Cybersecurity

Consumer faith in cybersecurity is essential to establishing trust in the digital environment. But with cyber-attacks becoming increasingly common, how can companies ensure that their preparation for and response to a threat do not negatively impact the level of trust placed in their organization? Below we provide a step-by-step guide to the first 24 hours of incident response.

Introduction

It’s 10:00 p.m. on a Friday night. You get a call from your IT department informing you that your organization has been hit by a ransomware attack that has significantly disrupted business operations. A wave of anxiety hits; you begin to feel overwhelmed. You know you need to act, but you don’t know where to start. What do you do? 

In today’s cyber threat landscape, situations like this are increasingly common. For most organizations, it’s no longer a question of if the organization will suffer a cyber-attack – it’s a question of when.  And, of course, the inevitable uncertainty of how you will fare in the face of it. As a result, it is critical to be prepared. 

Making thoughtful choices in the initial 24 hours following discovery of a cyber incident can determine how smoothly – or roughly – the next days, weeks, and months will go. Oftentimes, the negative fallout of an incident can either be significantly mitigated or greatly exacerbated in the immediate aftermath; it is imperative that legal teams know the appropriate steps to support their organization during this critical period.

What are the critical steps that legal departments must take during the first 24 hours of cybersecurity incident response? 

 

Contact external legal counsel

For more significant cyber-attacks, one of the first steps that an organization should take, during the first 24 hours, is to engage their external cybersecurity counsel to advise on incident response strategy and to maximize the privilege that can be asserted over communications and documents relating to the incident. 

Outside counsel can guide you through every step of the process, helping your organization define and implement the various workstreams, timing, and risk considerations appropriate for the particular incident. The Hogan Lovells global incident response team has accumulated extensive experience across thousands of incidents, and can bring invaluable foresight that will help your organization avoid costly mistakes. It is vital to engage experienced external counsel to guide you through this critical 24-hour period and beyond. (And later in the process, outside counsel can help you identify contractual and legal notification obligations that may have been triggered by the incident and prepare notifications to regulators, customers, and individuals.)  

Launch a privileged forensic investigation 

Once a cybersecurity incident has been detected, it is important to quickly learn about what happened, where it came from, and the extent of compromise, while also confirming that the incident is contained, the attacker is eradicated, and damage is mitigated. 

For more significant incidents, your outside counsel should quickly engage third-party cybersecurity experts to conduct a forensic investigation under privilege. Having the investigation directed by external legal counsel will help to bolster claims that forensic findings, reports, and communications related to the incident are protected by the attorney-client privilege and work product doctrine, which will be critical if the incident results in litigation and also may be helpful for regulatory enforcement. 

Assess insurance coverage 

Cybersecurity incidents can be costly and some insurers require that you notify them of incidents quickly. Your organization will want to quickly identify any possible insurance policies that may provide coverage. Counsel can help you assess your policy and, if applicable coverage exists, notify your insurer of a potential incident. Throughout incident response, your insurer may request certain information, and external legal counsel can help you present the incident accurately in a way that minimizes exclusions. 

Develop a communications strategy 

Perhaps a cybersecurity incident has brought a business function to a screeching halt and your customers are asking questions. Or perhaps a threat actor has identified your organization as its victim or publicly leaked your data online. In these and many other scenarios, you will want to quickly develop a public relations and communications strategy to address inquiries from customers, employees, the media, and other interested parties. External legal counsel can help you do so in a way that addresses these parties’ concerns while helping you avoid making statements that could increase the risk of  litigation or regulatory enforcement actions down the line. 

Consider engaging a negotiation vendor 

In the event of a ransom demand, you may want to consider engaging a specialized negotiation firm.  Even if you do not want to pay, you should discuss options with outside counsel, as often the negotiation process can be a useful way to gain information or delay destructive actions by the threat actor.

Consider contacting law enforcement 

Consider contacting law enforcement to gain intelligence about your attacker. In the case of ransomware, it can be especially helpful to contact law enforcement, as the large ransomware gangs typically have the full attention of dedicated law enforcement teams who can provide significant information and recommendations and, in rare cases, can even assist in retrieving stolen data or cryptocurrency or provide decryption tools. In cases where an organization is considering paying a ransom, contacting law enforcement is even more important, as working with law enforcement can mitigate the risk that you may be paying a sanctioned party. In some cases, insurers may also require that the incident be reported, and regulators and consumers tend to regard this positively.

So how can your organization best prepare to execute these steps when an incident occurs?

BE PREPARED. You can take steps today that will pay off down the road.

Key recommendations

1. Line up your outside vendors in advance

In the valuable time following an incident, don’t be stuck shopping for vendors you’re comfortable with and standing up new contracts. Establishing a relationship with outside counsel and other experts before an incident starts will allow your outside advisors to hit the ground running in the wake of an incident. 

2. Inventory contracts with customers and business partners

Identifying agreements with notification requirements in advance will make it easier to assess what contractual obligations may be triggered by a given incident. You might also identify VIP customers or business partners to help prioritize contract review and communications ahead of time.

3. Prepare, practice, and refine your incident response process

An effective, tailored, and current incident response plan will unite your organization’s internal functions to efficiently manage an incident and minimize damage. Outside advisors can help prepare the documents that will guide your internal stakeholders to properly execute their incident response roles and make sure the right decision points are raised and steps are taken at each juncture. Confidence that your incident response plan will be effective in the face of an incident comes from regular testing and refinement of the plan in advance. Hogan Lovells can assist with this preparation.
