- Ensure each member of the response team and their back-up know their respective roles.
- Anticipate that the response team may not have access to the company’s systems.
- Check if your company’s VPN and other critical systems are still supported.
- Make sure external communications are coordinated, to avoid increased exposure.
Cyber-attacks are not used only to steal personal data. Hackers also infiltrate organizations’ systems to damage a country’s infrastructure. Attackers have targeted US companies to shut down critical infrastructure, such as during the May 2021 shutdown of Colonial Pipeline, a large gas supplier. Cyber-attacks can involve employees and external stakeholders, such as suppliers, contractors and consultants.
The context of the COVID-19 pandemic has increased the risk of cyber-incidents, as employees work remotely, use online tools, and experience higher levels of stress and emotion. In-house counsel are well positioned to help their company prevent and address such threats.
The list below is mainly based on the ACC Webcast “Crisis control: Effectively managing teams and protecting organizations in the era of COVID-19 cyber-attacks and insider threats” (June 16, 2021) delivered by Michael Bahar, Eversheds Sutherland, and John Buckley, former in-house counsel.
1. Common threat examples:
- Phishing attempts use e-mails targeting employees. The email appears legitimate and typically invites the employee to click on a malicious link, or to open an attachment that includes malware. Attackers sometimes are already in a company’s computer system and appear to be sending internal communications, such as a request to update a human resources file.
- Malicious websites and apps attempt to lure unsuspecting people and play on their emotional state, for example by prompting them to click on links about alleged cures for COVID-19. The site might pose as a state welfare provider and bait people to click on links regarding benefits.
- Physical devices. Employees might insert a thumb drive or CD that they find in the office, thus unknowingly infecting the company’s computer system.
- Internal threats by employees. Employees planning to leave the company, or worried about layoffs or furloughs, may extract valuable information from the company’s systems. Changes in employees’ connection patterns may indicate an issue – for example, someone suddenly connecting at odd hours, or downloading an unusually large number of company files.
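As an added illustration (not from the webcast or the ACC), the two connection-pattern indicators above, odd-hour logins and an unusually large number of downloaded files, expressed as detection logic over a constructed per-user connection log. The log format, the two-day baseline, the one-hour tolerance and the spike threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not from the webcast): "<ISO timestamp> <user> <event> <count>".
# Days 1-2 are each user's baseline; day 3 holds alice's suspicious activity.
SAMPLE_LOG = """\
2021-06-01T09:05:00 alice login 1
2021-06-01T09:30:00 alice download 12
2021-06-02T08:55:00 alice login 1
2021-06-02T10:10:00 alice download 15
2021-06-03T02:40:00 alice login 1
2021-06-03T02:45:00 alice download 480
2021-06-01T08:30:00 bob login 1
2021-06-01T14:00:00 bob download 30
2021-06-02T08:45:00 bob login 1
2021-06-02T15:20:00 bob download 28
2021-06-03T08:50:00 bob login 1
2021-06-03T16:00:00 bob download 33
"""

def detect_insider_indicators(text, baseline_days=2, sigma=3.0):
    """Return (user, date, indicator, value) for logins outside the user's usual
    hours and for days whose download total spikes above that user's baseline."""
    per_user = defaultdict(list)  # user -> [(timestamp, event, count)] in time order
    for line in sorted(text.splitlines()):  # ISO timestamps sort chronologically
        ts, user, event, count = line.split()
        per_user[user].append((datetime.fromisoformat(ts), event, int(count)))
    findings = []
    for user, events in per_user.items():
        daily = defaultdict(int)  # date -> files downloaded that day
        for ts, event, count in events:
            if event == "download":
                daily[ts.date()] += count
        dates = sorted({ts.date() for ts, _, _ in events})
        base = set(dates[:baseline_days])
        hours = [ts.hour for ts, event, _ in events if event == "login" and ts.date() in base]
        totals = [daily[d] for d in base]
        # Spike threshold: mean + sigma*stdev, but never below twice the mean, so a
        # flat baseline does not turn every small deviation into an alert.
        limit = max(mean(totals) + sigma * pstdev(totals), 2 * mean(totals))
        lo, hi = min(hours) - 1, max(hours) + 1  # tolerate an hour either side
        for ts, event, _ in events:
            if event == "login" and ts.date() not in base and not lo <= ts.hour <= hi:
                findings.append((user, str(ts.date()), "odd-hour login", ts.hour))
        for d in dates[baseline_days:]:
            if daily[d] > limit:
                findings.append((user, str(d), "download volume", daily[d]))
    return findings
```

On the sample log, `detect_insider_indicators(SAMPLE_LOG)` reports alice's 02:40 login and her 480-file day, and nothing for bob, whose day-3 activity stays within his own baseline.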
2. In-house counsel have a key role to play, especially through the following phases:
- The planning, discussion, or execution of cybersecurity and IP protections;
- Identifying, managing, and mitigating risk;
- Providing options and solutions to management;
- Helping to reduce the uncertainty and complexity of the situation;
- Keeping on top of changes in privacy laws, which helps in selecting the response to a crisis; and
- Instilling order in a chaotic crisis situation, by ensuring that team members adhere to their roles instead of running duplicative or inconsistent courses of action.
3. Every company should have a cyber-attack response plan, and check the following:
- Is the plan adapted to your workforce? Factor in telework and a reduced workforce.
- Who will respond? Identify who is on the response team, and who serves as their backups.
- Does everyone know their role? Ensure members of the response team know their responsibilities, including the back-up responders.
- How will they be contacted? Check that the response plan lists the team members and includes how to contact them if there is no access to the company’s phone lines or computer system.
- Will they be able to access the plan? Ensure management and members of the response team each have a hard copy of the plan at the company’s premises and at their home office, in the event the computer systems or premises are locked up by malware.
- What obligations apply? Determine if the plan includes an understanding of the company’s regulatory obligations, and if contractual obligations require that certain parties be informed of a breach. Keep track of notification requirements, and/or know who to call to check quickly.
- What must be notified? Know what information to include in data-breach notifications.
- What’s your cyber-insurance? Review the company’s coverage and ensure it covers what is needed.
- Which advisors and experts can you engage to respond? Know which external advisors and forensic companies are pre-cleared to assist under your insurance coverage. Before engaging a non-approved advisor, check with the insurance company.
- How will you maintain privilege? Plan how to maintain attorney-client privilege, including over draft reports from such advisors and forensic experts.
- Are employees trained? Ensure they are trained often to identify threats and act accordingly.
- Do employees know to report promptly? Communicate the importance of reporting incidents promptly, such as when they inadvertently click on a malicious link.
- What security is used at home offices? Ask employees working from home to use adequate cybersecurity measures, such as antivirus software and the latest security patches.
- Are secure channels still supported? Check with IT whether your VPN is still supported. Systems that fall out of support may not be protected. Budget may be needed for a replacement.
- Are data and systems backed up offsite? Relying only on a cloud solution may not be enough.
4. Tips for responding to a breach:
- Don’t ignore the problem. When it happens, take action to stop the attack and the damage.
- Promptly deliver the bad news to management, together with proposed options and solutions. No one likes to deliver bad news, but as counsel it is part of your responsibilities.
- Act promptly. Cyber-incidents create pressure, but you have an opportunity to act.
- Check notification requirements. Not every attack requires notification.
- Know what to say to shareholders, regulators, and courts. Make sure your internal stakeholders’ external communications are coordinated, to avoid damaging or inconsistent statements that may increase the company’s liability exposure.
5. What if the company doesn’t have a plan for responding to a cyber breach?
- Get started now.
- Don’t focus on perfection. Addressing urgent business needs may require temporary solutions, such as allowing the use of certain apps for telework with cautionary notes.
- As time goes by, you may roll out more comprehensive solutions to address the issues, for example to better address employees’ privacy rights in the use of remote working tools.
- Take incremental steps. For example, to increase security, you may wish to require that employees update their passwords at pre-set intervals, then impose password complexity requirements, then introduce multi-factor authentication. Another starting step: make sure that the company has revoked the credentials of former employees or contractors.
Watch the ACC on-demand program “Latest Developments in Cybersecurity” (August 30, 2021), by the ACC IT Privacy and eCommerce Network and Fieldfisher
Read “The Next Step in Cyber Risk Readiness,” by Steve Walker and Christopher Hetner, ACC Docket, September 2019, pp. 44-48, Association of Corporate Counsel
Read “Ten Steps to Protect Privilege in the Event of a Data Breach,” by Pat Linden and Christopher C. Combs, ACC Docket, December 2018, pp. 50-55, Association of Corporate Counsel
Read the 2021 State of Cybersecurity Report of the ACC Foundation