Wendy: Okay. All systems go. We're going to get started. My name is Wendy Wagner and I'm the lead of Gowling WLG's Canadian privacy and data protection practice and I'd like to welcome everyone to this session on Taking Charge of a Cyber Attack, jointly hosted by Accenture and Gowling WLG. It goes without saying that we're all trying to work and live in a really uncertain environment and one in which there's been a forced and really rapid uptake of digital technologies. As we're all aware, unfortunately this is and has been exploited by malicious actors, making the topic of preparing for and responding to a cyber attack one that has never been more relevant. So we're really happy to be joining you during Cyber Security Month, sure our knowledge and experience in this area. Just in the interest of time, each one of us is going to introduce ourselves as we get started and I'm going to hand it over to our moderator, Annette Honan, to start us off, let us know a little bit about the format of the session and begin the discussion. Annette.
Annette: Great. Thank you, Wendy. The Accenture team is also very excited to be here with everybody to discuss these absolutely relevant topics, especially here at the end of Cyber Security Awareness Month, as you've mentioned. Quick introduction. I'm Annette Honan and the legal lead for our Accenture security business. So small global team providing legal support and advice to our business that provides cyber security services to clients. Today, as Wendy mentioned, I'm your MC. One quick note before we get started, you can post questions in the Q&A function in Zoom, and we'll look to respond to those during or at the end of our discussion. If we don't have time to cover all of them we will reach out to you separately to respond. So, as noted in the invitation we wanted to gather to talk about several aspects of handling a cyber attack. As we know this is something top of mind for all of you and us as well. Whether you've been through it or not, whether you made plans and implemented measures, or not. More specifically we want to have a discussion including various points of view on trends we're seeing, steps to be taken, things to think about and expect if you have a suspected or actual attack or breach, the role of counsel, the role of security service providers and others investigating, containing and remediating that incident, and different approaches to working with those proprietors. So we have a lot of ground to cover so let's just jump right in. First, trends, and, Yaz, I'm going to turn to you first for this one. It seems we read every day about more and more cyber attacks of all shapes and sizes against all types of businesses and governments. Whether it's hospitality, retail, critical infrastructure, education, even hospitals unfortunately these days. Many of the audience are likely somewhat focused on their industry, or their region, what they're seeing there. All are probably also very interested in effects due to COVID and the shift to so many of us working from home or work from anywhere, as they say now. Can you comment on some notable trends that you and Cyber Threat Intelligence team at Accenture have been seeing and reporting on?
Yaz: Thanks, Annette. So, Yaz Alattia here. I lead the Accenture Security Canadian practice. I've spent a significant time in my career dealing with incidents, helping clients deal with incidents, but prior to that also managing my own incidents when I was in the industry. Happy to be hear and share some of those experiences. With respect to trends, every year we publish the Cyber Threat Scape Report that captures findings from cyber incident response teams, that we have globally, handling incidents and these teams deal first hand with breaches so have intimate visibility into what's known in the industry as tactics, techniques and procedures, or TTPs, that are employed by some of the most sophisticated cyber adversaries. We publish this report and prepare it and publish it so that everybody is obviously better prepared. I think when we reflect back into the past year securities strategies and practices and teams have been tested like never before. I think with the pandemic, obviously businesses globally, have experienced a lot cyber challenges. I think starting with phishing campaigns early on, and throughout the pandemic, and continue to peak with targeting people with vulnerabilities, business continuity plans have been stretched to operate under quarantine conditions for long periods of time, and there's a lot of financial constraints creating more challenges for organizations, but also more expectations and more challenges for security operation teams addressing not only the new threats, because of all the transformation that has happened and continues to happen, but because of the also backlog of risks that need to be mitigated. Attack surfaces are continuing to expand, I think, with adoption of Cloud, the push for digital transformation with more devices coming online such as operation and technology devices coming online, the attack surfaces have increased. Ransomware threat to actors, we have seen a lot of successes in 2020, and we see this continuing. Average payments have increased and some of their techniques have shifted a little bit, so instead of just focusing on locking up data, what we're seeing an increase of is ransomware attackers exfiltrating this data and then using name and shame websites to publish what they've done and threatening to release this to media organizations. This started off with the Maze Team, for example, but we're seeing other copycats following. Although law enforcement had traditionally advised against making ransom payments, or hasn't necessarily in some jurisdictions, hasn't been very clear on whether to pay or not to pay. Given the increase in these types of attacks, lack of recovery measures in place, insurance providers have been, and payment facilitators, have been advising to make payments. A few weeks ago, I think, more complexities introduced in this space with the US Treasury Office basically indicating that any organization making payments can face sanction violations and fines. Unless you're requesting sort of authorization in advance and the actor that you're dealing with is not on the list. So this also complicates incident management protocols, especially when a lot of these, typically when you're dealing with an incident it's very time sensitive.
