Cyber & IT Supervisory Forum - November 2023

The next steps in the process address those procedures and incident response plan considera Ɵ ons that typically come into play a Ō er the ini Ɵ al incident has been iden Ɵ fi ed and contained. These steps include: k. Implemen Ɵ ng escala Ɵ on procedures, as necessary, to ac Ɵ vate the organiza Ɵ on’s business con Ɵ nuity and disaster recovery plans. Very o Ō en, ransomware incidents, in par Ɵ cular, can lead to signi fi cant down Ɵ me that can a ff ect the day ‐ to ‐ day opera Ɵ ons of the organiza Ɵ on. The organiza Ɵ on must be prepared to recognize when that situa Ɵ on occurs so that overall con Ɵ nuity of opera Ɵ ons can be maintained in the absence of certain cri Ɵ cal systems or business units. Ideally, there will be iden Ɵ fi ed triggers for ac Ɵ va Ɵ ng these plans or, alterna Ɵ vely, sound judgement from senior management and the Board to recognize when a situa Ɵ on arises to this level of severity. In this speci fi c instance, it appears that (a.) the organiza Ɵ on is largely inoperable at the moment and may be for some Ɵ me, and (b.) the organiza Ɵ on’s centralized framework may also mean that satellite o ffi ces may also be “dead in the water” for some Ɵ me as well. Ac Ɵ va Ɵ on may be likely for this organiza Ɵ on based on those factors, as well as the schedule ‐ oriented, low fl exibility nature of the organiza Ɵ on’s business (i.e., very low tolerance for documenta Ɵ on unavailability, closing delays, etc.). l. Monitoring tradi Ɵ onal social media and hyper ‐ local social media for public awareness and discussions of the incident. We will discuss the importance of this in the next por Ɵ on of this exercise. m. Follow established procedures regarding the prospect of paying ransoms to bad actors . The Board, senior management, and any applicable commi Ʃ ees should be formally consulted if payment of ransom is considered. This is par Ɵ cularly important due to poten Ɵ al OFAC compliance issues. Payment of ransoms also helps to encourage addi Ɵ onal e ff orts from threat actor group. Moreover, there is absolutely no assurance that the threat actors will provide decryp Ɵ on keys as promised and threat actors may actually view a willingness to pay as an opportunity to extort the company further or in the future. There is very li Ʃ le, if any, honor among thieves. n. Follow established procedures to ensure that forensic informa Ɵ on and audit logs are properly preserved before any restora Ɵ on is performed. o. Begin restora Ɵ on of systems and data, as necessary . There are several important considera Ɵ ons associated with this process, including the iden Ɵ fi ca Ɵ on and priori Ɵ za Ɵ on of interdependent or mission cri Ɵ cal systems. Ideally, the organiza Ɵ on’s incident response plan will reference a mapping of this “cri Ɵ cal path” for restora Ɵ on to ensure that systems are restored and brought online in a logical order. In addi Ɵ on, there should be procedures to ensure that any backup data is sani Ɵ zed and free from any contamina Ɵ on. But as we have men Ɵ oned, it is essen Ɵ al that these processes and procedures are thought ‐ out and documented prior to any incident occurring.

16