Tips for surviving the first 24 to 48 hours after an incident | Orrick, Herrington & Sutcliffe LLP
As cybersecurity incidents become more and more complex, your initial response to a potential cybersecurity crisis matters. The decisions you make within the first 24 to 48 hours of a potential cybersecurity incident can have a lasting financial, reputation and legal impact on your business.
Building on our experience gained working on some of the largest and most complex incidents in history, including nation-state attacks with national security implications, network-wide network intrusions business, malicious and careless insiders, business email compromises, ransomware attacks and everything in between. we have prepared this high level list of Dos and Don’ts in the first 24-48 hours of a cybersecurity incident.
Make: Take steps to keep your network safe as long as your internal resources have the capacity to do so.
Make: Immediately engage legal counsel to help determine the legal obligations that flow from the incident (for example, when and how to notify), manage the crisis response and investigation, and assert and preserve the privilege over it.
Make: Identify and convene your internal incident response team which should include members of the Information Technology (IT), Legal and Public Relations (PR) and Communications team to lead the response in the event of an incident.
Make: Activate any incident response plans and business continuity plans you have in place.
DO: Take into account the need to bring in specialized third parties, including forensic firms and communications experts, where appropriate.
Do: Find out if you have cyber insurance and work with your lawyers to activate your policy.
Make: Establish a regular cadence of calls to keep all relevant stakeholders informed of developments.
Make: Consider removing communications from the corporate domain (consider a secure Teams site or similar) if the threat actor could still be in the system.
Make: Create a “real-time” factual log of all decisions made and activities carried out.
TO DO: Stick to simple expectation statements to allow you to provide a cohesive and consistent response to any immediate questions received from third parties as you develop a communications strategy.
Not: Treat every incident as a crisis. Instead, determine the organization’s level of risk and respond appropriately.
Not: Notify regulators or affected persons immediately, as you usually have more time than you think to gather the facts and determine your legal obligations. Acting hastily often results in over-notification and increased risk.
Not: Post responsive or proactive communications. Publishing incomplete or worse, inaccurate information can significantly increase legal and reputational risk.
Not: Engage directly with the threat actor without engaging specialists to determine the best way to engage and, if applicable, how to respond to any ransom demand.
Not: Notify third parties directly, including security / forensics specialists, without first engaging legal counsel, as this can lead to unnecessary chains of correspondence, documents or reports that may need to be disclosed to third parties , law enforcement and regulators at a later stage.
Not: Delete all files or correspondence as it is important to keep all documents and evidence in the event of future litigation or law enforcement.
Not: Create damaging documents. In a crisis, even the coldest heads can panic, so avoid putting things in writing with blame or disaster as these documents can and will be used against you later.