
After a cyber breach: React and recover the right way transcript


Alan Mak

Welcome back to our webinar series on Cyber Attack Prevention and Recovery. My name is Alan Mak. I'm a partner and the national leader of Forensic Disputes and Investigations here at BDO Canada.

Our last webinar focused on how organizations can mitigate the risk of cyber attacks and prepare for the inevitable cyber attack. Our on-demand webinar series is available to watch and revisit on our website at bdo.ca.

Our discussion today now turns to the aftermath of a cyber breach and how you can react and recover as quickly as possible while minimizing damage. We all know that cyber threats are getting more and more sophisticated. Virtually all organizations are at risk or are actively targeted. In this discussion, we'll dive into what you should do once you have been a victim of a cyber attack.

Joining me today is my colleague, Chetan Sehgal, a partner in BDO's forensic team; Rocco Galletto, partner and our national leader in cybersecurity; and our special guest, April Kosten, who was a partner at Dentons and specializes in privacy law and breaches.

Welcome, and thank you for joining us today. Let's get started.

This may be a silly question, but as I reflected on it, I think it's actually a question that makes a lot of sense. How do you know that you have been breached? And it occurred to me it's a silly question, but oftentimes you may not know because the bad guys don't actually knock on your door and say, "Here I am." They just come in and take whatever they want.

So how do you know you've been breached? Rocco Galletto, can you share your thoughts with us on that?

Rocco Galletto

Alan, it's not a silly question at all. In fact, if I rewind back to early in my career, it was quite often that organizations wouldn't know. They would be notified by a third party that they've been breached.

Now over the course of the last few years, to your point, threat actors have kind of changed their tactics. The types of attacks that are coming out and hitting organizations are those that are, I'll call, louder and very apparent. So it's quick to realize when you've been hit with ransomware because your systems are just inoperable.

But even today, what quite often happens is that organizations are still notified externally, although internal teams are getting better at detecting these attacks in real time. So the detection capabilities are getting better, but notification still often comes from a third party, where it might be law enforcement that calls in a tip to say, "Hey, we've seen some data leave your environment, or we've seen some ongoing persistent connections."

And usually, law enforcement would know about these because they're monitoring them as part of a broader campaign, and your organization may have been part of that campaign. So, you end up getting the tip call from law enforcement or government in some cases, and they've got amazing systems to be able to detect this type of activity across our infrastructure.

The other way that organizations are able to detect is through newer technology solutions that help identify threat behavior and also people who are providing security services, whether that's internally provided, or they rely on the third party, and they're able to detect anomalies and then quickly mobilize to try to mitigate any risk.

And then finally still, it's the smash-and-grab-type attacks where it's just so obvious. It's ransomware, our systems are inoperable, and at that stage is when panic usually sets in.

[Often through an external third party. Through newer technology solutions and security services that identify threat behaviour and anomalies.]

Alan Mak

So, let's turn our minds to it: it happens, it happened. Your organization has been hit; you've been notified. You've discovered it one way or another. Hopefully, it's not everything being frozen. What are the first steps that you should take?

I think each of you, from your different specializations and perspectives, will have something to offer, so why don't we start with April Kosten. What would be your advice to your clients once they've discovered that they've been the victim of a cyber attack?

April Kosten

I think the first thing you want to do is assemble your team and notify legal as quickly as possible. And the reason why I'm going to say...

Notify legal quickly. This is not self-serving but necessary to enable privilege over all subsequent actions taken in response to a cybersecurity event. Whether it’s engaging external third parties for the investigation, discussing risk mitigation strategies, or planning notifications to affected parties, you want as much of that communication and action covered by legal privilege. In order to achieve this, legal should be involved from the outset. Legal can act as a quarterback, coordinating the incident response process and helping to retain external experts. Once legal is engaged, any instructions they provide to third-party experts can also be covered by privilege.

Another important step is to quickly identify what has been taken, especially personal information. From a privacy perspective, it’s crucial to determine which personal data has been compromised. This is vital because there are obligations to report breaches to regulatory bodies as soon as possible, as well as to notify affected individuals so they can take the necessary steps to protect themselves. Identity theft is one of the most significant risks when personal information is exposed, and individuals need to be informed promptly to take protective actions.

Once the breach has occurred, it’s important to have someone familiar with the process, who specializes in cyber breach recovery, guiding the response. While you may have trusted business advisors or corporate lawyers, they may not have experience handling cyber breaches. The key is to have experts who can immediately provide a strategy and clear next steps.

When an organization is hit by a breach, it must ensure that external counsel is involved to preserve privilege across the investigation. This includes any discovery and root cause analysis. This ensures that sensitive information is protected not only for the organization but also for individuals who may be affected by the breach. Identifying what data has been taken is another critical step in the process. Understanding what was accessed and by whom helps in assessing the risks, including potential identity theft or exposure of corporate secrets. It's essential to meet regulatory obligations while managing the investigation, triage, and recovery efforts.

