How Government Contractors Can Manage the Challenges of Rapid Reporting of Cyber Incidents

Elizabeth Ferrell
Bradley Arant Boult Cummings LLP
Contact
LinkedIn
Facebook
X
Send
Embed

In the past few years, the Department of Defense’s (DoD) regulations have mandated that DoD contractors and subcontractors rapidly report cyber incidents to the government. That trend continues and may spread to civilian agencies in the future.

To facilitate a coordinated and expedited response and to comply with regulatory and contractual requirements, every company should have a well thought out cyber incident response plan, so that the incident response team can focus on executing the response plan rather than trying to address the incident on an ad hoc basis.

Here are some tips to follow:

Tip #1:  When developing a plan, companies should first consider what types of cyber incidents should trigger a response. Limiting a cyber “incident” solely to instances where the IT department has determined that there was an actual exfiltration of .data may be imprudent. The DoD may consider the definition of cyber “incident” to be broader

Tip #2:  The plan should also identify the incident response team (such as  head of IT, CIO, general counsel, risk manager), the roles/responsibilities of each and their levels of authority. For example, who has authority to shut down servers or share incident information with outsiders? The incident response team should be broad enough to include all resources that might be needed, such as outside legal counsel experienced in breach response, human resources (needed if the incident involves identifiable personal information or an insider is involved in improper activity), outside forensic experts, and media consultants.

Tip #3:  The plan should also include policies for internal reporting (e.g., when should the CEO or Board be notified?).

Tip #4:  The plan should be specific enough to guide the team through the processes and protocols for analyzing the incident, documenting the investigation, gathering and preserving evidence (such as using forensic imaging), involving law enforcement, remediating the problem, recovering from the incident, and external reporting, such as to the federal government and to your insurance carrier. Without a detailed plan, there are risks; for example, a well-meaning IT person might delay reporting up the chain of command until the incident is “handled,” or might take steps to remove malware without preserving evidence.

Tip #5:  The plan must identify a single spokesperson to address any public inquiry from the press or any other outside questioner.

Tip #6:  Make sure that all employees know who in the company to notify in the event they discover or suspect that an incident has occurred.

For more information on the challenges of rapid reporting of cyber incidents, see my interview in PubKCyber.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising

Written by:

Bradley Arant Boult Cummings LLP
Bradley Arant Boult Cummings LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Bradley Arant Boult Cummings LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide