Shamoun Siddiqui, PhD, CISSP
CISO, Neiman Marcus Group
Breaches – Two Weeks in 2018
April 3, 2018 – registration information for up to 7 million consumers
who created an account on Panerabread.com was exposed
April 1, 2018 – hackers stole payment information from 5 million
consumers via store payment systems; 125,000 card numbers
found for sale on the Dark Web
March 29, 2018 – MyFitnessPal app is breached and registration
info on up to 150 million users is hacked
Late March 2018 – [24]7.ai, a customer service operations
company, reported a breach that occurred in Sept/Oct 2017 and resulted in
the access of payment information from its client companies
Source: First Data Corporation
◦ In 2017 there were 1579 data breaches that were reported and recorded with an estimated 179
million records exposed
◦ The number of data breaches represented a 44% increase over the number reported in 2016 and the
number of records lost was up by 400%!
◦ As of the week of April 16, 2018
◦ Number of reported data breaches = 319
◦ Number of data records lost/stolen = 11 million +
Source: Identity Theft Resource Center
• For organizations that store, process or transmit sensitive information, a data breach is an
eventuality. A data breach represents a “cybersecurity crisis”!
• No organization can achieve complete and total cybersecurity
• Avoiding a cyber crisis comes down to:
◦ Managing the incident before, during and after it unfolds
◦ Ensuring that a cyber incident is not seen as purely an IT issue by company execs
◦ Ensuring the multiple functions across the company are aware and prepared to deal with a cyber crisis
◦ Realizing that a poor response can exacerbate a crisis
• A computer incident could refer to day-to-day security incidents such as malware infections or application or
network disruptions involving limited information disclosure. Incidents are handled routinely as per the
Incident Response Procedure, and limited visibility may be provided to the CIO and other executives
• A cybersecurity crisis refers to a more serious situation that has the potential to cause significant financial,
reputation or brand damage to the company. Examples include a major denial of service attack, known or
suspected infiltration by bad actors or loss of large amounts of sensitive data. The company’s C-suite
needs to be notified and typically stays engaged until closure
A computer incident can quickly escalate into a cybersecurity crisis
Source: Deloitte - Cyber crisis management Readiness, response, and recovery
• Company’s executive leadership lacks sufficient understanding of their roles or what information they
will need in order to make decisions during a cybersecurity crisis
• Information security team practices incident response in isolation from the executives and business
leaders
• No playbook exists defining actions and/or decision points for responders
• If processes have been defined, they are rarely tested for effectiveness
• Triggers to escalate an incident to senior management are not clearly defined
• Communication protocols are not defined and templates do not exist
• There are no clearly defined guidelines on when to engage law enforcement, internal/external
counsel or when to notify affected parties or customers
• Cyber security insurance coverage either does not exist or is unclear
• An organization must be ready to:
◦ Respond quickly and effectively
◦ Provide information to a multitude of internal and external stakeholders
◦ Update or change existing agreements / arrangements with business partners
◦ Respond to legal or regulatory requirements
◦ Engage in proactive communications to public and media
◦ Monitor social media channels and respond accordingly
• Home Depot
◦ Responded within hours of breach confirmation
◦ Took full responsibility and apologized
◦ CEO personally apologized in a well-written letter
◦ Set up a call center to handle 50,000 calls per day
◦ Within 2 weeks updated their technology
• Anthem
◦ Self-discovered the breach and announced immediately
◦ WSJ called it a textbook case in effective crisis management
◦ Anthem created a dedicated website to provide updates on the breach
◦ Website clearly identifies who was affected and exactly what was lost
• Uber
◦ The company concealed the breach
◦ Paid hackers $100K to keep it quiet and delete the data
◦ No apologies and no statements from the CEO early on
• Equifax
◦ Took more than a month to disclose
◦ Completely ignored the significance of the emotional connection between company and consumers
◦ Created a website that was not on the corp domain, resulting in numerous phishing messages
◦ Required more personal data and provided a vague response
◦ Credit protection agreement included a clause that excluded consumers from a class action
Source: Deloitte - Cyber crisis management Readiness, response, and recovery
• Team composition
• Staff training
• Periodic testing
• Communication plans
• Executive involvement
• Executive training
• Critical third parties
• Communication channels
• Tools and technologies in portfolio
• Forensic capabilities
• Threat intelligence utilization
• Incident response plans
• Critical business applications and processes
• Business limitations and acceptable risk
• RTO and RPO requirements
• Resource requirements for recovery
• State and federal notification requirements
• Law enforcement engagement
• Effect on compliance mandates
• Obligations to affected parties and stakeholders
• Root cause analysis
