Being a victim of a cyber attack…
… can cause two immediate – yet conflicting – sets of emotions:
You feel like you need to do something. Anything.
You’re drawing a blank.
You don’t know what to do, or what you even can do.
No matter how you feel right now, this is a race against the clock.
Here is a list of things you should do immediately upon discovering that you’ve been hacked.
… You have one, right?
If you’ve been following the advice of your IT personnel, and anyone else (*cough*) who has given advice about cyber security, you have one of these in place.
Among the details will be the first steps to take in the event of an attack. The very first should be informing or empowering a Cyber Attack Response Manager to coordinate your overall response.
DO THIS IMMEDIATELY.
That’s right, this is another thing you’re supposed to do immediately.
In fact, steps 1 and 2 should really be considered steps 1 and 1(a), because notifying your insurance carrier should be at the very top of your checklist.
Even if you don’t have a separate cyber liability insurance policy (you should get one, but we’re already here so…), your CGL policy is likely to have at least a couple of helpful provisions.
Your insurance carrier likely has several IT companies that it can recommend for your emergency-response team, if you don’t have a dedicated team in place. They also often have connections with the other experts you might end up needing.
Another key benefit most insurance companies provide is legal assistance should you need it – either in the form of a “duty to defend” – meaning they pick the attorney – or a “duty to reimburse” – meaning they pay the attorney you choose (often with some restrictions).
That’s pretty critical, considering that your next task is…
… one who knows cyber security.
As a business, you have certain legal obligations to your clients and customers.
Those obligations are multiplied by an order of magnitude if you operate in a regulated industry or routinely store personal information in your systems.
Your attorney will become your primary communication conduit, through which you deal with a lot of different people – including any state or federal regulators.
Remember, just because you may not have committed the crime that caused all of this doesn’t mean that your actions – either before or after the attack itself occurred – won’t bring the full weight of a regulatory investigation and hearing down on your business.
Those regulators tend to carry a pretty big stick – the ability to shut your business down entirely. Make sure you have an attorney who can effectively represent your business.
Cyber security law is new, and there aren’t that many of us who focus on it. Of the ones that do, there are far fewer who are even remotely affordable to most people.
Oh, and now you really should…
… and make sure to file a report.
It might not seem all that important at the time – particularly when you find out exactly how little your local police department cares about cyber attacks that don’t involve child pornography – but this is an important first step.
In addition to being one of the items that will make any future discussions with insurance companies, credit reporting agencies, and responsible parties easier, filing your police report will, through the power of statistics, help your local police understand how frequent these events are.
Possibly even leading to local police actually taking them seriously!
You can’t stop there, though. Next you need to…
… to put a hold on your accounts.
All your accounts. I’d be sure to move especially quickly if there’s any possibility of money being wire transferred out of your accounts.
If you have Wells Fargo, even the accounts you never knew about or asked to be opened!
Even if you’ve only been hit with Ransomware, and have no evidence that any of your personal information was taken, do you really want to take that chance?
Your credit cards most likely offer some form of fraud protection, but your other accounts might not. A hacker with access to your company’s bank accounts has the ability to wreak financial havoc, but also has access to a whole new set of information – the people whom you’ve paid or been paid by.
That information is valuable.
There are plenty of additional things you’ll likely need to do, based on your particular business. We can help…