Did you see this blog post from Debevoise & Plimpton, the large law firm? http://www.debevoise.com/-/media/files/insights/publications/2024/06/incident-response-plans-are-now-accounting-control.pdf
The article starts:
“In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack.”
Our ACIRM+ is a robust cyber incident response system. What we actually did was put a Global Incident Intake Form in front of a special cyber version of our APM+, and did it in such a way that no end-user licenses are involved. That way, anyone in the company who sees something can report it, at no cost. The person enters as much information as they can in the Global Incident Intake Form and clicks Save. Automatically, at network speed, a new project plan is generated in APM+ and assigned to the person responsible for managing that type of incident. Every step is logged automatically in an audit log field, which is a critical feature of the system. That’s what you want.
One of the major benefits is that the project plan is generated automatically. It’s there, and the person responsible has to work it. Because of the automatic notifications built into APM+, if they don’t work the plan when they are supposed to (remember the SEC’s rule requiring disclosure within four business days of determining that an incident is material), leadership is automatically notified that nothing is happening on the project or on a task in the project plan. We did this because of three things that happened, two long ago and one recently.
- Years ago, we were hired by the CIO of Times Mirror Corp., owner of the LA Times, to do an audit of their Help Desk. The first day of the project arrived and at the Kickoff Meeting, we were told to start by talking with their best help desk analyst, and we did. We were introduced to the analyst, who brought us into her cubicle. I asked her: “When the phone rings, what do you do?” She said something to the effect of: “If I cannot answer the question straight away, I take my pad of paper and write down as much as I can about the issue. Then I take the next call and the next one and the next one, each time doing the same thing. When I have a break, I look at all of my notes, decide which incidents to put into the system, and enter those incidents.” I said, too directly: “So the metrics from the system are a waste of time.” She looked at me, stunned. Of course, the leadership thought all of the incidents were being entered into the system and the data was accurate.
- Recently I talked with the CISO of a New York City-based company that had revenues of $22B the year before. I asked him who was responsible for managing incidents. He said: “No one. Incidents are handled by the technical teams.” Obviously, given the SEC’s new rules, if you are the CEO or a Board member, that is not the answer you want to hear. There were no controls.
- A friend of mine and I went for coffee one morning at a local restaurant. The tables outside had not been cleared and no one was around. My friend said: “The owner doesn’t know about this.”
So, getting back to ACIRM+. For each type of incident, during implementation, someone has to be named as the responsible person. A project plan is generated for each incident, the responsible person is notified that he/she has to take action, and if they don’t, leadership is notified. And all of this, every entry, is logged automatically in an “audit log” field, so when the SEC visits you can show them all of the detail. Just because the head of IT tells you that something is happening, that doesn’t mean that it is. This is how your people will hold themselves accountable.
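The workflow described above, reduced to code as an added example (this is not ACIRM+ or APM+ code, and the post says nothing about how those products are built): intake by anyone, automatic assignment by incident type from a routing table fixed at implementation time, escalation to leadership when the owner has not acted by a deadline, and an append-only audit log. The incident types, addresses, four-hour deadline and sample timeline are all assumptions; the hash chaining of the audit log is a design choice added here so that a deleted or edited entry is detectable, which is the property you want when the record is going to be shown to a regulator.

```python
"""Added illustration of an intake -> assignment -> escalation -> audit-log
workflow. Not ACIRM+/APM+ code; names, types and deadlines are assumed."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed routing table, set during implementation: incident type -> responsible person.
OWNERS = {"ransomware": "ir-lead@example.com", "phishing": "soc-lead@example.com"}
LEADERSHIP = "ciso@example.com"        # assumed escalation recipient
ACK_DEADLINE = timedelta(hours=4)      # assumed deadline for the owner's first action


@dataclass
class Incident:
    incident_id: str
    kind: str
    reporter: str
    summary: str
    opened_at: datetime
    owner: str
    last_action_at: Optional[datetime] = None
    escalated: bool = False


class AuditLog:
    """Append-only log; each entry carries the hash of the previous entry,
    so editing or deleting an earlier entry is detected by verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": ts.isoformat(), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        body["hash"] = self._digest(body)   # digest taken before the hash key is added
        self.entries.append(body)

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class IntakeSystem:
    """Stand-in for the intake form plus the automatic project-plan generator."""

    def __init__(self):
        self.log = AuditLog()
        self.incidents = {}
        self.notifications = []   # (recipient, message); stands in for e-mail

    def intake(self, reporter, kind, summary, now):
        """Anyone may file; a record is created and assigned immediately."""
        incident_id = f"INC-{len(self.incidents) + 1:04d}"
        owner = OWNERS.get(kind, LEADERSHIP)   # unrecognised types go straight to leadership
        self.incidents[incident_id] = Incident(incident_id, kind, reporter, summary, now, owner)
        self.log.append(now, reporter, "intake", {"id": incident_id, "kind": kind, "summary": summary})
        self.log.append(now, "system", "assigned", {"id": incident_id, "owner": owner})
        self.notifications.append((owner, f"{incident_id} assigned to you; act within {ACK_DEADLINE}"))
        return incident_id

    def record_action(self, incident_id, actor, note, now):
        """Only the assigned owner may work the plan; every action is logged."""
        inc = self.incidents[incident_id]
        if actor != inc.owner:
            raise PermissionError(f"{actor} is not the owner of {incident_id}")
        inc.last_action_at = now
        self.log.append(now, actor, "action", {"id": incident_id, "note": note})

    def check_deadlines(self, now):
        """Run on a schedule: escalate once per incident with no owner action past the deadline."""
        escalated = []
        for inc in self.incidents.values():
            overdue = inc.last_action_at is None and now - inc.opened_at > ACK_DEADLINE
            if overdue and not inc.escalated:
                inc.escalated = True
                self.log.append(now, "system", "escalated", {"id": inc.incident_id, "owner": inc.owner})
                self.notifications.append((LEADERSHIP, f"{inc.incident_id}: no action by {inc.owner}"))
                escalated.append(inc.incident_id)
        return escalated


if __name__ == "__main__":
    # Constructed sample timeline: two reports, one owner acts, the other does not.
    s = IntakeSystem()
    t0 = datetime(2024, 6, 18, 9, 0, tzinfo=timezone.utc)
    a = s.intake("jane@example.com", "ransomware", "files renamed .locked on FS01", t0)
    b = s.intake("bob@example.com", "phishing", "credential-harvest mail sent to finance", t0)
    s.record_action(a, "ir-lead@example.com", "isolated FS01 from the network", t0 + timedelta(hours=1))
    print("escalated to leadership:", s.check_deadlines(t0 + timedelta(hours=5)))
    print("audit log intact:", s.log.verify())
```

The point of the example is the two controls the post keeps coming back to: the owner cannot make an incident disappear by not touching it, because `check_deadlines` escalates on the clock rather than on anyone's say-so, and nobody can quietly tidy up the record afterwards, because `verify` fails as soon as any earlier entry is altered.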