Annette: Thanks, Yaz. Ransomware seems to be rampant, if you will, and as you say for years experts advise against it but because so many are paying I think the industry has grown. As you've mentioned Treasury, both Acts specifically came out with this advisory to kick off Cyber Security Awareness Month, I guess. It's certainly gotten a lot of attention. For a couple of reasons OFAC doesn't usually comment publicly. It's not often. To be clear, the law hasn't actually changed but it seems to signal some potential for increased enforcement of the sanction violations. Likely and should give people a bit more pause to take some time reassess and refresh and practice their IR plans to avoid the situation as best as possible.
Yaz: That's right.
Annette: Yeah. So let's turn to the attorneys a bit. Wendy, from your perspective, what sorts of trends are you seeing? Specifically can you comment on changes in the legal or regulatory environment?
Wendy: Sure. Yeah, I mean depending on the industry sector you're in you're going to be experiencing a lot of changes. Not just in the realm of privacy laws but also in terms of industry standards and industry specific rules for cyber and security as well. I just wanted to touch on, because they're a more broad application, I just wanted to touch on a few of the developments in privacy. It's an interesting debate. I was on a call with some folks the other day and they were saying, "Well, I think this has gotten as far as it can in terms of privacy laws and adding to the obligations." I don't know. It doesn't seem to be the case. I think maybe that's wishful thinking. In Quebec there's been new legislation proposed, Bill C-64, that would mandate breach notification and reporting similar to what we've seen under PIPEDA, but an interesting development there is that their proposing GDPR like penalties. So administration monetary penalties in the amounts of ten million dollars or 2% of annual revenue, if greater than that. That puts a lot of teeth behind it and something that we haven't seen in Canada to date. There were also consultations held for a new private sector privacy law for Ontario as well. That's at too early a stage to know if breach reporting and notification will be a part of that but it certainly wouldn't be surprising because that's really the trend. It's getting, as more and more jurisdictions not only in Canada but globally pass these types of laws with these requirements, it's getting to be a real jurisdictional morass and there's a lot of uncertainty for companies around what requirements they're actually subject to. The jurisdictional question is really complex. Even if you look at it from the perspective of PIPEDA our jurisdiction for PIPEDA is based on real and substantial connection to Canada. That may arise even if the breach doesn't implicate the data of Canadian residents, if you're a company who's subject to PIPEDA. Then you look at GDPR and that's more of a residency based requirement, EEA resident, but when you have EEA residents affected by a breach you also have to pause and look at whether you're an organization that's actually subject to GDPR, because you may not want to go ahead and report a breach without knowing if you've taken the position, organizationally, that you are subject to the jurisdiction of the GDPR because you may or may not be compliant with the law in other respects. So you don't want to kind of accede to that jurisdiction when you haven't taken that position all along. We're going to get into the whole issue of breach preparedness but it's something that you don't want to be thinking about at the time that a breach occurs. You want to try and figure that out in advance.
Annette: Right, and not so easy in the world of privacy laws, as you say. Globally, folks are trying to figure out that morass, as you've called it, and similarly here in the States we have a patchwork. 50 States have breach notification requirements. We don't have a comprehensive regulation like GDPR though California has headed that way. People are not saying we'll see a national privacy law soon. We're all still focused on GDPR. You've mentioned that one and we're waiting to see what effect Brexit might have on the UK law. Continuing to wait to see what comes out for regs as part of the China Cyber Security law. That's another big one that people are watching. We could do another session, right, on the state of privacy law. I don't think it's settled as you mentioned. But let's turn from that and go toward the incident protocols. Let's talk about the first actions an organization, ... or inside counsel or others should take when they suspect or it becomes apparent that their company's suffering an attack. Mark, do you want to get us started on this topic with kind of a first actions folks should be taking?
Mark: Yeah, happy to. Hello, everyone. My name's Mark Raeburn. I came into Accenture in March of this year. Having been the Founder and CEO of a company called Context Information Security that was bought by Accenture at the beginning of the year. I've changed my role. I'm now the global head of incident response for Accenture, so I had a track record in my previous existence of dealing with incident response of all shapes and sizes, and I've now got a large team of really smart guys and girls across the world where we deal with incident response. I think the first thing I'd say is the day to learn to dance is not the day of the ball. In terms of what you need to do, for incident response, don't leave it until it starts. Get a head start on what you need to do because you'll find that there are many things that you won't be able to do after the starting gunners has been fired. Prevention being better than cure. The things to focus on before an incident occurs is what are your assets? I think things that people perhaps don't think about too well is what am I actually trying to protect? If you look at those things from two different lenses, the first one being what's important to you in your business? What can you afford not to lose and what must be protected at all costs? But one of the interesting things to also consider is what do other people think your assets are? You might have a set of things that are really important to keep your business going but you may also be sitting on information or assets that the attackers would like to get their hands on. You need to think about your data and your infrastructures in that sense as well. So, the way to understand what the attackers are after is to read the papers. We get reminded every day of the problem set but use your best intelligence. Get yourself access to good intelligence so you understand what groups