Client Alert April 29, 2026 Yue (April) Li

What Businesses Need to Know Before and After a Cyber Incident

Cybersecurity threats are not limited to large business operations.  Businesses of all sizes now face increasingly sophisticated cyber risks.  A single cyber incident can expose sensitive data, disrupt operations, and trigger significant legal, regulatory, and business consequences.  This article summarizes key steps businesses should take to prepare for a cyber incident, as well as best practices for responding effectively in its aftermath.

I.  Reducing Risk Through Proactive Cybersecurity Measures

A.  Data Mapping and Classification

Businesses should understand what confidential or sensitive data they collect, where it is stored, and how it flows across systems and third‑party platforms.  Maintaining an accurate data inventory and classification framework enables faster incident assessment, supports compliance with notification obligations, and reduces uncertainty during incident response.

B.  Implement Security Safeguards

Businesses should implement appropriate security safeguards to protect their data and systems from cyber threats.  Key measures include documented data privacy procedures and a data protection program tailored to the organization’s operations and its data.  Regular internal audits should be conducted to assess system vulnerabilities, evaluate security measures, and address identified gaps or weaknesses.

C.  Adopt Cybersecurity Provisions in Your Contracts

Businesses should incorporate contractual protections requiring their vendors and third‑party service providers to comply with data security and confidentiality obligations, to help safeguard sensitive information across the entire supply chain.

D.  Prioritize Training

Businesses should prioritize data security training for employees, as human error remains one of the most common sources of security incidents.  Training should address how to identify and respond to potential cyber threats, including phishing links, suspicious attachments, and communications designed to install malware.

E.  Establish an Incident Response Plan

Just as businesses maintain fire safety and evacuation plans to respond quickly to physical emergencies, they should also establish an incident response plan to address cybersecurity incidents.  An incident response plan should provide a structured framework for responding promptly upon discovery of a security breach, helping businesses contain the incident and assess its scope.  Delays in responding can lead to further data loss, operational disruption, and increased liability.  In addition, some state laws impose strict deadlines for notifying affected parties of certain security breaches.  Without a response plan in place, businesses may struggle to fulfill those statutory obligations.  A complete plan will include clear governance and defined escalation pathways, and will identify who will handle internal and external messaging.

F.  Secure Appropriate Cybersecurity Insurance Coverage

In addition to technical and operational safeguards, businesses should evaluate whether they maintain appropriate cybersecurity insurance coverage to help mitigate financial risk associated with a cyber incident.  Cyber insurance policies provide coverage for costs such as forensic investigations, data restoration, business interruption, regulatory defense, notification expenses, and credit monitoring for affected individuals.  Coverage terms vary significantly, however, and policies often impose security prerequisites or prompt‑notice requirements following an incident.  Businesses should review applicable policies carefully, ideally with legal counsel and insurance professionals, to ensure coverage aligns with the organization’s risk profile, data practices, and contractual obligations, and to avoid gaps that could limit recovery when an incident occurs.

II.  Key Steps Following a Cybersecurity Incident

A.  Immediate Containment and System Remediation

Upon discovering a cyber incident, businesses should take immediate action to contain the threat and prevent further damage.  Initial responses may include isolating affected systems to stop data loss while preserving volatile forensic evidence, removing malware and unauthorized accounts, and promptly resetting all user, administrative, and service account passwords, which should be presumed compromised.  Further action will then be necessary to secure systems, address underlying vulnerabilities, and restore normal operations.  Businesses should also promptly notify their cybersecurity insurer in accordance with policy requirements, as early notice may be necessary to preserve coverage and coordinate approved forensic, remediation, and response services.

B.  Involve Legal Counsel Early

Businesses that experience a cyber incident should engage legal counsel early in the response process to help navigate the legal and regulatory risks and obligations that may arise from a data breach.  Early involvement of counsel is critical to managing the heightened risk of lawsuits and regulatory investigation and enforcement.  Legal counsel can assist with identifying and complying with applicable notification and reporting requirements, oversee forensic experts to ensure the investigation accurately determines the scope of the breach without creating unnecessary or discoverable documentation, and advise on risk‑mitigation strategies.  Counsel can also help review and coordinate public statements and communications to affected parties to ensure legal compliance while minimizing potential legal exposure.  Business decisions and investigative findings made during an incident may later be subject to regulatory or legal scrutiny.  Careful documentation practices, guided by legal counsel, can help preserve privilege, minimize unnecessary risk, and create a defensible record of the organization’s response.

C.  Determine the Impact

It is crucial for businesses to understand the full scope and impact of a security breach.  This requires identifying the affected systems and determining what data may have been subject to unauthorized access and/or exfiltration, enabling the business to assess legal, operational, and notification obligations.

D.  Assess Next Steps

An incident may trigger reporting or notice obligations to regulators, customers, contractual counterparties, or other parties or individuals.  Businesses should evaluate applicable legal and contractual requirements early in the response process to ensure that all required notices are timely and complete.

Rather than responding reactively, businesses should take proactive steps by implementing safeguards, employee training, and incident response plans to address cyber risks.  If a security incident does occur, having the right preparation and professional support in place can significantly reduce disruption and legal risk.  Please don’t hesitate to contact Jennifer Puplava or April Li for any questions you may have regarding cybersecurity preparedness or incident response, or for advice tailored to your business.
