Include lawyers in cybersecurity incident response planning, Forrester says

Organizations need to engage legal help to assist their CEOs in making smart decisions and improving breach responses, the research firm states.
By Bill Siwicki
10:12 AM

Healthcare and other organizations must engage legal help to aid their CEOs in making smart decisions and improving breach responses, according to a recent report by Forrester Research.

“The welfare of the business and the investment of its shareholders ultimately resides with the CEO,” the report stated. “As we have seen from recent board and regulatory actions as well as class-action lawsuits, CEOs are being held accountable for how their firm handles security breaches. According to Forrester’s data, 66 percent of global security technology decision makers at enterprises see improving their incident response capabilities as a high or critical priority.”


According to that Forrester survey of 1,165 global security technology decision makers at organizations, including healthcare organizations, with 1,000 or more employees, 66 percent of respondents said improving incident response and forensics capabilities over the next 12 months is a high or critical priority, 27 percent said a moderate priority, 7 percent a low priority or not on the agenda, and 1 percent don’t know. The total does not add up to 100 percent due to rounding.

“For enterprise security teams consumed by day-to-day activities and fire drills, the maturity of incident response processes and playbooks suffers, setting up the firm for significant losses and reputational damage in the inevitable event of a breach,” the report said. “It also means the security team isn’t in a position to advise the CEO and other business leaders on the appropriate course of action when unexpected events unfold during a breach.”


As a result, it is important that organizations immediately engage with legal counsel for incident response planning, Forrester Research said.

“The mission of an incident response team is to bring resilience to the organization when threats are realized,” the report said. “Security and risk pros need to make sure that they retain counsel with experience in the regions in which they do business, apprise them of the types of sensitive data the organization uses, and work with them to build a robust incident response capability.”

Specifically, Forrester Research recommends that an organization retain and inform outside counsel as part of incident response planning.

“Much as technology management professionals have different areas of expertise, lawyers focus on their own specializations,” the report stated. “Your general counsel may not be the best option and will likely only get involved if there has been a material breach. When selecting outside counsel, it’s critical to identify the regulations you are subject to and find a legal firm that has experience working in those regions. Money saved with less experienced counsel will end up as time spent on research during your breach crisis.”

Forrester also recommends that organizations define how escalation needs to happen ahead of time.

“Knowing when to escalate, and to whom, is a critical part of delineating roles within an incident response team,” the report said. “Engaging legal early – even before calling the investigators – will help blanket the investigation in privilege. Similarly, discuss with general counsel when they would like to be involved. Often, this will be only for confirmed, material breaches that are going to require executive attention. Understand the different types of lawyers you will be interacting with and when they need to be involved in defending the organization.”

Further, organizations need to negotiate third-party coverage with their cyber insurer, Forrester said.


“Breach costs can become exorbitant, and insurance companies have a business model that relies on not paying all claims,” the report said. “Beware insurers that abuse ‘best practice’ clauses – and, when shopping for cyber-insurance, investigate whether they have actually paid anything out. While many cyber-insurers will have lists of third-party vendors they will accept, you don’t have to settle if you find that the firm you want to work with isn’t on that list. Many times, you can have your preferred third parties approved by your cyber-insurer. Although you may end up paying the difference in rates, you will have the law firm or vendor you’ve selected working with you.”

And ultimately, organizations must develop and certify incident response playbooks, Forrester said.
