Is Your Company’s Crisis Communications Plan Prepared for Cybersecurity Incidents?

A well-written and consistently updated crisis communication plan ensures that a company has the infrastructure in place to respond to a range of natural or man-made crises. While many companies have a crisis communication plan in place, not all plans are equipped to handle cybersecurity-related incidents. Below are six key elements to ensure that your crisis communication plan is prepared to effectively handle cybersecurity incidents.

  1. The plan is comprehensible, short, and flexible.

One of the most common mistakes a company can make when creating a crisis communication plan is attempting to cover every "what if" scenario, producing a document too complicated for an employee to follow. During a crisis in particular, an overly complex plan can paralyze the employee in charge and cause additional confusion. In some circumstances, that inaction or unnecessary delay can expose the company to allegations of misconduct or negligence.

  2. One individual should be designated as the spokesperson.

One individual should be designated as the primary spokesperson to represent the company and answer media questions throughout the crisis. A single designated spokesperson lets the company control its message and prevents the public and its own employees from receiving information that may be untrue or misleading. All other employees should be instructed to refrain from commenting until directed by the company. To keep rumors from spreading, the company may also want to prepare an FAQ of pre-approved questions and answers once detailed information about the breach has been gathered; this can be posted on a public website or used to respond to media and consumer inquiries about the incident.

  3. A legal representative should be involved in the crisis communication process.

A company’s in-house counsel or outside counsel should be involved in the crisis communication process by discussing, reviewing, and approving all external messages. Obtaining feedback from counsel reduces the risk that confidential attorney-client information is inadvertently released, or that misleading statements are inadvertently made about the incident. Releasing confidential information and providing false or misleading statements may damage the company’s chances of prevailing in potential litigation, and injure the company’s reputation.

  4. The plan provides proper and clear guidance to the public.

Many crisis communication plans take an obligatory, proactive approach to notifying the public with a statement such as: "The company is aware of the crisis and is responding rapidly and responsibly." While this approach may be appropriate for an earthquake or an active shooter, it may not be the right approach for a cybersecurity incident. Unlike crises where the details of an event are usually known and released within hours, data security incidents are often extremely complex, and accurate information about a breach (whether one occurred, what data was affected, how many individuals are involved) may not be known for days or even weeks.

Furthermore, a company may not want to issue a public statement prior to understanding whether a breach actually occurred or the magnitude of the breach. A premature public statement about an incident that turns out to be false can have serious ramifications for the company’s data subjects. These data subjects may be subjected to unnecessary worry, cost, and inconvenience, or attempt to mitigate a harm that may never materialize or exist.

  5. The plan does not conflict with other corporate plans or policies.

A company’s communication plan for a cybersecurity event is typically used in conjunction with an incident response plan. The crisis communication plan must be reviewed and vetted against the company’s incident response plan and with consideration for other policies to ensure that there are no conflicts between policies. Any discrepancies or conflicts between these policies may create delay, confusion, or inaction, and could have serious legal and economic ramifications for both the company and the individuals impacted by the security incident. Discrepancies and conflicts between various plans may also make a company susceptible to allegations of misconduct.

  6. The plan is tested on a yearly basis.

An incident response plan should be tested at least yearly, and the annual test should not neglect the company's crisis communication plan. A walkthrough or tabletop exercise lets the company surface performance issues or policy gaps before a real incident, and gives company counsel an opportunity to train the employees who will handle communications during an actual crisis.

Incident Response Plans: A How-To Guide

The best way to handle any emergency is to be prepared. When it comes to data breaches incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan. …


Incident Response Plans: A Comparison of US Law, EU Law and Soon-To-Be EU Law

The best way to handle any emergency is to be prepared. When it comes to data breaches incident response plans are the first step organizations take to prepare. In the United States, incident response plans are commonplace. Since 2005, the federal banking agencies have interpreted the Gramm-Leach-Bliley Act as requiring financial institutions to create procedures for handling data security incidents.1 Although there is no federal statute that requires the majority of other types of organizations to create an incident response plan, state data safeguards and data breach notification statutes provide incentives for many other organizations to craft response plans. …


How to Avoid Being the Weakest Link in Your Company’s Cybersecurity Efforts

Everyone has been in a movie theatre when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking, “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

“Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”

“My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”

“Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”

“My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double check, I’m sure his email is legitimate.”

If you were in the movie theatre you'd be yelling out "Don't do it!" If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there, waiting for the bank officer to hit the keystroke that opens the file. Then we see it watching as the person sits down at the computer, logs in, types in a password, and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music swells in the background, and we know something is about to happen when, as fast as lightning, the blob springs to life and initiates wire transfers for tens of millions of dollars.

This is essentially what occurred in February 2016 in Bangladesh. Criminals were able to place the blob, in the form of malware, onto computers at the central bank of Bangladesh. Reports indicate that the malware included a keylogger used to capture passwords and other login credentials for the system operated by the Society for Worldwide Interbank Financial Telecommunication ("SWIFT"), which banks use to initiate funds transfers. In the end, $81 million was wired out of the bank's accounts at the New York Federal Reserve, apparently to casinos in the Philippines, where it was converted into untraceable gambling chips.

It is not yet clear exactly how the criminals got the malware onto the central bank's computers, but the situation underscores what we have been telling clients about cybersecurity. You are only as strong as your weakest link, and the weakest link is usually someone who clicks on an attachment or plugs in the thumb drive found on the floor. It is human nature to be curious, and it takes constant training and reminders to keep personnel responding appropriately. Financial institutions are constantly hiring new employees, and each of them brings their own personal history of computer hygiene. Each must be taught immediately about the importance of not opening suspicious emails or attachments. Spam and malware filters will hopefully block most of the incoming criminally engineered emails, but the criminals are resourceful and continue to innovate.

As we have noted previously, federal banking regulators have higher expectations concerning preparedness for cyberattacks. The Cybersecurity Assessment Tool released in 2015 by the FFIEC provides specific standards by which an institution can be judged when undergoing regulatory examinations.

At Bryan Cave, our Data Privacy and Security Team can assist you by conducting a data risk assessment, including reviewing your cyberattack insurance coverage. That analysis, coupled with our Banking Group’s ability to navigate the bank regulatory gauntlet will better prepare you for upcoming IT and cyberattack exams.

No matter how good a company’s security is, data security events are unavoidable. When a security breach does occur, preventing liability often means analyzing facts, identifying legal obligations, and taking steps to prevent or mitigate harm within the first minutes and hours of becoming aware of a breach. That’s why an attorney from our Data Privacy and Security Team is on-call for clients whenever and wherever a breach occurs: 24 hours a day, 7 days a week. For more information, visit our Bryan Cave Data Breach Hotline web page.

Bryan Cave Data Breach Hotline
+1 202 508 6136 (international)
+1 844 8BREACH (844-827-3224 toll free — US only)

How to Draft an Effective Incident Response Plan (2016)

The best way to handle any emergency is to be prepared. When it comes to data breaches, incident response plans are the first step organizations take to prepare. Furthermore, many organizations are required to maintain one. For example, any organization that accepts payment cards is most likely contractually required to adopt an incident response plan….