Over the past few years, data breaches have become a reality in today’s digital age, affecting companies of all sizes.

They have become so common that data leaks involving tens of millions of records almost feel unsurprising and unremarkable. What’s worse, even with the most advanced cybersecurity encryption systems, it is near impossible to circumvent every cyber threat.

This is especially challenging for payment companies, as they store a vast database of customer information. While it is necessary to have a policy and plan in place to ensure that risks are mitigated at every juncture, it is equally important to have a ready-to-go incident response plan in the event of a cyberattack.

Below are the top four responses payments companies should consider in the event of a cyberattack:

Lock down immediately. In the event of a data leak, many companies often jump directly to course-correcting. Yet, in reality, the absolute first thing to do is to lock down immediately, preserve all records, bring in experts to understand exactly what the issue is and why it happened, and terminate the leak immediately (unless advised by experts not to do so to identify the source of the breach). It is prudent to secure counsel at this stage to advise the company appropriately on legal risks related to actions taken now and document preservation protocols to protect the company later on.

Assess the exposure. Once the leak has been terminated, it is critical to review the damage and then determine what assets were compromised. From there, a decision must be made on what data, assets and services warrant the most critical attention. It is also important to assess the nature and scope of the incident – whether it was a malicious act or a technological glitch. This assessment will allow the company to determine the required course of action.

Contact regulators and law enforcement. Companies can sometimes be reluctant to contact law enforcement following a breach due to concerns of additional investigations that might affect the business. However, keeping these agencies informed when a breach occurs can help ensure that information harmful to the company’s interests is not disclosed in statements made by authorities.

Communicate the breach. It is essential to be upfront and prudent with affected customers, including outlining a plan of action that demonstrates reassurance to customers that the company is doing everything it can to minimize risks associated with the breach. While a breach can compromise customer loyalty, it can also cause devastating reputational damage if not handled correctly.

While it may seem odd that remediation is not listed last among the top company responses to a data breach, the reality is that all of the preceding steps are necessary to form and inform an effective remediation strategy for the company and its customers (including its customers’ customers). And this takes time.

An understanding of the nature, impact and assessment of a leak is critical, and input/feedback from experts, consultants, regulators and customers will ensure an effective, appropriately measured, and complete remediation response that addresses both damage incurred and prevention of future harm based on lessons learned.

Since the cybersecurity landscape continues to evolve at a rapid pace, it is important for companies to be armed with both reactive and proactive approaches in the event of an attack.

Companies today should also be aware of new vulnerabilities and exchange information with industry peers on up-and-coming threat levels. Is there an up-spike in risky activity? Is this something that is unique to your institution or is it an industry-wide phenomenon?

Sharing of risk information between institutions can also be a way to ensure that risks are mitigated on all levels. Companies of all sizes and industries are vulnerable to potential attacks, but it is ultimately up to the company to take the appropriate actions and have the right controls to ensure that risks are minimized.

Kevin  Petrasic

Kevin Petrasic

Kevin Petrasic is head of White & Case LLP's financial institution advisory practice