• Cleanup
• Lessons learned database
• Additional people, process and technologies
More reading: https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-cyber-pov.pdf
Step – 1: Involve Your Executive Leadership Team
This includes the C-suite, i.e., CEO, COO, CFO, CIO, CCO
This includes business unit leaders, i.e., EVPs, SVPs
This includes representatives or delegates from Legal, HR, Corporate Communications and
Marketing
These leaders and representatives must be familiar with their role and responsibilities
during a crisis
Step – 2: Create a Cyber Security Crisis Management Plan
Ideally, the crisis management plan should be a separate document, with the following
essential elements:
• Structure of the crisis management team
• Responsibility matrix with names of the specific individuals
• Threat matrix with severity levels and associated response protocols
• Communication templates for customers, business partners, media and external agencies
• Procedures to inform authorities and affected parties and to provide identity and credit
protection services
Step – 3: Conduct Breach Simulations
• Breach simulation is a tabletop exercise in your boardroom
• All the key executives need to participate
• A hypothetical breach scenario is created and the participants are asked to respond
• Guidance is provided by the moderators
• The executive team becomes familiar with the process and the sources of information
Step – 4: Engage a Third Party
• Breaches can stay undetected for years, but once they are detected there is extreme urgency
to investigate
• Finding the right forensics partner can be a challenge
• Companies have no choice but to rush into a contract, often overlooking critical provisions
• Legal and compliance teams need to be involved in the review of all contractual language
• Internal or external legal counsel should be used to engage the third-party forensics
company, and attorney-client privilege should be protected in the contract language
• Data breaches are inevitable. Therefore, an organization MUST be prepared to handle one
• The information security team MUST take the lead in building and socializing a crisis
management program
• The information security team MUST build partnerships with Legal, Compliance, Corporate
Communication and Privacy teams of the company
• A detailed crisis management plan MUST be created and maintained
• Periodic simulations MUST be conducted
• The executives of the company MUST be educated and must fully understand their roles
and responsibilities
THANK
YOU
Appendix
Sample Templates
If data loss is confirmed, the State Attorneys General must be notified in accordance with the State’s privacy
directives. 47 states and 3 U.S. territories all have their own data breach laws, enforced by state attorneys
general.
Breach notification letters must be sent to the individuals whose personal information was lost or
compromised.
Some States like California, Massachusetts, New York, North Carolina, Illinois, West Virginia and Maryland have
specific formats that must be followed. All other states do not have any constraints.
Create and maintain a repository of breach notification letters for all the states where your customers reside
| DEPARTMENT / TEAM | REPRESENTATIVE | TITLE | RESPONSIBILITY |
|---|---|---|---|
| EXEC LEADERSHIP | BRIAN WILLIAMS | CEO | Inform Board of Directors on the status of breach investigations etc. |
| EXEC LEADERSHIP | PETER ALEXANDER | CFO | Determine cost of breach and data loss |
| CORPORATE COMMUNICATIONS | HALEY JACKSON | SVP | Ensure consistent and timely communications to media and authorities |
| HR | MANU RAJU | EVP | Determine impact on employees |
| CUSTOMER RELATIONS | KRISTEN WELKER | DIRECTOR | Establish and maintain communications with customers |
| LEGAL | CHUCK TODD | CORPORATE COUNSEL | Engage internal and external legal teams to ensure compliance with laws |
| INCIDENT | SCOPE | SEVERITY | ACTION |
|---|---|---|---|
| DENIAL OF SERVICE ATTACK | Limited to no impact on business apps | LOW | Monitor traffic; Fine tune DDoS appliances to eliminate noise; Inform ISP |
| | Critical business application performance impacted | MEDIUM | Initiate incident response protocol; Engage ISP; Perform RCA; Provide updates to affected parties |
| | Internet access down. Business apps offline | HIGH | Initiate crisis management protocol; Inform executives and business leaders; Craft and send communications to customers and other parties |
| POTENTIAL DATA LOSS | Limited data exposed by CSR | LOW | Send apology letters; Provide credit protection to affected individuals; Inform State AGs |
| | Moderate amount of data lost or exposed | MEDIUM | Initiate incident response protocol |
| | Suspected data breach | HIGH | Initiate crisis management protocol; Consult with corporate counsel, privacy and compliance officers; Inform Board of Directors; Update communication templates for media, customers, investors and authorities; Engage forensics teams; Engage external counsel |
Create generic communication templates for the various possible scenarios and have them vetted and approved by corporate
communication, privacy and legal
Sample Communication-1
We are currently investigating a Denial of Service attack on our website that is resulting in degraded performance. At this time,
we have confirmed that no customer data is impacted. We are working closely with our ISP and our IT service provider to
restore services.