are doing to which sectors and what are they after. Particularly make yourself interested in the what are they going are and what are they doing with it when they've got it. Then turn that mirror onto your own organization and think about how that works for you. It's very easy then to build playbooks where you can learn from other people's experiences and examine how that would work for you. Those are some of the things I think are really important to do before hand and actually the real test is actually do the thing to yourself before someone else does it. So it goes by lots of names. Red teaming, adversity simulation. They're all really the concept that actually if you attack yourself, or have an organization attack you, in a similar way to that that you're worried about. It gives you a change to practice in anger without having the exercise very public and very damaging at the end of the day. So testing those things is really good. But when it happens the first thing I would suggest everyone does is keep calm. Many, many years and many, many hundreds, in fact thousands of investigations, the first thing you need to tell everyone, keep calm. You're in good company. There are many other organizations who've been through this exercise and many others who don't even know they should be going through this exercise so they don't actually recognize the fact that they've got a problem. But you must keep calm. The first thing not do is to delete things. I know there's a temptation for people to delete what they've seen as bad and then get back to normal. That really is a generally a bad practice. Not least but if it's a complex compromise that you've suffered, and increasingly they tend to be these days, you're just deleting the piece of string you need to pull to unravel what's going on in the environment. So you might find that there's an attacker in your infrastructure, and you delete the piece of string that would have let you understand what had happened and what was going on, and therefore how to remediate it. So don't jump to the conclusion that it's just a bit of malware. Let me delete it. Be careful. Be thoughtful and be diligent about how you guys preserve logs and preserve everything you can as soon as you realize that there is potentially something wrong. These things are never binary. You'll never know from the start that you have actually got an incident. When does an event become an incident? We can spend the rest of the time debating that which I better not because I'll take up too much time. But when does an event become an incident and always err on the side of caution. Always assume the worst and then you can be pleasantly surprised when it's not so bad. Get people involved at the early stage. Get the right folk involved at the start to figure out what you're dealing with. I'll talk more about the rest of it later but I think that's probably enough from me now.
Annette: That's great. Get the right people and stay calm which may be easier said than done, I think, sometimes. But good advice. I know, Wendy, when we were discussing earlier you also had some comments on breach preparedness and what sorts of things do you discuss with clients? Who are all those right people? Can you comment on that?
Wendy: Yeah, yeah. I just wanted to pick up on that team incident and one thing, I mean I know we've all been hearing a lot about and I think we're going to be talking a little bit about litigation risk as well in this session, and it goes without saying that security incidents are now a C-suite level issue. I don't think we've seen it yet but there's been talk of directors and officers liability for breach incident if an appropriate standard of care is not followed to prevent and manage a breach. It's definitely a CEO level, executive leadership team responsibility and I know we have seen, certainly with large breaches, resignation of CEOs. This has to start right at the top and I think that message is starting to get through, increasingly, as this takes on a heightened importance. But of course it's one of the hard things about managing a security incident is the breadth of people within the organization who have to be part of that response. So of course your IT team is sort of a natural part of that but you do have to one organizational lead for the incident response. So whether that's your data protection officer, your DPO, or often called a privacy officer in Canada, or your CIO or your CSO, that has to be sort of a point person who can liaise with executive leadership team and top management. Then beyond that you of course have IT. If you have internal legal you're going to involve internal legal and they're going to have a really central role and we're going to be talking a little bit more about legal privilege issues. Depending on your jurisdiction you may have privilege associated with what your internal legal counsel do. That's not across the board in every jurisdiction. Certainly the case in Canada but that is jurisdictionally dependent or will vary. So you're going to want to understand that too because that may affect how you bring in external legal as well and at what stage and how comfortable you feel from a legal privilege standpoint. Then there is members of the team that I think aren't often considered as often but are integral. If you have a public relations group they will be important to involve. Your customer relations, your sales and marketing, the people who actually have the connection to your clients, whether it's business clients or individual consumers, who may need to be notified and have a good sense and a good handle on what data would be impacted of those clients or customers. Also there's oftentimes employee data can be impacted. So that brings in your HR team who will know what systems you're using for employee data and have a sense of how you maintain and protect employee data. Then that's just internal. Then we turn to external and who do you use as external providers. We're going to be speaking more about retainer agreements for external providers but of course there's external legal. There's your friends like investigation team. You may have external communications and we have sort of a growing industry for data breach services as well. There are companies that offer, for example, call centers or services involving mass notifications. That can be really helpful as well. You want to think about who you're going to have in place or who are you going to turn to for all those different services. I think I'll stop there.
Annette: Thanks, Wendy. I'm not sure if you mentioned insurance providers. Probably you did. Brent, I think you had some comments on insurance companies.
