Defining a Cyber Breach Workflow Is Key, and Expensive

Financial executives facing a cyber breach will find themselves in a spiral of legal, technical and public relations landmines, but a workflow can be put in place to manage even the most catastrophic events, said John Reed Stark, keynote speaker at Financial Executive International’s Current Financial Reporting Issues conference in New York.

For many companies it’s not a question of if a cyber breach will occur, but when.

“There are two types of data breaches,” Stark told the CFRI audience. “The ones that you know about and ones that you don’t know about.”

Given that inevitability, Stark explained that defining a workflow around a cyber incident is key because multiple constituencies will be involved as soon as a security breach is identified.

“Personal identifiable information, for example, is regulated by each state in a different way, and if you work across state lines, they will all be coming after you,” he said. “And when you are a company representative, nobody thinks of you as a victim. You are not treated that way. You are treated as the perpetrator.”

Some of the workflow that Stark suggested financial executives consider:

  • Preservation: “This becomes one of the largest tasks and it kicks into high gear just after the data breach happens,” Stark said. This means preserving physical property, such as all the computers and systems that are relevant as well as digital artifacts and fragments of the breach for possible litigation.
  • Digital forensic analysis: This involves analysis that identifies any possible indicator of compromise. “It’s this rinse/repeat system of digital forensics,” Stark explained. “And it’s expensive. A typical digital forensic person will cost you $400 an hour.”
  • Logging analysis: Stark pointed out system logs can record events that occur in an operating system, and they will need to be reviewed carefully to avoid destroying important evidence. “You want to talk to your IT people to see what critical logs are in your system and how they can be preserved.”
  • Malware reverse engineering: Malware is often misunderstood and, as Stark explained, should be viewed as “the tool they used to break into your house. You’ve essentially got to figure out why all these bad files are here and what did this preparation do,” he said. “And you rarely find these skills in house.”
  • Surveillance: Once a company experiences a cyber-attack, it must “stop the bleeding,” Stark said. “That begins with the installation of surveillance tools. You are going to do all these things because they will be expected by your customers, your partners and your vendors.”
  • Remediation: This begins right after the attack, and involves steps that include replacing people and laptops. Your insurance coverage may not cover remediation, so the costs may come down to a battle between you and your insurance company.

CFOs and other financial executives facing a cyber breach cannot be timid in their post-attack approach, Stark said, because the stakes remain high and the chances of it happening are only increasing.

“You don’t only need to know what happens after a data breach, but you need to understand the costs,” he added.