AmCham Hungary and Sándor Szegedi Szent-Ivány Komáromi Eversheds Sutherland Law Office in the framework of a morning seminar on April 20 discussed how companies can best navigate a cyberattack to mitigate the business interruption as well as the regulatory, litigation and reputational fall-out. Michael Bahar, Partner and Co-Lead of Global Cybersecurity and Data Privacy at Eversheds Sutherland (US) led an interactive discussion based on a simulated cyber-attack.
In addition to his insights, Dr. Gergely Dzsinich, LLM, CIPP/Europe introduced some comments, particularly from GDPR angle, and also discussed some best cybersecurity and data privacy practices.
The key takeaways of the seminar were the following:
- Hope is not a plan. Instead, plan for the worst and hope for the best: It is advised to prepare a cybersecurity plan and policy, and to ensure it is kept up to date in light of the rapidly evolving threat and regulatory landscape. Cybersecurity insurance is also available to help companies face potential damage, but in light of contracting coverage for state-sponsored attacks and rising premiums, companies should carefully assess their insurance strategy.
- In addition, careful planning should be completed with a comprehensive digital strategy extending to all the systems the company uses.
- Information Security isn’t just about technology. Cybersecurity is an all-of-company endeavor that starts at the top and permeates to all levels. It is essential to educate the personnel on data security including business and personal data, as well as to educate them on how to safely engage on social media.
- Particularly in light of the elevated regulatory requirements, expectations and enforcement actions, in addition to the proliferation of litigation, governance and lawyers often make the difference between a bad day and a tragic year when it comes to effectively responding to a cyber attack.
- High tech problems can have low tech solutions: For example, keeping incident response plans and contact information in hard copy can help ensure they are available even when your company’s systems are unavailable (e.g., during a ransomware attack).
- Look out for single points of failure. Whether it is having personnel backing up the key Incident Response team, having hard copies of plans kept securely at home and not just in the office, or having a secondary means of communication should the primary means be knocked out, resiliency has to be a shared goal alongside efficiency.
- When a breach occurs, avoid “kids’ football”: in other words, in a crisis it is important that everyone plays their position and does not all pursue the same task. Threat actors often count on drawing everyone’s attention in one direction only to launch their actual attack in the other.
- If you have to ask whether to notify, it is usually better to notify: Do not hesitate to turn to your supervisor or to the regulatory authorities if you suspect you are the victim of an attack or notice any anomaly in the functioning of your company’s systems.
- You don’t have to outrun the bear, only the slowest camper. As difficult as cybersecurity and privacy are, especially across multiple global jurisdictions, it’s ultimately about being reasonable and creating a favorable record of reasonableness, which lawyers are particularly adept at.
- The plans may be useless, but the planning is essential: As important as it is to plan, it is also critical to train, because attacks rarely follow the plan. Accordingly, it is best practice to run simulated cyberattacks of the type conducted at this seminar, tailored to your organization, at least once a year.
Photos of the event are available in the Gallery.