Brent: Sure. Happy to talk about that. I should say by way of introduction, like Wendy I'm a breach coach and I advise on cyber, and to a lesser extent, privacy issues but I'm also a litigator by training so one of the things I do is defend cyber breach class actions and regular actions. So everything looks like a law suit to me and that's how I view a lot of the things that we're talking about including the insurance aspect. So when someone like Wendy or I get the call you hope you get the call right at the beginning of the process. Often that's not the case. Often we get brought in after the client's tried to do something about it themselves or after they've already contacted a cyber forensics vendor to come in and try to plug the holes. That can cause some complications. One of them is you can sometimes find yourself in the situation where you, as the victim of the cyber attack, have started taking actions not realizing that you already had insurance coverage for this, that actually dictates what you're supposed to do about it and who you're supposed to call. Just by way of example I had a case of a credit union that contacted last year. They had been dealing with the incident with their forensics vendor a couple of days and then they brought us in which was the first mistake. Second mistake was the people who were in charge of the breach response weren't talking to the people who arranged for the credit union's insurance coverage, so they didn't know that they had this cyber security policy, and they also didn't know that the cyber policy said specifically which lawyers and which forensics vendors they were supposed to use and they weren't the ones that they'd contacted and started working on the problem with. The thing you need to worry about with insurance is that if the claim is big enough the insurance company's first question to itself is how do we get out of paying this? Apologies to any insurers in the audience but that's just good business, if you're the insurance company, so you need to be careful that your breach response takes into account the insurance portion of this so that you're calling the right people and you don't void your coverage. So the coordination is key. The other aspect is, from a litigator's perspective I would add is that, you really should get the coverage. If you're a smaller entity and you're struggling with this, I remember once I was giving a panel on this and the smaller company said, "I've got x dollars for cyber security. Do I hire another person on my staff to deal with the IT side of cyber or do I get insurance?" As a lawyer I have to answer, "Both." Because whether or not you are skeptical about what the coverage is going to cover, and the next 10 years are going to be 10 years of litigating, fighting out what the policy's covered. What the exceptions exclude and accept. But courts expect you to have it. So if I'm defending a law suit and I want to show the judge that my client did every thing reasonable to prepare for the possibility of an attack, one of those expectations is going to be that they got the insurance, even if they turn out to be off the coverage for whatever reason or beyond the scope of the coverage. So those are things, from a litigation perspective, those are some things you want to keep a good eye on. In terms of how all this is structured, as I said before the insurance will often have a preferred panel of counsel and/or the forensics vendors, so sometimes depending on how big your coverage, how big the entity is you may get a say in that. You may have a bit of flexibility. Or if your coverage amount is small enough the insurance company may not care who you use. They just want to have the opportunity to say, "Yes that's fine.", once they're satisfied that whoever you want to use has the experience that they need and the right price range I guess for the amount that they coverage is going to come to. So those are some of things that you have to keep an eye on. It means that we as lawyers don't always have the control over the process that lawyers like to have over every process, because it may mean that we're going to be paired with the insurance company's chosen vendor, who may or may not be the ones we're used to dealing with. But that coordination is still going to be key. You got to find ways to work it. I've never had an experience with a vendor that wasn't positive. Every company I've dealt with in this space has been very professional and knew what they were doing. I'm sure that's not the case for all of them but I haven't run into the ones that don't yet, happily.
Annette: Great. I think collaboration and coordination are some things we'll keep hearing today. But let's talk a little bit more about lining up those external providers. Can and should you determine that before hand or is it okay to wait until your in the situation to agree to those contracts? Yaz, I know you had some thoughts on this that you wanted to share, specifically.
Yaz: Yeah. Definitely don't wait. I think, like my colleagues mentioned, the best way here is to deal with these cyber incidents is to prepare in advance because there's quite a bit to do during an incident. So you want to try and minimize all the activities that you're doing during an incident and try to practice as much as possible. I think in terms of determining what retainers you need and what relationships you need to have in place, I think it's important to understand your full requirements and some of that is driven from regulations. Some of it is industry. Privacy, we kind of talked about sort of privacy recording and legal counsel, getting external legal counsel in place. I think when we look at cyber incident retainers I think it's important to, as Brent shared, that understanding what's covered in your cyber insurance. A lot of times even discussing this with your cyber insurance provider there is opportunities to add other providers to the coverage beyond what they have in place today. I think from an industry perspective I think there's PCI, for example, the Payment Card Industry requires organizations to have a specific incident retainers that are focused purely on credit card data and focused on providing reports back to the credit card organizations, as opposed to you handling the complete incident life cycle. So that's also another consideration that needs to be incorporated. We kind of spoke about having incident retainers with a communications company if you don't necessarily the internal teams to handle all the crisis management communications which is pretty significant, I think, in terms of effort. Having ready templates that are reviewed by legal to actually use during a breach. Having potentially access to call centers or access to what's know as a dark site, a website dedicated to communicate guidelines on sort of when a breach happens to communicate to external providers. Contractual requirements are also very important. Organizations today have contracts in place with partners, with suppliers and obviously with their clients. A lot of times within these contracts are clauses that specifically stipulate who you contact and when you contact them. So understanding those clauses also will help to determine what incident protocols and incident retainers that you do need to have in place. I think with respect to having cyber incident retainers we've seen instances when multiple organizations within an industry are attacked by the same threat actor at the same time has introduced sometimes some capacity issues with incident response providers. So an incident provider supporting both of those organizations may struggle to provide their services during an incident. So one trend that we're also seeing is getting a backup incident retainer as well in situations where you actually need multiple providers. With respect to cyber incident retainers, agreements, you could have what's known as zero dollar retainer which costs nothing for organizations. Provide some level of comfort but doesn't necessarily provide guarantees in terms of service level agreements. The other option is having a paid retainer in place which provides some guarantees and is obviously recommended so it guarantees some service level agreements in place. So those are some of the considerations I think organizations need to keep in mind when determining who to engage with and what incident retainers need to be in place.
