Crisis Management: 10 Top Reflexes to have during a Cyberattack

Having a cyber crisis management process has become an essential element of resilience for all organizations, public and private: it is what allows them to keep operating during a computer security incident and to return to normal afterwards. Every organization today faces a greater or lesser risk of cyberattack.

As a reminder, the ANSSI defines a cyberattack as an attack consisting of “inflicting damage on one or more information systems in order to satisfy malicious interests”[1].

To ensure the continuity of its services and preserve its reputation, an organization must have the right reflexes to limit the impact of the cyberattack, restore critical services quickly, and inform and reassure all of its stakeholders.

This article aims to present these best practices in the event of a cyberattack, by describing the key steps in crisis management.

1. Assemble a crisis management team

As soon as a cyberattack is detected, assembling a crisis management team, in accordance with the structure’s established procedures, is one of the first crucial steps to take. The purpose of this team is to coordinate and organize the management of the cyberattack’s impacts. It directs the actions of the various departments involved (human resources, legal, finance, technical, marketing, etc.), while ensuring an effective connection between crisis management — led by business operations — and incident response — handled by technical teams.
The crisis management team must draft a reaction and defense plan based on both technical and business requirements.
Following the team’s initial meeting, a permanent point of contact will be appointed within the operational, decision-making, and business teams.

2. Conduct investigations

In the context of a cyber incident, it is essential to identify the scope of compromise, that is, the full range of actions taken by the attacker to gain entry into and propagate within the organization’s information system. These investigations, carried out by the technical teams (cyber and IT), must identify the vulnerabilities exploited, following the priorities set by the strategic bodies within the crisis team. In the interest of efficiency and speed, the investigations rely on the mapping of the information system and its perimeter, drawn up beforehand by the organization, which records in particular the full range of applications, critical services and their interconnections.

The technical teams must be particularly vigilant where all or part of the company’s digital services are outsourced. In that case, the service providers must be contacted quickly to analyze the source of the compromise.

The investigations also require the use of separate, out-of-band digital tools with no connection to the compromised perimeter.

3. Notifications and communications

Depending on the legal and regulatory obligations to which the organization is subject, the competent authorities (ANSSI, CNIL, judicial authorities) must be notified; in certain cases they may offer technical and legal support to the victim organization following the cyberattack.

Depending on its status and size – Essential Entity (EE) or Important Entity (IE) (formerly operators of essential services under the NIS 1 Directive) – the NIS 2 Directive[2] imposes specific obligations related to the management of a cyberattack.

Essential and important entities – public or private – must submit an early warning, without undue delay, to their CSIRT (computer security incident response team) or, where applicable, to their competent authority, of any incident having a significant impact on the provision of their services[3]. The information transmitted must then be updated within 72 hours. A final report presenting the details of the incident and the mitigation measures applied and ongoing must also be submitted to the CSIRT one month after notification.

In the context of a large-scale international cyberattack, the local authorities of each jurisdiction concerned must be notified of the incident in accordance with applicable law, which requires significant coordination efforts, typically led by the legal teams and/or the company’s counsel.

4. Filing of a criminal complaint

In close consultation with the legal department or the organization’s counsel, it is important to consider filing a criminal complaint, either at a police station or gendarmerie or directly with the competent public prosecutor (the latter option being recommended to ensure rapid processing of the complaint).

Filing a complaint – within 72 hours of the incident being detected – is also a legal prerequisite for asserting insurance warranties and obtaining insurance coverage, as mandated by the Code des assurances[4], in the event of an attack on an automated data processing system (“STAD”, from the French système de traitement automatisé de données)[5]. The concept of a STAD is not defined by legal texts, so that its scope is intentionally very broad and it will readily be possible to invoke one or more offences under the Penal Code in the event of a cyberattack. In practice, a STAD may encompass all physical and software means used for data processing, as well as the networks ensuring communication between the various elements of an information system.

Fraudulently accessing or remaining – that is to say, without authorization or right – in all or part of a STAD is punishable by three years’ imprisonment and a fine of 100,000 euros. The penalty is aggravated if data is deleted or modified or if the functioning of the system is altered.

Furthermore, any illicit content on the internet can be reported via the Pharos platform (Plateforme d’harmonisation, d’analyse, de recoupement et d’orientation des signalements: platform for harmonization, analysis, cross-checking and referral of reports). Similarly, the cybermalveillance.gouv.fr website offers an online assistance service for victims of malicious cyber acts.

5. Contact your cyber insurer’s toll-free number

To request coverage for the consequences of the cyberattack (where the affected entity holds such insurance), the cyber insurer must be contacted quickly. Cyber insurance policies generally provide a toll-free number for reaching an expert as soon as possible.