As more information becomes available, we will be sure to provide you with regular updates.
Sample Communication-2
As of approximately 11:00 am CST, we have become aware of a potential compromise of our network and systems. At this
time, we are unable to confirm the extent of the compromise and whether sensitive data could have been lost. We are
working closely with the authorities and with internal and external cyber security experts to determine the nature and extent
of compromise.
We will provide regular updates on our website at www.abccompany.com and will conduct media briefings as necessary.
Sample Communication-3
Over the course of the past 24 hours we have been able to obtain further details of the incident that affected
[our network, website, systems]. We have confirmed that [nature of the incident, how many people were
affected, what data was lost]. We are still investigating [the cause of the incident, the people/event behind
the incident, extent of the incident].
We have engaged [law enforcement, cyber forensics etc]. We have also enlisted the help of [additional
resources brought in to assist with the incident] to assist us in immediately mitigating the incident.
We will continue to provide you with updates as new information becomes available. We recommend that
you monitor our website at [insert website address] for the latest information.
Borrower’s Name Date:____________
Street Address
City, Zip Code
Dear Mr. ___________
We are writing to inform you of an incident involving your personal information. On (INSERT INCIDENT DATE), an incident occurred
where your non-public information may have been viewed by a third-party.
While we do not believe your information will be misused, out of an abundance of caution we are notifying you so you may take steps
to protect yourself against misuse of your information. Always remember to carefully review your statements every month to identify
any unauthorized transactions. If you see any items on your statement you believe are not yours, please contact us immediately.
Remain vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft or unauthorized activity to us
and the appropriate law enforcement agency.
To help protect your identity, we are offering a complimentary one (1) year membership of Experian’s ProtectMyID™ Elite. This
product helps detect possible misuse of your personal information and provides you with superior identity protection services focused
on immediate identification and resolution of identity theft.
Activate ProtectMyID Now in Three Easy Steps:
ENSURE That You Enroll By: INSERT ENROLLMENT DATE
Visit ProtectMyID Web Site: www.protectmyid.com/enroll or call 877-441-6943 to enroll
Your Activation Code (INSERT CODE)
T0
A reputable cyber security blogger has published information on his website indicating that ABC Company may have been affected
by a recent well-publicized hack in which customers’ sensitive data was exposed.
The blogger speculates on a connection between ABC Company and the publicized hack and provides some evidence that ABC
Company’s account and password information is available on the dark web.
Customers and the media begin to call the company wanting to know if their personal information has been compromised. Media
outlets want to know if the company has an official statement.
Questions for the team
• What is the first course of action?
• What are the immediate priorities?
• What type of communication should be issued?
T0 + 7
ABC Company’s CISO receives a call from the FBI, who indicate that based on their investigations, they believe that the
compromise of ABC Company’s information systems occurred over 3 months ago. They have reason to believe that large amounts
of customer sensitive data, including credit card numbers, may have been exposed.
In the meantime, media attention has steadily increased and newspaper articles and television stories are being published. ABC
Company’s employees are being approached by local media outlets for exclusive interviews.
Traffic to the company website has increased and performance has been affected. Customer service calls are creating a backlog
with long wait times.
The Board of Directors is getting inquiries from the media and is asking for urgent updates.
Questions for the team
• How does your response to the incident change based on these developments?
• Have the priorities changed?
• How would you update the communications?
• Who would you engage at this stage?
T0 + 21
Media and public response is harsh despite continued PR efforts. There is now open talk of suing the company and authorities
have launched inquiries. The PCI council is involved and insisting on bringing in their own forensics company.
Forensics teams have found evidence of the hack going back 14 months and traces of ongoing activities. A Chinese organization
dubbed Deep Panda is likely to be involved based on the hash signatures of the Derusbi command and control software.
The Board of Directors is becoming increasingly impatient and insisting on a comprehensive plan to remediate the current
situation and prevent this scenario from happening again.
ABC Company begins to quantify cost of the breach and determine how much of their investigative efforts and expenditures will
be covered by their cyber insurance policy.
Questions for the team
• How does your response to the incident change based on these developments?
• Have the priorities changed?
• How would you update the communications?
• Who would you engage at this stage?

