Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Okay so thanks everyone for joining us today, welcome to our first Digital Fortress Webinar of 2024 and today we are going to provide some practical tips based on our real experiences across Mishcon de Reya. A bit of housekeeping first of all, if you’ve got any questions please put them in the Q&A function not the chat function and we’ll try and address them at the end and if you’ve got any technical difficulties please put them in the chat function. If you want to get in contact with any of us directly then click on the resources tab down below and you’ll be taken to our bios and contact details. There will be a recording at the end of this session for everyone who signed up so thanks for joining. In today’s webinar we are going to delve into the world of incident response and its pivotal role in preventing or minimising the impacts of cyber incidents. So in a world where cyber-attacks are becoming increasingly sophisticated and frequent having a good and robust incident response plan is more crucial than ever so we are going to explore some of the facets of incident response from readiness and response to post-incident activities and the role of threat intelligence and we’ll hear from experts across Mishcon de Reya who will share their insights on cyber incidents and discuss how incident response strategies are evolving to meet these challenges. Thank you for joining us. Right, so my name is Mark Tibbs, I’m one of the partners here at our complex investigations and cyber security practice. I’m going to turn to Francisco seeing as he’s our primary expert on incident response to introduce himself and the rest of the panel. Thank you for joining us.
Francisco Sanches
Director, Cyber Risk & Complex Investigations, Mishcon de Reya
Hi everybody, my name is Francisco Sanches and I am the cyber risk and complex investigations director in charge of our consulting digital forensic and incident response services. Emily?
Emily Francis
Lawyer, Data Protection, Mishcon de Reya
Hi everyone I am Emily Francis, I’m a lawyer in the data team at Mishcon working on all things data protection and including advising on ways to prevent breaches and taking action when the breach occurs.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
And last but not least, Joe.
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Thank you very much Mark. Hi I’m Joe Hancock everyone. I’m a non lawyer partner on the team and I specialise in the crisis management and incident response side of our practice.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Great, thank you for joining us everybody, uh lots of experience in the room, in the virtual room. So let’s jump straight into it so Francisco can you just tell me about um the typical shortcomings observed in company’s cyber incident response plans and how these can be addressed?
Francisco Sanches
Director, Cyber Risk & Complex Investigations, Mishcon de Reya
Sure so common situations we’ve found with some of clients was they would have an incident response plan, some of them even quite drafted but they just never really tried to apply it to an incident or to use it and so people were either unprepared or the expectations of the plan were unrealistic for their organisation. Other situation common pitfalls would include that when activated incident response retainer like ourselves there would be a huge lack of understanding or documentation about the environment itself and that really delays the ability to respond because people just had all the knowledge in their heads and there was minimum, a lack of minimum set of documented information about their environment. Other bits was when incident response plans are drafted without aligning with known and recognised frameworks like 3.22. On top of that some of them would fail to link up with you know, regulatory bodies that have built and provided guidelines for organisations security and this is a loss of opportunity of making sure that they align with the compliance needs that those regulators put out there and they could have significant financial implications for not considering the development of incident response plans. Two others that come to mind would be drafting a more technical plan in isolation. You cannot isolation if you have for instance a managed sock supplier or another IT provider. You need to make sure your plan involves all the relevant parties and links up with them in a meaningful, actionable way so that it can be of use and can be acted quickly. Um it comes to mind, just what two months ago we had a client that faced an incident and called us to investigate. Now they detected the situation but the situation has happened roughly one month ago and they didn’t have an incident response plan and they did have rather good security in place however all their security log in with an adequate level of detail only gave them seven days back so that really restricted on how much we could understand and find out what was happening so.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Right so to sum it up it sounds like planning is really, really important in the incident response planning part of the process.
Francisco Sanches
Director, Cyber Risk & Complex Investigations, Mishcon de Reya
Definitely.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Yeah okay so thanks very much for that Francisco um, Emily how about, you’re one of our GDPR and data protection experts. So how about GDPR compliance you know, what can you talk us through how you’ve helped clients prepare during their incident response sort of planning um parts of their planning from a GDPR perspective?
