Improve your readiness for a high impact cyber incident

Every business is vulnerable to a cyber breach, and the way companies prepare and respond is critical. Small lapses in security can result in large data incidents. John Macpherson, Ashurst Risk Advisory's head of cyber advisory and international security expert; Rhiannon Webster, Ashurst's UK head of data protection and cyber security; Jon Gale, a dispute resolution partner with experience of handling major cyber-attacks and data breaches and related litigation, and Will Chalk, a partner specialising in corporate governance, share their 5 recommendations all executive teams and boards should take to maximise their chances of rapid recovery in the event of a worst case scenario.

1) Audit your data

You need to understand what data you have and why you have it. Webster comments: "In companies subject to the GDPR, the data storage limitation principle obliges businesses processing personal data to justify how long data is being kept and to delete it when it is no longer necessary." Many of the recent public breaches have exposed companies for having historic data with no justifiable need. Macpherson adds: "Doing an exercise now so that you really understand how data moves through your systems and whether you are holding onto data that you don’t need, can save you days or even weeks of investigations in the event of a cyberattack."

2) Practice decision dilemmas

Chalk advises: "Leadership teams and boards need to simulate a variety of crisis scenarios. Decisions will need to be made in a highly stressed environment where the difference in delaying by 30 minutes could have huge consequences." MacPherson adds: "often these are decisions which are made without the luxury of adequate time to investigate and assess the situation so you're operating in an information vacuum. Building muscle memory for dealing with these high impact events and decisions can prove invaluable."

3) Don’t assume that paying a ransom will guarantee the safe return of your data

Businesses often consider in advance whether they would pay a ransom if they were subject to a ransomware attack.

Gale adds: "We are often asked whether it is illegal to pay a ransom in the UK. The short answer is no. It is legal to pay a ransom in the UK provided that the payment does not amount to either a breach of sanctions or terrorist financing and appropriate due diligence is therefore critical. The legal position is however only one consideration in making the decision to pay a ransom, you will also need to consider the ethical, reputational and commercial consequences of making a decision to pay". MacPherson shares his experience that: "hackers are very good at encrypting your data but they are not so good at unencrypting it".

4) Take a risk based approach to cybersecurity

Being compliant doesn’t mean you are secure, advises Macpherson: "Companies need to take a risk based approach and consider their own risk profile when making decisions such as the amount to invest in cybersecurity and whether to purchase cyber insurance. Cyber insurance costs are on the increase and obtaining insurance now means handing over a lot of details about your systems and processes. This in itself presents a risk as insurance companies themselves are increasingly being targeted by criminals."

5) Communication is key

Whether it is with customers, shareholders, regulators, or the market, there are various stakeholders and third parties with whom you are either obliged or will need to communicate with during a data breach. Webster comments "that you are often juggling legal obligations and ticking regulatory timelines whilst still undertaking investigations to establish what data has been impacted". Macpherson advises: "One of the abiding lessons from the latest breaches is that companies need to get comfortable with communicating uncertainty with more clarity. You may need to manage customer expectations: they may think companies will be able to tell them exactly what has happened very quickly with high levels of confidence, but in reality, it can often take weeks to get any degree of certainty".