When a cyber attack occurs in most organizations, the top priority is to address the urgent technical needs- lockdown systems, limit proliferation, and deal with any ransomware or potential data exfiltration.
Security teams go into battle mode, focusing on the task at hand, often discussing theories, insight, suggestions, root cause analysis, and potential solutions across a wide variety of channels—email, instant messaging, phone calls, etc. They've trained, practiced, and prepared to meet an attack head on, and now it's "go time."
Unfortunately, one critical component is often overlooked in the chaos: legal impact.
From European GDPR breach reporting to new Securities and Exchange Commission (SEC) disclosure requirements, US OFAC's sanctions on ransomware payments to potential class action claims, cyber incidents have become a legal minefield. In the midst of fighting the fire, unless you've considered, trained, and simulated the legal aspects of your digital forensics and incident response (DFIR) protocols, you could be putting your organization at risk of turning one incident into another.
Joining cyber and legal
To avoid compounding the problem with another crisis, here are six reasons why joining cyber and legal is so important:
1. Assume you will end up in court.
Regardless of whether attackers are ever brought to justice (which is highly unlikely), law enforcement may be involved. Unfortunately, cyber attacks fall into the type of crime in which the victim (the company attacked) is named and shamed. It's such a unique situation that even the FBI has issued a statement assuring cybercrime victims that they'll be treated fairly and respectfully.
Aside from reporting, there are also disclosure requirements. For example, in the case of publicly traded companies in the US or matters related to personal data in Europe, you are legally required to disclose the attack.
This means that, as part of your DFIR planning, it's imperative to consider the legal ramifications of a cyber attack. So, start by bringing your legal team to the table and working backward from a potential case to identify and remediate any gaps in your protocols.
2. Everything is discoverable.
You may have heard of the Miranda rights: if you've ever been arrested, anything you say can and will be used against you. The same goes for cyber incidents, as SolarWinds has learned the hard way. Anything your team says before, during, or after a breach —whether in draft form, verbal, email, brainstorming, or even taken out of context— can be discoverable in a legal action.
That's why it's essential to develop communication protocols with a legal mindset and train your staff on how to use them.
Organizational awareness is critical. Teams must understand the discoverability and potential risk of assertions- even if informal- around security governance and in your actual disclosures. Any third parties who are part of your incident response or investigation are also on the hook. An experienced DFIR provider should know the difference between facts and opinions.
3. Personal liability is on the line.
It's not just the organization that's at risk. In the event of an attack, the CISO and anyone suspected of obfuscating or misrepresenting security posture, protocols, or response can be called to the stand and held personally accountable. While the fate of SolarWinds' CISO remains uncertain, Uber CISO Joseph Sullivan was prosecuted but spared jail time and instead sentenced to three years of probation for his role in covering up their 2016 data breach.
Obviously, these cases and the now-mandated SEC disclosure requirement underscore the need for transparency, but they also up the ante on the potential legal risks in the event of an attack.
4. Historical data matters.
If you're under the microscope due to a cyber attack, an adequately maintained incident response log may be critical evidence. That said, records from prior incidents or information about your security controls may be examined as part of an investigation.
Therefore, risk registers, issue logs, and incident remediation plans should never be treated lightly. Audit reports, for example, have been regularly used as key evidence in several cases highlighting weaknesses in internal controls, including security.
So, ask yourself: How many overdue security remediation actions do you currently have? What does that say about your security posture?
5. Criminals are taking advantage of mandatory disclosure.
As if it wasn't bad enough that attackers can inflict massive damage very quickly and often get away with it, some are taking it further.
Taking advantage of the new SEC disclosure rules, cybercriminals now have the audacity to review their victim's filings and report omissions, adding further pressure to pay ransom demands.
This means that aside from the double-extortion scheme, that is, pay for the key to decrypt, or we'll leak your data or DDoS you, we now have a quadruple-extortion technique. Don't fall victim to this - be sure to have a mandatory reporting strategy in place with critical discoverable data ready for disclosure.
6. External assurance can help.
Having a defensible position has never been more important. Conducting your own risk or compliance assessments, attesting your security controls, and exercising your incident response plan all align with good practices.
However, objectivity and independence are valuable attributes only a third party can bring. Working in partnership with a reputable cyber security service provider, in any capacity, helps you demonstrate due diligence in your decision-making process. It may also prove critical during a contentious situation after a breach.
Innovate your approach to incident response planning.
Embrace the attacker mindset.
Thinking like an attacker extends beyond just how they might infiltrate and move through your IT environment and organization– but also how they might implicate you personally and your wider organization through exposure of the incident or your compliance regime.
Attack Path Mapping is an innovative example in which NCC Group helps clients identify exploitable weaknesses based on real case attack scenarios. This approach enhances your risk and compliance assessment.
Test your plans.
It's not about lawyering up; it's about legal proofing your incident plans proactively.
Experienced DFIR practitioners are used to working with internal and external legal counsel, helping to assess the forensic readiness of IR protocols and, where needed, working to remediate technical gaps.
They can help you simulate attacks to attest to your preparedness, often in tandem with legal, to manage any risks effectively.
Protect incident data.
At NCC Group, we understand the importance of discretion and confidentiality. We work with your team to agree on communication protocols, including requirements for operating under legal privilege with your legal counsel.
The legal ramifications of an incident can linger for years to come. Unfortunately, preserving digital evidence is not always a priority during a crisis. We have the tools and experience necessary to help you secure the chain of custody across multiple jurisdictions following guidance from legal counsel.
Global Head of Digital Forensics and Incident Response, NCC Group
Alejandro has over two decades of experience advising private and public entities on technology and cyber risks. Before joining NCC Group, Alejandro was a Forensic Partner at KPMG, where he also led their DFIR services, acting as an Expert Witness on several cases. Buckingham Palace has recognized him for his collaboration with the UK Government in improving cyber risk awareness of boards across the FTSE350.
Alejandro specializes in digital investigations ranging from external cyber attacks and internal investigations to technology litigation and commercial disputes. He is responsible for NCC Group's DFIR capabilities, leading a global team of practitioners assisting clients to prepare for and respond to digital threats.
Become ready for anything.
Contact one of our experts today to discuss your incident planning and legal strategy.