Rising from the Ashes
How Lessons Learned from a Cybersecurity Incident Drive Ongoing Program Enhancements
October 31, 2024
It is crucial that organizations understand how to properly assess the impact of cybersecurity incidents and privacy breaches. A best-in-class privacy risk assessment can enable continuous improvement across organizational privacy and cybersecurity programs, especially when these assessments are completed following actual incidents or breaches. This understanding helps identify programmatic gaps, allowing for the implementation of robust risk mitigation controls and better alignment of cybersecurity and privacy protections with the current threat environment.
Ensuring a post-incident privacy risk assessment program is comprehensive and identifies potential gaps requires organizations to preemptively evaluate, identify, and mitigate risks associated with covered incidents. The term “Covered Incident” typically refers to a significant cyber incident that impacts the availability of information systems, or involves the unauthorized access of personal consumer information, triggering notification obligations under various cybersecurity and privacy laws. For reference, the Cybersecurity and Infrastructure Security Agency (“CISA”) has released examples of covered cyber incidents.[1]
Developing a comprehensive post-incident privacy risk assessment model will enable organizations to home in on the root cause and limit the impact of repeat incidents. A common trend in recent enforcement by the Federal Trade Commission (“FTC”) is to require Covered Incident Privacy Risk Assessments following a major cybersecurity incident or data breach.[2] However, whether required by a regulatory agency or not, conducting a risk assessment following an incident involving personal information is the optimal approach to identifying and implementing enhancements to privacy and cybersecurity programs.
Identification and Intake of Potential Incidents
It is essential for organizations to identify potential cybersecurity and data privacy incidents quickly to allow for timely incident response and reporting. The most effective way to ensure incidents are discovered as quickly as possible is to implement separate channels for incident identification. These channels can include:
- Automated and manual detection of improper internal or external access. Threat detection systems and processes can alert organizations to anomalous activity, allowing teams to investigate whether an alert resulted from a breach.
- Reporting channels for internal personnel and third-party vendors. Provide employees and third parties with a clear process for reporting potential incidents. Additionally, conduct regular compliance checks of the cybersecurity programs of third parties to ensure they are sound.
- Review of open-source and dark web marketplaces for breach evidence. Regular scans of open-source material and the dark web for organizational information can alert an organization to an internal or third-party breach that resulted in compromised data.
- White hat and bug bounty programs. These programs reward ethical hackers for identifying vulnerabilities, allowing an organization to be notified of an issue prior to an actual exploit or breach occurring.
Following the identification of a potential incident through one of these channels, an efficient intake and investigation process must be in place to ensure timely triage and confirmation of covered incidents. These processes and procedures should be detailed in a well-maintained and regularly updated incident response plan.
Breach Confirmation and Reporting
Once an incident investigation has identified that user data may have been impacted during a breach, relevant privacy and legal teams should be engaged to determine if the incident rises to the level of a breach, where sensitive information was actually accessed or exfiltrated.
Comprehensive Risk Assessments
After an incident classification is confirmed and the necessary reporting steps are taken, organizations can begin conducting a comprehensive risk assessment. These assessments should identify materialized risks based on the review and findings of the investigation. They also cover impacted risks, which are risks that were not fully mitigated following the incident. The maturity level of every risk that materialized during the incident needs to be documented and reflected in a risk register.
Remediation and Resolution
Remediation will vary based on the specific incident and incident type, but at a high level it should include the identification and mitigation of the root cause to ensure additional sensitive information is not compromised. For third-party incidents, verification that the root cause was identified and assurance that remediation was carried out effectively are required.
Resolution can be defined as the actions taken to mitigate the risk of the incident recurring, and it occurs after remediation. Should an assessment reveal that controls are not properly mitigating mapped risks, the controls need to be updated. For third parties, this should include reassessment and reinforcement of third-party compliance with security requirements and, if deemed necessary, ending data-sharing agreements.
Post-Remediation Testing
After a thorough risk assessment is complete and remediation has occurred, testing should be conducted for all newly implemented controls, and for controls that failed to mitigate the mapped risks, to ensure the identified gaps have been closed.
A comprehensive post-incident assessment allows an organization to turn a cyber incident or data breach into a valuable learning experience. Identifying the root cause and implementing controls to mitigate this risk and any others identified improves cybersecurity maturity and better positions an organization to handle future incidents.
Footnotes:
[1] “What Would Be A Covered Cyber Incident Under CIRCIA As Proposed In 6 CFR § 226.1?,” Cybersecurity and Infrastructure Security Agency (April 2024).
[2] “FTC Safeguards Rule: What Your Business Needs to Know,” Federal Trade Commission (May 2022).