By: John Cleary, Shareholder, and Kayleigh Shuler, Associate, Polsinelli PC, Tech Transactions and Data Privacy Practice Group
Recent years have seen companies large and small continue to grapple with the much-feared cyber incident. Yet surprisingly few have meaningful and up-to-date incident response plans (IRPs) in place to manage and mitigate this threat. Such plans, if properly designed and updated, can spell the difference between strong mitigation and recovery from an incident and prolonged, crisis-driven recovery or no recovery at all.
With 20 or more practitioners in this space, and over 1,500 cyber and data privacy incidents addressed and resolved to date for our clients, the Tech Transactions and Data Privacy Practice Group at Polsinelli PC has seen the positive role played by IRPs and the proactive corporate culture exemplified by IRPs in the cyber and data privacy sphere. This blog entry, jointly with Bernstein Crisis Management, will share some of those experiences and best practices.
There is no mystery as to where IRPs come from. They are a natural outgrowth of crisis management imperatives at the C-Suite level of well-run companies, often addressing such non-cyber subjects as product recalls, natural disasters and workplace violence. Cyber incidents bring their own set of challenges, but the need for advance planning and coordination, teamwork and practice in the cyber realm is every bit as important as in other realms. Further, to put the matter beyond doubt, IRPs for cyber risk are required by law in certain states (such as under the New York Department of Financial Services framework) and industry sectors (such as health care).
This brings us to the first challenge. If an IRP were just another policy or procedure, there should be little hesitation or burden involved in enacting an IRP and making it official company policy, or in outsourcing the creation of an IRP to an outside consultant. But, quite obviously, a meaningful IRP is far more than a document or policy. It is a change of perspective and priority across an organization, fully embedded in the C-Suite and prioritized by company leadership. It is not an exaggeration to say that a meaningful IRP is a “living document,” which must steadily grow and evolve to keep pace with the cyber threat environment and with the deepening and maturing of the company’s cyber defenses.
A second challenge is to ensure that the IRP empowers and drives a well-led team of responders across multiple company departments, disciplines and areas of expertise. The competing imperatives here are self-evident. The IRP must be comprehensive while at the same time adaptable to various types of cyber incidents. The IRP must be known, understood and practiced by key players at the company while sometimes requiring limited “need to know” circulation given some of the potential sensitivities involved. At its best, an effective IRP will recognize the multiple disciplines within an organization that must be mobilized and swiftly brought into alignment in a crisis situation. This includes technical team members of course, but also legal, human resources and public relations experts, as well as the executive or executives with authority to act quickly and decisively in an emergency. Each aspect of the IRP must be considered in conjunction with the plan as a whole such that a single, cohesive plan remains in place over time. Collecting input from all stakeholders while developing the IRP (and again throughout its life) is key to ensuring that, if and when a crisis hits, everyone understands their responsibilities and who is in charge of what.
The third challenge in creating an effective IRP is that, even though it is an evolving plan and is reflective of many voices (as described above), it must also be concise and clear. The IRP is not the place for excessive technical or IT jargon and lengthy lists of job responsibilities, skill sets and “how to” information about various computer system parameters and capabilities. Instead, the IRP should assume that the key players come to their roles with an understanding of how to do their jobs in a non-crisis atmosphere and should adapt those capabilities to working effectively and collaboratively in a crisis. The bottom line: to be useful to your business in a time of high stakes and high stress, the IRP must be targeted and readable.
In short, creating or updating an IRP for cyber incidents can be a daunting task. Putting in the effort upfront, however, puts you and your team in a much better position to address and resolve such incidents in an efficient and effective manner.
We are pleased to join with Bernstein Crisis Management to bring these points to your attention. Your comments and feedback would be most welcome.
Polsinelli provides this material for informational purposes only. This material is not intended to provide legal advice and should not be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues and considerations. Receipt or review of this material does not establish an attorney-client relationship. This material may be considered attorney advertising under the rules of certain jurisdictions. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements.