GDPR and cyber crisis response: what to expect
- Security Risk Management
- Cyber and Digital
25 May has come and gone, so what can those tasked to respond in the new world expect to see?
Now that the General Data Protection Regulation (GDPR) is in effect, incident and crisis managers will need to adapt to the changes that the regulation will bring to the process of responding. We have identified a few key changes that we can expect as the regulation comes into force.
1. Expect extortionists to exploit the GDPR to apply more pressure on victims
Control Risks’ cyber response team has found itself responding to an increasing number of cyber-related extortions where threat actors have demonstrated a level of contextual awareness relating to their victim’s operating environment. Notably, references to regulators, press, specific customers and other external stakeholders are being placed in communications in an attempt to put pressure on decision makers.
Given the general level of awareness and perceived fear around non-compliance with GDPR in the event of a breach, we should expect some extortionists to apply further pressure on breached organisations to pay quickly and quietly by leveraging the new regulation. This may take the form of direct messages to senior staff and shorter timeframes for payment, framed to suggest that a small ransom payment is nothing in comparison with a potential GDPR fine. Responders should remember that paying does not change the regulatory position: a breach that meets the notification threshold still has to be notified, whether or not a ransom has been paid, so the extortionist's framing of payment as an alternative to notification is false.
We should also expect to see an increase in fake extortions. Less capable threat groups will attempt to manipulate companies with unconfirmed threats of access to or possession of sensitive data. The practical check is to require proof, such as a sample of the data claimed to be held, and to verify it against the organisation's own systems before any decision is taken. This will prove especially concerning for smaller businesses that don't have a dedicated IT function that can rapidly identify whether or not data is at risk.
2. Expect over-notification
Nobody wants to be the first to be hit with a fine, mainly because no jurisprudence or baseline of expectation has been set and the potential impact is commonly agreed to be significant (up to EUR 20m or 4% of annual worldwide turnover, whichever is higher). As a result, we should expect internal and external legal advisers alike to favour prudent overreaction: notifying early, within the 72-hour window, even if there is only a chance that the breach may have affected the rights and freedoms of individuals.
This seems to be a sensible strategy to some extent, i.e. let's not be penalised because we didn't notify. In a crisis we can actually control how and when we notify, but we can no longer change how well the data at risk was protected before the breach or how it was handled in the immediate aftermath.
Over-notification will most probably remain a trend until regulators demonstrate a consistent enforcement strategy. This will take some time, especially if we consider how long it has taken for other legislation or regulation to be enforced in the past. For example, the UK's Bribery Act 2010 came into force in July 2011, and it was more than six months before anyone was convicted under it.
However, over-notification is a double-edged sword. Once a notification is made to a regulator, more information will need to be provided over time to show that the right remediation is taking place, putting more strain on internal teams to find answers. These answers will need to be detailed and will most likely be scrutinised closely by the regulator. So there is a balance to be struck between the virtues of notifying early and the incident response workload that comes with it.
3. Expect an even greater reliance on external responders
While the services and scope of work that third-party organisations provide after a breach may not change after GDPR, an increase in notifications from organisations without their own internal investigative capability is likely. This will most probably mean that technical support in the aftermath of a breach will be in greater demand than ever.
Following any notification, senior management teams will need assurance that the original issue has been resolved and a clear answer on whether the incident affected personal data. Without technical evidence to support that answer, many organisations may find themselves unable to close these incidents with their regulators, or indeed internally.
4. Expect to revisit your response plan
Given the nature of changes that organisations face now that GDPR is in effect, there is no doubt that crisis management and incident response plans will need to be redesigned.
The topic of notification will need to be addressed as a priority in such plans, and teams will need to be drilled in recognising when the relevant thresholds for notification have been reached, bearing in mind that the 72-hour clock for notifying the supervisory authority starts when the organisation becomes aware of the breach, not when the investigation concludes.
Not all attacks will require notification, so it is imperative that incident response and crisis management leads understand the variety of situations and thresholds that would trigger an initial notification. This can be achieved by running through likely scenarios in desktop-based exercises so that response teams can map out exactly how notification would occur and what capabilities and tools they need to refine in order to react adequately when the worst happens.
What should organisations be doing to prepare themselves to respond effectively?
- Update response plans to include thresholds for notification to local regulators
- Run exercises with executive-level management to map out possible pros and cons of different approaches to responding
- Exercise technical response capabilities to identify and confirm the loss of data off the network at speed
- Obtain threat intelligence that keeps security teams one step ahead of major extortive campaigns
- Prioritise defences around critical assets including a focus on data impacted by GDPR
- Jayan Perera, Associate Director