Reducing Cyber and Data Risk through Incident Readiness and a Culture of Compliance
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.
Organisations in Latin America are under tremendous pressure owing to a widening risk landscape and an array of new operational challenges. In an FTI Consulting global study, ‘The Most Valuable, Vulnerable Commodity: Data Establishes a New Era of Digital Insights & Risk Management’,[2] which included participants in Latin America, 90 per cent of whom were senior or executive-level leaders, 68 per cent ranked data privacy as a top-three concern for their organisation. The other concerns most often rated in the top three were information security and data breaches (59 per cent), data quality (37 per cent) and regulatory compliance and inquiries (25 per cent).[3]
In particular, the frequency and severity of data breaches and cyber incidents are steadily rising. Cyber actors are ramping up their efforts and evolving their tactics to take advantage of unprepared organisations. Attack surfaces are expanding owing to remote workforces, internet of things (IoT) device usage and vendor reliance. In the same FTI Consulting survey, 45 per cent of respondents said that remote and hybrid work has increased the potential breach and attack surface. Globally, the average cost of a data breach has risen to US$4.35 million and, in Latin America, that figure rose by 9 per cent between 2021 and 2022, including a 27.8 per cent increase in Brazil, the ‘largest relative cost increase’ of any country.[4]
Research from Ponemon Institute found that, in Latin America in 2022, 32 per cent of cyber attacks were ransomware, which was the top attack method, followed by deployment of backdoors (16 per cent) and business email compromise (BEC) or email thread hijacking (11 per cent each). Although attacks on the retail and wholesale industry were relatively low globally at 8.7 per cent, this was the most attacked industry in Latin America at 28 per cent. This discrepancy suggests that cyber actors view this industry in Latin America as lagging in resilience compared to the rest of the world, and therefore as a target for exploitation.
The impacts of hybrid working also continue to be felt among organisations in Latin America. Initially, the shift to remote work drastically increased the attack surface available to threat actors by introducing additional access points to exploit. For instance, employees working from home and connecting their laptops, full of potentially sensitive information, to unsecured Wi-Fi networks introduced the potential for unwitting, easy entry for persistent cyber actors.
The same cybersecurity threats presented by remote working are also introduced by increased use of IoT devices. These items, such as mobile phones and smart speakers, are generally less secure than ‘rigid’ devices that sit within an organisation’s network and infrastructure. The connectivity that IoT devices allow, for example, changing the temperature on a smart thermostat from a mobile phone, also grants cyber actors that same ability to move from device to device.[5] This creates significant business risk: unauthorised access to a doorbell camera can potentially lead to malware being downloaded on an employee’s work laptop and, as the threat actor advances their attack, eventually to ransomware hitting the network of the organisation where the individual is employed.
Separately, outsourcing entire business units (e.g., accounting) or strategic initiatives (e.g., marketing campaigns) was a popular practice pre-pandemic. After the workforce went remote, vendor reliance, as opposed to employing dedicated teams for specific functions, gained increasing traction, especially in the IT outsourcing space.[6] While outsourcing can often increase efficiencies or streamline resources, it also carries potential risk. Third parties are routinely granted network access to carry out the task they were hired for; however, many organisations overlook the process of rigorous third-party risk assessment. This has often led to third-party vendors that lack sufficient cybersecurity programmes and processes gaining access, or an entry point, to sensitive company data. Just as cyber actors can exploit IoT devices to gain entry to larger systems and networks, they can do so via connected entities.
In parallel, data protection and privacy regulation is gaining heightened attention and enforcement across the globe, alongside rising public demand and expectations for organisations to protect customer information. Brazil’s General Data Protection Law (LGPD), China’s Personal Information Protection Law (PIPL), the United States’ Civil Cyber-Fraud Initiative and Europe’s Data Governance Act (DGA) are just a few of many examples of regulation aimed at protecting individuals and personal data.
Consequently, organisations that do not implement strong programmes across cybersecurity, privacy, protection of other sensitive information, crisis communications and transparency may face strict regulatory (e.g., hefty fines), financial (e.g., operational disruptions and costs associated with investigations and litigation) and reputational (e.g., loss of customer trust) penalties. Amid this array of intensifying implications for cybersecurity, privacy, regulatory compliance and reputational resiliency, in-house legal, compliance and data security teams must strengthen their incident readiness and response plans to protect business viability. These are now board-level issues for organisations of all industries and regions and require adequate planning and investment to establish proper protections and response capabilities.
Escalating data protection enforcement in Latin America
In unison with global momentum for data protection enforcement, regulation in Latin America is also ramping up. For example, the LGPD, which aims to ‘protect the fundamental rights of liberty and privacy’ regarding personal data, went into force in September 2020, with enforcement taking effect in August 2021.[7] Fines for violating the regulation can reach up to 2 per cent of annual revenue for a single organisation and up to 50 million reais for every incident.[8] While the extent to which the Brazilian authorities will enforce the LGPD remains to be seen, penalties have already been handed down. In 2021, a financial services institution in Brazil was fined more than US$750,000 under the LGPD for using personal customer data improperly and committing financial fraud.[9] And last year, Brazil’s National Consumer Secretariat fined a US social media company more than US$1.2 million for unlawfully sharing personal data of Brazilian citizens.[10] Civil suits for breach of privacy are also permitted under the LGPD, and the first such case was filed within months of the law’s passage.[11]
Colombia’s laws are also viewed as leading the region in data protection regulation. First enacted in 2008, Statutory Law 1266 outlined collection and sharing restrictions for financial data. The law has been amended several times since to keep pace with the changing threat landscape, including in 2021 with Law 2157, which expanded data subject rights and introduced the concept of accountability when processing financial information. Further, Colombia’s Statutory Law 1581 of 2012 governs data processing activities and states that data controllers and processors must guarantee that personal data ‘is maintained pursuant to strict security measures and confidentiality standards, will not be modified or disclosed without the data subject’s consent, and will only be used for purposes identified in a privacy policy or notice’.[12] Authorities have issued multiple fines for compliance failures under these laws.
Several other countries in the region are following suit, instituting regulations that in many ways emulate the European Union’s General Data Protection Regulation (GDPR), largely considered the gold standard of data protection legislation.[13] Panama filed an Executive Decree in 2021, which ‘establishes principles, rights, obligations and procedures to regulate the protection of personal data’,[14] and, also in 2021, Costa Rica passed a bill to improve its existing data protection law.[15] Perhaps a precursor for future regulation, in May 2022, Mexico’s National Institute for Access to Information and Protection of Personal Data released recommendations for the ‘Processing of Personal Data derived from the Use of Artificial Intelligence.’[16] Chile, Argentina, Paraguay, Uruguay and other jurisdictions in the region have introduced a series of laws or guidelines to enforce cybersecurity and data privacy for organisations that collect, process, store, sell, share or utilise personal data.[17]
Data breach and privacy violation reporting requirements for each country vary. For instance, a breach in Colombia requires notification to the proper authorities within 15 days of the incident,[18] while Costa Rica requires a more stringent notification period of only five days.[19] The LGPD does not include a specified breach notification period; however, the National Authority has issued guidance that notifications must be made within two business days.
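Response playbooks often encode these notification windows so that the team is not working them out under pressure during an incident. The following is an added illustration, not part of this chapter or of any FTI Consulting tooling; it assumes the clock starts on the date the breach is discovered, counts Brazil’s window in business days (as the guidance quoted above states) and the other two in calendar days, and ignores public holidays.

```python
from datetime import date, timedelta
from typing import NamedTuple


class NotificationRule(NamedTuple):
    jurisdiction: str
    days: int
    business_days: bool  # True: count Monday to Friday only; False: calendar days
    source: str


# Windows as stated in the chapter. Treating Colombia and Costa Rica as calendar
# days and starting every clock at discovery are assumptions for this example;
# confirm against the applicable law and regulator guidance before relying on them.
RULES = {
    "CO": NotificationRule("Colombia", 15, False, "chapter: 15 days"),
    "CR": NotificationRule("Costa Rica", 5, False, "chapter: five days"),
    "BR": NotificationRule("Brazil", 2, True, "chapter: ANPD guidance, two business days"),
}


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday days (public holidays ignored, by assumption)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            remaining -= 1
    return current


def notification_deadline(jurisdiction: str, clock_start: date) -> date:
    """Last date on which notification is still within the window for a jurisdiction."""
    rule = RULES[jurisdiction]
    if rule.business_days:
        return add_business_days(clock_start, rule.days)
    return clock_start + timedelta(days=rule.days)


def notification_status(jurisdiction: str, clock_start: date, today: date) -> dict:
    """Deadline, days remaining (negative once missed) and an overdue flag for one jurisdiction."""
    deadline = notification_deadline(jurisdiction, clock_start)
    return {
        "jurisdiction": RULES[jurisdiction].jurisdiction,
        "deadline": deadline,
        "days_left": (deadline - today).days,
        "overdue": today > deadline,
    }


def deadlines_for(jurisdictions: list, clock_start: date) -> list:
    """Jurisdiction codes ordered by deadline, earliest first, so the tightest window is handled first."""
    return sorted(jurisdictions, key=lambda code: notification_deadline(code, clock_start))


if __name__ == "__main__":
    # Constructed scenario: a cross-border breach discovered on Friday 3 March 2023.
    discovered = date(2023, 3, 3)
    for code in deadlines_for(["CO", "BR", "CR"], discovered):
        print(notification_status(code, discovered, discovered))
```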
In general, the process of breach notification is often misjudged as being more straightforward than it tends to be in practice. Conducting effective breach notifications to regulators and data subjects requires not only a legal team with a deep understanding of the risk and individual impacts imposed by the breach – including a clear inventory of which data was exposed and to what extent – but also an assessment of what the different stakeholders expect from the company in such an event. Often, companies prioritise the legal aspect and limit their efforts to what must be done from a regulatory standpoint, which does not necessarily correspond to what stakeholders expect to be done. The difference is subtle, but proactively going beyond legal requirements in terms of notification may prevent reputational impact.
An ounce of prevention
The prominence and rigour of data protection and data privacy regulation emerging globally and in Latin America have created an environment in which data privacy practices, cybersecurity and compliance are inextricably linked. With preparedness, in the form of strong cybersecurity and data privacy programmes and a culture of compliance, privacy and security, organisations can reduce their risk exposure. Legal and compliance teams can bolster their readiness and plan across two key categories: proactively addressing gaps in security, policy and process to reduce the risk and impact of an incident; and establishing robust response processes in advance of an incident. These efforts should be backed by a broader change management strategy that is endorsed and supported from the board and executive level. With executive buy-in, preparedness programmes will have more visibility, credibility and engagement throughout the organisation.
Organisations should start with an audit of their existing information governance, data privacy and security programmes, policies and procedures. Hand in hand with updated policies and programmes is the development of an effective cybersecurity framework that encompasses incident response planning. Technical and administrative policies and controls should be updated to account for emerging or rising threats such as ransomware, so that attacks can be detected and addressed quickly.
Sophisticated technology, people and processes that enable a strong defensive stance against threats are also essential. This should include external threat intelligence, up-to-date tooling and multi-tier patching strategies. A bench of trusted experts and advisers should be at the ready to help bridge security gaps and lead investigatory and communications efforts if an incident occurs. Implementing data mapping and prioritisation, with a detailed inventory that documents internal system architecture, data flows and the sensitive data footprint, will help the team prioritise back-ups, disaster recovery plans and data protection controls. These collective resources will support business continuity and recovery, ensuring operations can be quickly reinstated from scratch if a cyber attack paralyses existing systems and information.
A data breach or privacy violation will often trigger numerous investigative activities, spanning fact-finding about what happened and which data was compromised, assessing the extent of exposure under various laws, responding to regulatory inquiries and private rights of action or class action suits, and considering how best to prevent recurrence. These are high-stakes, fast-moving matters, and failure to respond quickly, accurately and defensibly can lead to increased exposure, sanctions, business disruption and other adverse consequences. Our teams have encountered numerous investigations in which counsel or other stakeholders have been dismissed because regulators disagreed with how an investigation was scoped, or the information produced was not sufficient or defensible. Organisations can minimise compliance risk by establishing repeatable approaches and resources that ensure their investigations methodology is capable of untangling cybersecurity attribution and is ready to deploy the moment an incident is identified. Investigations processes should also include advanced analytics tools and the support of experts who understand how to leverage technology in a way that uncovers key information quickly, even when the matter involves searching across large, complex data sets.
Preparedness cannot be considered complete without a robust communications, training and awareness plan. Technology, policies and processes will ultimately be ineffective if they are not supported throughout the entire organisation. Strategic communications experts can help legal and compliance teams set the tone for a culture of trust, as well as develop awareness campaigns and training programmes that continually reinforce the overall programme. Likewise, with a pre-established crisis communications plan, organisations will be better equipped to demonstrate transparency, protect trust and reputation and mitigate public scrutiny in the event of an incident.
Incident response planning
The foundation of incident response best practice is implementing programmes and processes before a breach occurs. Despite an acute awareness of the extent of their risks, many organisations continue to grapple with shortcomings in their incident response plans. In the FTI Consulting report mentioned earlier, respondents discussed their use of technology to support response to data breaches, data subject access requests and other privacy compliance monitoring activities. More than a third (38 per cent) said they regularly use artificial intelligence or similar tools for these purposes, and an additional 43 per cent said they occasionally do. Fast and comprehensive response to privacy and security incidents is critical to minimising the impact and reinstating trust. Technology, in the form of advanced analytics and automation, is an important pillar in the overall strength of an incident response programme.
To ensure time is not wasted making decisions about how to respond in the midst of an attack, teams can establish strong incident response workflows proactively. These include the following.
Response planning
Cybersecurity or data privacy incidents often affect all information on the networks and databases they reach, including back-up data. Combating the various and ever-changing types of threats requires both a tested business continuity plan and risk mitigation processes. A strong incident response plan should account for cyber readiness, incident detection and analysis, containment and eradication, e-discovery and investigations, remediation, crisis management and strategic communications.
Table-top exercises
Properly conducted table-top exercises should be customised to the organisation and designed to test an organisation’s ability to respond to a live incident, using real-world examples. The focus of these simulations should be on assessing functionality of teams, providing technical observations and recommendations and evaluating overall response efforts. The result will help reduce the possibility of a successful incident and lessen the impact if one occurs.
Detection
Residual risk will inevitably persist after controls are implemented. Early steps to identify, detect and analyse threats are key to developing effective containment and eradication strategies.
Containment, eradication and recovery
This phase of incident response seeks to prevent data from leaving networks and to stop further damage. Eradication is the removal of malicious code, actor-controlled accounts and unnecessary access, as well as the repair of vulnerabilities that may be the root cause of the incident. Once the incident has been contained and eradicated, recovery can begin.
Reporting
When reporting an incident or breach to regulators and data subjects, several factors must be considered, including the impact on and risk to affected parties, and the corresponding compliance requirements. A significant challenge is handling the delicate balance needed in customer communications, which often involves handling a flood of messages from concerned or angry customers looking for clarification on what information was stolen, if they are affected and what steps are being implemented to prevent a similar incident from happening in the future.
Data identification
Data breaches can have long-lasting effects if they are not properly remediated. During and after an incident, extensive reviews of all impacted systems must be conducted to identify all impacted data and support remediation, compliance and accurate document preparation for any regulatory reporting and subsequent legal matters.
Communication management
Messaging to key stakeholders – such as internal teams, customers and the board – must be carefully crafted to ensure the details of the incident are clearly communicated (which in turn supports transparency and prevents confusion or misinformation). Legal and compliance teams will need to work with communications professionals to draft holding statements, issue press releases, monitor media coverage and inquiries and, in some cases, establish a dedicated call centre. Depending on the location of the incident, organisations may need to follow very specific notification requirements, such as sending letters via snail mail instead of via a single email blast.
Use of third-party consultants
There are several key considerations to address post-incident, including re-evaluating existing policies and procedures, analysing network infrastructure, identifying critical assets, determining integral roles and responsibilities and implementing necessary technical, operational and organisational changes. An independent assessment provided by cyber, privacy and IT experts offers an unbiased evaluation of vulnerabilities and how to address them. With this, an organisation can better understand its unique risk profile and ultimately implement a more mature readiness and response posture.
Preparing for litigation
Even when an incident has been swiftly and sufficiently addressed, it is possible that the affected organisation will face litigation. In anticipation of potential legal actions, organisations can take several proactive steps before a suit is filed. These should include evidence preservation, collection, handling and analysis, and partnering with expert testifying witnesses to verify results and findings. These elements help translate sophisticated artefacts into material that is easily understandable for the deciding parties involved in litigation.
Real-world risks
The risks of not having a comprehensive incident response framework that includes cybersecurity, information governance, privacy, investigations and communications are too significant to ignore. Without dedicated attention, a data breach or other privacy or security incident may cause significant and lasting fallout, which can span depletion of shareholder value, reputational harm, loss of customer loyalty, breakdown of partner trust, operational disruption and inability to attract top talent.
Our teams at FTI Consulting have advised numerous clients through recovering from such issues. In one case, a large multinational fashion retailer experienced a security breach affecting millions of customers across borders. Owing to insufficient detection capabilities, a cyber attack on the company’s network was not initially discovered, allowing threat actors to move freely throughout systems and exploit sensitive information for more than two months. Customer data was stolen, posted on the dark web and auctioned for sale.
Another example involved a large technology company that was facing intense media and government scrutiny due to its user data-sharing policies. It developed a platform that allowed for the collection and sharing of user information, but without adequate data protection controls, ultimately putting the organisation at odds with data privacy regulations in numerous jurisdictions. Owing to media and regulatory scrutiny, the organisation announced its intent to engage an independent third party to investigate its data-sharing policies and vendor data access to assess whether any connected entities violated policy by misusing collected user data.
Preventing determined threat actors from achieving their goal is challenging, even with a robust cybersecurity programme in place. For example, a sophisticated spear phishing campaign against a specific employee – an attack type that is notoriously difficult to detect and combat – led to a data breach at a global cryptocurrency trading firm. Once the target was compromised, the threat actor deployed malware that granted administrative control over the employee’s personal machine. Using this access, the threat actor captured credentials, accessed internal systems, conducted reconnaissance and moved laterally throughout the environment, further propagating the original malware. While preventing this advanced and targeted attack may not have been possible, robust cyber readiness and incident response could have enabled faster and more effective containment and minimised the total volume of data exposed.
Conclusion
Legal and compliance leaders have come to fully understand the extent of their cybersecurity and data privacy risk. In the FTI Consulting Resilience Barometer, less than 5 per cent of respondents in Latin America said they are not concerned about cybersecurity risk and they ranked data privacy among the top threats to their organisation for the year ahead. With awareness, business leaders must take targeted action to strengthen their organisation against an ever-evolving landscape of threats.
In FTI Consulting and Relativity’s The General Counsel Report 2023,[20] global legal department leaders expressed confidence about their readiness for cybersecurity and data privacy regulation and risks. 93 per cent assigned a preparedness rating of three or higher (on a scale of one, not at all prepared, to five, very prepared) to each. Still, the respondents acknowledged the ambiguity that remains, and thus the need for ongoing vigilance. As legal and compliance teams invest in cybersecurity, privacy and compliance programmes, it will be essential to think holistically about incident preparedness and response – across all fronts discussed in this chapter – to reduce risk and build resilience for additional threats on the horizon.
Footnotes
[1] Antonio Gesteira and Jordan Rae Kelly are senior managing directors, and Adriana Prado is a managing director at FTI Consulting.
[3] ‘Cost of a Data Breach Report 2022’, IBM Security (July 2022), https://www.ibm.com/reports/data-breach.
[4] ‘X-Force Threat Intelligence Index 2023’, IBM Security (February 2023), https://www.ibm.com/security/data-breach/threat-intelligence.
[5] Pedro Tavares, ‘The real dangers of vulnerable IoT devices’, INFOSEC (15 September 2021), https://resources.infosecinstitute.com/topic/the-real-dangers-of-vulnerable-iot-devices/.
[6] Robert Krajewski, ‘Why The Pandemic Led To An Increase In IT Outsourcing’, Forbes (28 January 2021), https://www.forbes.com/sites/forbestechcouncil/2021/01/28/why-the-pandemic-led-to-an-increase-in-it-outsourcing/?sh=72b225892daa.
[8] Paula Mena Barreto Pinheiro, ‘Brazil’s LGPD now in effect – what does this mean for enforcement?’, IAPP (18 September 2020), https://iapp.org/news/a/brazils-lgpd-now-in-effect-what-does-this-mean-for-enforcement.
[9] ‘Brazil: SENACON fines Banco Cetelem BRL 4M for improper use of personal data of elderly consumers’, OneTrust DataGuidance™ (15 June 2021), https://www.dataguidance.com/news/brazil-senacon-fines-banco-cetelem-brl-4m-improper-use.
[10] https://www.gov.br/mj/pt-br/assuntos/noticias/facebook-e-condenado-a-pagar-r-6-6-mi-por-vazar-dados-de-usuarios
[11] Angelique Carson, ‘Without a DPA, Brazil’s courts face slog of LGPD civil claims’, IAPP (29 September 2020), https://iapp.org/news/a/without-a-dpa-brazils-courts-face-slog-of-lgpd-civil-claims.
[12] ‘Data Protection Laws of the World’, DLA Piper (24 January 2022), https://www.dlapiperdataprotection.com/index.html?t=law&c=CO#:~:text=There%20is%20.
[13] Arielle Pardes, ‘What Is GDPR and Why Should You Care?’ WIRED (24 May 2018), https://www.wired.com/story/how-gdpr-affects-you.
[14] ‘Reglamentan Ley 81 de Protección de Datos Personales’, National Authority for Transparency and Access to Information of the Republic of Panama (28 May 2021), https://www.antai.gob.pa/reglamentan-ley-81-de-proteccion-de-datos-personales.
[15] ibid.
[16] ‘International Cybersecurity and Data Privacy Outlook and Review – 2022’, Gibson Dunn (31 January 2022), https://www.gibsondunn.com/international-cybersecurity-and-data-privacy-outlook-and-review-2022.
[17] ibid.
[18] ‘Data Protection Laws of the World’, DLA Piper (24 January 2022), https://www.dlapiperdataprotection.com/index.html?t=law&c=CO#:~:text=There%20is%20.
[19] León Weinstok, ‘Costa Rica - Data Protection Overview’, OneTrust DataGuidance™ (June 2021), https://www.dataguidance.com/notes/costa-rica-data-protection-overview.