More Related Content

What's hot

Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
Priyanka Aash
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
Shah Sheikh
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
Vladimir Jirasek
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
Ben Rothke
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
Paige Rasid
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
A. Shamel
 
Security operation center
Security operation centerSecurity operation center
Security operation center
MuthuKumaran267
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
Tuan Phan
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
Exigent Technologies LLC
 

What's hot (20)

Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
The Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your StoryThe Measure of Success: Security Metrics to Tell Your Story
The Measure of Success: Security Metrics to Tell Your Story
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Soc
SocSoc
Soc
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Cybersecurity Employee Training
Cybersecurity Employee TrainingCybersecurity Employee Training
Cybersecurity Employee Training
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Security operation center
Security operation centerSecurity operation center
Security operation center
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 
Nist cybersecurity framework isc2 quantico
Nist cybersecurity framework  isc2 quanticoNist cybersecurity framework  isc2 quantico
Nist cybersecurity framework isc2 quantico
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organization
 

Similar to Cybersecurity crisis management a prep guide

Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
Stacy Willis
 
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
Financial Poise
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
Marko Suswanto
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
cyberprosocial
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
PECB
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingTory Quinton
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
Kroll
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgeManaging Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Perficient, Inc.
 
Experion Data Breach Response Excerpts
Experion Data Breach Response ExcerptsExperion Data Breach Response Excerpts
Experion Data Breach Response Excerpts
Peter Henley
 
Cyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to KnowCyber Security 101: What Your Agency Needs to Know
Cyber Security 101: What Your Agency Needs to Know
Sandra Fathi
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
CBIZ, Inc.
 
Overcoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security ModelOvercoming Hidden Risks in a Shared Security Model
Overcoming Hidden Risks in a Shared Security Model
OnRamp
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
- Mark - Fullbright
 
Data Breach Response: Before and After the Breach
Data Breach Response: Before and After the BreachData Breach Response: Before and After the Breach
Data Breach Response: Before and After the Breach
Financial Poise
 
The 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party RiskThe 5 Steps to Managing Third-party Risk
The 5 Steps to Managing Third-party Risk
Elizabeth Dimit
 
Course Session Outline - Internal control in Information System
Course Session Outline - Internal control in Information SystemCourse Session Outline - Internal control in Information System
Course Session Outline - Internal control in Information System
Theodore Le
 
Cyber security guide
Cyber security guideCyber security guide
Cyber security guideMark Bennett
 

Similar to Cybersecurity crisis management a prep guide (20)

Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
CYBER SECURITY and DATA PRIVACY 2022: Data Breach Response - Before and After...
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023Cybersecurity trends - What to expect in 2023
Cybersecurity trends - What to expect in 2023
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge Training
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)The Science and Art of Cyber Incident Response (with Case Studies)
The Science and Art of Cyber Incident Response (with Case Studies)
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Cybersecurity crisis management a prep guide

