DISCLAIMER: This case study depicts a fictional cyber incident based on real-life scenarios described by expert interviewees, media reports, and other publicly available resources. While the details surrounding the characters, company, and ransomware attack are imagined, the business concerns and legal issues raised are plausible and based on actual cases.

It’s half past 7 a.m. The chief executive (CEO) of Vulnerable Electric (VE) has just finished a workout in her home gym when she hears the persistent trill of her cell phone in her sweatshirt pocket. She’s used to hearing her phone go off at all hours (she has teenage daughters), but it’s a bit unorthodox for her general counsel to be calling this early. Curious, she picks up.

He tells her what’s happened without preamble. The news has traveled a circuitous route in under 20 minutes. An employee named Betsy reported a suspicious splash screen to the vice president of human resources, who in turn alerted the managed security service provider (MSSP).

VE uses an MSSP as its first line of defense. The MSSP provides outsourced monitoring and management of security devices and systems, including intrusion detection, vulnerability scanning, and incident response as a service. The general counsel reports the MSSP conducted an initial investigation and declared a cyber incident—specifically, a ransomware attack.

“Has the CIRT steering committee confirmed it?” asks the CEO. Her tone suggests the question is a foregone conclusion. CIRT is an acronym for cyber incident response team, and the steering committee includes senior executives like the chief information security officer (CISO) and general counsel, to whom she’s speaking. The fact he is calling her suggests the incident has already been declared significant.