Cyber breaches come with their own financial and operational considerations. A cyber-attack can mean significant and costly interruptions to business. Here’s a multi-pronged strategy for developing an incident response plan in the increasingly likely event your station suffers a data breach/hack.
Be Prepared To Manage A Cyber Attack
It’s not surprising that the agenda for last week’s NAB Show included several sessions focused on protecting stations against cyber-attacks. As NAB speaker Steve Weisman, a lawyer and college professor at Bentley University, pointed out: “When it comes to cyber security and the dangers of being hacked and suffering data breaches, things are not as bad as you think — they are much worse.”
Weisman, who has authored nine books on the subject, warned his NAB session’s attendees: “A data breach can result in embarrassing emails and documents becoming public or it can be much worse, as where your financial accounts can be jeopardized and the personal information of your employees compromised, putting them in danger of identity theft.” Several media organizations can already attest to Weisman’s warnings from painful first-hand experiences.
The other cyber-security sessions at NAB provided a deeper dive into the likeliest cyber threats facing broadcasters. They include: DDoS (distributed denial of service) attacks and unauthorized access — or theft — of licensed digital media assets as well as hacks into digital broadcast studios and transmission facilities.
Last year a terrorist group blocked TV Monde’s broadcast and, just a few weeks ago, hacks into the audio streams of several radio stations and a content syndicator resulted in the podcasting of offensive material.
Cyber breaches come with their own financial and operational considerations. MFM will be addressing these at our upcoming conference May 23-25 in Denver. Included in the agenda for Media Finance Focus 2016 are a keynote address along with a series of in-depth panel discussions on the topic.
We have also been addressing cyber security in our Localism events and sharing the insights from our presenters through our online forums, including Distance Learning Seminars and the “Front Office” columns appearing here in TVNewsCheck.
A few weeks ago we were privileged to host a local event featuring Stephanie Yonekura and Clay James, partners at the Hogan Lovells law firm. Yonekura, whose background includes serving as Acting United States Attorney for the Central District of California, works in the law firm’s Investigations, White Collar and Fraud practice group, and James’ litigation practice encompasses intellectual property issues and privacy and data security. The duo provided participants with a road map for developing an incident response plan for their organization that incorporates the following mileposts:
- Identify and prepare for the most likely incidents. This requires incorporating threat intelligence in a timely way in order to anticipate how you are most likely to be attacked and by whom. In addition to the types of hacks discussed at NAB, be sure to include the risk of ransomware attacks, which have also been on the rise.
- Identify your response team. It should have core team members (IT, operations) and extended team members (legal, finance, communications) as well as the backup required for ensuring 24/7 coverage. Develop and maintain the 24/7 contact lists as well as a clearly delineated list of the roles and responsibilities for each team member.
- Document your response plan. The enterprise-wide plan can take the form of a core policy, one or more procedures, and a playbook. Individual functional groups including communications, legal and investor relations should develop playbooks to support the plan. Keep them short; a few pages are more likely to be read than a document that resembles War and Peace.
- Identify external resources. This includes vetting and arranging in advance the specialized and supplementary resources that will be required, such as forensics/technical vendors, identity theft/credit monitoring services, legal services and public relations consulting.
- Rehearse the plan internally and externally. Regularly rehearse the enterprise-wide plan using real-life scenarios that would require the plan to be deployed. Organizations should also participate in industry-wide simulation exercises.
- Keep the plan current. Regularly update your plan to reflect new insights and requirements.
DURING THE ATTACK
- Contain and control the incident. Technical and other core members should lead the effort to isolate the breach and monitor and mitigate its impact. Rate the incident’s severity and escalate within the organization as appropriate.
- Work with law enforcement. Establish or supplement relationships with key law enforcement players and ensure company activities avoid obstructing law enforcement operations. Information from law enforcement can aid your company’s response to the attack.
- Determine the scope and nature of the incident. Document how and when the incident occurred, including determining what information or systems may have been affected, and assess the risks and your remediation options.
- Deploy your remediation and recovery plan. Ensure coordinated and appropriate reports to the company’s senior management and board of directors.
- Assess your notification obligations. Review and analyze applicable regulatory notification requirements as well as requirements established by relevant contracts and other agreements. Review the agreements for the scope, nature, and timing of any breach notification obligations.
- Conduct the notification process, if necessary. This will involve drafting, reviewing and issuing internal announcements, customer notices and FAQs as well as letters to law enforcement, business partners, consumer reporting agencies, regulators, and other third parties. Organizations are also likely to need call center scripts, website notices and media releases.
- Coordinate the offering of remediation services. As soon as the organization knows how its customers or employees have been affected, required remediation may encompass offering credit monitoring and identity theft insurance.
Using information gathered during the attack, the organization can identify how it occurred; measures that can prevent its reoccurrence; and changes to the response plan that may be required. The pathology may also involve cooperation between the company’s forensics vendors and law enforcement.
Unfortunately, containing the attack and eliminating the intruder is only the beginning of the post-attack process. It can also entail responding to litigation from customers, shareholders or other stakeholders. As we have seen in larger incidents, there can also be congressional investigations and inquiries as well as potential fines or penalties from the FCC and other government and state agencies.
These aspects of cybercrimes underscore how costly they can become. The latest annual cyber security study by IBM and Ponemon reported the costs to corporations averaged $3.8 million, a 23% increase from 2013 to 2015. And while companies ranked cyber-attacks as one of their top-10 concerns for the first time this year, the 2016 Aon Global Risk study found only 25% of those purchasing cyber insurance were confident their limits complied with best practices and standards governing information security.
Closer to home, the data explain why Chubb, the only commercial insurer endorsed by MFM, and a leading provider of property and casualty insurance for TV stations, is sponsoring our conference breakfast keynote by cyber security expert Jim Prendergast. A partner at the Lewis Brisbois law firm, Prendergast has represented clients that experienced national-exposure data compromises and can share real-world learning from these situations.
In his keynote at the NAB Innovation Series breakfast, Shelly Palmer recalled the assessment of cyber threats by FBI Director James Comey when he told 60 Minutes in his first interview: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”
Whether it’s a government-sponsored program, a foreign criminal syndicate or a home-grown hacker, the end result is the same. A cyber-attack can mean significant and costly interruptions to business. Ongoing attention to security protocols, incident response and risk management can mean the difference between an incident that is merely annoying and moderately expensive and one with long-term consequences along with attention-grabbing headlines.
Mary M. Collins is president and CEO of the Media Financial Management Association and its BCCA subsidiary. Her column appears in TVNewsCheck every other week.