The consequences of cybersecurity incidents are not limited to an organization’s financial standing. In the past decade, we have witnessed viral social media posts that tarnish corporate reputation, cyber attacks that stall operations for months at a time, and relationships with shareholders, creditors and third parties that spiral uncontrollably with irreversible effects. Executing a plan that was approved by the appropriate stakeholders, including the general counsel (“GC”), and rehearsed prior to an incident will improve response time during these stressful events, where time is critical in limiting damages.
Mitigating damages requires a plan and active involvement from an organization’s GC, whose overall responsibility is managing risk; therefore, incident response planning and leading a cybersecurity crisis should be under the office of the GC. Cybersecurity crises are organization-specific. There is no universal method for planning and responding to a variety of threats, from ransomware to acquiring an ‘infected’ company to insider threats. The GC can start with understanding their firm’s risk profile and conducting a vulnerability assessment to identify gaps, then formulating a cohesive strategy.
This strategy relies on collaboration to succeed. “In the complex realm of cybersecurity, unity is paramount, and collaboration ensures success,” according to a GC at a Fortune 500 electronics company. “I picture an orchestra when thinking about this issue. Addressing a cyber attack demands a collective effort rather than a solo performance. The GC is uniquely positioned to serve the role as conductor, taking the baton, directing the collective efforts of stakeholders, and ensuring relevant functions work in unison. Like a well-coordinated symphony, the left hand must synchronize with the right, understanding and supporting each other. Without this collaboration, the company’s response to a cybersecurity event is destined for failure.”
Identifying a Cybersecurity Crisis
An important exercise that the GC should lead is identifying what constitutes a crisis and what a potential crisis looks like for their organization; this could be a ransomware attack, information theft, data breaches, financial fraud or a denial-of-service attack. Once identified, the GC should align with leadership and stakeholders regarding the incident response process.
For publicly traded companies, reporting ‘material’ cybersecurity incidents is expected to be mandatory under the proposed Securities and Exchange Commission’s (“SEC”) Cybersecurity Rules.[1] Impacted organizations will need to clearly define what constitutes a material event. For organizations in a regulated industry, the SEC’s rules will be only one part of their reporting requirements. Determining what constitutes a crisis depends on each organization: what may be considered a crisis for one organization may be a common occurrence for another. For this reason, identifying the most vital assets an organization possesses should happen before determining what is considered a crisis. Generally, if critical assets are impacted, it is a crisis.
Preparing for a Cybersecurity Crisis
The crisis preparedness process depends on the maturity of an organization’s incident response program. Some organizations will start from scratch, while those that are more mature will focus on tweaking and updating to keep pace with evolving threats. For many organizations, creating a business continuity or disaster recovery plan is required, e.g., those that fall under the New York Department of Financial Services’ jurisdiction.[2]
The preparation phase involves establishing (or confirming) a dedicated incident response team, training the team thoroughly on existing plans and materials, and determining and acquiring the tools this team needs for appropriate incident response. Once the GC and other key stakeholders identify the incident response team, leads from specific teams should be appointed to handle different phases of an attack (e.g., communications, outside counsel, vendors, cybersecurity experts). From there, testing the crisis response plan on a regular basis is essential; this allows participants to develop an understanding of their roles, and testing will identify weaknesses in the plan.
Based on the potential cybersecurity crisis, the GC can determine what processes to implement. Crises are unpredictable and thus more effectively managed with a flexible process, versus following a checklist. The crisis response determination should involve assessing the governance structure, analyzing internal controls and leveraging experience with past crises for lessons learned.
The GC should ensure the communications, media relations, investor relations and government affairs teams are included in the crisis management plan to manage the narrative, corporate reputation and engagement with shareholders and authorities. In addition, the GC should have a firm grasp of limitations within their incident response plan and bring in expertise for functions unavailable at their organization, such as cybersecurity.
It is critical that the GC educate and prepare internal stakeholders in advance, as they may be called upon during a crisis. These expectations should be communicated and trained ahead of an incident. This is especially true for executives, who could be held personally responsible for faults or missteps in both preparation and response.
Responding to a Cybersecurity Crisis
How do you ensure the firm’s incident response plan functions as intended during a crisis? Cybersecurity crisis teams, with oversight from the GC, should work to integrate across the enterprise. An effective response to a crisis relies on reacting quickly yet strategically, reassuring customers and stakeholders through timely and transparent communications, managing the narrative and being available to impacted parties.
The GC can work to ensure established plans are followed accurately, while leaving space for creative solutions; this may include blending crisis management with internal and external communication to create an effective and impactful response. GCs can achieve a successful response by deploying a tested communications strategy, which maps stakeholders so that corresponding messaging and materials can be developed. Key messages should be conveyed to priority stakeholders, maintaining loyalty and trust.
During a crisis, the GC is responsible for conducting and managing regulatory outreach. Cybersecurity regulations include stringent reporting deadlines and obligations to submit requested information. While the technical response during a crisis is ongoing, the GC can coordinate with external counsel to determine what is required of their organization.
Putting It All Together
Following a cybersecurity crisis, organizations often face increased scrutiny surrounding the incident, which, if not properly managed, can result in lengthy litigation and significant damage to reputation and valuation. The risk and stress can be mitigated with careful and tailored cybersecurity crisis planning led by the office of the GC. A well-planned and executed incident response strategy can turn a crisis into an opportunity for organizations. By demonstrating poise, competence and an effective response, GCs can help position organizations to achieve long-term success following a significant corporate event.