When addressing cyber risk and the threat of ransomware, we focus most of the time on prevention and mitigation strategies. However, being prepared to respond quickly and efficiently when an event does occur is just as important to operations recovery, cyber event cost reduction, and brand/reputation protection. Having a well-defined, documented, and regularly tested Incident Response Plan (“IRP”) that aligns with your Disaster Recovery/Business Continuity Plan (“BCP”) can help your organization recover from, and remain operational during, a cyber breach event.
The FBI report released in May 2016 provided sobering information on cyber-crime. In 2015, the Internet Crime Complaint Center (“IC3”) received 288,012 complaints totaling more than $1.07 billion in reported losses. $1.6 million of that total was due to ransomware. It is important to note that these numbers are based only on those incidents that were reported to the FBI. Let’s face it: cyber risk is real and cannot be ignored.
Despite your security measures and risk mitigation strategies, your organization has been breached. What now?
- Activate your plans – Contact the plan administrators and assemble the teams. The organization’s IRP and BCP should help you navigate a cyber incident when stress levels are high and time is of the essence.
- Contact your cyber insurer and report the incident/claim – Your Cyber Liability Insurance policy should have instructions on how to report a claim and will usually include contact information for the insurer’s cyber breach hotline.
- Notify your IT department – IT should begin to determine the breadth of the breach and trigger the Business Continuity Plan to reestablish access to data, systems, and applications.
- Restore corrupted or encrypted files from a local or offsite backup (if possible) – If restoration from backup is not available during a ransomware event, consider paying the ransom to obtain the key to decrypt your files.
- Do a deep dive on the breach – Determine the cause and learn where your vulnerabilities are. This will help prevent further breaches and, perhaps most importantly, help you understand which files were viewed or stolen by hackers. Was any Personally Identifiable Information (“PII”) or Personal Health Information (“PHI”) stolen or made public?
- Determine notification responsibilities – Notification laws vary from state to state. We have recently published a blog post on the subject. Refer to your state’s breach notification law, as your organization may be required to notify parties whose information was impacted in the event.
The recent article “What to Do After a Ransomware Attack” from Risk Management Magazine discusses several of these points in greater depth.
If you need assistance developing a cyber risk mitigation strategy, documenting an Incident Response Plan, or purchasing a cyber insurance policy, please contact us for more information.