Who Needs to Be on the Cyber Breach Response Team

Picking Vendors to Help You Through a Data Breach

By Tom Kang
Here’s a common scenario:
A rash of customers gets hit with fraudulent credit card charges. Your technical team discovers suspicious activity on your network. Law enforcement is on the phone. The signs may be obvious or barely detectable, but when you follow the trail, the conclusion is irrefutable: you’ve been hacked.
A data breach calls for swift action. Hopefully you’ve planned ahead and have an incident response plan in place that spells out the steps your business needs to take when a breach is discovered. Equally important is an incident response team whose experience you can trust.
Most businesses don’t have all of the in-house security expertise necessary to respond to and recover from a data breach. Even when they do, they often enlist the aid of outside vendors who make data breach response and recovery their specialty. These vendors offer the benefit of guidance and expertise as well as an objective, neutral perspective that’s essential to a business in crisis and the customers it serves.
To help you form an incident response team to best meet your business needs, here are some guidelines you can follow.

Who Needs to Be on the Response Team?

Responding to a data breach requires a range of expertise:
  • A cyber security law firm provides legal advice, defense services for lawsuits, and ensures that your breach response complies with all state and federal requirements. Should you suffer a breach, you will rely on this critical partnership to guide your response at every step of the way and minimize the risk of litigation and fines.
  • A computer forensics firm will investigate the incident, piecing together the facts of what happened – including when the intrusion occurred, the information compromised and whether the attack is ongoing, – and They can compile results in a findings report that will determine next steps in the breach response process. Using the right computer forensics firm is essential as its report can be presented in a court of law.
  • If your clients or customers are impacted by a data breach, depending on federal and state requirements, notifications may be necessary. A notifications vendor can manage the entire process from helping you and your law firm draft compliant messaging to printing and mailing the letter and tracking and reporting on its status.
  • Call center support provides assistance to clients and customers with incident-related questions and concerns. You may also wish to offer credit and identity monitoring services to protect affected customers of activity related to their personal information.
  • A public relations firm will support your recovery by managing the messages that are disseminated to the public. Services include crisis communication planning, delivery, monitoring and follow-up.

How Should You Begin?

Don’t wait until you’re in the throes of a data breach before choosing a response team. Time will not be on your side at that point, and you may end up paying a premium for the last-minute emergency services you need. Be proactive and establish your relationships now.
If you have cyber insurance, your carrier may provide access to experienced breach response vendors for all of the above services. Some carriers require the insured to use only those vendors on their approved list. Others offer the list as an optional service, not a requirement. If this is the case for your coverage, you are free to use vendors that best suit the needs of your business and industry with your carrier’s prior approval. 
Before forming your response team, make sure you understand and meet the requirements of your insurance policy. You should carefully review your cyber insurance policy and work with your underwriter to maximize the coverage available under your policy. 

What Key Qualities Should You Look For?

Whatever the areas of expertise, evaluate potential vendors with these key qualities in mind:
  • Experience. Data breach response is complex and highly regulated. A vendor that lacks sufficient experience can compound the damage and expose you and your business to additional harm through mishandling. When interviewing potential vendors, ask how many breaches they’ve handled and in what industries. Also ask if they specialize and in what areas. Their response may influence your decision-making.
  • Single area of expertise. Avoid data breach response companies that offer a full suite of services under one umbrella. Those that promise everything (as opposed to those that specialize or sub-contract with external suppliers) may present a conflict of interest situation. For example, a forensics investigator may dig deep for evidence that drives business to the notification segment of the same company. Look for suppliers with specific expertise and without potential conflicts.
  • Reasonable rates. The best way to keep rates reasonable is engage your vendors in advance of an incident. Put them on retainer, if possible, so you won’t need to engage in a last-minute search should an incident occur. Your cyber insurance carrier may also provide vendor solutions at negotiated rates.
  • Availability. Explore multiple vendors in each area of specialty to ensure availability for a reasonable price. Your insurance carrier may assist you in this process. Another option is to choose a law firm or a data breach management vendor that will bring in vendors to supply the services you need at the appointed times.
  • Matches your company culture. If you value open communication with customers and the public but retain a law firm with a more cautious approach, you may not get the service you want and waste valuable time in the breach recovery process. Before a data breach occurs, take time to consider your relationship with your consumer, your company culture and how you’d want to respond. Choose a firm that understands that from the get-go to prevent bigger issues from arising later on.

About the Author

Tom Kang is product manager of cyber at The Hartford. He has over 10 years of experience in cyber, technology errors and omissions, and professional liability insurance. Tom can be reached at thomas.kang@thehartford.com.

Any product described in this document may be offered by one or more of the property and casualty insurance company subsidiaries of The Hartford Financial Services Group, Inc. All products may not be available in all states or to all businesses. Certain products may be provided on a surplus lines basis and require the use of a surplus lines broker. Surplus lines policies are generally not protected by state guaranty funds

The Hartford® is The Hartford Financial Services Group, Inc. and its subsidiaries.