With the increased risks to cyber security posed by the switch to remote working necessitated by the Covid-19 pandemic, and the ICO this month levying the highest GDPR-related fine to date for last summer’s British Airways personal data breach, cyber incident response and recovery (CIRR) is as topical as ever. Whilst no organisation can ever completely eliminate the risk of such incidents occurring, there are practical steps organisations can take to ensure they are prepared so that when the risk materialises, the response is as swift, joined-up and effective as possible.
The Financial Stability Board (FSB) released a CIRR toolkit on Monday 19 October, containing a suite of effective practices which serves as a helpful framework for companies looking to ensure that they are as well-prepared as they need to be. The FSB is an international organisation, whose remit is to promote the stability of the global financial system (with UK members including the Bank of England, the FCA and HM Treasury). The toolkit will therefore be of particular relevance to banks, insurers, and other regulated entities operating within the financial services sector. However, its recommendations are applicable to any organisation seeking to ensure that it is ready to deal with cyber incidents as and when they arise, and it provides a helpful summary of best practice in CIRR that will be of interest to board members and senior management across a broad range of industry contexts.
The FSB toolkit is divided into seven components, each of which contains several specific recommendations. A high-level summary is set out below. Key themes include the need to put in place and document detailed policies and plans covering technical response, recovery measures, and communication strategies. Organisations should consider carefully in advance which stakeholders, both internal (IT, legal, communications, risk, compliance) and external (IT security experts, PR advisors, external counsel, insurers) need to be involved and at what point of the process. Co-ordination and effective communication between stakeholders are key. Perhaps the most salient points emerging from the practices set out in the FSB toolkit are the strong emphases placed firstly on governance and secondly on preparedness. It is clear that in the FSB’s view, active engagement with CIRR strategy at board level is expected and simply signing off on plans prepared by the relevant business functions will not be sufficient, a point we have discussed with clients at length over the last few years.
The FSB recommends a risk-based approach, with organisations implementing those recommendations which are appropriate taking into account their size and the potential effects of an incident on stakeholders.
- Governance
  - While roles and responsibilities for CIRR should be clearly defined, with an individual or team appointed to act as incident coordinator and objectives communicated throughout the organisation, ultimately, responsibility for CIRR strategy and priorities sits at board level and the directors need to engage with the topic. It is vital that the board views CIRR not simply as a cost to be borne but as an investment to achieve a competitive edge. Organisations also need to foster a culture that encourages staff to report and escalate cyber incidents.
- Planning and preparation
  - As one might expect, the toolkit places particular emphasis on preparedness. Companies should establish policies to set out the involvement of different business functions in the CIRR process, as well as detailed technical plans and communication strategies for dealing with external stakeholders, engaging with experts where necessary. The FSB also recommends diversifying infrastructure and ensuring agreements with third-party service providers contain appropriate SLAs and recovery objectives, as well as appointing alternative service providers where necessary.
- Analysis
  - The use of a pre-defined taxonomy to classify incidents by type, severity and likely repercussions is recommended, with the necessary information stored in appropriately secure logs to enable swift access for root cause analysis.
- Containment
  - Companies may need to make a claim on cyber insurance policies to help cover the cost of necessary services including forensic analysis and PR services. Business continuity measures will need to be pre-defined, and organisations should consider whether to isolate elements of their systems, bearing in mind the business impact of doing so.
- Restoration and recovery
  - The FSB emphasises the importance of regularly testing back-up data, which organisations should consider keeping in a segregated system with additional layers of protection. A pre-approved restoration plan including milestones should be followed, with all restored assets validated before the resumption of normal business activities.
- Coordination and communication
  - Timely and accurate communication during a cyber incident is vital, and the FSB recommends that organisations develop written internal guidelines around communication with relevant authorities and other stakeholders according to the severity level of the incident. If necessary, a media engagement strategy should also be considered in advance.
- Improvement
  - The toolkit recommends information sharing through industry initiatives, post-incident analysis, regular tests and drills, and evaluating lessons learned with internal and external stakeholders.
During the Covid-19 pandemic, Macfarlanes has seen a noticeable rise in clients affected by a wide range of digital crises, ranging from personal data breaches to ransomware attacks. What is clear from current trends is that increased remote working practices and the rapid uptake of new technologies mean that most organisations will need to take a fresh look at CIRR and ensure their current arrangements are fit for purpose. The framework provided by the FSB toolkit offers a helpful starting point.