Get that ‘We’ve been hacked!’ press release ready NOW

The ransomware hits. The corporate sky is falling. All hell breaks loose.

One day later, the board of directors holds an emergency meeting. Let’s be clear: we can’t actually tell customers about this before we do the public disclosure, they say. If we do, we could be wrongfully passing along what might well be material, inside information about our company. And then too, we have contracts with big customers that dictate what and when we tell them. Oh, and by the way, one of our clients is the Department of Defense, and that one has much stricter requirements — no, I can’t remember what those reqs are; I’ll check tomorrow.
Sound familiar? It should. These are the sort of discussions your company is going to hold, eventually, be it in tabletop incident response walkthroughs or in real life (if your company hasn’t been through it already, that is). At a ransomware walkthrough put on last week at RSA 2022, presenters staged three board of directors’ meetings: one representing what goes down a day after ransomware hits, one two days after and the third a week later.
Bringing the “what do we do now?” fingernail-chomping and those “woops, I guess we should have done that differently” moments to life were Glenn Gerstell, senior advisor for the Center for Strategic & International Studies and moderator of the panel; Preston Golson, director of critical-issues advisory firm the Brunswick Group; Robert Huber, chief security officer at Tenable Inc.; and Suzanne Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS), as well as a member of the Cyberspace Solarium Commission.
How prepared was that poor, stricken, fictional company — let’s call it CYA Widgets — for the ransomware strike? Had they done tabletop exercises? Were they proactive enough to have prepared a press release for this kind of situation (as all organizations should, of course, given the high likelihood that we’re all going to get hit eventually)?
As the Cybersecurity & Infrastructure Security Agency (CISA) put it in its Shields Up response to Russia’s invasion of Ukraine and related cyberattacks, “Every organization — large and small — must be prepared to respond to disruptive cyber incidents.”
Let’s join the meeting of CYA Widgets’ board of directors to find out how prepared they were for their ransomware hit, how they responded and what factors they had to take into account in their responses.
Maybe we can pick up some tips for what to do when our own skies fall?
Ransomware hit, 1 day later: The timer begins
One thing that moderator Gerstell wanted to make crystal clear: “We can’t actually tell customers about the full nature of this before we do the public disclosure, because then we’re going to be wrongfully passing along what might well be material inside information about our company.”
Customers have to wait to get a heads-up: First comes the notification to the Securities and Exchange Commission (SEC). Your company’s board should already be familiar with the risk factors portion of its annual SEC reports: Form 10-K describes vulnerability to malicious cyber activity and how it might affect your company. Your company should have already set out policies and procedures as part of its description of board oversight.
At this early stage, your company might not have total certainty about just what the consequences of this ransomware attack might be, but Gerstell errs on the side of considering an issue like this to be material. As it is, your directors, officers and other corporate insiders can’t trade public companies’ securities while in possession of material nonpublic information, and that could well include a cybersecurity incident like what you’re dealing with now. It might not even be prudent to trade right after the issue is made public, Gerstell said. Appearances matter, so “We need to be real careful.”
Bottom line: File an SEC disclosure as soon as possible, even if you don’t have all the facts and are still investigating.
“I think we should notify the FBI,” Gerstell suggested. “Tell them we’re going to do a public disclosure. We don’t want to be in a position where we’re sitting on the news, with some shareholder complaining to us.”
Takeaway: Victimized companies must strike a delicate balance between

Adhering to contracts with customers that stipulate that they be informed of issues that might interfere with your company’s ability to perform the contract in a timely manner, filing with the SEC, and
Disclosure that risks disclosing material insider information.

Complication: Contracts differ. CYA Widgets, for example, has a contract with the Department of Defense that has much stricter requirements than the company’s other customers. He’ll have to doublecheck on just what those requirements are, Gerstell mused, now that he thinks about it. “Again, we need to be careful in what we disclose to customers, before we’ve made this broader public disclosure,” he noted.
“I happen to be the lucky stucky who reviews a lot of the security addendums for likely contracts, and it’ll actually require us to notify them, once we confirm there’s been a breach, within 48 hours,” said Huber. “We do have to inform large enterprise contracts. …
“And that timer just started.”
Rev your PR engines!
Golson, playing the head of communications for the unfortunate CYA Widgets, agreed that one of the first things a targeted company has to do is to develop key messaging to stakeholders. It’s not just about responsible disclosure, but also about limiting misconceptions about the company’s operations, he said. “Saying that we’re working with law enforcement shows that we’re being a responsible party — and also implicitly reminds people that we’re the victims of crime,” Golson said.
Come up with a core set of key messages, he advised — kind of like the Rosetta Stone of messaging, to serve as a base for all stakeholder communications, whether that be to customers, employees, regulators or as response to the media.
What’s in your messaging toolkit?
Keep the messages as clear as possible, Golson recommended.
Don’t get too far in front of an investigation: You want to provide a general explanation of who/what/when/where happened, but don’t apply timelines that get ahead of the details.
“We don’t want to say things we have to take back later,” he cautioned, or “that will bring down the trust.”

Preston Golson, director of critical-issues advisory firm the Brunswick Group, stood in for whatever communications expert you huddle with (ASAP) post-incident.
Lay out timelines of what to say when, to make sure that information disclosures are sequenced appropriately versus prematurely, which could entail legal jeopardy.
Other best messaging practices:

If the issue leaks, you want to buy time. How will you go to the media if it happens before you’ve laid out the right things to say?
Prepare a full Q&A document that addresses the likely questions your company will receive, with defensible, accurate answers that have been approved by Legal.
Take into account the fact that employees will find out about the issue through the rumor mill. Recognize and address their anxiety.
Assume that anything given to employees will become public.
Customers are critically important. You’ll probably want to begin informing your company’s biggest customers first, as well as your customers’ chief information security officers (CISOs), whose phones will be ringing off the hook.
Prepare talking points for investors, acknowledging that it’s common for security issue news to foment misconceptions about the incident leading to shortages or other disruptions in operations. Be prepared to provide them with accurate information.
Got a tiny communications staff? Plump it up. Consider bringing in an outside communications adviser team.

