By: Jeff Kosseff, Counsel in Privacy and Cybersecurity practice group.
Companies, nonprofits, and other organizations should develop comprehensive plans to recover from cybersecurity incidents such as data breaches and ransomware, according to new guidance issued by the National Institute of Standards and Technology (NIST).
The Guide for Cybersecurity Event Recovery, NIST Special Publication 800-184, is not a legally binding requirement. However, organizations that follow the guidelines may reduce their legal risks after a data breach or other incident.
In recent years, NIST's cybersecurity guidelines have become increasingly influential, and companies frequently look to NIST publications for industry-standard cybersecurity principles. For instance, in 2014, NIST published a five-step Cybersecurity Framework for operators of critical infrastructure. Companies increasingly require service providers to adopt the framework. The Federal Trade Commission, which regulates data security, wrote in an August 2016 blog post that the NIST Cybersecurity Framework is consistent with the FTC's approach to data security.
Just as the Cybersecurity Framework has set a national precedent for critical infrastructure cybersecurity, NIST's new recovery guide could become a de facto standard. Although companies are not required to follow NIST's recovery planning framework, adoption of its main principles could reduce the likelihood that companies would face successful lawsuits or regulatory actions arising from data breaches and other cybersecurity incidents.
Below are some key take-aways from NIST's Guide for Cybersecurity Event Recovery:
- Recovery plans should identify managers who make key decisions about recovery from cybersecurity incidents. The plans also should identify contact information for all staffers who will implement the recovery plan, methods for communicating critical business information if systems or networks are slow or disabled, and the hardware, software, and other infrastructure that could be used during recovery.
- Plans should specify both the technical steps necessary to recover systems and data and the non-technical steps, such as changing business processes in response to a data breach.
- While recovering from an incident, companies must understand the "root cause" of the attack, including the adversary's objective and the technical mechanisms that the adversary used to achieve that objective (i.e., the attacker used ransomware to extort money from the target company).
- Organizations should plan to effectively communicate with service providers, victims, owners of the infrastructure used to launch the attack, and others. In particular, NIST warns that statements made quickly during the chaos of incident response could have significant legal ramifications.
- Organizations should continuously improve their recovery plans to account for changes to technology, personnel, and business processes.
- Regular "tabletop exercises" - simulations of data breaches and employees' responses to the incidents - help companies understand the weaknesses in their recovery plans. NIST did not specify a minimum frequency for these exercises, but instead said that organizations should conduct the exercises "at a frequency that makes sense for the organization, recording the results to help inform organizational cybersecurity activities."
- Organizations should develop recovery metrics to measure the strengths and weaknesses of their recovery plans. Among the metrics that organizations should consider are the costs of legal advice, remediation, business disruption, and brand damage; the number of incidents over time; frequency of tabletop exercises; the number of disruptions to the organization's operations due to cybersecurity incidents; and the success of restoration efforts after incidents.
- When developing recovery plans, organizations should consider both the tactical recovery phase and the strategic recovery phase. The tactical recovery phase focuses on planning for the steps taken immediately after an incident. Such planning includes tabletop exercises and identifying key information security employees. The strategic recovery phase focuses on using the lessons learned from an incident to reduce the likelihood of future attacks.
In light of the increasing influence of NIST publications in cybersecurity law, companies should consider consulting with legal counsel and cybersecurity technology professionals to develop recovery plans that follow NIST's guidance.
Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.