Understanding cyber incident disclosure


Proper disclosure of a cyber incident can help protect your business from further financial and reputational damage, and cyber insurers can step in to help


‘Seek legal advice’ has to be my top recommendation if you have experienced a cyber incident that could be considered material, that involves personally identifiable information, or if your business is classified as critical infrastructure.

Cybersecurity teams around the world are on the front lines of defending against cyber attacks and securing corporate assets. At the same time, they are also on the front lines of dealing with regulators and avoiding fines. For example, in the UK a security breach may need to be reported to the Information Commissioner’s Office (ICO), which offers several reporting routes depending on the regime that applies:

  • UK GDPR personal data breach (DPA 2018)
  • Breach at a trust service provider (eIDAS)
  • Security breach of communications services (PECR)
  • Incident reporting by digital service providers (NIS)

If you are a financial organisation, you may also need to report the incident to the Financial Conduct Authority (FCA). Other obligations apply to critical infrastructure and services; for example, operators of essential transport services must report incidents to the Department for Transport. Then, of course, you should contact your cyber insurer and inform them of the incident, not forgetting the board, the investors, the bank, business partners, possibly your customers and your family, to let them know that it is likely going to be a long day.

All of the above mandatory disclosures are due within the first day or days after an incident is identified (UK GDPR, for example, requires notification to the ICO within 72 hours of becoming aware of a personal data breach), while the incident is still under investigation and the business priority is recovery. The examples above are UK regulations, but the mandatory disclosure requirements in most countries are equally strict. In some countries it may even be necessary to make the incident public, for example by filing the cyber incident report with a stock exchange, which then publishes the details to inform investors.


If you have a cyber risk insurance policy, the services provided under the policy may include legal services and regulatory filings. This is a service that should be used, because attorneys who specialize in making these mandatory disclosures will understand what information is needed and how to file the notice. Submitting the correct information in a timely manner can help avoid fines from regulators. If insurance is not in place, I recommend having a specialist cyber incident lawyer on speed dial.

This blog is the sixth in a series on cyber insurance and its relevance in this increasingly digital age – see also parts 1, 2, 3, 4 and 5. Read more about how organizations can improve their insurability in our latest whitepaper, Prevent. Protect. Insure.

Understanding legal obligations should be an essential part of cyber incident planning, which is itself part of a broader cyber resilience plan. A recommended, and in my opinion mandatory, task is a tabletop exercise on cyber incidents. This helps identify who needs to be involved and refines the process of dealing with an incident should one occur.

Such preparation should be comprehensive and not treated solely as a task for the cybersecurity team. The outputs and post-mortems of these exercises are essential when preparing for a cyber incident. Unlike other cybersecurity professionals, I don’t subscribe to the view that an incident is not an ‘if’ but a ‘when’. With the right attitude, processes, solutions and team, it can still remain an ‘if’.

Another number on the list should be law enforcement. While reporting to them isn’t usually required, it can help in ways that aren’t obvious. Law enforcement agencies may have access to information about the cybercrime group and have experience that can help with recovery: they may even know whether a decryptor is available without paying the demand. (If a cybersecurity vendor or other party has a decryptor, they often keep this knowledge quiet to prevent the cybercriminals from changing their tactics.) Reporting the incident also informs law enforcement of the scope and volume of such incidents, and ensures that the right level of resources is assigned.


Keep in mind that the adversary may also understand the reporting requirements. At the end of 2023, a ransomware group reported a listed company to the US SEC for failing to make a mandatory breach disclosure after the company refused to pay an extortion demand. This weaponization of a mandatory disclosure is yet another pressure point applied by the bad actor to get a company to pay.

In conclusion, disclosing a cyber incident is in the best interests of the organization involved, whether by avoiding fines and sanctions or by obtaining additional support from the notified legal and regulatory authorities. Cyber insurers are extremely valuable in this situation, not only financially but in other ways, such as ensuring that the right people are notified to maintain compliance and reduce the overall damage.

What is needed for a successful cyber insurance model in the dynamic risk environment? Listen to Peter Warren discuss insights from:

  • Prof. Leslie Willcocks, professor at the London School of Economics
  • Lord Francis Maude, former Minister of State for Trade and Investment
  • Prof. Keith Martin, director of the EPSRC Centre for Doctoral Training in Cyber Security for the Everyday
  • Prof. Neil Barrett, former cybercrime adviser to the then Home Secretary, Jack Straw
  • Martin Borrett, technical director of IBM Security in the United Kingdom
  • David Chavez, cyber insurance product manager
  • Tushar Nandwana, Risk Control Technology Segment Manager at Intact Insurance Specialty Solutions, and
  • Dr. Constance Dierickx, founder and chairman of CD Consulting Group

Learn more about how cyber risk insurance, combined with advanced cybersecurity solutions, can improve your chances of survival if or when a cyber attack occurs. Download our free whitepaper: Prevent. Protect. Insure.
