Cyber breach? How to survive a Hack
#advicethatsticks #TRREGSUMMITS
This is part 1 of a 3-part series covering the highlights from the cyber breach simulation delivered at the Thomson Reuters 2nd ASEAN Regulatory Summit in Singapore on 1 September 2016. Part 1 covers the breach, Part 2 covers the ransom and Part 3 covers managing the fallout.
As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde Consulting, Julian Claxton, and Thomson Reuters Senior Editor, Patrick Fok.
The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.
What would you do?
Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online. What would you do?
Question 1: What do you think is the most important first action to take?
- Notify the relevant authorities
- Assess the reputational damage that is at stake
- Find out if the attack is ongoing or has been contained
- Activate the crisis management team & inform senior management
- Do nothing
---
The results: Given the regulatory regimes on consumer data and the fact that this information has been leaked into the public domain, 65% of the audience said that they would activate the crisis management team and inform senior management, 20% said that they would find out if the attack is ongoing or has been contained, 10% said they would notify the relevant authorities and 0% said they would do nothing.
The average time to detection (TTD) in Asia is more than 520 days (TRT World). In this scenario the data has already been leaked to the public, so the damage was done long before the breach was discovered.
Deciding whether it is time to activate the crisis management team depends on the company's risk appetite and tolerance, the local and global regulatory context, and stakeholder expectations.
A designated chain of command is imperative. Decentralised organisational structures work well across the region for market adaptation and innovation, but a crisis demands a rapid, centralised response with a very clear line of command and the ability to shift into "war mode" quickly. The triggers for moving from "normal" to "war mode", and for activating specific response modules (for example, a data loss module), should be defined and understood in advance. There also has to be a clearly articulated set of "all clear" signals that shift the company back to its normal operating mode. If the company fails here, the risk is that the organisation's response is incoherent or inconsistent.
This is also a crime scene. Evidence is critical: logs, affected systems and other artefacts need to be preserved before they are altered by well-meaning remediation, because once a machine has been wiped and rebuilt the evidence on it is gone.
Expect the public to seek confirmation of facts, to assess the impact, gauge implications, compare this event to others and speculate on who is responsible. How a company manages this phase is critical. This is the stage for "reputation forming".
Key takeaways from Paul O'Rourke, Lead Partner, Cyber Security Asia Pacific at Ernst & Young:
- Where to invest? - Because a cyber compromise is close to inevitable, organisations need to be adequately prepared to respond when a breach occurs. Investment needs to be rebalanced from prevention towards detection, containment and response.
- Where to focus? - Critical to improving an organisation's cyber resilience is a focus on culture, education and awareness, with a culture set from the top being essential.
- What to change? - Organisations should consider defining or adopting a cyber risk appetite, which will set out the level of cyber risk they are prepared to accept.
If you enjoyed reading this post, see part 2 of this 3-part series, where we explore the challenge of cyber ransoms. Hear Julian Claxton's expert perspectives and learn how other companies across Asia would deal with the challenge.
We will continue the discussion on practical strategies for managing cybercrime and privacy at the Pan-Asian Regulatory Summit that is taking place on 8 & 9 November 2016 at the Grand Hyatt Hong Kong. For the full agenda and details on how to register, please visit the website.
---
I appreciate that you are reading my post. Here, at LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.
If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group. Read more on strategies for effective reputation risk management on our blog.
For more on this topic, check out my other recent LinkedIn Influencer posts on the Reputation Risk Management agenda:
- 5 challenges of managing Cybercrime
- 10 steps for future proofing reputation
- Make sure your boss gets the message
- Most risk managers don't understand reputation risk
- Can you explain in one minute?
- Financials hidden in plain sight - Ask "Why?"
- 5 steps to take if your supply chain is morally corrupt
- Getting boards into reputation risk management
- Carmakers python - a matter of outrage and trust
- Social License to Operate Risks Matter in Mining
- Facts Everyone Should Know about Child Labor
- Reputation Risk in Banking
- Addressing McDonald's $39B Reputation Risk Challenge
- Challenges for CxO's with APAC's top 10 Risks
- Reinventing Risk for an Asian Century
- New weapon of choice for complex global supply chains?
- 5 steps for effective due diligence in Asia
About Leesa Soulodre:
Managing Partner and Director of RL Expert Group, an international reputation risk management think tank and consulting practice and Asia Associate of the Reputation Institute. An Innovation Advisor to the European Commission and to the University of Illinois Urbana Champaign Advanced Digital Science Centre, Singapore. Board Advisor to Belgian PR Software firm, Prezly, Korean Fashion Analytics firm FashionMatch, and the US Sports Analytics firm, Autoscout.
Leesa has worked for 20 years on the cutting edge of strategy, communications, technology, cyber security and risk consulting. Specialised in reputation risk management, she has advised more than 400 multinationals and their start-ups in 19 sectors across Europe, Asia Pacific and the Americas. As a serial entrepreneur and intrapreneur, she has led companies with turnovers from $4M to $14B USD into new markets and has shared the exhilaration of one IPO, numerous exits and the hard knocks of lessons learned.
Connect: Leesa Soulodre, Managing Partner RL Expert Group
Protecting Assets, Income and Reputations. Digital & Intangible assets are a speciality.
Comment (8 years ago): Wow Leesa. How much would all that cost?