Additionally, having an external, independent party involved in the process helps provide a second set of eyes, ensuring the organization is viewed as responsible in its recovery actions. Even though the organization may be the victim, once the breach becomes public, it must demonstrate accountability and take the right steps in its response.

In terms of recovery, evidence preservation is key. Whether for insurance purposes or public image, documenting the breach is crucial. This includes noting what happened, when it happened, who was contacted, and the actions taken. Team members involved in the incident should keep detailed notes on their observations, reactions, and actions throughout the process. Proper documentation becomes important as insurance claims unfold, and understanding the cause of the breach helps ensure the organization is meeting its regulatory obligations while managing the recovery process.

As the organization works to stop the attack and plug the hole, it is easy to overlook the reasoning behind certain actions taken. For example, some expenses incurred during the response may be covered by the insurance policy, but others may be related to efforts to improve systems for future protection. Understanding the reason for each expenditure helps clarify what is necessary for the immediate response versus long-term business improvement.


[Assemble your team.

Notify the legal team to enable privilege on all actions.

Identify what has been taken, especially personal information]

Alan Mak

Good advice, and it comes to mind that, given the need to react quickly and for sound advice in terms of quarterbacking, as you say, figuring out what the next steps are, it’s important to keep in mind that you actually want someone who’s very familiar and comfortable with the process. You may well have a trusted business advisor who’s a corporate lawyer for your business, but that person may not be experienced in recovering from cyber breaches. And so you really want someone who specializes in this field so that there’s no learning curve and someone can hit the ground running with ideas and a strategy right off the bat.

Rocco Galletto

Yeah, I couldn’t agree more, Alan, with what April described. The number of times we get a call out of the blue from an organization that hasn’t engaged external counsel to help support the investigation and make sure, to April’s point, that we’ve got privilege across the investigation, any of the discovery that we do, and even root cause analysis in many cases. You just want to keep that information tight so that you’re protecting not only the organization, but any individuals that might be impacted.

Chetan Sehgal

Back to the insurance angle, evidence preservation is huge. Whether it’s from an insurance recovery perspective or for other reasons such as public image, knowing what happened, when it happened, and what the cause of it was will go a long way. So my biggest tip: document everything, document everything. Detailed narratives of what happened, who was contacted and when. What did we know, and when? Have the people involved in the team take detailed notes of what they’re seeing, how they’re reacting, what they’re doing.

Are you looking to replace them a year from now, or something like that? Bucketing those costs into the right category will be very important for your insurance claim from a recovery perspective.

Now, thinking about the other impact on your business: many times cyber insurance policies neglect, to some degree, sufficient coverage from a business interruption perspective, or loss of profits, if you will. Documenting how the incident will impact your revenue generation, and the expenses that you may need to incur, all of that will again be very important.

So again, coming back to documenting everything, creating perhaps specific general ledger or accounting codes to keep track of those costs will serve really well when it comes to actually pursuing your insurance claim.


Engage external counsel to support the investigation and ensure privilege across the investigation and discovery.

[Identify what has been taken to perform a proper risk assessment.

Understand the potential harm from a privacy standpoint.

Ensure regulatory obligations are met and perform responsible investigation, triage, and recovery steps.

Demonstrate independence by having an external party guide the process.]

Alan Mak

Very good, that's actually a lot of good advice, of course, but there's an element of, again, knowing what to do when it happens as opposed to figuring it out, and that goes to understanding what you need to keep a record of, how to document your expenses, how to categorize them. It's just having that game plan going forward. And I think there's a consistent theme throughout all of your advice about knowing what to do, when to do it, how to do it, and it all goes to timeliness, I think, because time is of the essence. When these things happen, you really cannot afford to learn as you go. You have to have your plan ready to execute, and it brings to mind one example that I can recall where, because a victim of a cyber attack had a plan, they actually had lawyers ready on standby, on retainer, ready to go. When they found out they had been hit and it resulted in some unauthorized transfers from their bank account, they were actually able to trace, freeze, and recover almost all the payments. It happened within two days, 48 hours. But because they were able to do that, because they had the plan of action ready, they were able to react very, very quickly, and that's probably one of the few really good news stories that I've been able to come across in this type of work.

Okay, so that's what you should do. Let's turn our mind to what you should not do. This may be a more interesting conversation. I think we've all seen some mistakes from our clients. Let's share some of the lessons that might have been learned. April Kosten, what are your thoughts on what should not be done by clients, by organizations if they've been hit?

April Kosten

Yeah, so I think one of the biggest things is that they need to take it seriously and not just pretend like nothing's happened. I think quite often something happens, people get scared, they don't know what to do, and they freeze. Take it seriously, I don't want to be a Negative Nelly but assume the worst and get people engaged quickly. Don't minimize what's going on. I mean, ideally, it's not a big problem, but if it is, it's gonna get to be a huge problem very quickly. So, I would say one of the big things that I unfortunately see clients do, especially when I'm engaged quite late in the game, is try to fix it themselves and think it's not a big deal, and you really don't want to do that. You're just gonna create a lot of issues going forward trying to remediate the problem.

