First 24 Hours: Effectively Responding to a Cyber Attack
Responding to a cyber attack can be challenging for any organization. It can be particularly devastating for a law firm given the confidential nature of the data it holds about its clients. While the operational, financial and legal impacts flowing from a cyber attack can be quantified, the reputational impact is more difficult to ascertain and, arguably, more pronounced for a law firm given the “trust” relationship lawyers have with their clients.
Hackers are smart, motivated and constantly evolving their attack techniques. No organization can guarantee it will not be the victim of a cyber attack. That said, law firms that are victims of an attack will be judged not by the fact that they experienced an incident, but rather by how they responded to it.
There is a direct correlation between being prepared and good outcomes. We provide below steps law firms should take in the first 24 hours to ensure they are effectively responding to a cyber attack.
Initiate Your Cyber Incident Response Plan (CIRP). This document will be your guide. It outlines what steps need to be taken, when and by whom. It lists the partners you will need to call and keeps other useful information at your fingertips. Keep a copy somewhere that does not depend on the firm’s own network, since the systems that hold it may be the very ones that are encrypted or offline when you need it.
Notify Your Insurer. Cyber insurance typically covers direct vendor costs (e.g., breach counsel, forensics, crisis communications, etc.), extortion payments, business interruption and third-party claims flowing from the incident. Each policy is different, so make sure you understand how it works, what it covers and how to trigger it. CLIA members can report an incident by email (cyberclaims@clia.ca) or by phone (1-833-383-1488), advising that you are experiencing an incident, giving a brief overview of the incident and stating whether your IT service provider is assisting.
Call Your Breach Coach. The breach coach is a lawyer specializing in cybersecurity and privacy matters. The lawyer will retain the necessary vendors (see below) and assert legal privilege (where appropriate and applicable) on the overall investigation into the incident. The breach coach under the CLIA program will assist in assessing the scope of the situation and identify the next steps to be implemented. Specifically, the breach coach will assist with the steps outlined below to ensure best practices are followed.
Costs for the breach coach’s time are typically covered under the CLIA policy, subject to your deductible and limit.
Assemble Your Response Team. This includes internal staff and external vendors. Depending on the type of incident, the team should include your internal IT team (or third-party Managed Service Provider), breach coach, forensic firm, possibly a ransom negotiator, crisis communications firm, etc. The breach coach will typically retain these firms so that legal privilege can be asserted over the relevant work product.
Prepare Communications. This includes messaging to staff and clients (some of whom may contractually require notice of a security incident within 24 hours). Have a reactive media holding statement and FAQs (for inbound questions) that can be rolled out quickly, if needed.
Reporting. Notify the law society and report the incident to law enforcement. Breach counsel can assist with the process and the types of information to be shared.
Set Up Recurring Calls. To ensure everything is moving in the right direction, set up daily calls to track the various workstreams. It is critical any issues be identified and quickly dealt with to ensure the response process (including containment, restoration and investigation) is moving along smoothly. At the beginning, multiple calls a day may be required. As time goes on and a work rhythm is achieved, calls may be less frequent or may be replaced with emails.
The above is not an exhaustive list but rather a high-level gameplan to be implemented, at a minimum, in the first 12 to 24 hours. It is important to adjust to the facts as they evolve and not be too scripted when dealing with a cyber attack.
When in doubt, lean on your experts, such as your breach coach, forensic firm and ransom negotiator. Getting through the first 24 hours effectively will set the firm up for a positive outcome.
* Imran Ahmad is Partner and Co-Chair of Cybersecurity & Privacy at Norton Rose Fulbright Canada LLP. He has dealt with thousands of security and privacy breaches and is the author of several books on the topic. He is also an adjunct professor at the University of Toronto, Faculty of Law, where he teaches cybersecurity law.
Greg Markell is President and CEO of Ridge Canada Cyber Solutions (RCCS). Ridge Canada is a managing general agent, focused on providing insurance solutions for clients’ cyber and privacy needs.
For more information, see the recorded webinar, Cyber Scams and Breach Coaching, presented by Greg Markell and Imran Ahmad at the CLIA Peace of Mind Virtual Conference (October 24th, 2024).