  • 1. Shamoun Siddiqui, PhD, CISSP CISO, Neiman Marcus Group
  • 2.
  • 3. Breaches – Two Weeks in 2018
       - April 3, 2018 – registration information for up to 7 million consumers who created an account on Panerabread.com was exposed
       - April 1, 2018 – hackers stole payments information from 5 million consumers via store payments systems; 125,000 card numbers found for sale on the Dark Web
       - March 29, 2018 – MyFitnessPal app is breached and registration info on up to 150 million users is hacked
       - Late March 2018 – [24]7.ai, a customer services operations company, reported that a breach that occurred in Sept/Oct 2017 resulted in the access of payments information from its client companies
       Source: First Data Corporation
  • 4.
       ◦ In 2017 there were 1579 data breaches that were reported and recorded with an estimated 179 million records exposed
       ◦ The number of data breaches represented a 44% increase over the number reported in 2016 and the number of records lost was up by 400%!
       ◦ As of the week of April 16, 2018
          ◦ Number of reported data breaches = 319
          ◦ Number of data records lost/stolen = 11 million+
       Source: Identity Theft Resource Center
  • 5.
  • 6.
       - For organizations that store, process or transmit sensitive information, a data breach is an eventuality. A data breach represents a “cybersecurity crisis”!
       - No organization can achieve complete and total cybersecurity
       - Avoiding a cyber crisis comes down to:
          ◦ Managing the incident before, during and after it unfolds
          ◦ Ensuring that a cyber incident is not seen as purely an IT issue by company execs
          ◦ Ensuring the multiple functions across the company are aware and prepared to deal with a cyber crisis
          ◦ Realizing that a poor response can exacerbate a crisis
  • 7.
       - A computer incident could refer to day-to-day security incidents such as malware infections, application or network disruptions involving limited information disclosure. Incidents are handled routinely as per the Incident Response Procedure and limited visibility may be provided to the CIO and other executives.
       - A cybersecurity crisis refers to a more serious situation that has the potential to cause significant financial, reputational or brand damage to the company. Examples include a major denial of service attack, known or suspected infiltration by bad actors or loss of large amounts of sensitive data. The company’s C-suite needs to be notified and typically stays engaged until closure.
       A computer incident can quickly escalate into a cybersecurity crisis.
  • 8. Source: Deloitte - Cyber crisis management Readiness, response, and recovery
  • 9.
       - Company’s executive leadership lacks sufficient understanding of their roles or what information they will need in order to make decisions during a cybersecurity crisis
       - Information security team practices incident response in isolation from the executives and business leaders
       - No playbook exists defining actions and/or decision points for responders
       - If processes have been defined, they are rarely tested for effectiveness
       - Triggers to escalate an incident to senior management are not clearly defined
       - Communication protocols are not defined and templates do not exist
       - There are no clearly defined guidelines on when to engage law enforcement, internal/external counsel or when to notify affected parties or customers
       - Cyber security insurance coverage either does not exist or is unclear
  • 10.
       - An organization must be ready to:
          ◦ Respond quickly and effectively
          ◦ Provide information to a multitude of internal and external stakeholders
          ◦ Update or change existing agreements / arrangements with business partners
          ◦ Respond to legal or regulatory requirements
          ◦ Engage in proactive communications to public and media
          ◦ Monitor social media channels and respond accordingly
  • 11.
       - Home Depot
          ◦ Responded within hours of breach confirmation
          ◦ Took full responsibility and apologized
          ◦ CEO personally apologized in a well-written letter
          ◦ Set up a call center to handle 50,000 calls per day
          ◦ Within 2 weeks updated their technology
       - Anthem
          ◦ Self-discovered the breach and announced immediately
          ◦ WSJ called it a textbook case in effective crisis management
          ◦ Anthem created a dedicated website to provide updates on the breach
          ◦ Website clearly identifies who was affected and exactly what was lost
  • 12.
       - Uber
          ◦ The company concealed the breach
          ◦ Paid hackers $100K to keep it quiet and delete the data
          ◦ No apologies and no statements from the CEO early on
       - Equifax
          ◦ Took more than a month to disclose
          ◦ Completely ignored the significance of the emotional connection between company and consumers
          ◦ Created a website that was not on the corp domain, resulting in numerous phishing messages
          ◦ Required more personal data and provided vague response
          ◦ Credit protection agreement included a clause that excluded consumers from a class action
  • 13. Source: Deloitte - Cyber crisis management Readiness, response, and recovery
  • 14.
       - Team composition
       - Staff training
       - Periodic testing
       - Communication plans
  • 15.
       - Executive involvement
       - Executive training
       - Critical third parties
       - Communication channels
  • 16.
       - Tools and technologies in portfolio
       - Forensic capabilities
       - Threat intelligence utilization
       - Incident response plans
  • 17.
       - Critical business applications and processes