Annette: Great. Thanks, Yaz. I think you answered a question that came in the chat. Should external communication be engaged in breach preparedness. I think that the point the group is trying to make is there could be quite a bit of communications needed in the midst of an incident, so if you don't have an internal function that's ready to handle it, it's a good idea to talk to and possibly engage an external firm. Just a couple of other quick observations in contracting for IR services from a provider point of view. We have seen clients do both things. Either have a retainer or come to us in the midst of an incident. A couple of things that are interesting, that are a little bit different, because sometimes these situations are quite sensitive, a security incident that may be a breach situation. We've seen clients try to keep the circle very small of who's involved even with contracting those services so not going through normal procurement channels. We see the scope and deliverable sections of these agreements be a little bit different in that a lot of things are sort of TBD because, as Mark has said, you won't know exactly what you're getting into until you're there and so things can take different paths and you may want certain deliverables written, you may not. That's a little different, and finally, we more often than not these days we will see clients bring in their external counsel as a party to the agreement in efforts to assert privilege over communications and reports. We're definitely going to circle back to that last point on privilege but after we get into a little bit of detail about the investigation itself. So, I'm going to turn back to Mark and I'd like to hear more about what specifically happens during an investigation. So when they victim organization comes to your team. What's entailed in that work?
Mark: I think there's no two incidents the same, so it varies every time, but I think there are some common themes that I would go through. I'll just remind us, before we head off down that road, the preparation work is so important and the technology you've got is great and necessary, but it's not going to fix your problems either. You do need good people, right to the get go, to help you use the technology you've got. We talked about the importance of having those plans. The first thing to do, it might sound very obvious, but get the plan out that you've rehearsed many times and you've got well drilled and start using the plan that you've put together, because that's kind of the point of having it. However, don't follow it slavishly. There are plenty of things that might take you in a different direction and be mindful that that's an important element. I think the biggest danger is to assume. In every investigation we deal with there are often mistakes made where an assumption about what's going on has actually been made and actually that is something to be very careful of. Look for corroborative evidence when you're doing your investigation and make the assumption that maybe the assumption over here is wrong. The attacking groups have got far better at diversionary tactics. So you might be seeing something over here on your left and actually it's the thing that's going on quietly on the right, that's the thing you should really be worried about. Be careful of assuming that you're dealing with A and it's actually B. Always keep the business focus through the investigations. So the most important thing is your business and you need to be mindful of how you need to continue to keep doing business and not get dragged into stopping your business while you do the incident response. So that's really important. Understand what's happened has got to be the most important thing you need to do first. You need to gather all the evidence you can find to get a clear picture of what you're looking at and then, wherever possible, try and corroborate the things that you know with other bits of information that allow you to be sure so that you don't end up with an assumption. Or if you do end up with assumptions, that's fine. Remember that they are assumptions though. The difference between organized criminal gangs that you might be trying to deal with and nation-states are very marked. Although they use very similar techniques, for the most part, nation-states tend to be parasitic. So they tend to have a preference for getting into an organization, and having access to the data in the organization, but surreptitiously so that they can take it out and continue to take it out over long periods of time. Which in itself means that you may not even be aware that that's going on. Criminals are generally after money and the one truism is if they go after money you'll probably notice it when you've lost it. The criminal organizations are going to be more obvious to you but it doesn't mean that there is no nation-state activity, that you also need to think about, and the one thing that I will say that is really ..., and this is a common mistake, is the absence of evidence is not the evidence of absence. So, what I mean by that is if you haven't seen them it doesn't mean they're not there. Some of the better actors that we deal with are very, very good at clearing up after themselves. I can show you, and we can use forensic techniques on the machines that they've been on, that they've tidied up so well that any event afterwards would show that there'd been no visit at all and no activity because they've diligently tidied up their footprints. So be careful that you are not going to assume, having investigated something, that actually there isn't something that you've missed in that process. I think that's an important thing and, pardon me for saying it, I guess I have to, but bring in experts. Bring in the right people to support you. If you've got your own teams inhouse, that's fantastic, but even your teams are not going to have the benefit of the wider purview and the sense of what's going on elsewhere. We talked earlier on and I mentioned some of the issues around repeat victimization of a sector. We see particular groups going after individual sectors at the same time. You will often find that there's lessons to be learnt from others. If you've got working groups, or alliances around a particular industry sector, that could be really, really useful. If your finding problems with something, then if you've got a trust agreement with people that you can use and turn to, you can often find that there's actually more experience with the same problem. If you can pool your knowledge you can generally get ahead of the problem in a much more effective way. I think the summary, as far as I'm concerned, is never assume, always be alive to changing situations because they will change all the time, and have the right people throughout the investigation. You may need to change them because you may find yourself with a different technical problem that you started with. So make sure that the people that are actually driving the process forward and providing you with the advice have got the right skills to do so. I hope that's helpful, Annette.
Annette: Yes, great. Thanks. Mark. Yaz, I see you nodding a bit. Can you add some comments on challenges as teams are navigating their way through an investigation?