In this respect, it is recommended to use an insurer established in the European Union. Most American insurers insert into their cyber insurance policies provisions relating to the CLOUD Act, a US federal law adopted in 2018[6]. Under these provisions, US agencies may, in the course of investigations, request access to data hosted in the cloud belonging to individuals and companies located outside the United States.

Finally, when the entity is the victim of ransomware, paying the ransom to the cybercriminals is strongly discouraged. On the one hand, payment does not guarantee that the cybercriminal will provide the decryption keys and that the entity will thus be able to recover its data. On the other hand, payment of the ransom by the victim often falls under an exclusion clause of the insurance policy and will therefore not be reimbursed.

6. Remediation and crisis management

To rebuild a core of trust within the organization, remediation measures must be implemented and a rebuilding strategy launched. Beforehand, it must be verified that the vulnerabilities in the attacked system have been fixed and that no threat remains.

Remediation actions are determined on the basis of the findings of the investigations previously conducted and recorded by the crisis management team. The business continuity plan (BCP) details the strategy and all measures planned to ensure the resumption and continuity of the organization’s activities following the cyber incident. It must enable the organization to meet its essential external obligations (legislative, regulatory or contractual) and internal obligations (organization of services). As a complement, the disaster recovery plan (DRP, plan de reprise d’activité) covers the reconstruction of the digital infrastructure and the restoration of the organization’s strategic applications.

7. Collection of evidence

Evidence of the compromise (of servers and data) must be preserved both for any legal action and for the insurer’s claim assessment if the dedicated insurance policy is triggered.

It is a good reflex to disconnect all infected computers and compromised external hard drives from the network in order to stop the spread, but the devices must not be powered off, since powering them off risks destroying evidence of the cyberattack.

The evidence collected may take various forms (screen captures, copies of the hard drives of infected devices). In the event of legal proceedings, a specialised judicial officer (huissier) is asked to draw up a formal report, which strengthens the evidentiary value of the collected evidence.

8. Registration in the register of data breaches

If the cyberattack results in a breach of personal data involving a risk to the rights and freedoms of the affected individuals, the data controller of the victim organization must notify the CNIL of the breach as soon as possible and within a maximum of 72 hours[7]. In the event of a high risk to those same rights and freedoms, the data controller must also inform the affected individuals of the nature and likely consequences of the breach, the remedial measures taken and the contact details of the person to contact (generally the Data Protection Officer or “DPO”).

The data controller must thus precisely document the facts of the data breach, its effects (for example, the number of persons affected) and the measures taken to remedy it. In all cases (including where neither the CNIL nor the affected individuals are notified), this information must be recorded in the data breach register maintained by the organization.

9. Establish and maintain a Cyber Threat Intelligence (CTI) program

Cyber Threat Intelligence (CTI) is a critical field of cybersecurity covering the full range of activities related to the collection, analysis and dissemination of information on current and potential cyber threats, in order to better understand the behaviors and methods of attackers. CTI essentially comprises a tactical component (examination of attackers’ techniques) and a strategic component (the longer-term picture of cyber threats).

The SOC (Security Operations Center) may use an artificial intelligence tool to detect cyberattacks proactively.

A CTI monitoring capability supports both the detection of and the response to cyberattacks.

10. Prohibition of cyber-retaliation

No cyber counter-attack (“hack-back”) is permitted for private actors. This prohibition is particularly clear under international law: only state actors may respond to cyberattacks attributable to States.

Under domestic criminal law, an organization that suffers a cyberattack and decides to strike back risks having its action qualified as the offence of attacking a STAD. The only conceivable exception is self-defence. The affected organization must therefore exercise vigilance and proportionality when implementing its remediation and containment measures.

In light of the increase in cyberattacks and their potentially devastating consequences for information systems, organizations of every size and legal form must address these issues, with specialized legal advice where needed.


Specialists in data protection, Aumans Avocats offers its expertise to secure your projects and support you effectively in the event of a cyberattack. Turn to our firm for tailored advice and move forward with confidence in your digital development.


  1. CyberDico, French National Cybersecurity Agency (ANSSI), July 15, 2024. ↩︎
  2. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance). ↩︎
  3. Article 23 of the NIS 2 Directive. ↩︎
  4. Article L.12-10-1 of the Code des assurances. ↩︎
  5. Articles 323-1 to 323-8 of the Penal Code. ↩︎
  6. Clarifying Lawful Overseas Use of Data Act. ↩︎
  7. Articles 33 and 34 of the GDPR. ↩︎