Emily Francis
Lawyer, Data Protection, Mishcon de Reya
Absolutely so one of the key things that the UK Regulator Data Protection who the ICO look forward is that you have a clear policy in place that covers what to do if a data protection breach happens. One of the most helpful parts of this policy that we see is to have a clear reporting procedure so normally most people in an organisation won’t be the go to for dealing with a breach so what they need to know is who to contact both internally their contacts like their IT team, legal teams if you’ve got in-house legal and also then who both those teams need to turn to externally so that could be providers if the breach was actually caused by a provider, insurers and also external legal counsel if you have them to hand. And then exactly as Francisco said about having, you might have a procedure in place but it might not actually be tested for a breach if it were to come up so one of the ways that we help clients to prepare from a more practical perspective is to run a kind of table top mock data breach training exercise which is very much designed to create a safe space for the team to test out how they can respond um to any issues and identify any gaps in reporting lines and that way if a breach does happen they know that they’ve had that space to test out and how they can respond confidently.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Tell me a little bit more about that Emily, is that sort of like simulated kind of desk top exercise where everyone gets a bit of information and it’s high pressure and you, you find out how people react under pressure to these kind of like you know, a developing situation?
Emily Francis
Lawyer, Data Protection, Mishcon de Reya
Yeah exactly that so we’ll set it up in something along the lines of at 10.00am you get a just a query from a customer saying maybe, ‘I can’t log into your platform’ or ‘I’ve received this odd email’ and then we can escalate it to say perhaps an hour later you actually get an email from a threat actor to say, ‘we’ve accessed your system’ and what we really looking for is that everyone within the business knows that you’re not jumping to say, ‘let the regulators know straight’ or ‘telling all customers’ but instead you’re contacting someone like your head of IT, like in-house legal if you’ve got in-house legal so that they can then make the decision of actually where are we with our knowledge, who do we need to reach out to and they can make that assessment about what to do next.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Yeah I understand, we’ve done a few of those ourselves and you know, it can be fun when you are practising, not so fun in real life is what I’ve worked out from that. Okay so moving on past the sort of planning stages of, of incident response. Let’s talk about, we’ve got Joe Hancock our partner in our complex investigations and cyber, cyber risk practice here who’s dealt with a lot of crisis um, you know incidents, cyber incidents in particular. Joe what level of communication should organisations prepare for and how when, when thinking about a um, an incident, a cyber incident?
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Yeah thanks Mark. I mean the first point to make is that I, I always tend to defer these things to our reputation protection team who are you know, this is what they do day in, day out but um, I think Emily made a really good point which is that kind of you know, communication has to be planned managed and thought through, you don’t want a knee jerk reaction so you know, incident happens let’s notify everybody in the world that we’ve had a problem those kind of things you know it just could not actually be what it looks like on the tin. Incidents when you first get then are always kind of a bit grey, it’s a bit ambiguous you are not really quite sure what’s going on so there’s always a, there’s a tendency often people’s instinct is to over communicate especially with the information commission where they have this 72 hour clock ticking in the back of their minds because they’ve had a… been to an unhelpful presentation by someone that’s told them about that um, I am sure Emily can talk about that in a minute but the, the key thing being is making sure that communication is part of that plan and you know, we’re all going to say the same kind of things today which is plan, plan, plan, plan, plan because if you, you know fail to plan, plan to fail and all that. So there should be something in your plan on how you are going to communicate, both who’s going to make the decision, what you’re going to communicate and how you’re going to do it. That plan then needs to you know, really then be backed up by communications. Professionals, and by that I mean a plan needs to be backed up because you know, communications planning is to a certain degree its own art, you need to think about which groups you are going to communicate with and how they want to be communicated with. The classic example is everyone thinks that communicating with their customers and then sends a very dry legal customer notification which isn’t the same as how they normally communicate that causes people you know, they get all the right stuff they need from a compliance perspective but it feels a bit impersonal, they don’t like it.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
It seems conspicuous in the way that it’s kind of like presented and unusual to make people worry more almost.
