Preparation Essential for Corporate Breach Response

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Oct. 27 — Having a prepared, educated response team is essential in dealing with a cybersecurity breach, members of an Oct. 27 cybersecurity desk top risk response exercise agreed.

Incident response to a cybersecurity beach is a “team response,” but there needs to be a leader heading the effort, Deputy Assistant Secretary Greg Touhill, Department of Homeland Security Office of Cybersecurity, said during a panel session following the table top exercise.

“There must be CEO buy-in,” Bloomberg BNA President of Legal David Perla said, noting that cybersecurity breach response should be an executive-level problem. Perla played the role of the general counsel for the fictional U.S.-based multinational Cartwright & Hamilton (C&H).

The public demonstration of a cybersecurity simulated incident C-suite response session was presented by Deloitte to expose members of the media and interested stakeholders to the role such a “Cyber Wargame” plays for corporations seeking to improve their cybersecurity preparedness. In the demonstration hypothetical, C&H, a company with over 80 product brands ranging from beauty products to foods and beverages, has particular concerns about how customers will react to being informed that the customer, employee and company data may have been compromised.

Know the Targets, Vulnerabilities, Risks

Advance planning to work out the kinks in a company's breach response through cybersecurity incident wargames is crucial. Speaking during the panel after the simulation exercise, Rep. Will Hurd (R-Tex.), chairman of the House Oversight and Government Reform Information Technology Subcommittee, said that it is important to ask, “What is the attacker trying to get?” In order to know what to protect, a company must first know the adversary's target, Hurd said.

It is essential to promote digital hygiene and identify employee vulnerabilities, such as careless workers, participants added. Team-building—identifying hiccups in communication and interpersonal relationships—is also important, as is identifying in advance where relationships with forensics, communications and other outside vendors may be necessary.

During the risk response simulation, Perla highlighted analyzing the value of business relationships with third party vendors. Even with due care and due diligence, one must still address third party risk, he said.

The first few hours after discovering a cyberattack are vital and how a business reacts has significant short and long term effects on a company's ability to effectively deal with shareholder, regulatory enforcer and customer scrutiny in the wake of a breach, the participants in the exercise agreed. Throughout the incident response, Perla said, the chief executive officer must be “the CEO of the company, not the CEO of the crisis.”

Joining Perla in the C-suite for the imaginary C&H were:

• Touhill as the chief information officer;

• Deloitte Cyber Risk Services U.S. Leader Ed Powers as the chief executive officer;

• Delotte LLP Vice Chairman and U.S. Consumer Products Leader Barb Renner as the chief operating officer;

• Verizon Enterprise Solutions Risk Team Managing Director Bryan Sartin as the chief information security officer;

• Deloitte Advisory Chief Marketing Officer Chris Patterson as the chief marketing officer;

• Deloitte LLP Chief Risk, Reputation and Crisis Officer Chuck Saia as the chief risk officer; and

• Deloitte Advsiory Federal Practice Cyber Leader Deborah Golden as the chief financial officer.



Long Term Response

In addition to exploring the immediate short-term response to the cyberattack as a team, mock-CMO Patterson said it's important to “think ahead, starting on day one.”

Perla said companies should “identify the long term costs of responding to a cybersecurity breach.”

Having a company's top lawyer involved from the start can go a long way towards minimizing the risk from litigation filed in the wake of a cyberattack, the participants said. Make sure to draft response statements with the company's general counsel, he said.

Where consumers are involved in a breach, there will certainly be class action complaints filed within days if not hours of the disclosure of the incident. In addition, shareholders will be scrutinizing carefully the company's actions in responding to the breach if the company's stock value declines. Employees of the company will want to know whether their information was also breached and also seeking reassurance about the company's future.

Following a cyberattack, protect the evidence trail and involve outside counsel as soon as possible, Perla advised. “Insulate risks as much as possible,” he said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

Request Bloomberg Law: Privacy & Data Security