In-House Legal: Preparing for a Cyberattack
Why Invest in a Strong Incident Response Plan, Training, and Supply Chain Risk Management
Cyber criminals have been on a roll:
CheckPoint Research reported a spike in cyberattack volume in the first half of 2023, with an 8% increase in global weekly attacks – notching the highest volume in two years.
In its data breach report, IBM says the average cost of a breach hit $4.45 million, up 15% over three years.
And ransomware costs are soaring, with the median cost per attack more than doubling over the past two years, according to Verizon.
Public companies also face new disclosure requirements. The SEC in December ramped up enforcement with new rules that mandate disclosure of material cyberattacks within four days, along with annual cyber-risk reporting.
Between the pressures of more sophisticated threats and stronger regulations, organizations are increasingly turning to their in-house legal departments for guidance. Because no business can expect to prevent every cyberattack, companies must focus not only on prevention, but on detecting and responding to active breaches.
As a baseline, in-house legal teams need to create a ready-to-go incident response plan, put in place good data governance strategies, and practice savvy supply chain risk management.
Being Proactive: Create and Test an Incident Response Plan
Enough can't be said for preparation. In its Cost of a Data Breach Report 2023 report, IBM notes that half of organizations (51%) plan to ramp up security investments, including incident response planning and testing, only after a data breach has occurred. That, as IBM points out, can be costly.
A better, and more strategic approach, is for legal teams to work with cybersecurity teams proactively to create an incident response plan – before a cyberattack. A good plan outlines ways the organization will handle and recover from an incident. Actionable and tailored to the company needs, it covers the full lifecycle of a cyberattack or breach, from detection, monitoring and response, to reporting. As security analysts work on the technical response to an active attack, legal teams must have a plan for timely and accurate communications with those affected by a cyber incident, including senior leadership, customers and regulators.
Once created, the plan should be regularly stress tested through various exercises and simulations of real-world scenarios, such as vulnerability scanning, tabletop exercises, and cyber fire drills. These help evaluate the readiness of the team, identify weaknesses, and improve coordination. As soon as an event unfolds, the team has a playbook to guide decisions and process.
No one wants to make it up as they go in the depths of crisis, as systems are being encrypted by hackers or after a wire transfer has disappeared. Best to plan ahead.
The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years.
– IBM Security
Social Engineering Attacks: Train Leaders and Employees
In any information architecture, humans are the weakest link.
People are the point of failure in three out of four breaches, according to Verizon’s 2023 Data Breach Investigations Report. Social engineering – which involves tactics like phishing that deceive people into sharing confidential information – continues to be the leading means by which hackers break into computer systems. Verizon reports that the frequency and cost of social engineering attacks has skyrocketed.
Security awareness training, including phishing simulations, should happen regularly and include all staff levels. Leadership should run through tabletop exercises to clarify different types of breaches and roles and responsibilities during an emergency.
Following best practices for password management techniques helps protect company data and assets. Effective tactics include using password manager software to securely store and generate passwords, using multi-factor authentication (MFA), which requires users to provide more than one method of identity verification, and regular password updates.
Ransomeware Attacks: Establish Good Data Governance and Backups
Ransomware attacks represent one of every four data breaches, according to the 2023 Data Breach Investigations Report by Verizon.
Here again, preparation pays off. A company should invest in good data governance – managing data as a strategic asset – and keep data retention policies up-to-date. Deleting data the company doesn't need anymore reduces the amount of sensitive information that could be compromised. Knowing what data is where will also help with threat assessment because the company will know whether a threat actor truly has the most sensitive information, or if they're bluffing.
To further dilute the impact of an attack, teams also need to routinely back up data in a separate location that is unconnected to the network – and regularly test that the backups are successful.
Access management techniques also help reduce risk by limiting permissions by role, need, and authorization. Since human error, including stolen credentials, is a main entry point for attackers, every employee should only have access to the data necessary to their job.
These steps help build the resilience a company needs to recover more quickly and with less damage from a ransomware attack.
Mind Third-Party Risk: Protect Against Supply Chain Attacks
No cyber plan would be complete without vendor risk management. In recent years, supply chain attacks, in which cyber criminals exploit vulnerabilities among a company’s vendors or suppliers, have made international headlines.
A company may protect its systems and train its employees, and still leave an open door to cyber threats if it doesn't also do its due diligence when onboarding its vendors and then monitoring their security posture regularly. Legal teams should verify the vendor’s security compliance, where and how data will be stored, and other parties the vendor works with that may gain access to company data.
Outside counsel are also increasingly cyber threat targets. Law firms should develop comprehensive cybersecurity policies to protect their clients’ and their own data.
Using a zero-trust model is a best practice that calls for erring on the side of caution. Never assume a vendor is trustworthy. Using strict access controls, encryption, and verification strategies will limit exposure to vendors. Vendors should also be required to report any incidents or breaches without delay.
Vendor and supplier obligations and expectations in the event of a breach should be outlined in the company incident response plan.
Legal teams play a valuable role in ensuring that vendor and service provider contracts include airtight security clauses, data protections, and liability provisions.
Applying a Cross-functional Approach to an Organizational Issue
Cybersecurity is no longer just an IT issue, it's an organizational one. In-house legal teams play a crucial and growing role by providing legal guidance, ensuring regulatory compliance, and managing the legal aspects of cyber incidents.
Organizations can't prevent all cyberattacks from happening, but there are ways to reduce damage with early detection and prompt response. A solid incident response plan, proper data governance, and vendor risk management create a strong foundation for protecting a company’s assets and reputation.
Learn about how to secure your ediscovery workflows. Download your copy of Everlaw’s guide to Cybersecurity in the World of Ediscovery.