Privacy Matters
DLA Piper's Global Privacy and Data Protection Resource
Feed last updated: Tue, 22 Oct 2024 07:33:44 +0000

UK: NCSC issue guidance on how to communicate effectively in a cyber incident
https://privacymatters.dlapiper.com/2024/10/uk-ncsc-issue-guidance-on-how-to-communicate-effectively-in-a-cyber-incident/
Tue, 22 Oct 2024 07:19:02 +0000

Planning and developing an effective communications strategy is a critical step in preparing for a cyber security incident. Last week, the UK’s National Cyber Security Centre (NCSC) published guidance on communicating with stakeholders before, during and after a cyber security incident. The guidance is written with organisations of all sizes in mind, and sets out three core principles to follow.

  1. Prepare your communications strategy in advance

A cyber incident can hit any organisation, regardless of size, at any time. The NCSC therefore advocates a proactive strategy ready to be deployed when required, to lessen the impact of the incident.

Steps to consider include:

  • Identifying an official spokesperson for the organisation when communicating with stakeholders such as the media, customers and employees.
  • Identifying key stakeholders ahead of time. Who needs to be informed, and how will this be achieved (bearing in mind that usual channels may be unavailable)?  
  • Drafting and agreeing pre-approved templates for communications. Whilst no one size will fit all, these can include responses to media requests, internal updates to staff and notifications to customers, to be tailored as necessary. Drafting these templates ahead of time will save time during the incident and ensure the organisation speaks with a unified voice.

The NCSC highlights the importance of regularly testing the strategy, through tabletop exercises and simulations, to confirm that it works in practice and to identify any areas for amendment or improvement.

  2. Communicate clearly and tailor your messaging where necessary

The NCSC states that communications should be ‘clear, consistent, authoritative, accessible and timely’. It is also important that any communications released before, during or after a cyber security incident inform stakeholders whilst also maintaining reputation and credibility. Factors to consider include:

  • Information given to stakeholders needs to be clear, but balanced so that nothing is disclosed that could heighten the risk to the victim organisation (for example, detail that would assist the attacker), or that may need to be retracted later as the understanding of the incident develops. It is essential that the communications strategy suits the key stakeholders, and that the specific concerns of each group are addressed.
  • The impact of the incident should be reflected in communications to those who suffer consequences, with acknowledgment of the practical consequences as opposed to focussing solely on technical detail.
  • Development of a Q&A document should be an early priority in incident response: preparation of responses to common stakeholder queries in advance will enable consistency in response and provide assurances that communications address key and recurrent concerns.

  3. Manage the aftermath

Finally, the NCSC guidance urges organisations to think about the long term. Whilst the immediate response in the aftermath of an incident will be the primary focus, consider what the approach is going to be in the weeks and months that follow, depending on the recovery time. How regularly will you provide updates? How will the incident and the response to it be used to inform future preparedness, and how will lessons learned be captured?

How can we help?

The NCSC guidance provides welcome direction on what is expected of organisations when preparing for and responding to a cyber security incident. The key message, in keeping with any cyber resilience strategy, is to prepare ahead of time. Increasingly, we are seeing regulators, customers and other stakeholders taking an interest in the controls and procedures that were in place prior to an incident, and in whether they were fit for purpose.

Taking time long before the “white heat” of any incident to design, deploy and ensure the continued fitness for purpose of response plans, including communications, is time well spent.

Should you wish to discuss communications response plans, table top exercises, or any other aspects of cyber resilience planning, then please do not hesitate to contact us.

Australia: Anti-scam measures and ransomware reporting on the agenda
https://privacymatters.dlapiper.com/2024/09/australia-anti-scam-measures-and-ransomware-reporting-on-the-agenda/
Wed, 11 Sep 2024 13:16:06 +0000

Cyber regulation is changing in Australia. As governments globally grapple with the ever-changing and increasingly challenging cyber landscape, Australia is poised to implement new laws and update existing regulation in order to enhance Australia’s cyber security and resilience. These changes fall within the framework established by the 2023-2030 Australian Cyber Security Strategy, which aims to make Australia a world leader in cyber security by 2030.

Scam Code Act

In light of the 601,000 scams reported by Australians in 2023, accounting for an estimated $1.3 billion in losses, it has been reported this week that the Government will introduce a new Scam Code Act.

This will require digital communications platforms, telecommunications carriers and banks to report scams as soon as they are detected, or face fines of up to AUD 50 million. The Australian Competition and Consumer Commission (ACCC) will be granted powers to draft mandatory codes across the three sectors, and also for individual businesses and platforms. It is expected that the new regime will also include requirements for:

  • platforms to verify their advertisers;
  • banks to warn customers if they attempt to make a transfer to an account that is identified as fraudulent;
  • carriers to take certain measures to prevent scams being spread by SMS;
  • companies designated by the ACCC to establish internal dispute resolution processes to hear complaints from customers and consider refunds; and
  • all companies to maintain a “scams defence plan” to assist customers.

It is expected that the legislation will be tabled in parliament later this year, and we will keep you updated as more information is released about the proposed legislation.  

Other cyber security measures  

As a further rollout of the 2023-2030 Australian Cyber Security Strategy, the Australian Government has consulted on a range of proposed new cyber security legislation. To close existing gaps in regulation, consultation was sought on the following proposed measures:

  • mandating a security standard for consumer-grade smart devices, to incorporate basic security features by design and help prevent cyber attacks on Australian consumers;
  • creating a no-fault, no-liability ransomware reporting obligation to improve collective understanding of ransomware incidents across Australia, in order to counteract the limited visibility over the amount of ransoms paid by Australian organisations. The laws are proposed to apply to businesses with an annual turnover of more than $3 million and include fines for failure to report;
  • creating a ‘limited use’ obligation to clarify how the Australian Signals Directorate and the Cyber Coordinator may use information voluntarily disclosed to them during a cyber incident, in order to encourage industry to collaborate with the Government as part of an incident response; and
  • establishing a Cyber Incident Review Board to conduct no-fault incident reviews and share lessons learned to improve Australia’s national cyber resilience.

The Government received 130 submissions as part of the consultation, which closed on 1 March 2024. We will keep you updated on the outcome of the consultation.
