Small Business Cyber Security Response and Recovery. Part V – Report the incident to the wider stakeholders
Part 5 – Report the incident to the wider stakeholders
After the cyber security incident has been resolved, the next step is to report its particulars to relevant internal and external stakeholders. In helping you with the reporting process answer these key questions:
What are our reporting requirements?
Each business will have its own reporting procedures outlined in their Incident Response Plan (or at least such plan should have a section dedicated to it) which will detail
In what instances do I need to report?
In the EU the Article 29 Working Party (WP29) (now the European Data Protection Board) guidance identifies three types of breach. Some breaches may engage all three elements:
- integrity breach – unauthorised or accidental alteration;
- availability breach – accidental or unauthorised loss of access to or destruction of data (e.g. by a power cut or systems failure).
- confidentiality breach – unauthorised or accidental disclosure of or access to personal data;
All breaches must be recorded alongside the decision-making process engaged to decide whether to report the breach. Only breaches that are likely to result in a risk to the rights and freedoms of data subjects must be reported to the Supervisory Authority (SA). The WP29 gives examples of breaches that are not reportable, for example, where encrypted data which remains secure is taken. However, it also suggests it is better to over-report than to under-report; there are no sanctions for reporting something which turns out to be low risk.
Who needs to know?
In the first instance, you will want to divide your stakeholders into internal and external, and the external stakeholders into business-related and those who you need to be informed by law.
Apart from the necessary communication to relevant persons/bodies within the business structure, it is important to keep your staff and customers informed of anything that might affect them. For example, you would need to contact customers and banks if payment data was compromised, suppliers if corporate accounts were attacked, and the ICO / DPA if personal customer data was stolen.
Make sure you contact your customers as soon as possible through the most appropriate channels. Combined with the good relationship you have built with your business partners over time it will help you to minimise reputational damage in the event of an incident.
Depending on the type of business you are running you will have to report to different Supervisory Authorities (SA) / Regulators.
If you have cyber security insurance, you will also have to notify your insurer if you would like to make claim on your policy. You might also want to consider seeking legal advice if the incident has had a significant impact on your business and/or customers.
(by) When do I need to report?
once more, this will depend on the type of business you are in, the severity of the incident, and the jurisdiction you are in. The more severe the potential consequences the quicker you should report the incident even if it hasn’t been fully resolved – usually between as soon as possible and 72 hours from discovering the incident.
What do I report?
The actual reporting itself should include:
- A realistic estimate of the financial cost of the incident, as well as other impacts on the business, such as in terms of damage to reputation, loss of management control, or impaired growth
- Recommendations regarding enhanced or additional controls required to prevent, detect, remediate, or recover from cyber security incidents more effectively
- A full description of the nature of the incident, its history, and what actions were taken to recover
In what format do I report?
Regulators want to make sure the right information and language are consistently provided in notifications. Templates for notification letters can provide that consistency if the templates are adapted to meet each jurisdiction’s content requirements.
What is the objective of reporting?
The important thing about cyber-crime is to report it as according to the NCSC many go unreported because of personal embarrassment. The more cybercrimes are reported, the more likely it is that those behind them will be arrested, charged, and convicted.
Do you require help with preparing for and dealing with cyber incidents?
If you have any questions or require help or advice on preparing for and dealing with cyber incidents, please contact us at SEQRED.
SEQRED specialises in all areas of cybersecurity including Critical Infrastructure Protection, Cloud Services Security, Audits or Threat Intelligence. For a full list of our services visit our website – www.seqred.pl
Stay safe rather than sorry!
About this guide
The idea for this guide is based on the Cyber Security Response and Recovery Guide for Small Business published by the National Cyber Security Centre, UK. You can access the guide here.
To read more about the GDPR cybersecurity and breach reporting requirements click here.
To access the CREST Cyber Security Incident Response Guide click here.
To find out about the 5 Steps of a Proactive Incidense Plan that Works click here.