       - Business limitations and acceptable risk
       - RTO and RPO requirements
       - Resource requirements for recovery
  • 18.
       - State and federal notification requirements
       - Law enforcement engagement
       - Effect on compliance mandates
       - Obligations to affected parties and stakeholders
  • 19.
       - Root cause analysis
       - Cleanup
       - Lessons learned database
       - Additional people, process and technologies
       More reading: https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Risk/gx-cm-cyber-pov.pdf
  • 20. Step – 1: Involve Your Executive Leadership Team
       - This includes the C-suite, i.e. CEO, COO, CFO, CIO, CCO
       - This includes business unit leaders, i.e. EVPs, SVPs
       - This includes representatives or delegates from Legal, HR, Corporate Communications and Marketing
       - These leaders and representatives must be familiar with their role and responsibilities during a crisis
  • 21. Step – 2: Create a Cyber Security Crisis Management Plan
       Ideally, the crisis management plan should be a separate document, with the following essential elements:
       - Structure of the crisis management team
       - Responsibility matrix with names of the specific individuals
       - Threat matrix with severity levels and associated response protocols
       - Communication templates for customers, business partners, media and external agencies
       - Procedures to inform authorities and affected parties and to provide identity and credit protection services
  • 22. Step – 3: Conduct Breach Simulations
       - Breach simulation is a tabletop exercise in your boardroom
       - All the key executives need to participate
       - A hypothetical breach scenario is created and the participants are asked to respond
       - Guidance is provided by the moderators
       - The executive team becomes familiar with the process and the sources of information
  • 23. Step – 4: Engage a Third Party
       - Breaches can stay undetected for years, but once they are detected there is extreme urgency to investigate
       - Finding the right forensics partner can be a challenge
       - Companies have no choice but to rush into a contract, often overlooking critical provisions
       - Legal and compliance teams need to be involved in the review of all contractual language
       - Internal or external legal counsel should be used to engage the third-party forensic company, and attorney-client privileges should be protected in the contract language
  • 24.
       - Data breaches are inevitable. Therefore, an organization MUST be prepared to handle one
       - The information security team MUST take the lead in building and socializing a crisis management program
       - The information security team MUST build partnerships with Legal, Compliance, Corporate Communication and Privacy teams of the company
       - A detailed crisis management plan MUST be created and maintained
       - Periodic simulations MUST be conducted
       - The executives of the company MUST be educated and must fully understand their roles and responsibilities
  • 27.
  • 28. If data loss is confirmed, the State Attorneys General must be notified in accordance with the State’s privacy directives. 47 states and 3 U.S. territories all have their own data breach laws, enforced by state attorneys general. Breach notification letters must be sent to the individuals whose personal information was lost or compromised. Some States like California, Massachusetts, New York, North Carolina, Illinois, West Virginia and Maryland have specific formats that must be followed. All other states do not have any constraints. Create and maintain a repository of breach notification letters for all the states where your customers reside.
  • 29.
       DEPARTMENT / TEAM | REPRESENTATIVE | TITLE | RESPONSIBILITY
       EXEC LEADERSHIP | BRIAN WILLIAMS | CEO | Inform Board of Directors on the status of breach investigations etc.
       EXEC LEADERSHIP | PETER ALEXANDER | CFO | Determine cost of breach and data loss
       CORPORATE COMMUNICATIONS | HALEY JACKSON | SVP | Ensure consistent and timely communications to media and authorities
       HR | MANU RAJU | EVP | Determine impact on employees
       CUSTOMER RELATIONS | KRISTEN WELKER | DIRECTOR | Establish and maintain communications with customers
       LEGAL | CHUCK TODD | CORPORATE COUNSEL | Engage internal and external legal teams to ensure compliance with laws
  • 30.
       INCIDENT | SCOPE | SEVERITY | ACTION
       DENIAL OF SERVICE ATTACK | Limited to no impact on business apps | LOW | Monitor traffic; Fine tune DDoS appliances to eliminate noise; Inform ISP
       DENIAL OF SERVICE ATTACK | Critical business application performance impacted | MEDIUM | Initiate incident response protocol; Engage ISP; Perform RCA; Provide updates to affected parties
       DENIAL OF SERVICE ATTACK | Internet access down. Business apps offline | HIGH | Initiate crisis management protocol; Inform executives and business leaders; Craft and send communications to customers and other parties
       POTENTIAL DATA LOSS | Limited data exposed by CSR | LOW | Send apology letters; Provide credit protection to affected individuals; Inform State AGs
       POTENTIAL DATA LOSS | Moderate amount of data lost or exposed | MEDIUM | Initiate incident response protocol
       POTENTIAL DATA LOSS | Suspected data breach | HIGH | Initiate crisis management protocol; Consult with corporate counsel, privacy and compliance officers; Inform Board of Directors; Update communication templates for media, customers, investors and authorities; Engage forensics teams; Engage external counsel
  • 31. Create generic communication templates for the various possible scenarios and have them vetted and approved by corporate communication, privacy and legal.

