When any organisation is faced with a cyber-attack, confident, timely and laser-focused decision-making is key.  

During this Cyber Security Awareness Month, Melanie Hart – a Partner at the law firm Kingsley Napley specialising in Cyber-Response work – reflects on what a day in the life of a Cyber-Response lawyer looks like and why it is important that diverse voices are present in any Cyber-Response team.

The Emergency call

Cyber-attacks can happen at any time of the day, particularly in a global organisation, but often begin outside typical working hours as threat actors seek to capitalise on the ‘human factor’ in any Cyber-Response plan being unavailable.   As a lawyer, I am alerted when either our clients contact us directly or we are brought in via Cyber-Response insurers/brokers to provide assistance.  An urgent call with key stakeholders is immediately convened and any existing Business Continuity/Cyber-Response plans are dusted off.  My number one tip to my clients is, to make sure your Business Continuity plans are accessible from many different sources!  There is no point in having a carefully crafted and practiced plan only to find that the one individual who has it is on holiday or that it is saved on a part of your system which has been compromised!  

The four Rs of response

The advice which clients need varies depending on the exact nature of the attack, which systems/data have been impacted and the sophistication/preparedness of the organisation.  During the first few hours and days following an attack, I will typically be advising and guiding my clients through;

Recovery (and ransoms) what exactly has happened and how can it be recovered?  Clients are often surprised that ‘the techies’ will not have immediate answers to these questions.  It will typically take days, rather than hours, to really get to the bottom of how the attack occurred and how, if at all, recovery will be possible.  In complex attacks, answers are sometimes not available for weeks. Whilst ransom demands do not occur in all cyber-attacks, when they do the legal, regulatory, financial and practical implications of paying, or not, must be carefully worked through.

Right team, right timewho needs to be involved? I will work with the client to understand what capabilities they already have in place and what needs to be galvanised. Typically, an attack response needs technological, legal, communications, and leadership expertise. Key stakeholders in the organisation need to be involved and I recommend forming a small ‘red team’ from across the relevant stakeholder groups so that informed but quick decision-making can occur. It is also important to work out who does not need to be involved.  A ‘too many cooks’ scenario can quickly develop leading to slow decision making which can be fatal.  Equally, if the attack is such that the business, or parts of it, can continue unaffected then it is critical that those parts of the business, and those that manage them, are freed to be able to continue servicing that work.  Organisational gridlock can otherwise set in.  

Regulatory response when and who to notify? I will consider with my clients any regulators who will need to be notified.  If personal data has been compromised then notification to the Information Commissioner’s Office (ICO) in the UK – and any local equivalents depending on where the business and the data are based – will be necessary.  This must be done ‘without undue delay’ and no later than 72 hours after becoming aware.  Other regulators may also need to be notified depending on the nature of the client’s business, the impact the attack has had on operations, and whose data (staff, customers, regulated individuals, third parties) is impacted.  

Reputation management who to tell, what, and when?  During the first phase of any response, when the picture is often still unclear, it is important to communicate clearly to both internal and external stakeholders.  Even if the technological and logistical issues can be dealt with relatively quickly, if the communications piece is not front and centre of any plan, the detrimental effects – amongst staff, amongst customers, amongst markets – can be devastating.  

Diverse voices in crisis response

At its core, Cyber-Response work is crisis management at its most intense.  It requires good-communication, problem-solving, flexibility and agility. Genuinely diverse teams, which ultimately produce diversity of thought, are critical in navigating any crisis where the impact of each minute by minute decision made by an organisation can determine ultimate success or failure in terms of recovery.  Whilst women are typically poorly represented in technical cyber-security roles (although that is changing, slowly), the fact that any Cyber-Response team should involve organisational leaders, lawyers, communications professionals, insurers and technical experts means that there is plenty of opportunity for a Cyber-Response team to have diversity of thought and approach.  

Planning and preparedness

An increasingly large part of my workload is helping organisations to build Cyber-Response plans and periodically testing them via ‘cyber-exercises’.  A key component of building ‘cyber-resilience’ is being prepared in the event that something does go wrong.  Every organisation should operate from the assumption that it will be the victim of a successful cyber-attack in the near future. The chances of successfully recovering from an attack are infinitely increased if an organisation has planned for such an event and practiced its response logistics.


Read more of our articles here.