
September 29, 2025

How Engaging Legal Counsel Can Improve Your Cybersecurity Strategy

Legal defense could be your overlooked partner in cyber resilience.

Summary

  • Cyber is now a legal and business issue, not just an IT problem.
  • Considering legal help as part of your cyber preparedness can make a difference.
  • Planning an incident response helps prepare your organization.
  • MMA’s legal partners can support your cybersecurity efforts.

Cyber is no longer just an IT issue; it’s also a legal and business concern. Few other risks can let leaders go to bed feeling confident about their company and wake up to news that systems are down and work is disrupted. Cyber attacks that can be launched with the push of a button are a real concern in the 21st century.

Many cyber incidents involve hostile actors who aim to cause harm in different ways. These “threat actors” can be individuals or groups—like hackers, cybercriminals, or state-sponsored entities—who exploit systems through “brute-force” attacks or by taking advantage of zero-day exploits, with the goal of stealing data or disrupting operations. At the same time, most cyber incidents are caused by human error rather than malicious activity. Falling for phishing schemes, using weak or reused passwords, misconfiguring security settings, and mishandling sensitive data all create vulnerabilities that attackers can exploit to access systems and data.

Aside from ransomware incidents, another common cause of loss, in both frequency and severity, is Business Email Compromise (BEC) leading to Funds Transfer Fraud (FTF). These incidents often start with phishing attacks, compromised accounts, or network intrusions, and frequently involve social engineering to trick employees into revealing login details. Third-party cyber risk is also a concern when organizations work with vendors, suppliers, or service providers who have access to their systems or data. These risks can lead to data breaches, operational disruptions, reputational damage, or financial loss.

Using legal help before a cyber incident happens

Incident response plans and tabletop exercises

To help protect a business’s reputation and finances, creating an incident response plan (IRP) and then reviewing and testing it regularly is a useful step in improving a company’s cyber response. Through MMA’s Cyber Resiliency Network, clients have access to a curated network of trusted legal partners who can assist with developing and updating IRPs for companies of any size.

What is an IRP, and who should be on the team?

An IRP is a document that outlines steps to detect, respond to, contain, and recover from a cyber incident. It also helps limit the damage an incident can cause. The IRP serves as a guide for staff to manage security incidents, covering activities in each phase of the incident cycle—from discovery to handling third-party claims.

Your incident response team should include people from across the organization who have the authority to make decisions, such as members of the C-suite, risk management, PR, and marketing, among others.

Your legal team, including those specializing in cyber and data privacy, can provide guidance during an incident and handle vendor communications. The law firm—also called “breach counsel”—will coordinate with a third-party digital forensics and incident response (DFIR) vendor on your behalf. Both this vendor and your cyber insurance claims contact (for notice and consent requirements) should be considered part of the IRP team. The more prepared a business is, the better it will handle an incident.

What is a tabletop exercise (TTE)?

A TTE is a discussion-based activity in which participants role-play how they would respond to cyber incidents of varying severity that could affect the organization. It brings together various teams and departments to work through hypothetical scenarios in a safe space, helping them practice their roles and identify any gaps in plans or procedures. The same people listed in the IRP should also take part in a TTE.

Who are the legal partners within MMA’s Cyber Resiliency Network, and how can they help?

MMA’s Cyber Resiliency Network (CRN) law firm partners work with clients of all sizes and industries to develop data privacy and cybersecurity programs. They also help manage risk through vendor management, incident response planning, and data privacy advice. These law firms are on most cyber insurance carriers’ approved vendor lists and can offer both free and discounted services to MMA clients.

Knowing a carrier’s approved law firm panel before an incident can help build relationships and allow for pre-vetting. This can make the process smoother and ensure a good fit for the client’s business. It also provides counsel with background on the organization and insight into what matters most.

Tips for preserving attorney-client privilege during cybersecurity incidents

For any organization, understanding how to protect attorney-client privilege has become important, especially during incidents. Protecting privilege requires care, particularly during the response and investigation phases. With ransomware attacks on the rise, companies also face the challenge of defending against lawsuits from affected individuals and class-action claims seeking damages.

Maintaining this privilege is key to protecting sensitive communications between clients and their attorneys.

How to do it

  • Engage counsel as soon as the incident happens: This will help ensure all agreements, communications, and discussions are protected. Including attorneys in incident response meetings helps keep conversations legally privileged and focused on a potential defense.
  • Define the scope of forensic investigations: Your legal team will draft and review all agreements with third parties to specify the purpose of the investigation. This helps protect privilege, especially when working with vendors handling the response.
  • Limit information sharing: Share sensitive details only on a need-to-know basis. When discussing causes, findings, or recommendations, consider sharing this information verbally to reduce the risk of waiving privilege.

Learn how MMA’s Cyber Resiliency Network can help you prepare, protect, and respond.


Contributors

Linda Comerford

National Cyber Claims Advocacy and Operations Consultant