Yaz: Yeah, I think during an incident, and it depends on the type of incident that you're going through, I think there are multiple risks that an organization is dealing with. So if there's personal information obviously you're dealing with privacy risk. There's the legal risk. There's the cyber risk. If there's an operational impact then obviously there's a business disruption risk. Part of dealing with an incident you've got to manage all these risks and all the associated processes to manage a lot of these activities. One challenge that I typically find is around communications. I think we kind of touched on that earlier. From a legal perspective I think when you're engaging legal counsel they're hyper focused on the legal risk and there are sometimes concerns, as they should be, and there are sometimes concerns on some of the communications and how things are documented or how things are being captured, because there's a concern that if something is misstated or it may inadvertently lead to some litigation exposure. On the other hand you have teams, various teams, across the organization that are super focused on trying to mitigate the risk and address the actual incident. That is very difficult to be done verbally. You do need to communicate. You do need to sometimes email and collaborate and put things down as you're trying to contain an incident or remediate an incident. So it's very important for the teams that are driving incident response across the organization to be clear on the guardrails and the communication protocols. The best way to do that is to prepare in advance and to discuss these activities. Understand sort of what channels are going to be used during an incident. What are sort of the guidelines, the dos and don'ts from a communication perspective? What are the roles? We kind of touched on that a little bit in terms of who's communicating what? A lot of times, especially from a client perspective, is it your operations teams? Is it your sales teams? Is it your relationship management team? Is it a message from the CEO? So understanding clearly who's on point from a communication perspective is also important. So those are some of the things that I think are important to sort of flush out and test. I think a lot of times a lot of organizations have developed playbooks, technical and security playbooks, to deal with incidents. But not a lot of focus on building business breach playbooks so that the leaders and the various clients of business are also ready to address and tackle some of their responsibilities during a breach.
Annette: Thanks, Yaz. I think, and this is another theme I think we're trying to get across is, plans, comprehensive plans and practicing those plans. So, thank you. Now we're going to come back to that topic of privilege and, Brent, I'm going to turn to you here. The recent Capital One case where the court found that Mandiant's IR report was discoverable in litigation has gotten quite a lot of attention. It by no means was the first case deciding on this issue and cases have come down on both sides of the question, protecting and not protecting, but nonetheless this one's gotten a lot of attention. Can you talk a little bit about that case and the state of the case law, generally, on this topic of privilege and incident response?
Brent: Sure. Part of why it's gotten so much attention is that in a lot of jurisdictions, Canada being one of them, there isn't a lot of law on this so we read the tea leaves based on what's going on in America and this case is providing some. Canadian judges, in the absence of precedence here, will look to what's been done in other jurisdictions. So we expect this case to have an impact here as breach cases in Canada evolve. So the overall concept, let me just back up for a second, is that you want to be able to maintain lawyer/client privilege or litigation, possibly, depending on the circumstances over the work product of the cyber security vendors, if you can. Some people think of lawyer/client privilege as a sort of a magic sort of pixie dust. You just bring your lawyer in and they sprinkle it over whatever you're talking about and, boom, it's protected. That's not how it works. There's pretty specific circumstances into which things will stay privileged. You may not want everything to be privileged. You may want to be able to, for instance, share a forensics vendor's report about what you did to stop the bleeding. Because part of the reporting to the privacy commissioners, and even your notification to affected individuals, is going to be able to say we found a problem. Here's what we did to fix the problem. So you want to be able to show that because you're showing yourself to have been responsible, and you need to satisfy the privacy commissioners where there's reporting obligation, that you've done what needed to be done. What you probably don't want to share, until or unless you have to, is where were the holes that should have been plugged? Maybe there aren't any. Maybe you were completely reasonable in the protections you had in place and you just dealt with a very sophisticated actor that had the time to get through. That can happen. But if you've got obvious gaps in your cyber security posture you don't want to have to hand that over at the same time you're showing the privacy commissioner what you did. So you may want to have separate retainers and separate streams so that you can decide what you're willing to share and decide what you manage to keep under your hat. It can be a tricky balance though and this is why we have to be very careful about what we say and what we share. The Capital One case, there were some lessons that were important for us. One, and this should be obvious, but the counsel should retain the vendor first. So if it's a situation where, and it's fine if this was organized in advance but, what you don't want to have is what you had in that situation where the company's longstanding cyber security vendors are then retained, they're already on the site, they were already doing their investigation and then they're retained by the lawyers, ostensibly for the purpose of litigation opinion. You want that channel to be set up through the lawyers to begin with. Second of all, make very clear that the papering around this, the retainer agreement or the proposal from the vendor to the lawyer if that's how it's going to start off, is very clear as to the purpose of this investigation is for the purpose of providing legal advice from the legal team. So that purpose needs to be clear and set out because, if it's the kind of report you were just going to be generating anyway, it's much harder to make the case that this is for litigation or this is for the purpose of delivering legal advice. So the paperwork needs to be clear on that. In that case the court actually reads down far enough to say, "Where did the money come from, from the client, to pay for this?" Because in this event incident it came out of the, I think it was the, the business budget as opposed to the legal budget. It's harder to make the case that this is a report being generated for legal purposes if the big institution is not paying out of pocket from the legal department. So those are the kinds of things you want to think about in advance and things you want to have structured in advance so that a court looking at this is going to find it credible. But this is what the purpose of the forensic report and advice is. That's how I would want to structure it.
