Have you pre-identified legal counsel and PR support for a ransomware incident (notification obligations, regulator engagement, customer comms)?
Description
What this control does
This control requires the organization to maintain pre-established relationships and retainer agreements with specialized legal counsel experienced in cyber incident response, data breach notification laws, and regulatory compliance, and with a crisis communications or public relations firm experienced in ransomware incident messaging. These resources must be documented, contactable 24/7, and briefed before an incident occurs on the organization's environment, regulatory obligations (for example GDPR, HIPAA, and U.S. state breach notification laws), and stakeholder landscape. Counsel should also be positioned to direct the forensic investigation from the outset, since communications and reports produced outside counsel's direction are far harder to protect under privilege. Pre-identification enables rapid activation during the critical first hours of a ransomware event, when notification deadlines, ransom negotiation decisions, and public disclosure strategy must be coordinated under extreme time pressure.
Control objective
What auditing this proves
Demonstrate that the organization has pre-identified, contracted, and briefed external legal counsel and public relations support capable of immediate activation during a ransomware incident to meet notification obligations, manage regulator engagement, and coordinate customer communications.
Associated risks
Risks this control addresses
- Missed statutory breach notification deadlines (e.g., the GDPR Article 33 requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach) due to delays in identifying qualified legal counsel during an active incident
- Regulatory penalties or enforcement actions resulting from improper or untimely engagement with data protection authorities, state attorneys general, or sector regulators
- Reputational damage and customer attrition caused by inconsistent, delayed, or legally problematic public communications about the ransomware incident
- Inadvertent waiver of attorney-client privilege or work-product protection because incident communications and forensic reports were not structured under counsel's direction from the start, or were shared beyond counsel and the parties counsel retained, leaving them discoverable in later litigation or regulatory proceedings
- Operational paralysis during ransom negotiation or data exfiltration scenarios due to lack of pre-briefed legal guidance on payment legality, sanctions compliance (payments to sanctioned threat actors can expose the organization to sanctions enforcement, as highlighted in U.S. Treasury OFAC advisories), and contractual obligations
- Disclosure of sensitive incident details or compromise of investigation integrity through uncoordinated statements to media, customers, or partners
- Increased litigation exposure from premature admissions, inaccurate victim counts, or mischaracterization of data exposure in external communications
Testing procedure
How an auditor verifies this control
- Request the incident response plan and identify sections documenting pre-identified legal counsel and PR/communications support for ransomware incidents
- Obtain copies of active retainer agreements or engagement letters with cyber-focused law firms and crisis communications firms, verifying coverage for breach notification, regulatory engagement, and ransomware-specific scenarios
- Review contact rosters for external counsel and PR firms, confirming 24/7 emergency contact numbers, escalation paths, and backup contacts are documented and current (verified within last 90 days)
- Interview the incident response manager or general counsel to confirm legal and PR vendors have been briefed on the organization's regulatory environment, data holdings, customer base, and notification obligations prior to any incident
- Examine records of tabletop exercises or simulations from the past 12 months, verifying external legal counsel and PR representatives participated in ransomware scenario walkthroughs
- Validate that external counsel contact information is included in incident response playbooks, war room checklists, and on-call runbooks accessible to the security operations and executive teams
- Review documentation showing legal counsel has provided written guidance on jurisdiction-specific notification timelines, regulator contact protocols, and ransom payment legal considerations applicable to the organization
- Confirm the existence of pre-drafted communication templates (regulatory notifications, customer breach letters, media statements) developed collaboratively with legal and PR teams and approved by counsel for ransomware scenarios