1. Third Annual CICMA – CIAA – CDL – Joint Seminar
November 14, 2017
Toronto
Cyber Insurance and Incident Response Practice
2.
Not like any other Monday
3. A hello from pr1m4 d0nn4
You’re the CAO of a mid-sized law firm. You’ve let your mail build up over the weekend and are working through your inbox. There it is.
Someone identifying herself as “pr1m4 d0nn4” says she’s got 2TB of the firm’s information. She’s attached a spreadsheet that shows all employee salaries. You quickly check and it matches what you have exactly. pr1m4 d0nn4 says that you have seven days to pay 20 bitcoin (about $183,000) or your information will be released on the dark web.
4. Who do you call first?
A. The managing partner
B. The police
C. Your broker
D. Your breach coach
E. Your mommy
5. Congrats! You have an IRP
Shortly after breaking the bad news to the managing partner, you consult your incident response policy. It identifies the managing partner, the CIO and the CFO (who is responsible for risk management) as the members of the lean and mean incident response team.
You call a breach coach from the firm of Bourk-Juneau-Michaluk – one of three pre-vetted firms listed in your policy.
6. What’s the 1st thing the coach tells you to do?
A. Order a global password reset
B. E-mail all partners to see if they have had any suspicious contact that might be the cause
C. Assess network vulnerabilities
D. Hire an IT forensic provider
E. Hire a crisis management communicator
7. At this point, what first party costs can you expect to bear?
8. And the investigation shows…
You’ve had a stellar response from your forensic IT provider. It’s only three days in and the vendor has confirmed that, indeed, 2TB of information was “exfiltrated” from an HR shared drive, a drive containing a wide range of employee personal information (including salary info by year, SIN numbers, DOB). The breach resulted from a phishing attack that exploited an unpatched server vulnerability.
The vendor has given its qualified opinion that the network is now secure and that no other information was likely taken by pr1m4 d0nn4.
9. How do you deal with the hacker?
A. Ask her some questions and try to buy time
B. Bargain a reduction in price
C. Pay the ransom
D. Don’t pay the ransom
E. Wait for contact and don’t reach out
10. And the investigation shows…
You’ve decided not to pay the ransom or talk to the hacker at all. That gives you a whole four days before the information could be dumped on the dark web.
11. What do you do in anticipation of the deadline?
13. Angry Bob…
Well done. Your response went over very well with the employees (and the Law Society). You had a series of town halls and the messaging was very forthright and clear. Now, six months post-incident, no employees have reported any identity problems to you. Employee surveys show your employees trust you and are grateful for your approach to the incident.
Unfortunately, a former employee (Angry Bob), who had an outstanding wrongful dismissal claim against the firm, has amended his claim and sued for “breach of privacy”. He’s also threatened to “go public”.