Annette: Great. Thanks, Brent. Wendy, did you have something you wanted to add on this topic?
Wendy: Yeah, I just want to be brief, but I just wanted to add that people often only think of retention, or legal privilege issues, when you're retaining forensics providers. But the same is true for any providers that you're going to retain and possibly share legal advice with. One of the obvious ones is PR, public relations, so we've had circumstances where clients will share their legal advice with their PR providers. That will be problematic from a privilege perspective unless, again, you try to structure the retainer. Again, the case law is fairly uncertain in this area but we have had cases in Canada where there is privilege over communications or sharing of legal advice with PR companies, but only in the event where they, essentially, need to be involved in the process in order for the client to obtain legal advice and instruct counsel and an integral part of that process. You'd also want to be mindful of the same types of considerations that Brent has already discussed, in the context of those retainers, so obviously having legal counsel retain the provider, limited access to only what's needed. The return of those documents, marking those documents avoid privilege, all of those practical considerations.
Annette: Thanks, Wendy, and we're going to change the subject but I'm going to stick with you on the next one as we talk a little bit more about the role of legal counsel and these incident responses. It's been mentioned, regardless of the type attack, likely you need counsel involved. Many organizations are global enterprises and have operations in multiple jurisdictions. Can you give us some thoughts appropriately preparing and managing for those incidents that impact multiple jurisdictions?
Wendy: Yeah, sure. I mean it's not easy depending how large your global footprint is. Our firm, for example, is I think in 10 countries, 19 offices. So we've got pretty broad coverage. But we're also working with legal providers that we know and have relationships with in advance so that we know who to call on, in jurisdictions that we're not present, so that we can quickly obtain that advice. As an organization you're going to want to do the same thing. Either you're relying on a legal provider who has that type of coverage or you've got your local counsel figured out in advance. Whichever way you want to structure that. But basically it comes back to where we started and that's in the preparedness for all this. Most of you have probably seen matrix. There's a lot of them used in the US that set out State by State breach reporting requirements. Those kind of things are a good start but pretty much where you have to start is with the data mapping exercise that Mark has already referred to. So you have to figure out what your assets are and then flow from there. What laws are you subject to? Depending on the data that could be impacted and what are the requirements under those laws? Then that whole contractual piece. Especially if you're a service provider organization. That's going to become more central to you then the actual laws that are in place because oftentimes it's not your responsibility to report an incident anyway. It's your responsibility to let your client know about the incident and they will have the reporting obligations. But again, it all comes down to figuring all that out in advance. As much as you can.
Annette: As much as you can. That's part of the key. Wendy, can I ask you a question that seems related that's coming from the audience? This is from Sharon. I don't know if you saw it. What happens at a practical level when there is personal data involved in a breach? What role does government have in Canada and how are they involved on the ground? How is this coordinated?
Wendy: Right. So, incident response is up to the organization. So shutting down, everything that we've been talking about, about shutting down the incident, containing the threat. That's all up to the organization. Where regulatory authorities are involved in Canada is in the fact that there are laws that require breaches to be reported if personal information is impacted and if the harm reaches a certain threshold depending on the jurisdiction. So under PIPEDA we have mandatory breach reporting and notification in the event for real risk of significant harm. There's also mandatory recording in Alberta and that's all just private sector. Then depending on what sector you're operating in, health sector has Provincial laws based on your jurisdiction and there's sectoral laws as well. Yeah, there's a lot of regulatory involvement but not so much in assisting you to contain the breach but rather imposing the requirements on you after the breach.
Brent: Can I add one point to that? I agree with all that's been said. One other area that gets overlooked, because it's a relatively new role for government, is that we're also seeing some proactive guidance and assistance for people in the form of the Canadian Center for Cyber Security. It's rolled out in the last 4 years, I think, and it's been expanding the services that it has. It plays a real role in public education and helping small businesses understand what the risks and what they can do to protect themselves. It also will proactively help victims of an attack. I had an incident this year where a client was hit with a ransomware attack and within 2 days the Canadian Center for Cyber Security said an operative in another organization we deal with detected this breach. Where you aware of it? Can we help? So they're out there in a proactive and helpful role as well. The other think I think needs to be looked to is that the guidance that they are putting out for businesses is going to start to form part of the circumstances that courts look at when they're evaluating whether or not somebody was acting reasonably to prepare for a breach. Because after a few years of this, when all this was starting with ransomware little was expected in terms of knowledge the clients would have, but as all of this public awareness improves and increases it's going to be much harder to be able to say I didn't know about this stuff. There's no way I could have prepared for it because this is probably available information.
