Corporate Compliance Insights

Mitigating Legal and Reputational Risk Post-Ransomware

Tips and Best Practices for Addressing a Data Breach

by Alan Brill and Brian Lapidus
January 28, 2021
in Cybersecurity, Featured

On Data Privacy Day, Kroll’s Alan Brill and Brian Lapidus share recommendations for companies that have fallen victim to ransomware attacks, emphasizing the importance of reporting a breach promptly and explaining how to investigate an attack under the assumption that data has been stolen.

The Planning Imperative

When a ransomware attack includes data exfiltration, organizations must work through a complex regulatory environment to determine whether the attack constitutes a data breach. If the forensic investigation determines that data was indeed stolen as part of the attack, several clocks begin ticking. Depending on the state and national laws that apply, the time allowed for breach notification may be as short as 24 hours, which is a significant challenge for most organizations. There is significant benefit in undertaking fundamental planning steps, with consideration for tactical, operational and consumer impacts.

Time is of the Essence

While there is some room for interpretation in the definition of “discovery,” the reality is that it may take a significant amount of time to alert the right people within the organization – let alone communicate with customers and stakeholders – about a data compromise. Hoping that data wasn’t stolen or assuming it wasn’t because doing so is easier aren’t effective defenses for failing to report a breach to regulators.

Whether you are a part of a board, occupy a C-suite position or serve in a general counsel or compliance role, your fiduciary obligation is to find out what happened so that the organization can take the prescribed steps regarding notification if that turns out to be required. If you are not engaging in these steps, you are creating additional liability for the organization, impacting its future reputation and financial viability. The potential for multiple fines imposed by different states and nations becomes increasingly real as more jurisdictions enact data security and privacy laws.

The Data Tells a Story

Carrying out a forensic examination can be complicated or even blocked by ransomware. Data that a forensic investigator would look to in developing an understanding of an incident may itself have been encrypted as part of the attack. In other cases, log files that could shed light on the incident were never enabled by the company, or were configured with limitations (short retention, missing event categories) that make them ineffective as sources of forensically sound data.

A recent analysis from Kroll’s cyber threat intelligence team showed 49 percent of ransomware incidents handled by Kroll investigators involved the theft of data for extortion. In layman’s terms, if ransomware is involved, there is a 50/50 chance that stolen client data could end up held for ransom, sold or released on the dark web. In cases involving state-sponsored attacks, the data could have been gathered for espionage purposes.

The best way to ensure that forensic data will be available when it is needed the most is to think about the need before the attack ever occurs – even in the design phase of the systems themselves. This type of planning, sometimes called “proactive forensics,” helps ensure that log files are turned on, set for a reasonable retention period and stored somewhere a ransomware attack cannot reach, for example forwarded off the host to a separate, write-once log store rather than kept only on the machines an attacker can encrypt. Proactive forensics can also consider segmenting the network with protective devices that make it harder for attackers to spread the infection to adjacent segments, a common tactic in ransomware attacks.

These system modifications can reduce the vulnerability of the data to ransomware encryption and can often be accomplished quickly through a short consultation with experienced forensics and network security organizations. Equally important, our experience across hundreds of incidents demonstrates that in-house responders often inadvertently modify or destroy important forensic clues, for instance by rebooting, reimaging or “cleaning up” affected systems before volatile memory, logs and file timestamps have been captured. Making sure that initial responders understand how to do their work without compromising forensically vital information should be part of every organization’s incident response training.
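The two preceding paragraphs recommend preserving log data ahead of time and training responders not to disturb evidence. The script below is an added illustration of the second point, not code from Kroll or from the article: before anyone works on a compromised host, a responder snapshots the evidence directory into a hash manifest (size, modification time, SHA-256 per file, plus a running hash chain over the entries), and the manifest can later show whether anything was altered, removed or added. The file names, log lines and the `demo()` scenario are constructed sample data; in practice the manifest itself should be copied off the host (or signed) so that it is as protected as the logs it describes.

```python
"""Evidence-preservation helper: record a hash manifest of log/evidence files
before responders touch them, then re-verify later to detect tampering.

Added example, not code from the article or from Kroll.  All paths and file
contents used in demo() are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record size, mtime and SHA-256 of every file under evidence_dir.

    A running hash chain over the per-file digests is kept as well, so that
    deleting or reordering manifest entries later is detectable even if the
    individual entries still look plausible.
    """
    entries = []
    chain = hashlib.sha256(b"").hexdigest()  # chain seed
    for p in sorted(evidence_dir.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        digest = sha256_file(p)
        chain = hashlib.sha256((chain + digest).encode()).hexdigest()
        entries.append({
            "path": str(p.relative_to(evidence_dir)),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": digest,
        })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,  # who took the snapshot (chain of custody)
        "entries": entries,
        "chain_head": chain,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of discrepancies; an empty list means the evidence is intact."""
    problems: list[str] = []
    chain = hashlib.sha256(b"").hexdigest()
    for e in manifest["entries"]:
        p = evidence_dir / e["path"]
        # Recompute the chain from the recorded digests: catches edited/removed entries.
        chain = hashlib.sha256((chain + e["sha256"]).encode()).hexdigest()
        if not p.is_file():
            problems.append(f"missing: {e['path']}")
            continue
        if sha256_file(p) != e["sha256"]:
            problems.append(f"modified: {e['path']}")
    if chain != manifest["chain_head"]:
        problems.append("manifest chain head mismatch (entries removed or edited)")
    # Files that appeared after collection are also worth flagging.
    known = {e["path"] for e in manifest["entries"]}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and str(p.relative_to(evidence_dir)) not in known:
            problems.append(f"unexpected new file: {p.relative_to(evidence_dir)}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: snapshot two sample log files, then simulate a
    well-meaning responder truncating one of them.  Returns the discrepancy
    lists from before and after the change."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed sample evidence, not real logs.
        (d / "auth.log").write_text(
            "Jan 28 03:12:07 host sshd[412]: Accepted password for svc_backup from 10.0.0.9\n"
        )
        (d / "edr.json").write_text('{"event":"process_start","image":"/tmp/upd"}\n')
        manifest = build_manifest(d, collector="responder-1")
        clean = verify_manifest(d, manifest)
        (d / "auth.log").write_text("")  # the "cleanup" that destroys evidence
        tampered = verify_manifest(d, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before": before, "after": after}, indent=2))
```

Running the script prints an empty discrepancy list for the untouched snapshot and `modified: auth.log` after the truncation. The chain head only protects the manifest's own entries; a file change shows up through the per-file digest comparison, which is why both checks are run.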

Charting Parallel Courses of Action

Given our finding that 49 percent of the ransomware incidents Kroll investigated involved some form of data theft, when an attack occurs, a company should provisionally assume that data may have been stolen and take appropriate steps while the forensic analysis is carried out. While working in parallel may require additional effort, it allows the organization to pivot in line with results from the investigation.

Initial steps typically include victim notification and remediation, often with third-party experts. Preparing a notification campaign compliant with multiple laws can begin even as the forensic examiners are working. One example of a parallel path for organizations seeking an efficient response is securing the proper agreements for the establishment of a customer contact center that can confidently explain the nuances of the incident in the customer’s native language, which is critical to re-establishing customer confidence following a ransomware attack.

Practice Makes Perfect

One of the best ways an organization can help reduce the risk is to prepare and practice for the event before it ever happens. Like muscle memory, an organization that practices how it would handle a cyber event will respond more efficiently.

Practice can include full executive briefings or tabletop exercises where lawyers, forensic specialists, notification experts and PR mavens can help with crisis communication and possibly shareholder impact. One of the newer techniques that can be included in this practice is simulation training for the organization’s service operations center.

One of the principles to keep in mind when developing practice sessions is to expect the unexpected. Too many plans have failed when needed because there was an assumption that everyone who participated in the simulations would be available during a real incident. That doesn’t always happen. Good planning should include having a designated backup for each person who will have a key role in responding to an event. The designated alternate should be part of the simulations and should be kept up to date.

Facing Reality

Ransomware is a modern reality and mandates careful risk management to include technical, operational and personnel controls (security awareness training can be highly effective), but response and recovery processes cannot be overlooked.

As attacks have evolved into even more dangerous territory involving data theft for extortion, organizations face costly financial, legal and regulatory risks. Prudent planning to develop and implement more secure technical controls, protect digital forensics data and build relationships with seasoned response and notification vendors establishes a strong foundation for handling every step of a ransomware attack. Once in place, strengthen this foundation by practicing various response scenarios until organizational memory takes over in a crisis – your team will then be in the best possible position to respond.


Tags: data breach, ransomware, reputation risk

Alan Brill and Brian Lapidus

Alan Brill is a Senior Managing Director in the cyber risk practice of Kroll, a Division of Duff & Phelps. He is also an adjunct professor at the Texas A&M University School of Law.
Brian Lapidus is the Practice Leader for Kroll’s Identity Theft and Breach Notification Practice. He has managed the response to thousands of data breaches over the past few years.

© 2019 Corporate Compliance Insights