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Totally. Totally and I’ve also seen the other side of it where you get what’s a marketing email disguised as a breach notification. You don’t want to do that either. The one that everyone seems to forget about is telling their staff internally you know, especially if you’ve got a widespread availability based system where people can’t work you know, you need to be communicating with people. People are going to worry, people are going to worry about their jobs, people are going to worry about what’s going on. People are then going to go and talk to their friends and that’s how stuff kind of, kind of moves around so think about those different stakeholder communities, how you’re going to communicate with them in the right way, making sure you bring comms, marketing, PR the people who normally communicate with your customers into the room to do those communications but then manage it within a framework. We did some research um a while ago now that they said the two things people were really, really wanting to know in a breach notification were you know, what’s the impact going to me, means for me and what am I going to lose financially, so you know, as long as you are kind of ticking those boxes off along with all the stuff you have to tell people, you are normally in a good place but you want that to be delivered in the right way.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
So the, the take home message here is, is carefully manage your communications, plan them but then obviously what is it they say, what was it Mike Tyson said?
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Everyone…
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Everyone has a plan until you’re punched in the face.
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Er yes which is um, where most incident response plans immediately go out the window, I mean we fail more people in exercises in the first five minutes and restart them because we’ll run an exercise, no one gets the plan out, everyone just starts making decisions and shooting from the hip.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Yeah. Um okay so moving on Joe, I think it’s you again but just because of your background and experience um in insurance but um I’ve got a question for you around cyber insurance and incident response because um we hear a lot of different things from our clients and sometimes I think there’s some sort of myths or misconceptions about cyber insurance and what it can and can’t provide so could you just um shed some light on the myths about cyber insurance and incident response?
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Yeah, no happy to and it is interesting because cyber insurance over the years has um, everyone has thoughts on cyber insurance, very few people have ever dealt with it. It doesn’t stop people commenting you know and you hear, the first I’d say myth that I hear is cyber insurance never pays out and that’s often because people are you know, have had not great experiences with consumer insurance products. They’ve tried to claim the home insurance, they’ve been in an accident and tried to claim their car insurance and frankly that ain’t a great experience but in the commercial insurance world you don’t exist very long as an insurer if you don’t pay claims and if you don’t pay claims people litigate, they don’t just kind of write it off and move to somebody else next year and so you know, insurers will pay valid claims. Now you know, they might not pay everything you want and there might be an argument around what’s in and what’s out and that kind of stuff but ultimately insurances are going to pay a claim but the key thing is it is you know, I often think if the other myth is that you’re covered for everything um, you know you do have to read and understand your policy. I mean your broker and your insurer will want to work with you to help you do that, your broker’s job in particular and often so you know we need to make sure does the coverage you have actually match the incidents you think you are likely to see um you know, insurance isn’t there to pay out based on every incident that you have, you need a level of fortuity and, and also a level there of sizeable impact or something, it’s there for those large events that you perhaps wouldn’t take major risk mitigation steps round, you know black swans or however you want to call them and so you know, an example would be you know you put good risk management in place to stop ransomware happening in the first place, incident response plan to deal with the immediate aftermath of it but if your whole business is locked down because of a ransomware attack, that’s what insurance is for. So therefore if that is one of your scenarios make sure your policy and coverage will respond to that. Also try to quantify that risk and make sure it will respond to the right kind of level. You don’t want to have worked out that your likely exposure to ransomware is 5 mil and only have a policy for 1 million. You need to think about it kind of fiscally and often the problems I see where you get that kind of tension around the not paying out is because actually somebody, what someone thought they were covered for is different from what they are covered for or they are under insured. The converse of that is you can also be over insured and be therefore paying a premium for something that you don’t need so always, always involved your broker, they are there to help you, they you know have good cyber expertise, your insurer will also want to help as well and the final point is when you have a table top exercise for your plan which I always recommend is make sure that you involve your insurers in that you know, test whether they would respond to those scenarios. Insurers aren’t a kind of black box who will only talk to you in the event of a claim; they are a good open community and will be happy to help.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
So what I am hearing from you there Joe is the sort of bottom line is engage with your insurer, make sure that that’s part of your planning process as we’ve been talking about a lot in this, in this webinar. Right thank you very much. So moving on we are going to talk about the regulator Emily and you’re in the firing line for that I’m afraid given your background. So could you just tell, let us know a little bit more about um you know, contacting the ICO and give us some examples of when you’ve done this before and how, how this has gone?