Annette: Right. Since you brought up ransomware, Brent, we did have a couple of questions in the chat about ransoms. I think Kevin's question came early when we were talking about breach reporting and that was about breach reporting but you ask about reporting and paying ransom. And Russ has also asked can we speak a bit more about impediments to paying ransom. So, just a couple of comments from me. As far as the legality we mentioned the OFAC advisory and that was really to say, "Hey. You need to be thinking about before paying ransom, amongst the other things you're thinking about, getting your systems back up. Whether you're going to be named and shamed and who are you paying and is that threat actor a sanction then to your operating from a sanctioned country?" Although it might be almost impossible to know actually who is behind that persona, the advisory is talking about doing what you can and having a compliance program in place. So are you checking the persona name in the wallet against the OFAC list and make a large point that I think Yaz mentioned, about notifying law enforcement early. I think, Brent, you were saying that as well. Those are some of things to think about and many things to think about. I'm sure all of you has another comment to make on this. Maybe from the technical side if Mark or Yaz you want to comment. Whether or not to pay ransom and things folks should be thinking about.
Mark: I'm going to talk about when not being a lawyer.
Brent: Yeah, as a pure practical matter let me give you an example. This year, within a week of each other, I had two clients hit by what would appear to be the same threat actor with the same strand of ransomware. In one instance the client was completely crippled by backups encrypted, the whole story, and the threat was we will publish all of this, here's proof we have it. We will publish this on the dark web unless you respond. They made the business decision to pay and the consequence of that was they got their decryption key, they got their data back, their customers data. So far as we can tell, and that's the difficult part, isn't on the dark web or at least if it is the threat actors aren't advertising it. The other client hit by the same strain brought in some IT professionals who don't have cyber security experience, weren't expecting the concept and this is somewhat recent, of a strain of ransomware that would extricate data and then encrypt. Looked at the logs around the timing of the encryption and said, "I don't see any exfiltration. I think it's a bluff. Don't worry about it." They didn't pay, and we're not engaged at this point, they didn't pay and by the time I get the call from the client, their client data is on the dark web in a way that's very easy to find. So, should you do it, from a legal perspective? You're in an impossible position until we get a direction saying you shouldn't do it and you mustn't do it. Because on the one hand, giving the advice and we give the advice you shouldn't pay, is the same as saying, "Give up on your business because it's completely beyond rescue and take the risk on behalf of your clients that don't know it yet. Or your customers that don't know it yet that their data is going to be accessible." That's the game we're still playing now. But I absolutely agree to the extent that you can manage to figure out who you're paying to. Get some comfort that it's not North Korea or some other actor.
Wendy: To bring that back to the reporting questions that were asked there's oftentimes a question as to whether ransomware needs to be reported to the privacy commissioners because the intention, well, it's changing but the intention didn't used to be to exfiltrate personal information. But generally speaking they will have access to your system so depending on which systems they have access to and whether personal information resides on it. We usually do things but there's a reporting obligation that's always on a case by case basis. But it's a common question.
Annette: Great. Thank you. There's quite a few more questions and I think we'll have to take some of them afterwards. There are two specifically privileged. Can this be accomplished with inhouse counsel? Is it available in the UK? I guess the overarching answer to those questions is will depend on jurisdiction and the circumstances in both of those instances. Just to let everyone know, I think we're going to start wrapping up. We did have to skip part of the discussion so I apologize for that but wanted to get to some of those questions as well. So, just quickly I wanted to recap a couple of the key take aways that hopefully you've all heard and enjoyed the discussion. First, the landscape continues to change. Both the threat landscape, who the attackers are, the types of things they're doing, what the attacks are and how they're molding to different things. As well as the legal and regulatory environment that we're all working in is changing. Planning ahead is critical. Developing plans, including government's communications plans and practicing those. Possibly through table tops. Possibly some red teaming exercises that Mark mentioned. You need to understand who all the stakeholders and inputters are. How various service providers can be engaged. How all of those people need to work together so collaboration and with all the stakeholders, preparation, documentation these are all key. It's important to remember why we're doing all of this. Really it's to work to build your resilience and mitigate the consequences is likely inevitable incident. So, with that I'm going to turn quickly to Yaz and Wendy to close us out today.
Yaz: Thanks, Annette and thanks everybody for attending and thanks to the my colleagues here. I think if you do need a retainer or place you want to develop an overall incident management strategy that incorporates all your various requirements, or building and testing those playbooks and running simulations to test your defenses, Accenture Security can help. Organizations are in tremendous pressure right now to undertake digital journeys and quickly adopt Cloud solutions and cyber security teams have cyber talent shortage. That's a global issue. So as you embark on some of those digital transformations we have both the Cloud and security teams there to make sure that you're doing it safely and securely. Thank you.
Wendy: I just wanted to mention this session is being recorded. I saw that question come up a lot. So it will be available on our website. From a legal perspective, I'll just go back to the jurisdictional issues. So figure out what laws you're subject to so that we can determine what you're going to do and who you're going to report to in the event of a breach. If a breach happens give us a call. You know, we may not end up being your legal counsel in the end but we'll figure that out, and we're always a good first stop. Hopefully it never happens, but if it comes to a regulatory investigation or litigation, as you've heard we're able to ...
Annette: Okay. Thanks everyone. Enjoy the rest of the day.
Yaz: Goodbye.