       Sample Communication-1
       We are currently investigating a Denial of Service attack on our website that is resulting in degraded performance. At this time, we have confirmed that no customer data is impacted. We are working closely with our ISP and our IT service provider to restore services. As more information becomes available, we will be sure to provide you with regular updates.

       Sample Communication-2
       As of approximately 11:00 am CST, we have become aware of a potential compromise of our network and systems. At this time, we are unable to confirm the extent of the compromise and whether sensitive data could have been lost. We are working closely with the authorities and with internal and external cyber security experts to determine the nature and extent of compromise. We will provide regular updates on our website at www.abccompany.com and will conduct media briefings as necessary.
  • 32. Sample Communication-3
       Over the course of the past 24 hours we have been able to obtain further details of the incident that affected [our network, website, systems]. We have confirmed that [nature of the incident, how many people were affected, what data was lost]. We are still investigating [the cause of the incident, the people/event behind the incident, extent of the incident]. We have engaged [law enforcement, cyber forensics etc]. We have also enlisted the help of [additional resources brought in to assist with the incident] to assist us in immediately mitigating the incident. We will continue to provide you with updates as new information becomes available. We recommend that you monitor our website at [insert website address] for the latest information.
  • 33.
       Borrower’s Name                                Date:____________
       Street Address
       City, Zip Code

       Dear Mr. ___________

       We are writing to inform you of an incident involving your personal information. On (INSERT INCIDENT DATE), an incident occurred where your non-public information may have been viewed by a third-party. While we do not believe your information will be misused, out of an abundance of caution we are notifying you so you may take steps to protect yourself against misuse of your information.

       Always remember to carefully review your statements every month to identify any unauthorized transactions. If you see any items on your statement you believe are not yours, please contact us immediately. Remain vigilant over the next 12 to 24 months and promptly report incidents of suspected identity theft or unauthorized activity to us and the appropriate law enforcement agency.

       To help protect your identity, we are offering a complimentary one (1) year membership of Experian’s ProtectMyID™ Elite. This product helps detect possible misuse of your personal information and provides you with superior identity protection services focused on immediate identification and resolution of identity theft.

       Activate ProtectMyID Now in Three Easy Steps:
       1. ENSURE That You Enroll By: INSERT ENROLLMENT DATE
       2. Visit ProtectMyID Web Site: www.protectmyid.com/enroll or call 877-441-6943 to enroll
       3. Your Activation Code (INSERT CODE)
  • 34. T0 A reputable cyber security blogger has published information on his website indicating that ABC Company may have been affected by a recent well publicized hack in which customers’ sensitive data was exposed. The blogger speculates about a connection between ABC Company and the publicized hack and provides some evidence that ABC Company’s account and password information is available on the dark web. Customers and the media begin to call the company wanting to know if their personal information has been compromised. Media outlets want to know if the company has an official statement. Questions for the team • What is the first course of action? • What are the immediate priorities? • What type of communication should be issued?
  • 35. T0 + 7 ABC Company’s CISO receives a call from the FBI, who indicate that based on their investigations, they believe that the compromise of ABC Company’s information systems occurred over 3 months ago. They have reason to believe that large amounts of sensitive customer data, including credit card numbers, may have been exposed. In the meantime, media attention has steadily increased and newspaper articles and television stories are being published. ABC Company’s employees are being approached by local media outlets for exclusive interviews. Traffic to the company website has increased and performance has been affected. Customer service calls are creating a backlog with long wait times. The Board of Directors is getting inquiries from the media and is asking for urgent updates. Questions for the team • How does your response to the incident change based on these developments? • Have the priorities changed? • How would you update the communications? • Who would you engage at this stage?
  • 36. T0 + 21 Media and public response is harsh despite continued PR efforts. There is now open talk of suing the company and authorities have launched inquiries. The PCI council is involved and insisting on bringing in their own forensics company. Forensics teams have found evidence of the hack going back 14 months and traces of ongoing activities. A Chinese organization dubbed Deep Panda is likely to be involved based on the hash signatures of the Derusbi command and control software. The Board of Directors is becoming increasingly impatient and insisting on a comprehensive plan to remediate the current situation and prevent this scenario from happening again. ABC Company begins to quantify the cost of the breach and determine how much of their investigative efforts and expenditures will be covered by their cyber insurance policy. Questions for the team • How does your response to the incident change based on these developments? • Have the priorities changed? • How would you update the communications? • Who would you engage at this stage?