A cybersecurity event has occurred at your firm. Your team is deep into its incident response plan. Procedures that you put in place and have tested and improved over the years are flowing relatively smoothly to their conclusion. Forensics staff have been brought in to determine how the incident occurred, law enforcement has been contacted, and you are sharing information as necessary, both within and outside your organization. Excellent. Although it’s certainly scary, your diligent planning is guiding you through the incident smoothly. Now what? When the fire is out, the proverbial fire trucks will pack up and head home, leaving you alone. If you haven’t thought thoroughly about recovery, you will close out your incident and look up to discover that your firm is badly damaged. The incident is over, the attackers have been thwarted, but things are NOT what they were like before. What do you do now?
Recovery planning, according to the NIST Cybersecurity Framework, is broken down into three phases: planning, improving, and communicating. Each phase is unique to bringing a company back on-line in a considered manner. The planning phase could be compared to your disaster recovery plan (and indeed, some companies choose to incorporate incident recovery into their DR plans).
The recovery phase from a technology standpoint will largely be the realm of your IT department, but to be successful requires that the staff be ready for an incident that would trigger recovery. It is likely worth taking the time to ask if systems are being backed up on a weekly, or more frequent basis, if the data is tested on a regular basis, and if the backups are properly protected.The recovery phase assumes that, in line with the Council on CyberSecurity’s Critical Security Controls, your firm is automatically backing up systems on a weekly basis, and more often for sensitive operations. We recommend that you meet with your IT point person to determine this backup and restoration schedule, keeping in mind regulatory obligations under SEC Rule 204-2, Regulation S-P, and FINRA Rules 4510 and 3150.
While the technical controls surrounding backup and recovery are beyond the scope of this post, the next item should sound familiar to most readers by now: improvements. Every plan that you and your company put in place must be “alive” and able to easily incorporate changes and lessons learned. As part of your debrief every phase of your incident handling should be reviewed as well as your overall incident response plan. Deficiencies should be noted and either remediated or addressed with a compensating control. Similarly, you must review your recovery strategies as defined in the preceding paragraph with an eye towards improvement.
Finally, to close the loop on an incident, communications must be managed. The NIST framework notes in this category three distinct subcategories: public relations, reputation management, and recovery communications. Public Relations is necessary at some level for all firms that have an event that requires disclosure. Firms, regardless of size, should consider media communications policies for their staff (who can say what to whom?) and official responses, among other items. In short – as your firm returns to normal operations what is the picture that you present to the public, to your vendors, to your clients?
Reputation management is similar to public relations, but carries a longer-term connotation. One goal of a quality incident management plan and a corresponding recovery plan is to minimize the damage to the company’s reputation. In the communication phase of recovery the goal is to explain to your customers, critical third parties, and the public at large just what you have done to prevent such an incident from occurring, how you responded to the incident, and how you are going to close the vulnerability that allowed the incident to happen. It is this phase that can mean the difference between a successful incident close-out and a failure. To survive, your firm must present a pattern of behavior that has taken security into consideration every step of the way. By displaying your best efforts to protect your customers, your firm may be able to avoid the legal blowback experienced by several high-profile public companies. The important thing here is not that an incident occurred, it’s what you did to prevent the incident in the first place, how you addressed the incident, and what you will do going forward that really matters.
Finally, the activities that are being undertaken to recover the business back to a reasonable state of operation must be communicated to stakeholders and effected teams. Data owners and managers of departments that have been impacted by an incident need to know what steps are being taken to bring them back on line. They will need to know what has been impacted and how they may need to adjust their operations going forward. Finally, management and executives must be made aware of the incident and subsequent recovery. This is not only a general best practice, but it will help the high-level of the company to define strategy and resource allocation going forward. Most importantly, there is an explicit understanding that upper management and board-level members of a company are required to address cybersecurity.
Every company must address incident recovery if it wants to survive in the modern age. This does not need to be an insurmountable task. Indeed, we recommend that every company grappling with the issue address it in a manner that works effectively and takes into consideration its data security needs, size, and potential threats. A simple, well-thought-out plan is worth a thousand boiler-plate complex plans that do not consider specific risks. Most importantly, however, is the notion that your recovery plan be a living document that is regularly considered. Threats are changing on a daily basis, and technology continues to develop and an accelerating pace. By taking the time to consider recovery today, you may find yourself staring at a little easily-reparable smoke damage to your company when the fire trucks leave, instead of just a foundation and a few smoldering ashes.
Further Reading (Links will open in a new window):
 In Line with the Council on CyberSecurity’s Critical Security Controls for Effective Cyber Defense.
 Vis-à-vis Aguilar’s 2014 Speech “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus.