Ahhh…the jolting sound that sometimes interrupts our prime-time television programming: This is a test. For the next thirty seconds, this station will conduct a test of the Emergency Broadcast System. This is only a test.
Though they are prickly interruptions, we tolerate these tests because they are brief and, perhaps most importantly, because we understand that should a real emergency occur, the Emergency Broadcast System (EBS) would keep us informed. As it should, system testing takes place before an actual emergency, to confirm that notifications work before the need is dire. In the same way, emergency preparedness for a cyberattack should happen before an attack does. This blog concentrates on testing your emergency plan in advance of an attack and on analyzing your existing insurance policies to see whether you would be covered for the financial costs that inevitably follow such an attack.
The EBS, the CONELRAD program that preceded it in 1951, and the Emergency Alert System that replaced it in 1997 have all operated in much the same way. When we take a look at why, several underlying principles become apparent:
- It’s critical to anticipate a wide variety of potential disasters.
- It’s important to have plans in place to deal with such disasters before they occur.
- It’s critical that the plans can be implemented in a timely fashion to minimize loss.
- It’s crucial to get people’s attention, which is why the established plans are tested repeatedly, and audibly.
Similar principles apply in the business world, where we are confronted with a wide variety of daily risks, including the threat of a cyberattack. A cyberattack could be a simple hack that slows down your network, an e-mail that results in misallocated funds, or a “ransomware attack” that encrypts your files until you send the hacker a specified bitcoin amount. Regardless of the specifics of the attack, a cyberattack is a disaster that could happen to anyone, on any day. In fact, conventional wisdom maintains that it’s not “if” a cyberattack will occur, but “when.” In an address at a major information security conference in 2012, then-director of the Federal Bureau of Investigation Robert Mueller put it this way: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
How to develop your own EBS tests
As noted in EBS principle #4, people must be made aware of the possibility of a disaster. Each time an EBS test runs, it is preceded by that very specific sound, known as the Attention Signal. The Attention Signal was chosen precisely because it is unpleasant; it compels listeners to focus on the source of the annoying sound. To prepare for a particular kind of cyberattack, rather than deploying an annoying sound, you may require key management to attend an equally unpleasant task: a “tabletop exercise” focused on a specific type of cyberattack. During this exercise, you analyze how your firm would respond to the unique set of circumstances surrounding that attack.
The Department of Homeland Security provides a variety of disaster training approaches, from simple seminars to full-scale mock-ups with actors and simulations. A tabletop exercise is a relatively low-level disaster preparedness training, but a good starting point that provides great insight into the effectiveness of your response plan. By Homeland Security Exercise and Evaluation Program definition, a tabletop exercise “involves key personnel discussing simulated scenarios in an informal setting. [Tabletop exercises] can be used to assess plans, policies, and procedures.”
These exercises should be repeated often, monthly if you can spare the time, but at least quarterly. There is no limit to the number of scenarios that can be developed, and each one leads participants to examine a different part of your operations and to evaluate the protection afforded by your insurance policies and operational contingency plans. By evaluating how you would react to, and recover from, these scenarios, you refine your data breach plans and take steps to offset data breach expenses through insurance policies that actually cover the losses you are likely to incur.
To begin this process, the following are several “scenarios” that could be used for the first few tabletop exercises. They focus on the type of expenses likely incurred after a data breach, and require you to evaluate whether your current insurance coverage is applicable to specific types of losses. To complete the exercise, you need to pull your insurance policies and thoroughly read the coverage provisions, as well as the exclusions from coverage provisions, to evaluate whether a certain loss is covered or excluded. Through this exercise, you may determine that you need to request riders to your current policies or procure a separate cyber insurance policy. What you have, and what you need, may not be apparent until you read the exact language in each policy. For an excellent article about determining what coverage you need, and what exclusions may apply, read “Cyber Insurance for Law Firms” by Jeffrey A. Franklin, Esq., in the May/June 2016 issue of GPSolo, an American Bar Association publication. Studying this article ahead of the tabletop exercises will help you understand key phrases and discover the absence of important coverages you may have inadvertently “assumed” would be present.
Sample tabletop cyberattack scenarios
Use these fact patterns to closely examine your written policies and procedures and your current insurance policies. Remember, the best time to take a deep dive into insurance policy language is before a triggering event happens.
- One of your support staff lost his company-issued laptop that was password protected, but not encrypted, while meeting a client at Cracker Barrel. You have determined you need to send out a breach notification to all clients with data on that laptop. The cost of notification and one year’s credit monitoring for those clients is going to be $7,500. Can you recover those costs? Would it have made any difference if the laptop were stolen from your office? What if it were stolen from the staff person’s home? What if the hard drive had been encrypted? If you are going to offer credit monitoring, who would set it up?
- A valuable client has contacted your office and alleged that confidential information previously discussed with your firm was discovered to be in the hands of others, and the client maintains it was a result of a leak from your office. No suit has been filed, but the client demands proof that your system has not been hacked. Hiring an IT security firm to provide a report regarding the security of your system is going to cost $15,000. If you pay this fee, do you have any way to recover this payment? Does this make sense when the breach could have arisen from loss of paper files or conversations?
- Your office has been hit with a ransomware attack. All of your firm files are encrypted, and the attacker informs you that you will receive the decryption key for $25,000 in bitcoin if you respond within 48 hours. (The attacker will describe the payment as untraceable; in practice, bitcoin transactions are recorded on a public ledger, and law enforcement has traced payments.) Do you have offline backups that would let you restore the files without paying, and when were they last tested? If you decide to pay, do you have any way to recover this payment? Where would you obtain bitcoin on 48 hours’ notice? Will it do any good to inform law enforcement?
- You have recently discovered a breach, and after paying an IT firm $38,000 to analyze your network to evaluate the compromised data, it is determined that client data has been extracted. You are faced with notifying 450 of your clients and offering each a year’s worth of credit monitoring. Further, you will likely lose a bank client that constitutes about 40% of your firm’s revenue. Can you recover your out-of-pocket costs and/or the loss of the revenue associated with the lost client relationship under your existing policies? What would your letter say?
- The third-party computer service company that managed your firm’s network just called to disclose that it was hacked and the passwords to its clients’ accounts stolen (including the password it used to access your firm’s network). The third-party company advised you to immediately change all your system administrator and firm employee passwords. You do, but you also hire a new IT firm, at a cost of $25,000, to evaluate whether your clients’ data has been compromised. The new firm provides a report indicating your system was highly secure, but that the firewall rules and software patches managed by your old third-party computer service company were not updated in a timely fashion. What if you had a written contract with your old computer service company in which it provided assurances of adherence to system-related security practices? What if you had no written contract? What if you secured a copy of the old firm’s professional liability policy, but noted it had an exclusion for losses arising from the failure to timely install recommended patches?
A disciplined approach to tabletop exercises may not prevent a breach, but it will help you mitigate the risks if one were to occur. We hope you never experience a breach, but you may want to read our previous blogs “Whatcha Gonna Do When a Data Breach Happens to You” Part 1, Part 2, and Part 3.