ÀÏ˾»úÎçÒ¹¸£Àû

When it comes to cybersecurity, it is not a question of ‘if’ but ‘when’ a cyberattack will happen. So how can an organisation best protect itself? On 21 June 2016, the ÀÏ˾»úÎçÒ¹¸£Àû In-house Advisory Board met to discuss the challenges of cybersecurity and the role of education and communication in helping to prepare against a threat.

The session, facilitated by Marc Dautlich, partner in the TMT group and Head of the Information Law team at Pinsent Masons, opened with an exploration of how cybersecurity attacks range in scale and how that affects an organisation’s response. It is crucial to be able to deal with any attack in such a way that financial and reputational damage is kept to a minimum.

Education and communication

The Board members discussed the importance of running simulations and awareness campaigns to educate employees as the first line of defence. Such initiatives help the organisation prepare as much as possible for a cyberattack, and can include, for example, sending fake phishing emails to ascertain employees’ responses. Can they detect a threat? Do they know what to do and who to report it to?

Privilege

Organisations often commission a report to fully understand a cyberattack. The Board considered whether the cloak of legal privilege should be thrown over such commissioned reports in terms of their vulnerability to future disclosure to third parties. Privilege is a huge issue and needs to be considered early on. This can be a problem as the underlying facts and extent of an incident aren’t always known in the very early stages.

Preparing for a cyberattack

Many elements of a response plan can be pre-prepared. The main recommendation discussed by the Board was to run simulations for the executive response team. Knowing what to expect and how people react allows an organisation to formulate more effective communication and reporting processes. In many cases, a cyberattack involves an organisation’s supply chain and it is important to understand the implications of this. It is one of the most vulnerable channels and presents significant risks.

Public relations

PR responses can be written in advance, but there still needs to be a response plan to deal with situations as they develop. It was recommended that organisations consider the question ‘What do you want your customers to do in response to notification of the problem?’. Is there an action they should take (for example, change their password) or is it the case that they just need to be informed?

It is possible to make a much more credible PR statement if the organisation can show that it had not been careless and had taken the appropriate precautions (eg by ensuring it has a compliant culture, the right policies and training).

Conclusions

The overwhelming takeaway from the Advisory Board meeting was that organisations can never rehearse or prepare too much for a cyberattack. The most important measures to set in place include:

• Identifying key stakeholders
• Identifying an overall decision maker/lead
• Creating a risk register
• Ascertaining legal liability of third parties (for breach of contract and/or negligence)
• Making time to assess the situation and your organisation’s response
• Being custodians of reputation.

 Read a full summary of the ÀÏ˾»úÎçÒ¹¸£Àû In-house Advisory Board meeting here.