
4 Unexpected Legal Issues You Could Face Following a Cybersecurity Breach


In the realm of cybersecurity incidents, there are often unexpected concerns that arise, catching incident responders off guard and potentially impacting legal liability. As a seasoned cyber-incident breach attorney who has dealt with numerous ransomware incidents, I have identified four surprising post-incident considerations that security professionals should keep in mind.

The first consideration revolves around the review of pre-incident security controls by cyber insurance providers. If an organization has cyber insurance and reports the incident to its carrier, it may face probing questions about the security measures that were in place before the breach occurred. Insurance companies will meticulously examine what failed and the root cause of the incident. It is crucial for organizations to accurately and truthfully describe their security controls during the insurance application and underwriting process. In recent times, insurance carriers have been known to deny claims based on misstatements made during the application process. Failing to be truthful at the outset can result in severe financial consequences later on. It is advisable for organizations to collaborate with their risk management team, insurance broker, and legal counsel beforehand to ensure that the controls in place are accurately portrayed and well-documented.

The second consideration pertains to auditor investigations. Regardless of whether an organization is public or private, it is often subject to CPA audits and reviews. These audits do not come to a halt after a cybersecurity incident. In fact, auditors tend to have numerous questions about the incident. To navigate the complexities of such inquiries, engaging specialized cyber-incident counsel is highly recommended. It is important to note that any information shared with a CPA is unlikely to be considered confidential or protected by privilege. Therefore, any statements made about the incident can potentially be used against the organization in future lawsuits. Consistency in the information shared with auditors, as well as with employees, customers, and the media, is essential.

The third consideration involves banks halting ransomware payments. When an organization decides to make a ransomware payment, legal concerns can arise, especially when racing against the threat actor’s timeline to leak sensitive information. While many security professionals are familiar with the process of clearing a ransom payment through the US Treasury Department’s Office of Foreign Assets Control (OFAC) to ensure it does not end up in the hands of a malicious actor, banks are now increasingly hesitant to process wires to known threat negotiation firms. This is because organizations involved in the ransom payment’s chain could potentially be held responsible for an improper payment to a sanctioned entity under OFAC regulations. To overcome this challenge, organizations should be prepared to navigate OFAC requirements both for their own purposes and for the financial institution involved. Having a report ready to quickly share information with the financial institution can facilitate the clearance of the transaction.

The fourth consideration revolves around the importance of knowing which customers require immediate notice in the event of an incident. If an organization serves other businesses or acts as a subcontractor for governmental entities, there may be contractual or statutory obligations to provide notification in the event of a cybersecurity incident. To ensure compliance with these requirements, it is advisable to create a spreadsheet that tracks each notification timeline before an incident occurs. Failure to meet notification obligations can result in a breach of contract, potentially leading to significant penalties.

Ultimately, being prepared is the best approach to incident response. Even the most comprehensive tabletop exercises and incident response plans may need to be adaptable to the evolving circumstances of an incident. Having a well-prepared strategy in place to address the multiple stakeholders who may be involved post-incident is crucial in effectively managing the unknown. By considering these unexpected factors, organizations can enhance their response capabilities and reduce potential legal liabilities in the aftermath of a cybersecurity incident.