“Well, you know, all of this sounded very reasonable when we were developing the playbook,” Spaulding commented. “And even when we did the exercise. Now, it seems overwhelming. We’ve got a week’s worth of work to do.”
Yes, at least.
But wait, before we adjourn: Did CYA Widgets end up being extorted by the attackers?
Yes.
CYA now has three days to respond.
2 days later: It’s backup time
A lot has happened.
CYA hired an extortion services firm. It wasn’t part of the original plan, but one of the company’s cybersecurity vendors recommended the firm, and Huber checked it out with some other CSOs, so it’s all good.
“You know, over the past few years, some really good specialized firms have arisen that focus just on this problem,” Gerstell said. These firms have experience in negotiating with ransomware gangs and know how to communicate with them on the dark web — something that CYA, and likely most companies, don’t know how to do.
“We don’t even have to get involved,” Gerstell informed the board. Plus, in any negotiation, it’s good to have an agent in the middle who can buy you more time, he said. “It kind of gets us one step removed directly from dealing with these criminal people. … [and] my sense is we have a little bit of breathing room.”
The CSO’s take: The security operations center (SOC) is making good progress, but the attack still isn’t completely contained from a lateral-movement perspective. More critically, CYA’s plant operations are functioning, but the logistics system is offline.
“What does that mean for us as an organization?” Huber asked. “No shipments go out the door. We do have offline tape backups, but we need to engage with the logistics vendor to rebuild the system. It’s a legacy, unsupported system, so we can’t do that ourselves. … we’re recommending [that we move to] shut down plant operations, for security reasons. Ensure that we have no issues within the plant itself, even though we don’t believe it’s a fact at this point.”
The elephant in the room: the issue of restoring from backups. It won’t be easy. “We have a lot” to restore, Huber said, as so many companies do.
Do a mock interview
It’s time to update the key messages and Q&A, Golson said, to reflect the latest state of play. The comms team will sit down with the CSO for 15-20 minutes to run through a mock interview, with external advisors, to make sure that he’s prepared and able to answer any questions he might receive from CISOs.
As far as the media goes, the incident is no longer a secret. “Thankfully, for customers, we’ve turned our key messages into talking points and … messages for the customer, and … backing that up with talking points for customers that our relationship managers can use when they talk to them about what’s going on,” Golson updated the board.
“What we told them is that as soon as the incident was discovered, we moved quickly to take steps to mitigate,” Golson continued. “We’ve enlisted a top external forensics firm to help us investigate the matter. We’ve told them that the security of our systems is of paramount importance. … We build that trust. And we also committed to let them know if they’ve been affected down the road. We’ll contact them until it’s kind of like no one’s happy about that, per se, but there they are. They appreciate that we’re communicating.”
Meanwhile, the hackers have started to leak the information to drive up the pressure, the filing with the SEC has been done, it’s time to unleash the press release, and the media has questions. How do you respond?
However works best for you, Golson said.
“We don’t feel obligated to answer every question that they give us,” he suggested. “We shouldn’t … feel obligated to explain all the gory details about … what happened. It’s not advisable to tell the world about security vulnerabilities. And these reporters don’t expect us to do that anyhow, because … committees don’t do that. We shouldn’t also discuss how the ransomware negotiations go, shouldn’t say anything about a pay/no pay decision. … We’ll address those questions that we want to answer.”
1 week later: Did you stiff the SEC?!
Get ready for some heavy lifting. “We need to find out where we are. And we’re going to have to make some big decisions, particularly about whether to pay this ransom,” Spaulding said in opening the third board meeting.

Suzanne Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS), warns the board that the third meeting post-attack will be intense.
Recovery is going well: About 80 percent of workstations are back up. There’s been no additional known lateral movement. The transport system will be back up in 72 hours, but Huber recommends keeping the plant shuttered, in an abundance of caution.
Meanwhile, CYA’s friends at the SEC weren’t too thrilled with the company’s “somewhat thin” filing about the incident, Gerstell noted. “As you recall, what we put out the other day was just a simple statement saying that we’re evaluating the extent of the incident,” he recounted. “And that was right, because we didn’t have more details at the time, we didn’t want to speculate, and we indicated some of the basics, [and] that was the right call. The alternative was saying nothing.”

Glenn Gerstell, senior advisor for the Center for Strategic & International Studies, playing the part of moderator for CYA’s board of directors meetings.
Not surprisingly, the SEC staff at this point wants more information, Gerstell told the board. It’s time to think about filing supplemental material as news develops. “This illustrates that we just have to be prepared for a day-by-day evaluation; we have to be on top of developments here.”
You also have to figure out how to pay the ransom. And monitor the news to correct any inaccuracies.
And oh, by the way, the White House will be calling. It’s desperate to make an urgent shipment of medical supplies related to the pandemic to countries in need, all around the world, and your company happens to be a primary supplier. Time to ramp up production — you’ve got a few days, tops.
Say, Bob, has production even been restarted?!
Conclusion
Think this article was long? That well may be, but this only skims the surface of CYA’s complicated, multi-part, fake ransomware response and what your own business could potentially face.
TL;DR: Do you have a press release prepared?
No?
The time to act was yesterday.
Call PR, call Legal and start typing, bucko!

Lisa Vaas, Senior Content Marketing Manager, Contrast Security
Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.

https://securityboulevard.com/2022/06/get-that-weve-been-hacked-press-release-ready-now/
