In an environment where cyberbreaches just keep happening, the two 2022 cyberbreaches at LastPass, one of the leading password security storage providers, shouldn’t be a surprise.
Cybercriminals accessed LastPass’s cloud-based storage, obtaining customer end-user names, billing addresses, email addresses, and other personal data in December and August 2022.
The incidents at LastPass are one of many, as cybercriminals grow ever more sophisticated. In fact, the cost of a data breach incident in 2022 increased 2.6% from 2021 to $4.35 million. The largest 2022 data breach hit Medibank Private Ltd., one of the largest Australian health insurers. As part of that breach, data belonging to 9.7 million customers, including 1.8 million international customers, was accessed by cybercriminals. After Medibank refused to pay the $10 million ransom, the cybercriminals behind the attack disclosed they posted the customer data on the dark web.
As you probably already know, a cyber or data breach is an exposure or theft of sensitive, confidential, or proprietary information, either intentionally by an attacker or accidentally by poor security practices. Not only is the news full of accounts of data breaches, but corporate security insiders are fully aware of the potential for cyberbreaches in their organization. A survey found that 82% of chief information officers surveyed estimated that their software supply chains are vulnerable to cyberattacks. What exactly does that mean? It signifies that the executive responsible for overseeing a company’s information base and infrastructure has fundamental doubts about their ability to protect said information.
Expecting a cyberbreach as a likely consequence of operating a business in the digital age means that no part of the post-breach process will be a surprise. That’s the good news—because once a breach occurs, you are obligated to follow a specific series of steps. Following this blueprint ensures that you abide by the tenets of your cybersecurity policy as well as state and federal law. This article outlines these steps so that you can avoid compounding the original problem.
Step 1: Determine the Extent of the Breach. As soon as your organization is aware of the breach, you need to determine the extent of that breach. Because that type of investigation can take time, you may need to notify customers and clients before it is complete.
While it varies depending on the state(s) law that the company operates under, if customer and/or patient data has been affected, it is nearly certain that the affected individuals have a right to be notified within a reasonable period of time, usually days, of what kind of data was stolen and what steps are being taken to both ensure this will not happen again and what services and protections the company is offering to protect the long-term security of its customers, which may include credit monitoring services and dark web scanning alerts.
Then begins the work of documentation and possibly expanding the scope of the investigation if the event was not isolated. You’ll also need to embark on containing the breach through internal control and communication with executives and interested parties within the organization. An obvious action step involves shutting down the breached system temporarily—where possible. In healthcare this will not always or even often be possible, but if you can mitigate additional risk during an ongoing breach without risking life or livelihood by disabling remote access and removing any possible connections from the system that could be the source of the breach, that is ideal.
These steps can include changing all passwords for critical accounts and temporarily disabling access to non-critical accounts, isolating communications between different sets of hardware and disabling as many externally administered applications as possible, quarantining and documenting any malware identified, and taking note of all network and firewall settings for posterity: essentially isolating and preserving the entire environment that allowed the breach to take place without allowing the breach to continue.
During this period, most of these actions and decisions should be executed by an internal response team designated in the company’s official response plan for cyberbreaches. Once the internal team has been engaged and is in action, key senior management and decision makers should be notified so they may sign off and oversee the execution of the plan. Just as important, the insured must negotiate the contracts with the insurer panel counsel vendor list to implement a number of steps including procedures, policies, and vendors relating the cyberbreach. Besides a cyberbreach coach, you may need to hire other vendors. You may also need to provide notification, offer loss mitigation, and set up a call center.
Identifying the source of the breach is the obvious next priority. Regardless of whether the internal team can or cannot locate the source of the breach, outside consultants should be brought in to investigate. With the breach source now located, assessing the scope of the breach will dictate the rest of the necessary response.
Step 2: Document the Cyberbreach Incident. From this point on, documentation is critical, including when the breach was first discovered, confirmed, and all of the steps taken to seal off the network from continuous exposure. Security incidents such as cyberbreaches require documentation as part of compliance efforts.
Such documentation is the responsibility of the chief information security officer (CISO). A cybersecurity incident report should include the following information:
- CISO contact information
- Description of incident
- Impact and potential impact of the incident
- Sensitivity of the information breached
- Notification
- Details of the incident
- Mitigation
- CISO signature
In addition to the report, the CISO and security staff should add this information to the security incident log. The report and logs should be retained for at least six years.
Step 3: Contact Cyber Insurer: Contacting your cyber insurer is not mandatory. The decision to notify should be analyzed by the incident response team and insurer cyberbreach coach. Not every breach is significant enough to notify the insurer. If the incident response team believes the breach is significant, notifying the insurer of the incident as soon as possible with details associated with the breach is required. While coverages vary, your policy will likely provide at least some coverage for responding to, investigating, defending against, and mitigating cyberattacks. You’ll want to collaborate closely with your insurer as you work to recover from a cyberattack incident.
Your insurer will have a protocol that you can follow, so it makes sense to stay in close touch with your cyberbreach panel vendors. Checking all of the boxes here is critical, but at the same time most of this workflow should be known prior to a breach. The details of all of this work should come down to an already established plan, one dictated by the laws governing the jurisdiction the company operates in and the dictates of the cyber insurance plan held to protect the company.
Step 4: Notify Legal and Regulatory Authorities: Who, how, and when you must notify when a cyberbreach occurs is constantly shifting. On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 within the Consolidated Appropriations Act of 2022. This law requires that entities in 16 critical infrastructure areas including financial services, healthcare and public health, and information technology must report cyberattacks within 72 hours of the breach occurring to the U.S. Cybersecurity and Infrastructure Security Agency.
Many states and state regulators require incident reporting; your cyber insurer can help you identify those entities. You’ll also want to inform law enforcement agencies as cybercrime is crime. Engaging both internal and external counsel to determine the appropriate path forward in this regard prior to a breach event is heavily recommended. Your insurer, along with their cyber panel counsel, can handle the notification process for you. The insurer claims analyst role is limited versus the insurer vendors handling the service. The insurer claims analyst oversees the vendors.
Step 5: Engage Data Breach Services: After taking those initial steps, engaging data breach services to assess and repair the information technology infrastructure of the company will round out the internal work required. Your cyberattack response plan should already have identified possible providers of services for the kinds of breaches that could occur. The insurer loss-mitigation panel vendor will guide you through this process including remediation and implementation of further security protocols to reduce possible future breaches.
These services range from simply assessing and patching one weakness to a near wholesale overhaul of the department and infrastructure. It is critical that expectations are flexible here so that the same issue does not take place in the future. Simply assuming that a weakness in a firewall is contained and it will not require any changes internally can be harmful to the long-term safety of the company and its consumers.
Step 6: Perform Remediation and Recovery: The external work that remains to be completed at this point would include attempting data recovery and remediation. Depending on the type of data and the data breach service provider that is contracted, this may be possible to do under the same umbrella as the internal fix.
However, it can be better to choose the right tool for the right job, and hiring different firms to investigate the possibility of recovering data, as well as separately performing remediation with consumers and the public, is often the best approach.
Remain Prepared
A cyberbreach is no time to panic, to improvise, to reinvent the wheel. Preparation and calm execution are the only traits necessary to recover from a data breach.