Digital risks, regulatory pressures, and economic shifts have further complicated uncertainties for the corporate enterprise. Organizations are no strangers to crisis in recent years, with ripple effects from the pandemic and economic turmoil, to shifting geopolitics. General counsels and legal risk executives are well suited to lead preparedness and resiliency for future crises, uniting key stakeholders across the organization, because of the panoply of impacts they see while counseling a diversity of business units and compliance concerns.
Global corporates should prepare their entities to mitigate against three primary events: cyber-attacks; the possibility of reputational fallout from disclosure of sensitive information and operational shut-down; and the potential for follow-on regulatory inquiries. An invaluable partner in this process will be the legal team, likely headed by the general counsel. Strategic organizations should think about what would constitute a material event or impact their most critical assets and stakeholders. From there, they can plan preparedness exercises and prevention workflows around those potential risks.
Crises and uncertainty are inevitable forces in modern business, particularly in cyber and digital. The primary cause of the cyber uncertainty problem is the high value of technology and information assets combined with constant rapid evolution of digital risk. To address this constant shift, organizations should leverage a crisis management framework. Crisis management techniques, even when there is not a crisis, are essential to future preparation and prevention.
Situation Overview – The Five Considerations for Success
In order to maximize risk resiliency, general counsels are invaluable partners for CIOs and CISOs to lead teams across their organization in focusing on five core components:
- Evaluate the Organizational Response to the Digital Risk Problem
Many in the cyber crisis management discipline devolve the discussion to “effectively managing a cyber security incident before, during, and after it is discovered.” This reactionary posture is not enough. Crisis management in cyberspace should start with a forward leaning posture, implementing activities meant to deny crisis events from occurring.
Anticipate, predict, project, and envision should be the mindset when managing crisis risk. Identify, prioritize, and enable the program to act before it must react. By working closely with legal executives, technology leaders can also develop a more holistic understanding of an organization’s entire threat profile and create a program that addresses potential blind spots.
- Approaching Cyber Through a Preparedness Lens
Crisis management works effectively only when it includes cyclical reevaluation of prevention and preparedness, enabling plans to compensate for the myriad factors which constantly evolve. For example, it is commonly believed that the recent slowdown in ransomware incidents is due to the Russia and Ukraine conflict. It is also believed that the pendulum will swing back to a surge of incidents as the threat actor population regains its footing. While this is logical, cybercrime has not stopped, it is simply appearing in different forms. As a result, crisis preparedness strategies need to regularly be updated to stay one step ahead of the current threat landscape.
- Examine Internal Resources and Growth
Companies grow and evolve, and the technology, processes and talent they rely upon must grow and evolve in lockstep. This enables entities to successfully enact change and efficiently manage an organization: consider the threats faced by the organization, plan resources, and adapt processes to match the risk appetite. There must be an emphasis on the combination of both technology and talent; tools alone are not solutions to problems. Indeed, a support structure of people and process allows technology to reach its zenith.
Further, as companies grow and dynamics change, the crisis management policies that worked yesterday may not be as effective today. Continual assessment is key, and the GC will be critical in helping guide this process. Are there new stakeholders who should be involved in incident response processes? Is there a new business area that needs to be incorporated into disaster recovery plans? Sustaining a comprehensive crisis management strategy requires us to think of these processes as on-going, not as exercises of ticking boxes and moving on.
- Track External Factors, Cyber Attacks and Ransomware Evolution
Aside from the internal factors which cause shifts for crisis management plans, external factors can also play a role. For example, industry trends have suggested a movement away from cyber insurance providers covering incidents if the threat actor in question is a state sponsored entity. How does this change the way organizations should think about risk?
There has also been an increase in tech and data regulation over the years, mandating certain disclosures to government entities and the public when digital incidents occur. Is your organization prepared to make statements both internally and externally? Effective crisis management requires regular consideration of change and adjustments accordingly. These considerations are top of mind for the GC, who can help collaborate on striking the right balance.
Successful cybersecurity programs leverage intelligence detailing objectives and tactics of cyber threat actors who would benefit from exploiting the protected equities. In 2021 and into 2022, security teams with mature programs continuously worked to stay informed of threat actor tactics and sought to get answers to risk areas in order to stave off a crisis. If an organization’s answers to regularly exploited tactics exposes risk in the environment, the organization faces elevated chances of an event. Successful leaders continually assess how attractive a target the company is to threats, remain informed about the likelihood of threat actor success, and move beyond a reactionary posture to drive action that reduces the likelihood a crisis would occur.
- Exceed Regulatory Demands to Stay Ahead of Emerging Expectations
A lifecycle approach recognizes and accounts for the various shifts impacting and organization’s crisis management capability. This is increasingly relevant to cyber because of how fast the field moves. Regulations change, threat actors pivot to new techniques, and new tools emerge. Keeping an eye on the horizon and using newfound insights to improve and update procedures enables organizations to ensure crisis management strategies are effective regardless of landscape shift.
U.S. regulators are increasingly more prescriptive while still emphasizing risk-based considerations. This is a challenge. The modern legal advisor must champion enterprise agility and continuous adaptation to meet the evolving landscape of digital risks.
Action Overview – Building Certainty
To mitigate the risks that modern businesses are confronted with, companies should make dynamic changes to their strategy and tactics.
Sound crisis management strategies can extend into a preparedness and prevention posture that strives to anticipate risk issues as a means to prioritize resources. By partnering across technical, security, and legal functions, organizations can be better positioned to mitigate risk and drive value.