Cyber risk: law firms left carrying reputational can

Law firms must ensure their supply chains are resilient amid growth in cyber incidents, writes Alvarez & Marsal’s Lorenzo Grillo

Law firms are a prime target for cyber criminals.

When a company that is shared across the supply chain of a given industry is impacted by a cyber incident or breach, as was widely reported in relation to the CTS breach in recent weeks, customers can experience significant disruption to services. When services are initially knocked offline and customers attempt to switch quickly back to paper-based systems to maintain service continuity, further problems can arise, and delays in the completion of services are not uncommon. This has the potential to cause reputational damage to those firms that are unable to adapt quickly or do not have business continuity plans that allow backup services to be deployed.

When a high-profile incident occurs and, in particular, when such incidents impact a large segment of a specific market or sector, initial disruption should swiftly be followed by incident review and process updates, both by those directly affected and those more fortunate to be watching from the sidelines. In this way, a disruptive incident can act as a catalyst to firms to conduct reviews of their service provision. This is critical to maintain business continuity, and to ensure that they have developed and tested incident response and back up service provisioning plans. Having such a plan in place is critical, but there may nevertheless still be delays in reestablishing services, highlighting what may be considered a disparity in the capability of some in the market to respond effectively in putting those plans into action. In terms of building resilience, the plan alone is not sufficient. Business continuity protocols must be stress-tested and rehearsed, with clear roles, responsibilities and timeframes mapped out to lessen the need for difficult decision-making in a live crisis. If actions have been adequately planned, tested and interrogated, cooler heads are likely to prevail when the heat is on.

Firms in the legal sector are attractive targets for threat actors due (among other things) to the large volume of confidential and sensitive information they hold. They also often operate with, and within, complex supply chains, given the pivotal role that law firms play in the business world and wider society. It is therefore important to ensure supply chain resilience. Again, the best-prepared organisations will not only have a well-developed cyber incident response plan, but will also conduct regular exercises to test that plan to the point where employees are confident in knowing what to do. In other words, complete cyber incident management covers the ability to detect an incident, to respond to and recover from it, and includes well-defined exercises to test the company’s resilience.

Another key learning from any incident concerns the development and discussion of incident response capability as it relates to nodal points in a firm’s supply chain. It is not sufficient merely to ensure your own house is in order. Firms are only as strong as their weakest link, so developing good working relationships with suppliers and auditing key stakeholders’ incident response plans as part of any commercial engagement are key steps in building supply chain resilience. Reviewing supply chain providers’ emergency response procedures and ensuring regulatory compliance will not only get suppliers to focus on this critical capability; it will also allow firms to tailor their own response plans to ensure continuation of services in the event of a significant outage affecting critical service provision.

Incident response plans should not be seen as a fixed provision in order to achieve compliance, but as a vital component of ongoing employee education and, ultimately, as a key business enabler. Extending these preparedness activities to encompass key providers should also be a key provision of this activity to ensure that in the event of an incident, company resilience can be maintained. The inter-personal dynamics of incident response teams (both within a firm and extending to its wider network of suppliers and service providers) must not be overlooked, so familiarity and trust must be built up as part of these preparatory processes.

One of the most significant cyber vulnerabilities today comes from third parties. Companies should have a clear methodology for understanding the cyber risk arising from those in their networks being targeted by threat actors, and then for evaluating and properly managing it. Effective third-party risk management is now crucial.

As best practice, and particularly in the wake of an incident, firms should be reminded of these vulnerabilities and threats. Key questions for firms to ask themselves include: Do we have comprehensive cyber risk management that focuses on critical business assets, encompasses the extended enterprise and covers the life cycle of those assets and all the actors managing them? Do we regularly check the cyber posture and related risk of our key suppliers? Too often, companies are over-confident in their suppliers’ ability to manage cyber risk. While certain services can be outsourced, firms must not outsource responsibility for maintaining comprehensive cybersecurity protection, or they risk carrying the reputational can when threat actors strike.

Lorenzo Grillo is a managing director in Alvarez & Marsal’s disputes and investigations practice.