You've Been Hacked, Now What?
Cyberattacks are on the rise.
The total number of cyberattack-related data compromises was up 27% in 2021, and on average, a cyber-attack will cost your company over $200,000. The aftermath of a cyberattack can run much deeper than just financial costs. Here are the steps you should take in the first couple of weeks after an attack.
But first, let’s take a step back. As a starting point, you should have a response plan in place before an incident even occurs. If you do not have a response plan, you can download our checklist here.
Think you know about cyber liability insurance?
Your response to such an event can either contain or exacerbate an incident. Activating a comprehensive, coordinated plan following a cyberattack will limit lost time, money, and customers. Among these all, you limit reputational damage. Again, the key to surviving a cyberattack is having these components in place well before an attack.
Steps to take immediately following a cyberattack
When hit with a cyberattack – whether invasive code (think malware) or an outflow of data (a data breach) – there are steps you can take to minimize the damage, rectify the situation, and prevent further disruption. The following actions are necessary for organizations of every size.
Day One: Get the Facts
On day one, you need to get all your facts. Understand the severity, collect the information, and analyze the situation. Use your incident plan to help guide you. You are going to want to engage with your legal counsel and an independent cyber-security team.
Also, reach out to your insurance team immediately. Your insurance policy may have a limitation; coverage may be invalidated or denied if an incident isn’t reported within the required timeframe set out in the terms and conditions.
We know this can be scary with a financial loss, but you cannot do this alone. Please make sure you contact professionals to help you handle a cyberattack.
Days Two and Three: Eliminate the issue
On days two and three, your focus should be on eliminating the issue. To fully contain a cyber intrusion, you must quickly stop the spread of the attack and prevent further damage.
To do this, you will inevitably have to reduce, shut down or block operations. This could require you taking your systems offline or shutting down entire operating systems. If your main server is impacted, you will want to move to a backup server.
This action can sometimes have a negative impact on business workflows and services. It’s a tough decision to make, and it needs to be made based on how much risk your organization can tolerate and the type of cyberattack your company is dealing with. Running simulations or case studies as part of your cybersecurity program will help prepare you to respond rapidly and decisively.
Alongside elimination of the problem, you also need to report the incident to your regulator. Most U.S. states have statutes outlining the reporting requirements for a breach and the timeframe it must be done within. For instance, in Maryland, you must report any data breach. In West Virginia, you only need to report a data breach if its impacted more than 250 people. This timeframe is typically within 48- to 72-hours of an attack being identified.
Days Four and Five: Communicate
Days four and five require you to do some outreach. Determine if you need to communicate the issue to your employees or customers.
Alerting customers is something you want to do so quickly. It might be easy to want to jump at the chance to alert them, but make sure you have all the facts straight and know how they are impacted before reaching out.
If you establish that a customer or employee’s data has been compromised, you have an obligation to explain what has happened. Try to address any concerns they may have and outline how you are going to deal with the issue.
Be prepared to communicate the event and your response across all media, including social media, to assure stakeholders that the organization’s response is adequate. Management will need to respond to a high volume of requests from customers, business partners, vendors, regulators, law enforcement and the board of directors.
Management should also monitor and address the public’s reaction to the event, using a qualified public relations firm if necessary. Your insurance professional can help you find a cyber risk policy that offers media relations assistance as a side benefit.
Next Two Weeks: Identify & Investigate
The next two weeks following the attack are all about identifying the root cause of the issue. Start by reviewing your incident plan and determining how effective it was. Identify any key areas that you need to improve.
Find where there are holes in your security system and do what you need to do to fix them. The more holes in your security system, the more vulnerable you are.
It is recommended that you document how the incident came to light, who reported it, and how they were alerted. Also, interview IT staff and other relevant parties. According to Deloitte, your management should:
- Consider and research the possibility of insider involvement
- Identify affected systems and isolate them so no one attempts to fix, patch or alter the state of the systems
- Gather and analyze all available evidence to determine the cause, severity, and impact of the incident
30 Days and Beyond: Move Forward
In the next 30 days following a cyber event, your company should strengthen network security and enhance monitoring and other measures to mitigate future risk of similar incidents.
Make sure that you document proof of losses for business interruption claims, too. It is important to document these findings, report them to relevant stakeholders, and notify the appropriate regulatory bodies as required. Cyber-attacks will also impact future renewals, so you need to be in constant dialogue with your insurer or broker to let them know what steps you are taking to prevent further incidents.
Though a cyberattack can be stressful, having the right preparations in place can minimize the associated damage and costs. A planned and practiced response, along with proper cyber risk insurance, are crucial to your cyber defense.
Cyber liability insurance in action:
Your insurance team has access to numerous resources to help your company bolster its cyber defenses, so take advantage of that expertise as you build a comprehensive cyber risk management program.
If you need help or do not know if you have proper coverage, send us an email.