Emily Francis
Lawyer, Data Protection, Mishcon de Reya
Absolutely yeah, everyone, everyone’s favourite um regulator contact. So a key thing to be aware of is the ICO only needs to be notified if the incident meets the threshold to be reported um and just very briefly those are that if there is a risk to data subjects rights for reporting to the regulator and then the threshold for reporting to the subjects themselves is actually even higher so it’s where there is a high risk to their rights um and then exactly as Joe said earlier, in many cases it can seem that an incident is serious um but actually when we look into it further it doesn’t meet the threshold to report so one example of a matter that I worked on recently is that someone unfortunately accidentally sent a spreadsheet of 20,000 exam taker’s information to another student. The concerning part of that being that the sheet included reasons why extra time was required and therefore disclosed health data including information about students’ disabilities. So at first this could seem really serious, it’s a high volume of data and it includes sensitive records but once we dug into it a bit further we could see that actually our client had good reasons to believe the student records were sent to could be trusted not to send it any further and they’d also confirmed that they had deleted the document so there is always a risk that they could turn around and misuse it but actually at that stage we decided it didn’t meet the threshold to report, there wasn’t a realistic risk to the individuals rights at that time.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Right so, so and um tell us more about the, what I am hearing there from you Emily is actually maybe people are um slightly more sensitive to the, what they perceive as being the regulations than perhaps the regulator perceives.
Emily Francis
Lawyer, Data Protection, Mishcon de Reya
Yeah exactly that so the ICO are actually discourages over reporting to data subjects, their thinking being that if every single incident were reported then we’d all get reporting fatigue so if you get a message saying, ‘there’s been a breach you need to change your passwords’ or ‘keep an eye out for any forwarding your bank accounts’ if you are getting those like every week you are going to stop noticing it, you are going to stop taking action so the ICO’s messaging is actually only report when it’s necessary and when it meets those thresholds.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Great, very interesting thank you.
Francisco Sanches
Director, Cyber Risk & Complex Investigations, Mishcon de Reya
Right can I bring the threat intelligence and investigations angle into the loop here, so Mark is our complex investigations specialist, can you share with us some examples of how you know, threat intelligence in investigations teams can support instant response?
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Sure as we are going through the webinar I realise there’s, there’s input for you know, value for threat intelligence throughout this, this process and I know that anyway but there is sort of in, in, in general there’s three ways that threat intelligence and for those of you that are not aware of what threat intelligence means, it’s basically understanding the adversaries so looking at the attackers and how they do things to you know help your incident response or help your planning. So, and the team at Mishcon here do a lot of that work as part of our incident response procedures but there’s three ways in general that, that threat intelligence can help with the incident response um process. So it’s preparation, so it’s understanding how threat actors operate um prior to you know, prior to an incident, this is part of your planning process, you are looking at your, your threat model to see you know, what’s the sector I’m in, what’s the geography I’m in, what are the realistic threats against me, what do I have to care about so you know, for example some small businesses that have got a lot of intellectual property might be more concerned around sort of cyber espionage and then some financial institutions might be more concerned about um financial fraud for example and they will be looking at those kind of threat actors who are um, to protect against them. So there is that first stage, preparation. Then there’s this sort of consuming of threat intelligence, like strategic threat intelligence like what are the big threats that the world faces, you know, what do we have to consider in that space and then also sort of like tactical things like you know, has this piece of malware been spotted and how do I defend against it, is there a new phishing campaign that I can you know, put on some detection rules to understand you know, to find these threats in my, in my network. So that’s the kind of detection stage of it and there’s the actual incident response phase of it which our team