Incident Primer: pre-briefing the board at the start of a major incident

In today's rapidly evolving digital realm, the looming threat of cyberattacks casts a long shadow over both public and private sectors. Time and again, history has underscored a stark reality: it's less a question of if, but rather when an organisation will confront a cyber breach. Yet, an essential insight emerges: building resilience against these breaches requires not just proactive defences, but also a strategic readiness. Central to this readiness is the imperative of equipping an organisation's board—ensuring they're not just informed, but also primed to act swiftly and decisively during an incident. Waiting for adequate information to engage the board can potentially be devastating for business. However, to mitigate risk, there's an initial step that must precede this: preparing the board for action. The fast and efficient method is to organize a stakeholder pre-briefing with the objective to refresh the board and validate key decision thresholds. This pre-briefing is common in many other fields that deal with crisis.

Pre-briefings are customary across various situations to ensure preparedness. In the medical field, teams might convene briefly ahead of complex surgeries or potential mass casualties, aligning procedures even if patient details remain elusive. First responders, when confronted with emergencies like fires, chemical spills, or large-scale public disturbances, often initiate a swift briefing to confirm everyone's safety and clarify immediate roles and responsibilities. In the military, pre-mission briefings are conducted to set baseline expectations, objectives, and risks, even when the operation's specifics are not yet crystallised. Similarly, the airline industry adheres to the well-established pilot's pre-flight briefing, addressing general concerns such as weather or potential hazards, irrespective of the flight's unique challenges.

A pre-briefing for a board at the start of a major incident should include four key elements. These encompass:

• a refresher on relevant terminology and definitions,
• establishing clear thresholds for decision-making,
• equipping them with essential questions to critically assess the information presented, and
• revisiting regulatory and contractual obligations tied to vital assets and data.

1. Standard language refresh

In times of crisis, the familiarity with terminologies and set standards can provide invaluable clarity.  As the first and easiest item to cover, a key list of terminology and a list of concepts should be defined.    

The list of terminology and concepts should include:

• Vulnerability, threats, and risks
• The term used for threat actor(s)
• Incident response lifecycle, at a high level
• Relevant incident types explained (ransomware, BEC, phishing)
• Priority and severity levels (ITIL)
• Workstreams
• Key items to accomplish in the first 72 hours

2. Key decisions and thresholds

The board serves as a cornerstone in establishing an organisation's responsiveness during crises. Their role should extend beyond that of mere bystanders; they must actively participate in shaping and endorsing the metrics and guidelines driving the organisation's response. Such a hands-on approach not only facilitates timely actions but also instills a strategic purpose behind each move, thereby reducing the chances of rushed or ill-advised decisions. The following aspects warrant close review and potential updates during the initial briefing:

•  Incident severity as it impacts operations: while discerning between minor and critical incidents is typically clear-cut, certain decisions, such as the contemplation of ransom payments, require more nuanced considerations. The board should define and align on a specific threshold for when ransom payments might be deemed acceptable, if at all.
• Decision-making hierarchies: while an organisation's existing hierarchical structure often remains in place during incidents, two potential challenges may arise:
  • Availability of key personnel: there could be constraints on the availability of key staff members. Suitable stand-ins should be pre-identified and authorised to act in lieu of standard leadership roles.
  • Subject matter expertise: specific crises may necessitate expertise from unique business areas or even external consultants. The board must ensure that a clear and adaptable decision-making pathway exists, and that crucial decision-makers are readily available.
• Engagement with legal and PR teams: established protocols on when to involve these teams must be defined for clarity. Especially in cases where PR is tasked with commandeering both internal and external communications, there needs to be a lucid directive on the circumstances and manner of their engagement.
• Customer outreach when customer data or services are compromised, the emphasis should be on transparency and maintaining trust. To achieve this, there should be well-defined guidelines detailing the timing and modality of communications with customers.

Communication turnaround: especially in major incidents, stakeholders, employees, and potentially even the public, will need to be informed. The board should have a default set of clear timeframes, ensuring that all relevant parties receive accurate updates as swiftly as possible and identify a qualified spokesperson. Additionally, the messaging should be provided by a recognised leader from the organisation. This individual should have media training to sufficiently address the situation and instil confidence that the organisation is taking all necessary actions to mitigate the impact of the incident.

3. Management questions defined

When presented with their initial incident briefing, the board should develop specific questions to ask during the incident to ensure clarity and direction. Having a ‘cheat sheet’ of these questions, to assist as ‘keys to exit’ a briefing, can set the tone and content of briefings during the incident.  

• What are the current objectives and how can we achieve them?
• How confident are we in the current information presented?
• What key details are we missing, and what's crucial for our understanding?
• How long before we have a comprehensive picture?
• Are there any resources we currently lack, and if so, what?
• Can we estimate the likelihood or confidence level of the given answers?

By seeking answers to these questions, the board ensures it has a firm grip on the situation, even when details are sparse.

4. Regulatory and contractual obligations

Having a clear picture of regulatory requirements and contractual commitments can streamline crisis management, while assisting in prioritisation of tasks with limited resources and yet to be defined constraints. Contractual commitments also have various flavours, for example, requirements to fulfill if customer data is compromised, SLAs from incident response consultants, and penalties for missing contractual deliverables.

Regulatory and contractual requirements

•  Reporting mandates for vital data or assets.
• Penalties in missing contractual reporting requirements
• Penalties for regulatory violations in reporting requirements

Impacts

• Penalties for delays in customer fulfillment
• Be aware of costs of outages in delivery to current customers

Response

• Understand SLAs with:
  • public relations agencies to manage communications
  • external counsel
  • DFIR consultants
• Know the turnaround times with IT recovery services
• Account for hardware procurement contracts in case of infrastructure damage
• Ensure knowledge of overflow staffing agreements for a potential rebuild

In the modern cyber ecosystem, an organisation's agility and resilience in the face of a breach are just as crucial as its defences. A board that's primed, prepared, and proactive doesn't just manage a crisis — it navigates the organisation through it, minimising harm and ensuring rapid recovery. And in closing, practicing this type of pre-briefing in the semi/annual training will refine and improve the pace at which this can be conducted.