Alan Mak

Yeah, for sure, and I'm thinking about that in terms of if an organization's been hit, they might have lost some money already, they've got resources that are compromised, they may not be thinking about spending more money. They're trying to save money where they can. But in the long run, that could end up costing you more because again, going back to even though you're victims, you also have responsibilities to your stakeholders. And if you don't act properly to mitigate and close off the gaps, then you're opening yourselves up to more liability later on.


[Take it seriously; do not pretend like nothing happened.

Avoid trying to fix the problem yourself.

Engage professionals quickly.]

Alan Mak

Okay, let's go back to what we did in our last session and I'll ask for your top tip then of what insights might you be able to share? From your past experience as professionals, as experts in this field, what would be your most important tip or insight that you would want to leave with our audience?

Chetan Sehgal

Yes, absolutely, Alan. I'll go back to the example I wanted to mention around a client experience. We had a client who had a large-scale attack, a multi-jurisdictional international organization. All their systems went down simultaneously, and there was a ransom request of close to $50 million US. And ultimately it was sort of negotiated, and again, Roc can probably talk about this better and how it was negotiated with the people, the fraudsters, but the insurance company advisors were able to negotiate that down to I think about $5 million and get the data back, but the client never recovered the way they were previously.

What was important for us was that they had all sorts of insurance coverage to perform incident response, perform recovery analysis, and even business interruption coverage, but what they didn't have was sufficient professional fee coverage. So they had to incur the costs: they needed the help, it’s a large-scale attack, so they had to hire all these professionals, but they didn't have sufficient coverage, so they had to pay out of their own pocket. So that's sort of a lesson learned for the future. When you are looking at policies, make sure you have sufficient coverage. Engage with good insurance advisors.

The second thing is, this happened a few years ago, and the claim is still being discussed, and this goes to my point earlier about documenting everything. And why that's still going on is because we have all these expenses that were incurred by various consulting firms, tens of millions of dollars really, but some was spent to plug the hole, the incident response, some was spent to future-proof, and some was actually improving their systems going forward.

So now they had a fight with the insurance company to say, well, what is it really that we give you insurance for, and what should we pay for? And now we don't have the people to respond to because it's been going on for years and there's been a turnover of people, of personnel. This is where, again, documenting everything comes into play. So I just wanted to bring that home with an example.

Alan Mak

Thank you, that's very helpful. And actually, earlier in your comments, you were talking about professional fee coverage. I wanted to comment earlier because you mentioned the interplay between cyber insurance and business interruption. It's a very good reminder to have good discussions with your insurance broker to make sure that you have the coverage that you need. Insurance is not necessarily a one-stop shop. It often isn't, so it's important to understand what your risks are, what your potential losses are, and to make sure that you have the coverage that you need. Rocco, what would you like to share about your lessons learned or your insights from helping clients react to breaches?

Rocco Galletto

The biggest, maybe two, lessons learned: one is prepare for the worst, always have a plan, and then the other piece, and April talked about this, is around just making sure that you're not going at it alone. I've seen from time to time where organizations rush through. They don't have a plan that they're following, they don't hire external experts to help, and they rush through what they believe is a containment of the incident and then a recovery of their business, only to find out later on that perhaps some things were left open and adversaries might still have access, or they just didn't really put enough controls around the environment, so it leads to a subsequent attack later on. So the big thing is making sure you're preserving the evidence, you're not going at it on your own, and you're not just doing quick recoveries and hoping for the best. It's truly about a pragmatic approach: making sure that you look at each of your information technology systems and making sure that what is happening across those systems is expected behavior, and that you are safe and secure before you continue to operate at a fully recovered state.

Alan Mak

Thank you, yeah, those are some good tips. Not something you want to tackle on your own, for sure. April?

April Kosten

Yeah, so I think I completely agree with everything that's been said already. Another one I think is really important, it goes to something Rocco said earlier about setting you up for success so that there's no perceived biases happening. It's really important that everyone on your response team has no preconceived notions as to what's gonna happen and what the outcome of your investigation is gonna be. Unfortunately, often, whether through negligence or intentional, part of the cause of an event is going to be an employee or someone that you have a friendship with or respect or a colleague, right? And that's why it's so good and important to engage those third-party individuals to actually conduct the investigation so there is no bias and that everyone's kind of going in expecting the unexpected and addressing those concerns without blinders on.

[Have a plan in place.

Preserve evidence.

Engage external experts.

Ensure sufficient insurance coverage.

Document everything for future reference.]

Alan Mak

So, thank you, April, Rocco, and Chetan, for joining us today and sharing some of your insights. Fortunately, there are professionals who are available to assist. Whether they be us at BDO or at Dentons or whoever your trusted advisors are, I think that the lesson to take away is that it's important to rely on those who know what they're doing to help you get out of an unfortunate, but likely inevitable situation. Thank you for joining us.
