Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

Transcription

1 Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

2 What Happened to the Dinosaurs Avoiding the Extinction- Level Event Corporations occasionally face dramatic, even extinction-level crises that defy incident response plans housed in a single department, or present contingencies that have no prior planning. These events don t happen often, but when they do, they can damage share price, reputation, and careers from the Board, the C-Suite, and many other positions further down the corporate ladder. How does this happen? Research indicates that these risk events are typically complex, beyond the company s risk controls, and are often an outgrowth of increasing interconnectivity within a company across departments and geographies. However, all too frequently companies are unprepared and react reflexively, often failing to consider: who should be in the room making decisions; how emerging issues should be prioritized; and how to think strategically beyond the next 24 hours. A sluggish or clumsy response can escalate an incident into a crisis, and as recent headlines show, sometimes a poorly planned or executed solution can be more damaging than the crisis it is meant to solve. The past few years unquestionably demonstrate that a cybersecurity event is just such an example. Headlines read weekly of public disclosures of confidential data, theft of intellectual property by hackers or insiders, or large-scale cybercrime resulting in the loss of millions of consumers data. Immediate responses to cybersecurity incidents are often led by technicians in information technology (IT) group, often without an incident response plan that considers business risk. But as a handful of CEOs have found while under fire, an effective crisis response requires the skills, knowledge, and experience of a range of corporate functions working in concert: legal, human resources, media and public relations, communications, privacy counsel, audit and risk, finance, corporate security, regulatory and law enforcement relations, shareholder relations, as well as the front line business units and regional management. Many of these stakeholders are not part of the weekly information security meetings or are unaware of contingency plans; however in a true cybersecurity crisis, a non-technical stakeholder may be in the best position to lead, set priorities and make decisions that benefit the business and protect its brand and shareholder value. What sets companies apart these days is not whether they have been breached; breaches have never been more common or more public. However, companies avoid extinction based on how quickly and effectively they respond, set priorities, anticipate emerging issues, communicate, and get in front of a hack. Speed and information sharing are of the essence, and precious time and opportunities are often lost in the early days of a crisis getting organized rather than getting the issue resolved. Such delays can have a material impact on the bottom line: nearly 50% of companies that experience crisis see their share prices fall within a day i ; however, research shows that a well-prepared executive out in front of the crisis discussing it can help recover share price. ii As companies see their peers in the news and monitor their own networks, many are taking a proactive approach to preparing for this inevitable risk event, in the hopes of minimizing the impact and avoiding a protracted crisis. One mechanism by which companies better understand how they will function in a crisis is through crisis management exercises. A carefully-chosen crisis scenario, a cross-functional group of stakeholders, and objective facilitation through an exercise can highlight key corporate strengths, vulnerabilities, and a way forward to improve capabilities before a crisis hits. Regular exercises to test different responses or various parts of the company instill an awareness and cohesion amongst stakeholders that cannot be conveyed through paper plans alone. "If you are the leader of a business, you should know how strong your company s defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cyber security threats and what your company is doing to respond to those threats." -Secretary of the Treasury Jacob Lew, July 16, 2014 PwC 1

3 Plans are nothing; Planning is everything Exercises are a highly effective tool in incident response and crisis management, and companies should build regular exercises and testing into their cybersecurity programs. However, companies often make the error of compiling multiple plans driven by different scenarios, and testing these specific plans. To be sure, those who plan against specific scenarios will be highly trained for those scenarios. However, to paraphrase a Prussian general, plans do not survive first contact with reality. Reality tends to present incident responders and crisis managers with unforeseen circumstances. The process the plan for a plan that comes of a regular exercise program is far more valuable than the TIME IMPACT plans it produces. It generates muscle memory for incident response, making the process, the environment, and the decision-making construct second-nature to the stakeholders who will be under pressure in a crisis, so they can focus on solving the issue at hand. Exercise programs with sessions ranging from small table-tops to large-scale drills can help provide a number of benefits that can strengthen a company s cybersecurity preparedness and incident response capability. An exercise program establishes and familiarizes the cadre of stakeholders who would be involved in a crisis, typically around a small skeleton crew who will be present to facilitate activities and logistics. However, different crises call for a different mix of skills and information. An exercise program establishes a process to identify and quickly bring to bear the roles, skills, and experience needed, based on limited information. Exercise programs in which the company is tested in a safe environment can produce a number of additional benefits: a more robust process for setting priorities and making decisions among complex and competing demands; an adaptive ability to focus on urgent issues while anticipating what might lie over the horizon; building trust among cross-functional leadership; and finally, creating a compelling platform for Board and C-Suite awareness of the corporation s resilience writ large. The findings of an exercise provide an excellent snapshot, not just of the company s response capabilities, but the issues that might confront corporate executive leadership and the roles they may have to play. Crisis Event Damage to Financial Results, Reputation and Key Relationships With Crisis Management Without Crisis Management Lost Time/Productivity PwC 2

