4 Legal Surprises You May Encounter After a Cybersecurity Incident

Many organizations are not prepared to respond to all the constituencies that come knocking after a breach or ransomware incident.

Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

September 28, 2023


Most security professionals know the parade of problems that emerges after an incident, from data breach notifications to looming Securities and Exchange Commission materiality filings for public companies.

However, there are unexpected concerns that may surprise the average incident responder, and each carries potential legal liability. Drawing on my experience as a cyber-incident breach attorney who has handled dozens of ransomware incidents, these are my top four surprising post-incident considerations.

1. Cyber Insurance Review of Pre-Incident Security Controls

If you have cyber insurance and notify your carrier, there may come a time during the insurance reimbursement process when the carrier asks pointed questions about what security controls were in place before the incident. The carrier will also dive deep into what failed and the incident's root cause.

Take care to truthfully and accurately describe the controls you have in place on any insurance application and during the underwriting process. Recently, insurance carriers have sought to deny claims based on application misstatements. Therefore, not being truthful during the application process can have millions of dollars of consequences later. Work with your risk management team, insurance broker, and outside counsel — before an incident occurs — to make sure that the company's controls are accurately described and documented.

2. Auditor Investigations

Public companies, public bodies, and even small companies have CPA audits and reviews. Those reviews do not stop after a cybersecurity incident, and many auditors have questions about an incident. Engage specialized cyber-incident counsel to assist in navigating the responses to these questions. Any information shared with a CPA is unlikely to be considered confidential or covered by privilege, so any statement made about an incident could be used in a later lawsuit. Therefore, make sure that all statements are consistent with what was shared in notification letters and with employees, customers, and the media.

3. Banks Halting Ransomware Payments

After an organization has made the painstaking decision to make a ransomware payment, a series of legal concerns can arise while racing against a threat actor's timeline to leak information.

Many security professionals are familiar with the US Treasury Department's Office of Foreign Assets Control (OFAC) process for clearing a ransom payment and ensuring it does not end up in the hands of a sanctioned bad actor. Yet banks are increasingly hesitant to process wires to known threat negotiation firms. This is because any organization in the ransom payment's chain could, in theory, be held liable under OFAC for an improper payment to a sanctioned entity. Organizations should be prepared to navigate OFAC both for their own purposes and for their financial institution's. Be ready with a report that shares information quickly with the financial institution so that it can clear the transaction.

4. Failing to Know Which Customers Need Immediate Notice

If your organization serves other businesses or is a subcontractor to governmental entities, you have likely agreed to certain incident-response notification requirements by contract or by statute. Create a spreadsheet tracking each notification timeline before you have an incident so that you can respond rapidly and comply with those requirements. Otherwise, it could take a team of lawyers rapidly reviewing contracts to meet them. Failing to meet a notification requirement could put your organization in breach of contract, and some contracts carry large penalties for failure to provide notice.

Preparation Is the Best Incident Response Plan

Even the best tabletop exercise and incident response plan may have to bend to the changing circumstances of an incident. Being prepared to respond to the various constituencies that come knocking after an incident is a great first step toward managing the unknown.

About the Author(s)

Beth Burgin Waller

Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

As chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB), Beth's practice is fully devoted to cybersecurity and data privacy. Clients ranging from local government and state agencies to mid-market firms and Fortune 200 companies depend on Beth for advice and counsel. Beth's credentials in the field are extensive. She is a certified Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. In addition, she is a Certified Information Privacy Professional with expertise in both US and European law (CIPP/US & CIPP/E) and a Certified Information Privacy Manager (CIPM), also from the IAPP. In 2022, the governor of Virginia appointed Beth to the Commonwealth of Virginia’s first Cybersecurity Planning Committee, a committee tasked with increasing the cybersecurity posture of public bodies and local governments in Virginia.
