Opinion
Got a cyber crisis? Meet the breach coach
Cyber crises should be approached quickly, but not rashly. Breach coaches, corporate lawyers joining forces with cyber crisis experts, provide a comprehensive solution that also enjoys attorney-client privilege.
Joe Sullivan, former Uber CSO, was recently sentenced to three years' probation and 200 hours of community service. In 2016, he conspired with founder and then-CEO Travis Kalanick to bury a major breach of millions of customer and driver records by using the ride-hailing company’s bug bounty program for the hackers’ ransom and hush money. When the new CEO, Dara Khosrowshahi, got wind of the scheme, he came clean and threw Sullivan under the taxi, going so far as to testify against him. All this could have been avoided had the company handed the cyber crisis management over to a breach coach, rather than leave it to its infamously reckless chief.
Cyber crises are messy, as hackers wreak technological, financial, regulatory, operational, reputational, and other havoc. All hands are called on deck: CISOs try to find and plug the holes, Public Relations Officers scramble to answer press inquiries, CFOs are looking at expected costs and losses, COOs find alternative ways to continue business operations, Heads of Customer Service recruit extra temporary customer success managers to field the barrage of customer rage, and the CEO has to explain all this to their board of directors, a slew of regulators and the general public.
Simply charging ahead would lead to chaos, with separate teams working in different, sometimes conflicting directions, while neglecting other critical issues. Football and basketball players need a coach, planes and computer games need controllers, orchestras and trains need a conductor, and companies in a cyber crisis need a breach coach, a role that’s emerged in recent years, giving sound advice, a good word, and moral support. You know: Coach.
And as any coach knows, teams work best when they’ve had a chance to get to know each other, train and practice together. So rather than waiting for a crisis, good breach coaches prepare the client in advance, building internal and external crisis teams, training them, and practicing using tabletop exercises, or cyber crisis simulations, which allow them to dry-run a crisis that’s tailored to their business’ needs and probable risks.
Better call Saul
Who you gonna call? Insurance companies, who feel the brunt of the mushrooming cyber attack market, are deeply involved in their clients’ cyber crises. To minimize the crisis damages, and the subsequent juicy check from the claims department, the insurer recommends the client hire a breach coach. Corporate lawyers are a perfect fit for the coach job: they develop long-lasting, sometimes personal, relations with their business clients, becoming confidants intimately involved in the company’s engagements, coordinating managers, even mediating and arbitrating between them, and finding and employing external experts for the business. Lawyers serving as breach coaches become cyber crisis management project managers, or showrunners, if you will. Another big advantage for the risk-averse client is the warm security blanket called attorney-client privilege, covering coach-client discussions, and arguably extending to the other professionals employed or hired by the coach.
No two cyber crises are alike. They differ in the attack flavor (business disruption, corporate espionage, ransomware, data breach, hard-disk wiping, money theft, etc.), the hackers’ affiliation, motivation, and endgame, to name a few. Each kind of crisis requires different expertise, strategy, and tools. Teaming up with cyber crisis experts or firms, breach coaches can bolster their capabilities, integrating additional expertise into their services, including incident response, PR and communications, regulatory compliance, ransom negotiation, cyber forensic investigations, and more, taking a holistic approach to their client’s woes. Such a 360° service can ensure a comprehensive response for mitigating and recovering from a wide variety of cyber crises.
One important aspect is ensuring that the client’s third-party vendors have their own robust cybersecurity, and are able to offer alternatives in case of service interruptions. A breach coach can contribute in those contract negotiations, taking technical and business feedback from the cyber crisis firm and translating it to legalese. A cautionary tale is OKTA’s ‘22 breach, executed through the laptop of a contractor for third-party vendor Sitel. Sitel commissioned an investigation from a forensic firm, and only shared a summary with OKTA two full months later. It took five more days, and the hackers going public with the breach, for Sitel to hand OKTA the full report.
In the event of a cybersecurity breach, swift and effective incident response is critical. A breach coach can alert the cyber crisis firm’s IR team, which swoops in to assess the situation, remove hackers and backdoors from the system, collect cyber forensic evidence, return to business as usual, and write up a report detailing what exactly happened and what needs to be done to prevent it from happening again. The breach coach is integral to this, advising the company along the way on how to avoid getting into legal trouble in the process, such as how to communicate internally without misspeaking in a way that could later be misconstrued as an admission of responsibility or guilt.
Besides being an operational pain, cyber crises tend to also be a huge public relations headache. Notifying the public of the incident and reporting it to the regulators is a tightrope act of providing all mandatory information while not divulging trade secrets, private information and non-essential materials that could exacerbate the situation. Cyber crisis PR and communication experts assemble an all-encompassing PR strategy, conferring with the breach coach, who helps navigate the legal intricacies of notification requirements and breach disclosure obligations.
Cyber crisis crews include negotiation pros to talk directly with ransomware hackers, while the breach coach can work in the background, assessing the lawfulness of paying a ransom, checking the hacker’s connections to sanctioned organizations or nation-states, constructing the full terms of the deal, and forging the legal rationale for an insurance reimbursement for the ransom, in addition to the other damages and the cost of dealing with them.
One key area of current cyberattacks is data being stolen, then sold or leaked, especially in light of stringent data protection regulations, like the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Professional cyber crisis firms can assist clients in aligning their practices with these regulations, conducting privacy impact assessments, implementing robust data protection measures, and dealing with data leaks. The breach coach may issue leaking platforms with cease-and-desist letters, and legal requests for information about the identity, location, and technical details of the hackers posting the data, as well as deal with the inevitable subsequent civil and class-action lawsuits.
Dr. Nimrod Kozlovski is Partner & Co-Founder, and Ido Kenan is VP Content, at Cytactic.