Forecast: Ransomware, Data Breaches Will (and Have) Happened Here; Prepare Now
Everyone knows that Minnesota is susceptible to severe weather events such as hail, high winds, floods and tornadoes. The impacts of such storms may vary, but the severity is often lessened because organizations took steps to be prepared to respond effectively.
Too often members think of cyber-related crimes as being similar to earthquakes, hurricanes and typhoons: They will not happen here. Unfortunately, cyber-breaches and ransomware claims among MCIT members and other Minnesota public entities in 2023 have shown otherwise:
- In February, a St. Paul Public Schools data security incident may have resulted in an unauthorized third party accessing and acquiring student information.
- In July, an unauthorized party claimed to possess sensitive data allegedly taken from the University of Minnesota’s systems. This includes a database containing 7 million Social Security numbers going back to the 1980s.
- In August, a small Minnesota county experienced a ransomware attack, which locked staff out of the computer system and created a private data release exposure. The ransom demanded to release the system was in the multimillions of dollars, only a fraction of which is potentially covered by insurance.
The full repercussions of these specific incidents are still unknown; however, similar past events have shown that data compromise issues are:
- Time consuming for staff in both response and recovery efforts, especially if response and business continuity plans are not in place.
- Costly, particularly in the event of a noncovered or underinsured loss.
- Interruptive in the delivery of services, including potentially critical ones to citizens.
- Damaging to the organization’s reputation.
Preparation for Response Is Key
Clearly, loss prevention efforts such as use of current antivirus/malware software, multifactor authentication, secure off-site data backups, proper vendor controls and contracts, establishing and implementing data policies and ongoing employee training are critical. But efforts also need to be made in anticipation of a data breach so that it can be addressed in a timely, organized manner.
Breach preparedness is best accomplished with the development of both a formal incident response plan and a business continuity plan.
Elements of Response Plan
A key element in an incident response plan is to assign an individual to report incidents promptly to and work with MCIT.
Not only will this help in the potential claim process, but more important, it initiates a timely process of assistance from a team of breach coaches and information technology (IT) professionals, which is included for all MCIT-covered claims. This may include investigation (forensics), threat/vulnerability removal and recovery, and third-party notification.
Other important parts of an incident response plan include:
- Formally assigned staff responsibilities for all aspects of a loss.
- Established internal incident identification processes and communication procedures.
- Updated inventory of all hardware and software.
- An annual budget for emergency cyber-response issues.
Keep Operations Functioning
A business continuity plan is also essential to keep operations functioning while recovering from a cyber-incident. A business continuity plan should include in part:
- An inventory of vital operations.
- An inventory of IT hardware and software essential to operations.
- Identification of third parties, vendors or other organizations or agreements to carry out the business continuity plan.
- Well-documented agreements with clear responsibilities in place with noted parties.
MCIT offers no-cost resources to assist members in cyber-incident response planning. Members are also encouraged to contact their MCIT risk management consultant at 1.866.547.6516 for assistance.
Cyber-preparation Resources
Unlike weather-related events, steps can be taken to prevent cyber-incidents. MCIT offers these resources:
- Cyber-security Self-assessment checklist
- Essentials of Data Security for Public Entities guide
- Quick Takes on Data Security training scripts and handouts
eRiskHub.com/MCIT,® offers:*
- Sample response plans
- Exercises to practice plans
- Employee awareness training tools
- Phishing- and ransomware-specific information and tools
- Sample cyber- and data-security policies
*Members must register with eRiskHub using an access code that they can obtain from MCIT at info@mcit.org. eRiskHub is operated and maintained by NetDiligence,® a company of Network Standard Corporation. MCIT is not responsible for the site’s content nor does it endorse any specific product on the site.