Proactive cybersecurity measures may prevent attacks and scams, but what actions should you take in the event of a cybersecurity incident?

Google reported that in a single week in April, it prevented millions of malicious coronavirus-related emails from reaching Gmail users¹. Further, both the FBI and the Federal Trade Commission have issued warnings to raise awareness of fraudulent email scams related to the coronavirus pandemic.²

These cybersecurity scams and attacks appear in many forms. Fraudsters send “phishing” emails where the sender, appearing as a trusted government entity or financial institution, requests confidential financial or personal information. Sometimes, these individuals “spoof” email addresses to appear as an employee’s colleague or boss, like the CEO or President of the company, and request wire transfers to fraudulent accounts. Or, under the disguise of a person of authority, hackers post links asking unsuspecting employees to review documents containing malware, which then allows access into the business’s network.

Good, proactive cybersecurity measures may prevent these attacks and scams. But, especially during this time when many employees are working from home, hackers persist in attempting to locate the weak link within companies. Accordingly, businesses should prepare for when (not if) a cybersecurity breach occurs. Companies should consider the following actions in the event of a cybersecurity incident:

Upon suspicion of a cybersecurity incident, companies should gather the key decision makers and their IT team to investigate the cybersecurity incident and develop a prompt strategy in responding to the particular incident. The first step must be to determine the nature of the incident, quarantine the threat or malware, and remove the malware and/or prevent future access to the company’s network and data that was breached. Hackers have returned to a compromised company years later to find their malware still exists on the company’s network. The business may need to engage a cyber-forensic investigator to determine the scope of the breach and to ensure the prevention of future access.

a. Outside Attorneys: With any cybersecurity incident, attorneys should be retained to determine whether any applicable statutory and regulatory laws require specific immediate disclosures to those impacted and other actions taken by a company. Many states have their own requirements for when and who a company must notify about a cybersecurity incident. Further, certain types of data, such as protected health or biometric information, require compliance with separate statutory notification procedures. Often, these notices must occur within a few weeks of the breach. Failure to comply with any applicable data breach notification laws can result in serious penalties and liability.

b. Insurance Providers: Companies should immediately review all insurance policies before any incidents to make sure they are covered in the event of a cyberattack. Sometimes, more than one policy may cover the costs and losses. For example, one insurer may cover the costs to retain the third parties who act to address and remedy the incident while another may cover the actual monetary loss resulting from the incident. Companies should submit claims to their insurers as soon as possible. Similar to the notification laws, insurance policies mandate a company’s timeliness in submitting a claim.

c. Law Enforcement: Informing law enforcement about a cybersecurity incident is critical because they can provide resources toward the investigation of the breach and the recovery of stolen information or funds. For example, in the event of a fraudulent wire transfer, the agencies will contact the banking institutions directly in an effort to recover the stolen funds. Law enforcement may even provide knowledge regarding a particular hacker, which can inform companies on how the hacker gained access or whether a ransom threat is credible. Some insurers may require reporting the incident to law enforcement as well.

Once the IT team or forensic investigator identifies what occurred, the company should restore the integrity of its technological systems, including repairing its network, changing employees’ access controls and passwords, and replacing corrupted versions of certain data. At the same time, the company should document its efforts to identify, mitigate and resolve the incident, and preserve all evidence of the cybersecurity event, including any access, theft or fraud. Following the incident, executives should maintain daily audit calls to manage any fallout or to ensure the hacker does not regain access.

Tardy reporting by an employee and poor responses by the company’s executives often exacerbates the harm caused by a cybersecurity incident. Accordingly, companies should maintain a written incident response plan and conduct regular training of employees on cybersecurity measures. On an annual basis, businesses should review and assess their current cybersecurity measures and determine whether such measures should be increased or changed. Implementing proactive measures may also demonstrate a company’s reasonable efforts in attempting to prevent cybersecurity incidents if legal disputes and regulatory action arise from an incident.

²Federal Trade Commission, Coronavirus: What the FTC is Doing, https://www.consumer.ftc.gov/features/coronavirus-scams-what-ftc-doing; Federal Bureau of Investigations, FBI Urges Vigilance During COV-ID19 Pandemic https://www.fbi.gov/coronavirus.