Cyberattack Response SOP



1. Preparation

  1. Cybersecurity Response Team (CSIRT): Identify team members, including the Incident Response Manager (IRM) provided by your cyber insurance.
  2. Contact Readiness: Ensure all team members have quick access to the IRM’s contact details and the cyber insurance hotline.
  3. Communication Plan: Predefine a clear communication protocol, detailing who communicates with whom during a breach, both internally and externally.


2. Detection and Assessment

  1. Identify and Validate the Incident: Detect signs of an attack and confirm the breach using monitoring tools.
  2. Contact the IRM Immediately: Notify the IRM as soon as a breach is identified. The IRM will provide guidance on containment, forensic analysis, and communication strategies.
  3. Assess the Damage: Work with the IRM and forensic experts to determine affected systems, compromised data, and potential regulatory implications.


3. Containment

  1. Isolate Impacted Systems: Disconnect infected systems from the network. Prefer network isolation over powering systems off, so that volatile evidence (memory, running processes, active connections) remains available for forensics.
  2. Secure Communication: Use an unaffected channel to coordinate responses (e.g., separate email or phones).
  3. Preserve Evidence: Avoid deleting or altering affected systems; this data is vital for forensics.
  4. Follow IRM Guidance: The IRM will outline specific containment steps, including securing backups and limiting further access.


4. Eradication

  1. Analyze the Root Cause: The IRM, along with forensic experts, will identify how the breach occurred.
  2. Remove Threats: Implement updates, remove malware, and address vulnerabilities as directed.
  3. Coordinate with Insurance: Ensure all remediation actions are documented for insurance claims.


5. Recovery

  1. Restore Operations: Rebuild systems using clean backups and ensure security updates are in place.
  2. Monitoring: Continuously monitor systems for signs of lingering threats.
  3. IRM Oversight: Follow the IRM’s guidance to resume operations in phases and reduce risks of re-infection.


6. Communication

  1. Internal Updates: Keep employees informed of progress and next steps via secure channels.
  2. Customer Notifications: If customer data is impacted, follow the IRM’s protocol for breach notification requirements.
  3. Media Management: Collaborate with the IRM and PR team to release clear, factual statements to maintain trust.


7. Post-Incident Review

  1. Debrief: Conduct a full review with the IRM to evaluate the response.
  2. Documentation: Prepare a detailed report, including timelines, actions taken, and lessons learned.
  3. Policy Updates: Strengthen cybersecurity measures and incident response plans based on findings.


Cyber Insurance-Specific Actions

  • Immediate Contact: Notify your insurer and IRM within the required time frame to activate support services.
  • Collaborate: Work closely with the IRM for steps like containment, forensic analysis, legal guidance, and communication strategies.
  • Claim Submission: Provide required documentation to expedite coverage for costs such as system recovery, business interruption, and PR support.

This detailed approach ensures minimal disruption and maximizes support during a cyber incident.