4 What Corporations Should Do Corporations should integrate a program for regular crisis management exercises as a central element of their cybersecurity and incident response strategy. This program would convene regular table-top exercises examining specific scenarios and pressure-testing incident response plans, identifying gaps and shortfalls in the plans. However, the outcome of such a program is more than a set of plans: this program produces benefits across three key areas: People. An established, trained, and familiar cadre of cyber incident responders drawn from the complete set of stakeholders technical and non-technical who would be called upon across the company in the event of a major cyber breach; Process. A safe environment to identify, explore, and understand how unexpected issues might confront the company, accelerate and escalate in the event of a major cyber breach, so stakeholders can learn the right questions to ask and the right experts to convene; Continuous improvement. A strategy to practice and pressure-test incident response policies and procedures, identify gaps and shortfalls, share leading practices, and improve on the company s information sharing and preparedness for major cybersecurity events. Corporate cybersecurity leaders whether in the IT department or Audit committee can evaluate the effectiveness of such a program these and other metrics that indicate evolving states of preparedness: Subject matter expert identification: knowing how to determine, often with very few facts, who should be in the room, from both a technical and business perspective. Realistic yet extreme scenarios: constructing and exploring scenarios are that are plausible, yet designed to push the company to a breaking point in order to determine how people and processes hold up under pressure Policy and process use: identifying and deploying the right policies, processes, and technology that may be relevant in a crisis, including operational, safety, regulatory, legal, brand, communications and media, international, etc.; Communications: examining how the stakeholders, and by extension the company, choose to communicate across the company and to external stakeholders, including customers, partners, vendors, and of course, employees. Crisis management exercises and the learning that results are valuable for C-Suites and Boards seeking to understand the true risk profile of the companies to which they have a fiduciary responsibility to manage risk, be they around the cyber security issues that populate today s headlines or the threats yet to emerge. By bringing together key decision makers from across the company and simulating a realistic but expansive hypothetical scenario that pushes participants beyond their daily roles, the corporation better understands how it must work in concert during a real-world crisis when shareholder value and company priorities are at stake. A regular exercise cadence may help ensure lessons are not lost and reinforces the message that management understands what is at risk in today s market, and is prepared to respond. PwC 3

5 How PwC Can Help PwC assists companies in many facets of cybersecurity strategy and execution, including integrating crisis management exercises into your program. Our technical, investigative, and crisis management specialists in Cybercrime and Strategic Threat Management are actively helping companies develop, implement and test their incident response and crisis management programs, with a view towards a regular testing regime with results reported to the Board. PwC s specialists leverage our Threat Intelligence Fusion Center and Strategic Threat Management experience to evaluate your existing plans against real-world threats, use technical threat intelligence to create realistic scenarios that identify how cyber threats can impact business areas, and facilitate small and large groups of executives and staff through a range of exercises, from small group discussions to live-fire drills and technical tests. We combine this with our subject-matter expertise in your regulatory environment, our industryspecific experience and our knowledge of your values, priorities, and challenges in your industry and the markets you serve. Our exercise reports highlight key strengths and vulnerabilities, create awareness among corporate executives, and provide tangible recommendations so you can begin to improve your response capabilities immediately. PwC 4

6 To have a deeper conversation, please contact: Neal Pollard Director neal.a.pollard@us.pwc.com Marissa Michel Director marissa.o.michel@us.pwc.com David Burg Principal, US and Global Cybersecurity Leader david.b.burg@us.pwc.com George Prokop Managing Director, Strategic Threat Management George.prokop@us.pwc.com Shane Sims Principal, Cybersecurity shane.sims@us.pwc.com Glenn Ware Principal, Corporate Intelligence glenn.t.ware@us.pwc.com i Freshfields Bruckhaus Deringer, Knowing the Risks, Protecting Your Business, Nov On the web at ii Precise UK. The Story of a Crisis, June/July On the web at PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details.