Cyber Threat – Why the Best Defenders are Often the Worst Responders

The firms with the best and most pro-active cyber defenses are often the worst responders if their defenses are actually breached. Why so? Because a breach is new to them and they are immediately thrown off-kilter by the attack, unless of course, they have rigorous and frequent table-top exercises to prepare for such situations.

So it’s ironic that the firms that respond best are probably those that had an attack in the last year – the imprint of the lessons learned is burnt hard into their response psyche.

At a recent conference I attended, we heard that the No.1 lesson that arose in the post-mortem/lessons-learned meeting after a cyber-attack was to call outside counsel (OC) as soon as a breach was suspected. So why call your OC? And why call them first?

  • If cyber breaches are new and rare to you, knowing exactly what to do and when may not come naturally. Your external counsel, on the other hand, is working with many of your peers, and they will have an immediate playbook that they bring to the table regarding how to respond.
  • Your General Counsel and CCO have natural conflicts that are difficult to steer around in periods of stress; it is precisely times like this that you need the calm, clear and unambiguous view of your OC and their plain-talking view on what needs to be done.
  • The OC can handle quite a few things that will free you up to do the essential and immediate work of understanding what happened, the full scope of the breach and the impact on clients. For example, the OC can immediately engage your insurance agents.
  • If appropriate, the OC can inform applicable law enforcement and state authorities. This is a critical benefit as your communications with the OC are privileged. This allows you to disclose in full all of your fears, which in turn allows the OC to make the correct and appropriate disclosures to the proper authorities within the legislative timelines mandated by the scope and geo-nature of the breach.
  • Your OC should also be able to recommend an excellent cyber-event forensic analysis firm to fully understand what happened and the full breadth of the attack.

So how does one prepare for the correct response to an attack, without actually experiencing one for real? Simple – you engage in regular table-top exercises and implement short/no-notice war games to prepare the broader team for the exact scenario you hope will never happen. Ideally, you will engage your OC in these exercises and work with them to develop a cyber war chest with call sheets and an immediate-actions plan for handling an event. Theory is great, but practice and experience beat it every day of the week!

Finally, after each table-top/war game exercise, ensure you hold a lessons-learned debrief session and a post-mortem on the exercise to identify weaknesses in the response and preparation.

You need good and proactive defenses – such as CSS Shield – but you also need to plan and be prepared for the worst-case scenario of a breach to ensure that your team is ready and not caught in the headlights like a startled rabbit.
