When it comes to cyber security there is a great deal at stake

By Chris Wilson, Senior Associate at CMS

According to recent Government figures, 93% of large organisations and 87% of small businesses suffered at least one information security breach in the last year.

The total cost amounted to billions of pounds, and the problem is only getting worse. High-profile cyber security breaches like those at Yahoo, Marriott International and even Mumsnet.com make headlines every week. In the UK the average cost of a data breach has grown to nearly £2.7m according to IBM research, and the reputational damage can be incalculable.

With targeted cyber attacks increasing in their scale and frequency, managing cyber risk should no longer be seen as simply an IT issue. There is a great deal at stake. As well as direct theft of money or digital content, which may include intellectual property and confidential information as well as personal data, an organisation may suffer reputational damage, loss of clients and disruption to its operations as a result of a cyber attack.

And in the post-GDPR environment, there is also the potential for regulatory action leading to fines and other penalties, criminal investigation or prosecution, and legal claims from customers or employees.

As with other business-critical risks, prevention is better (and very considerably cheaper) than cure.

At CMS, we recommend proactive risk mitigation, to help guard your organisation against cyber attacks and ensure you are fully prepared if the worst does happen. But incidents do and will occur, and there are three key phases that require special attention: breach preparation, immediate breach response and longer-term clean-up. This article focuses on what you should do in the immediate aftermath of a breach happening.

The first 48 hours after a breach incident are critical. How companies react in the first two days after a breach can have a significant effect on the overall impact the breach may have.

As a minimum, companies should:

  • Focus on restoring business-critical services, identifying interim fixes/safeguards and implementing enhanced monitoring.
  • Issue timely communications to customers and affected parties, being honest and clear on implications.
  • Be consistent in messaging across all communications channels, but don’t be tempted to say more than you actually know.
  • Implement your data breach response plan and make an assessment on whether or not personal data is involved.
  • Talk with your legal advisors in order to maintain privilege in communications.
  • Be clear on the triggers for reporting to the ICO or other authorities such as the Police and notifying potentially affected individuals.
  • Ensure you have adequate resources in the right place to meet the increase in customer service demands and enquiries through alternative channels, and listen to what customers are telling you.
  • Notify your insurer under any insurance policy.
  • Keep a written record of key events and decisions.
  • As more information becomes available, keep an open mind and be prepared to adjust your approach and messaging.

In the longer term, management will need to address a range of medium-to-longer-term issues that will arise. There may be a need to deal with any regulatory investigations into the company, for example, and – depending on the impact of the breach – a voluntary and proactive customer redress scheme might be prudent and appropriate.

Management will need to prepare for possible claims against the company, whether by customers who might have suffered financial loss or by individuals whose data has been compromised. Management will also likely want to explore the company's own claims against third-party suppliers who might have been at fault, or against the bad actors responsible for the attack.

And, of course, management will need to focus on the immediate and longer-term reputational impact caused by such an incident.

Our experience, however, is that effectively managing the first 48 hours after an incident usually makes dealing with the longer-term issues significantly easier.