are regularly employed to do that kind of work and what I mean by that is you know, as an incident is, is progressing we might be getting fed information from our forensics team to say we found this certain artefact, this I don’t know, piece of software or in some cases you know, evidence footprints, digital footprints that an attack has been somewhere and then we will be looking to see can we identify who that belongs to, you know is this the hallmarks of a certain group and then what can we do about that to help our incident responders find the um evidence they need or work out what’s happened so they can help our clients you know recover. I’ll give you an example of that, essentially we had one case where we found, it was a ransomware case, we found a note. The note itself wasn’t familiar, the group that had signed off the note weren’t familiar to, you know, wasn’t, wasn’t very available but by searching that note against a repository, a library of, of notes we were able to find it was actually linked to a ransomware group that had changed their name so we were able to see some of their former kind of activities, their former TTPs and tactic techniques and procedures like how they operate and then help our, you know, brief our incident response team to understand what to do about, about that and that’s the kind of, that’s the value in threat intelligence, it just speeds up your incident response, speeds up everything basically so you’re focussing on the priorities that’s what I’d say.
Right I think, I think that brings us to the end of our session actually, it’s a flash webinar which is incredibly quick so thank you very much for everybody, for, for joining in. I’ll just see if we’ve got any, any questions in our Q&A, one sec. We’ve got one, one question here for the, for the panel, I think we’ve just about just a little bit of time to do that. So someone is asking, ‘are ransomware payments legal in the UK’ so I don’t know if anyone on the panel wants to take that one?
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
I can, go on Francisco, if you want to jump in?
Francisco Sanches
Director, Cyber Risk & Complex Investigations, Mishcon de Reya
I was going to say that first and foremost I’m a non lawyer so it’s not a legal response but in essence the payment in itself, it, it’s not illegal however there are many considerations to be had before moving in that direction that should be considered make sure you make an informed decision and I think Joe can detail on that?
Joe Hancock
Partner, Crisis Management and Incident Response, Mishcon de Reya
Yeah I mean the, I can’t comment on the kind of direct legality of paying in the UK itself but the one thing I can say is that you know the, the US in particular have taken quite clear steps to sanction in particular the ransomware groups um and there’s, I think there’s a direction of travel there which is, which is you know, you, you shouldn’t be, you’d be very buyer beware when you’re paying those groups you know, you need to be very careful. Some particular addresses are sanctioned but the group’s overall are as well so if you suspect that you know through marks good fret intelligence that’s one of the groups you are dealing with you definitely need to be aware. I worry about payments more broadly, I cast no judgment as to whether people pay or not, I think in some cases it’s a good commercial decision, in other cases it’s not. What I do worry about is the industry around paying ransoms. When you’re paying, when someone is charging you a commission to make a ransomware payment or to negotiate, that doesn’t feel like the alignment of incentives to me, that feels a little bit dodgy and I worry about the connection between our industry and those groups in that case so the payment process and unpacking it, def take it, if you want to take legal advice, you want to take advice on the actual mechanism of payment and really think through how you’re going to go about doing that negotiation if payment is what you want to do. We do a whole webinar on the pay decision.
Mark Tibbs
Partner, Complex Investigations and Cyber Security Practice, Mishcon de Reya
Yeah, it’s, there’s some risks aren’t there basically so sanctions risks, there’s terrorist financing risks and just AML risks as well so if you’re making that payment you do need to check out who you are making it to and obviously sometimes that’s not very clear.
Right okay I think that brings us to a close so thank you very much to the panel, thank you very much to everyone who’s joined us. If you’ve got any outstanding questions you can send them to us and we’ll answer them by email. There will be a recording to all those who signed up so thank’s very much and again just a reminder, if you want to get in contact with us, the speakers directly, please click on the resources tab down below and you will be taken to their bios and contact details. Thanks very much everybody.
Mishcon de Reya