Depending on the facts, engaging with national defence or intelligence agencies in response to incidents that appear to be perpetrated by nation-state actors may be appropriate.

Hacktivists are motivated by ideology. Their primary aim is to further a particular political or social cause, rather than seek financial reward. Hacktivist methods might include defacing websites, launching denial-of-service attacks or revealing sensitive information to the public. When responding to hacktivist-led incidents, organisations must be conscious not only of the technical aspects of the incident but also of the underlying issues that the activists are seeking to highlight. The roles of public relations and stakeholder communications are vital in these cases.

31.3.2 Insider threats

Insider threats represent another category of cyber incident perpetrators and cover individuals within an organisation who have insider information concerning its security practices, data and computer systems. These can be employees, contractors or business partners. They pose unique challenges because of their authorised access to the organisation’s internal resources. There are generally two types of insider threats: innocent and malicious.

Innocent insiders are employees or partners who unintentionally cause harm, often because of a lack of awareness, training or a simple mistake; for example, they might fall for a phishing scam or accidentally leak personal data. The vast majority of personal data breaches that are reported to privacy regulators involve incidents of this kind.

Malicious insiders deliberately attempt to compromise an organisation’s security, whether for personal gain, revenge or some other motive. This might involve stealing proprietary information and valuable intellectual property, sabotaging systems or selling access to external threat actors. Responding to insider threats requires a different approach from that used for external threats. It is essential to strike a balance between ensuring security and maintaining trust within the organisation. Methods such as continuous monitoring, user behaviour analytics and regular training sessions can be effective. Moreover, incident response plans must incorporate strategies for legal, human resources and organisational ramifications when dealing with insiders.

31.4 Incident response

When a cyber incident occurs, time is of the essence and the situation can be chaotic. Success requires swift coordination, communication and action. The best responders have practised their response at regular intervals and already have a good understanding of who should do what, and why: there is little time for debate during a live incident. Although simple data breaches may require only a small-scale response effort, with minimal investigation or remediation, larger cyberattacks are likely to require a carefully managed and sophisticated response; however, it is not always easy to tell whether you are dealing with a small or large attack at the outset. The broad objectives of incident response will involve (1) threat containment, (2) investigation, (3) risk mitigation and (4) recovery and remediation. Each of these objectives must be pursued immediately and alongside one another, which requires management, vigilance and precise allocation of resources. We now provide an overview of the typical challenges in a cyber incident scenario and offer some guidance, from the moment of the attack onwards, for practitioners to build into their own response plan.

31.4.1 Operational command

Managing crisis response, especially in the case of a serious cyber incident or attack, requires a single, centralised command structure capable of making swift and informed decisions. A core incident response team should be rapidly put in place to serve as ‘operational command’, bringing clarity and structure to the decision-making process. In high-pressure scenarios, the singular authority and organisational direction from such an operational command is crucial to an efficient and effective response to the evolving situation. The constitution of this leadership team will ideally have been clearly defined in the company’s IRP, but even if they exist, predefined processes often need to be adapted to some incidents. The role of the centralised command unit is to aggregate the most reliable and up-to-date information flowing from all relevant sources (investigations, news media, internally from employees, etc.) and to facilitate robust decision-making in a timely manner at the highest level of the organisation. Building this team is about having the right people in the room to make these difficult decisions. Accordingly, operational command will commonly be composed of core business leadership; experts from the organisation’s information security, technology or operations teams; project management officers; human resource or employee liaison; communications or public relations officers; and other key roles as the circumstances may require. Alongside these in-house capabilities, operational command will also include in-house or external legal counsel (or both). Retaining and including expert cybersecurity lawyers who understand the challenges and risks is especially crucial in serious, complex and high-stakes circumstances.

The role of an expert legal adviser is sometimes unclear to those who may not have dealt with a cyber incident, often because of a misunderstanding around the nature of the challenge itself. As set out above, cyber incidents are not merely an IT or technical issue. To treat them as such is to expose the organisation to significant legal, regulatory and reputational risk. Any sophisticated response to an incident must be fully cognisant of the future consequences of each action in the wake of an attack, even as early as ‘day zero’ and before. In smaller incidents, with limited effects or operational downtime, it may be sufficient for in-house information security personnel to investigate and remediate, with lawyers (whether in-house or external counsel) providing minimal oversight and light-touch advice about legal obligations flowing from the incident; however, in many attacks (certainly those affecting organisations of appreciable scale), the legal team will be central to the crisis management and incident response team. External legal experts will need to slot seamlessly into the crisis response structure (which is ideally defined in the IRP) and perform multiple functions, ranging from strategic oversight, workflow coordination and leadership to risk mitigation and stakeholder liaison. Expert legal advisers will be able to collaborate with other expert teams, instructing and directing forensic investigation, negotiation, remediation and communication efforts – all of which involve highly sensitive information and difficult decision-making. The role of the expert legal adviser will need to adapt to meet the requirements of each case, but will routinely involve leading the investigation and response directly, and integrating with business leadership as one centralised decision-making unit. From this central position, legal advisers are able to anticipate and identify risk and to recommend mitigating action that is appropriate to the overall risk that the business faces.

However the team is ultimately constituted, there should be clear decision-making procedures and mechanisms for facilitating the inflow of information into operational command, and the outflow of instructions back to the various satellite teams driving specific areas of the IRP (developed further, below). It is likely to be necessary to establish a regular cadence of updates whereby operational command convenes, shares the latest intelligence and developments, makes decisions on action and instructs sub-teams accordingly.

31.4.2 Engagement of experts and legal privilege

In complex cases, victim companies are likely to need to rely on various external expert service providers. It will be the role of in-house or external legal counsel to instruct and lead these expert services providers, not least so that their work, communications and output are covered by legal privilege to the fullest extent possible. Investigations by regulators or third-party litigation are often likely consequences of cyber incidents. Tripartite arrangements are commonly used to structure the engagements between company, legal adviser and expert vendor, with lawyers instructing the expert vendor on behalf of their client and for the purpose of delivering legal advice or in anticipation of litigation. Experts of all kinds, including forensic investigators, IT recovery specialists, ransomware negotiators, public relations experts and communications or call-centre service providers may all be instructed in relation to complex cyber incident response matters. Managing these relationships and ensuring seamless communication, collaboration and integration with the incident response team is a task often led by expert legal counsel. Protocols should be established and circulated that set out guardrails for how all relevant parties (including the victim business, legal advisers and expert vendors) communicate with one another, so that legal privilege can be defensibly maintained and so that confidentiality and discretion is afforded to the most sensitive correspondence. Lawyers will draft a communications protocol with which third-party providers will be required to comply when communicating about the incident, conducting their investigation, storing evidence within their own systems and sharing information with the incident response team.

31.5 Forensic investigation, recovery and impacts analysis

Under the protection of legal privilege, specialist cyber incident forensic investigators are instructed by lawyers acting for the victim business and engaged to drive the technical, ‘boots on the ground’ investigation of the affected network and systems of the victim business. This workflow commences on ‘day zero’ as a matter of urgency and will be critical for subsequent objectives, ranging from containment and remediation, risk mapping, ransom negotiation and public communications. All actions are informed by the facts and evidence as discovered by the forensic investigation, and accordingly this phase of work is central to immediate response efforts. Working with in-house IT and information security teams, the forensic investigator’s primary role is to uncover the who, what, when, where and how of the incident, all while collaborating seamlessly with business continuity and recovery efforts, and feeding developments back to the operational command team for swift decision-making. This process is multifaceted and requires a meticulous approach, often with very limited time available. Although the forensic investigation will look different in each case, the following broad objectives are typically part of the investigator’s mandate:

  • Containment and business recovery: The priority will always be to contain any active threat and create a forensically clean environment, and to identify business functions that need recovering. Often this work will be split between recovery specialists and forensic investigators (because the core goals are slightly different and must run in parallel) but the providers may be the same organisation. Containment involves rapidly identifying compromised attack surfaces, systems, networks and endpoints, isolating them to prevent further damage, and removing the threat actor’s presence. The key here is to strike a balance between halting the attacker and preserving evidence for investigation. While the forensic process is progressing, there is also a pressing need to restore regular business operations. This might involve cleaning and restoring backups, rebuilding compromised systems or even migrating to new platforms. The aim is to ensure business continuity with minimal disruption, all while bolstering defences against future attacks.
  • Determining the root cause, vulnerability exploited or initial compromise: It is crucial to identify the attacker’s method of intrusion and how access was gained so as to remediate any weakness in the security perimeter, but also to start to trace the attacker’s activity through the corporate network and systems. A threat actor might use different methodologies to gain initial access to a network: phishing attacks, watering-hole attacks, ‘zero-day’ exploits, supply chain attacks, credential-stuffing or use of leaked passwords. By pinpointing the breach’s origin, organisations can not only patch the specific vulnerability but also refine their broader security protocols.
  • Mapping lateral movement and threat actor activity: Once the immediate threat is contained, the investigator traces the attacker’s path within the system. This involves identifying which systems were accessed, any administrator-level accounts that were compromised or access privileges that were escalated and any other malicious activities. Once initial network intrusion has been achieved, threat actors will typically attempt to maintain a foothold and persistence in the network, erase activity logging to cover their tracks and establish remote access with command and control servers. By mapping this movement, looking for indicators of compromise and suspicious beaconing, investigators can understand the full scope of the breach and identify other potential vulnerabilities.
  • Analysis of impacted systems and data: This involves a comprehensive review of all systems and data accessed by the threat actor. The goal is to determine the extent of the damage, any alterations or unauthorised access to data and any malware or ‘back doors’ left behind. In the case of ransomware, the investigator will be seeking to map out the extent of encrypted systems and data so that the business can understand what it might have lost, what could be recovered and, therefore, precisely how much harm has been inflicted.
  • Data staging and exfiltration: Threat actors often compile (or stage) the data they intend to steal in specific locations within a compromised network before extracting it, often hidden among regular network traffic. Identifying these staging areas and monitoring inbound and outbound traffic as well as data compression activity can provide insights into the scale and nature of the data exposed. Understanding precisely what data has been accessed and exfiltrated will be relevant to the nature of any regulatory obligations, as well as litigation, contractual or reputational risk analysis.
  • Information flow and reporting: Expert investigators will keep operational command up to date with all discoveries and developments, often through a regular cadence of updates supplemented by immediate circulation of critical findings. This information flow is crucial to the agile decision-making of operational command. The investigation will collaborate closely with expert legal advisers to maintain a ‘single source of truth’ or evidential record of the investigation. This centralised repository of information, typically drafted by lawyers and held under legal privilege, will document what has been determined and when, what is being investigated, and what decisions are being made. The forensic investigators may ultimately be required to produce a report of their findings, detailing the technical output of their investigation. This report may be useful in many ways, such as in regulatory engagement or future due diligence exercises as proof of a robust and complete response effort. Furthermore, the report may helpfully inform any programme of remediations and improvements by identifying shortfalls or lessons learned as a result of the incident.
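
The lateral-movement objective above mentions looking for suspicious beaconing. As an added illustration (not part of the original chapter), the following Python example shows one common way an investigator can surface beacon-like traffic: grouping outbound connections by host and destination and flagging pairs whose connection intervals are unusually regular. The log format, host names, addresses and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records in an assumed format:
# "<ISO timestamp> <source host> <destination ip:port>". All values are invented.
SAMPLE_LOG = """\
2024-03-01T09:00:02 ws-014 203.0.113.50:443
2024-03-01T09:01:10 ws-014 198.51.100.7:443
2024-03-01T09:01:45 ws-014 198.51.100.7:443
2024-03-01T09:05:01 ws-014 203.0.113.50:443
2024-03-01T09:07:30 ws-014 198.51.100.7:443
2024-03-01T09:10:03 ws-014 203.0.113.50:443
2024-03-01T09:15:02 ws-014 203.0.113.50:443
2024-03-01T09:20:00 ws-014 203.0.113.50:443
2024-03-01T09:22:05 ws-014 198.51.100.7:443
2024-03-01T09:23:00 ws-014 198.51.100.7:443
2024-03-01T09:25:03 ws-014 203.0.113.50:443
2024-03-01T09:30:02 ws-014 203.0.113.50:443
2024-03-01T09:35:01 ws-014 203.0.113.50:443
2024-03-01T09:41:12 ws-014 198.51.100.7:443
2024-03-01T09:58:40 ws-014 198.51.100.7:443
2024-03-01T10:00:00 ws-022 192.0.2.99:8443
2024-03-01T10:10:00 ws-022 192.0.2.99:8443
2024-03-01T10:20:00 ws-022 192.0.2.99:8443
this line is malformed and is skipped
"""


def parse_flows(log_text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed or truncated records
        stamp, src, dst = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # ignore records with an unparseable timestamp
        flows[(src, dst)].append(when)
    return flows


def beacon_candidates(log_text, min_events=6, max_cv=0.1):
    """Return host/destination pairs whose connection gaps are near-constant.

    Regularity is measured with the coefficient of variation (standard
    deviation of the gaps divided by their mean). min_events and max_cv are
    assumed starting values, to be tuned against the environment's baseline.
    """
    hits = []
    for (src, dst), times in parse_flows(log_text).items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections share one timestamp
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "mean_gap_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print(hit)
```

Legitimate software such as update checkers and monitoring agents also connects on a fixed schedule, so each hit is a lead to triage against known-good destinations rather than a finding in itself.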

31.6 Communications

Cyberattacks can badly affect a company’s reputation. Even if the company is a victim and bears no obvious fault, there are significant risks of adverse publicity or a loss of trust with customers, suppliers or other third parties. The threat actor’s goal is sometimes to cause irreparable reputational harm to a business or organisation; for example, when perpetrated by hacktivists. Communications must be carefully managed to tread a path between preservation of sensitive facts and details, and the openness expected by the public, the regulators and the markets. Serious cyberattacks rarely go unnoticed by the world at large. For online businesses, there may be very obvious service outages, but even businesses without a significant online presence are likely to need to deal with adverse public scrutiny and media enquiries. This attention is occasionally driven by threat actors hoping to increase the pressure on the victim to respond to a ransom demand.

Companies will often instruct public relations experts who know how to handle crises and can help reduce this damage. These experts will work alongside the organisation’s own communications team, expert cybersecurity lawyers and the incident response team to carefully curate information released by the business. Outward messaging is critically important for positioning the victim business appropriately and mitigating legal risk. Further, there are clear consequences for poor or misleading communication. These experts should be onboarded quickly because media attention focuses on the immediate aftermath of the attack, when business is likely to be reeling from the impact and the facts are still elusive.

Communication challenges are not limited to external messaging, and it is similarly important to take care of all information shared internally within the victim organisation, whether to employees, shareholders or board-level executives. Cyberattacks can be extremely disruptive, so to avoid wild and unhelpful speculation, as well as to treat employees with respect and transparency, sharing curated updates within the organisation may be appropriate. The potential audiences are markedly different, and so businesses must be careful to provide information that is tailored and appropriate for the recipients. Communications offer a strategic opportunity for victim businesses to control the narrative, demonstrate transparency, reassure customers and signal to regulators that they are appropriately managing the incident.

Given the immediacy of communication requirements following an incident, one of the first deliverables from communications professionals (working with legal advisers) will be a ‘comms pack’, covering pre-approved information, holding statements, FAQ responses and other communications tailored for different audiences. Having this comms pack available rapidly can serve to alleviate pressure on company spokespeople and avoid critical misstatements. It may also be important to set up a system whereby external enquiries can be addressed via a single channel, perhaps through a dedicated call centre or enquiries inbox. Inbound communications should be equally carefully monitored, as any potentially affected and aggrieved parties may often seek to obtain information through existing communication channels, which they may then seek to leverage to their own benefit. In particular, in the wake of a widely publicised data breach, organisations commonly receive ‘data subject access requests’ from individuals seeking to understand whether and how their personal data may have been affected in the incident. Response to these requests should be carefully managed, but it is equally important not to miss any such requests in the ensuing chaos of an attack, given that failure to respond within statutory time limits may precipitate further unwanted regulatory scrutiny or litigation.

31.7 Ransom negotiation

Ransomware attacks have surged in the past few years, emerging as one of the top cybersecurity threats. Given the economic incentives, new threat actor groups continue to emerge and escalate persistent attacks against infrastructure and business organisations. Accordingly, ransomware is a key risk for all organisations of a significant scale.

According to the UK government’s ‘Cyber Security Breaches Survey 2023’, 57 per cent of businesses have a stated rule or policy to not pay ransom; however, if a victim has no ability to restore operations from backups or otherwise recover its lost data, and especially when the alternative might mean a complete system overhaul, significant data loss or the public release of sensitive data stolen by the attacker, the company will be faced with a simple question: pay the ransom or lose the business. The question of whether or not to pay a ransom is fraught with uncertainty and legal risk. It must be carefully considered, with the benefit of expert advice, and deliberated only in extremely clandestine circles. In the United Kingdom, the United States and the European Union, paying a ransom is not illegal in principle, but businesses must carefully assess the application of anti-terrorist financing, anti-money laundering and sanctions rules.

Many victims will seek expert guidance from ransomware negotiation specialists. These experts have extensive experience in dealing with various threat actor groups. They will be acutely aware of their behavioural patterns, their propensity to make good on their promises if paid, and relationships or affiliations with various other threat actor groups or nation states. The expert negotiators will be aware of which threat actor groups may be subject to sanctions, and which pose a very real risk in circumstances where many ransomware threat actor groups have links with sanctioned entities, individuals or nations.

Upon detecting a ransomware attack, the victim commonly finds a ransom note left by the attackers that, typically, will have been propagated through all encrypted systems and devices. This note generally provides instructions about how to communicate with the threat actor and a demand for payment in return for a decryption key or in return for a promise from the threat actor group not to publish exfiltrated data. Ransom demands are often accelerated with a threat that the company will be ‘named and shamed’ by the threat actor on a public forum, which would increase pressure and accelerate any reputational damage to be suffered.

If the victim business decides to negotiate with the threat actor, negotiation experts will reach out to the threat actor group via the method of communication prescribed in the ransom note. This is commonly done through the dark web to access particular chat sites or message boards. The negotiator will typically engage the threat actor covertly, representing themselves as a low-level employee of the victim business, and may use other tactics to extract valuable intelligence from the threat actor, such as the method of entry or the data obtained. In general, the primary goals are to buy time for the investigation and recovery efforts, and to negotiate a lower ransom demand. Much of this negotiation depends on what the threat actor was able to achieve through encryption or exfiltration of data – neither of which may be clear in the initial negotiation.

The negotiator will communicate with the threat actor to obtain important information about what the threat actor wants and is willing to give in return. The negotiator will seek evidence from the threat actor group that they do actually have a functional decryptor that can reverse the encryption, and that the threat actor has exfiltrated the data, as it claims to have done. The negotiator is seeking ‘proof of life’, a process that often involves the threat actor providing a ‘file tree’ from which the business will select a number of sample files for review. Once the threat actor has appropriately demonstrated that it can decrypt the selected files, thus proving it has a functioning decryptor, the business will need to assess its options and consider the relative risks of paying the ransom.

Cryptocurrencies are the mode of payment preferred by ransomware attackers primarily because of the anonymity, the lack of third-party financial institutions involved (such as banks) and the ease with which funds can be dispersed and made untraceable. Payment may sometimes be made through intermediaries on behalf of the victim business. Once payment has been effected, decryption keys are released and can be circulated throughout the organisation for deployment on affected systems and devices.

31.8 Legal risk analysis and reporting obligations

The investigation into the incident aims to determine the various legal risks to the organisation, beyond the immediate risk of containing the incident and recovering from it. The factors that play into that analysis vary by incident and victim, and evolve hour by hour as the incident progresses. Aside from the type of attack (see above), the key factors that influence the risk analysis fall into three broad categories: (1) the nature of the victim business; (2) the jurisdictions affected, whether directly or indirectly; and (3) the systems, capabilities or data that the incident affected.

31.8.1 Nature of the business

Publicly traded companies, those that operate in regulated sectors or those that provide critical infrastructure or digital services will be subject to different (albeit often overlapping) legal and regulatory regimes. As described above, regulated financial service entities are subject to additional security and governance obligations that can relate to cybersecurity and may create additional legal obligations in the event of an incident. Likewise, the United Kingdom’s Product Security and Telecommunications Infrastructure Act 2022 (once fully implemented) will place cybersecurity and reporting requirements on manufacturers and distributors of internet-connected consumer products. Many jurisdictions have specific reporting requirements for the providers of critical infrastructure services. Understanding the full suite of industry-specific or sector-specific laws with which the victim business must comply will define the possible range of notifications and obligations that might conceivably arise in the case of a cyber incident or data breach.

31.8.2 Affected jurisdictions

Given the deeply interconnected digital world in which businesses operate and cyber incidents occur, incidents are very likely to implicate more than one legal jurisdiction. Determining all relevant geographies, whether by virtue of the physical location of systems or devices, or by location of affected individuals, will be important in mapping the laws that apply and the extent of legal risk. Expert legal advisers may need to provide specific local law advice in relevant jurisdictions. With multiple sets of applicable laws and regulations, this risk analysis can become very complex.

31.8.3 Specific impacts to systems or data

Depending on the discoveries in the forensic investigation, a deeper data-mining analysis may be required to fully understand the type of data that the threat actor may have illegally accessed, destroyed or obtained. The data-mining exercise is typically led by external legal experts and will involve use of a document review platform to ingest, process and filter large quantities of information to understand what was contained in any files or folders impacted in the attack. The data-mining exercise will be looking primarily to identify any personal data or commercially sensitive information. In the United States, for example, it may be necessary to consider whether affected systems or data included health information, which could trigger reporting obligations under the Health Insurance Portability and Accountability Act of 1996. In addition, it will be important to determine whether data belonging to third parties was affected as that may give rise to regulatory or contractual notification obligations.

31.8.4 Legal obligations

The largest and most impactful cyber incidents reported in the media almost always have some component involving adverse effects on personal data or personally identifiable information. Multiple laws aim to protect these types of data, including the GDPR in the European Union and the UK GDPR, and the California Consumer Privacy Act (and various other state and federal laws in the United States). These laws carry particular obligations with respect to notifications and disclosures required from affected companies in certain circumstances.

31.8.5 Data breach reporting under GDPR and UK GDPR

Considering whether a personal data breach has occurred is important in the event of a cyber incident or cyberattack because some element of security has almost certainly been compromised. Given the strict statutory timelines for reporting a personal data breach to relevant regulators and individuals, the investigation should focus on understanding the involvement of any personal data and the extent to which it may have been affected in the incident. This can often be laborious and difficult, particularly if systems have been affected by the attack, but privacy regulators will expect to see meaningful effort. As detailed above, a core pillar of the investigation, and the data mining exercise, focuses on mapping these effects to data for the primary purpose of understanding and discharging legal and regulatory obligations. The central questions for this element of the investigation are: what personal data has been affected, and how?

Under the UK GDPR and GDPR, a ‘personal data breach’ means a ‘breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. What constitutes a breach of security has been the subject of much academic debate, but for the purposes of this chapter, it is most relevant to consider the possible effects on personal data. According to the European Data Protection Board’s (EDPB) Guidelines 9/2022, breaches can be conceptualised under three broad categories: confidentiality breach, which involves an unauthorised or accidental disclosure of, or access to, personal data; integrity breach, which involves an unauthorised or accidental alteration of personal data; and availability breach, which involves an accidental or unauthorised loss of access to, or destruction of, personal data.

The test for a personal data breach is likely to be met in a cyber incident or cyberattack when the business holds personal data or personally identifiable data that the threat actor has accessed, manipulated in some manner, encrypted (and rendered inaccessible), exfiltrated or deleted.

The UK GDPR requires that, in the case of a personal data breach, the data controller must notify the data protection regulator ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’. Accordingly, the threshold for notification to the regulator is very low since it does not consider the relative severity of risk, and merely requires that there be a risk that is not unlikely. In the case of a cyber incident or cyberattack that affects personal data (especially given the involvement of a threat actor), data protection regulators are likely to consider there to be a risk. When there is a ‘high risk to the rights and freedoms of natural persons’, the data controller must also notify affected data subjects.

Once the threshold test for a personal data breach is met, the data controller must notify the regulator of the breach ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’. These provisions of the UK GDPR have often caused considerable pressure and panic within affected organisations, who perceive that they are immediately placed under incredible time pressures in the event of a cyber incident or breach. This pressure is commonly to blame for premature and hurried notifications, in circumstances in which the facts are unsubstantiated and subject to change. Notification of regulators without a proper grip of the facts can bring unwanted scrutiny, increase pressure on the business under attack and produce misstatements that lead to coordination and communication failures between the victim company and the regulator. The EDPB has stated that it considers a controller has become aware when that controller has a ‘reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised’. Since investigation, data mining and analysis can all take considerable time to progress and reach any defensible conclusion, the EDPB accepts that ‘it may take some time to establish if personal data have been compromised’. As such, controllers pursuing a reasonable and expeditious investigation are afforded some degree of latitude, but this will depend on the size of the breach and the type of data affected.

Victim businesses should carefully consider the progress of their investigation and the degree of factual understanding when calculating statutory deadlines and determining whether the statutory clock has started to tick. To avoid exposure to retrospective criticism from regulators for failure to notify when required, businesses should fully document the investigative findings and decisions, frequently revisiting the analysis to determine whether relevant statutory thresholds have been met on the facts now available.

31.8.6 Other notification obligations

Other non-European jurisdictions are likely to have their own data protection or information security law, which should be examined as the circumstances require. In the United States, a patchwork of state and federal laws may apply in certain circumstances, requiring a complex legal analysis. Commonly, US state attorneys general must be notified of a data breach that affects certain categories of data, the rules for which vary from state to state. The Securities and Exchange Commission now requires disclosure of information within four days of discovering a material cybersecurity incident in the new Form 8-K or Form 6-K. Regulated industries, such as financial services, pension funds, critical infrastructure and telecommunications, may also be subject to particular requirements under specific regulatory frameworks governing those industries. Given the complex picture across these jurisdictions and regulatory frameworks, businesses should fully map out the landscape of potentially relevant rules so that the particular requirements can be anticipated and monitored as the investigation develops.

Aside from regulatory notifications, businesses must assess any contractual responsibilities with vendors, service providers, partners or customers that require notification about the incident or attack. Recent examples of serious supply chain cyberattacks have shown how security failures in one organisation can lead to a cascade of effects downstream. Contractual obligations requiring prompt disclosure of information in the aftermath of an incident typically reflect the regulatory requirements on each of the parties. Affected businesses commonly hold data that is controlled or owned by other organisations and process that data on their behalf.

