Understanding the Need for a Chain of Custody After a Cybersecurity Incident

Cybersecurity issues remain a persistent concern as the world continues to digitize. Even as software experts stay on top of program and security vulnerabilities, cybercriminals continue to become more sophisticated in their attacks. As of 2023, even federal agencies are not immune: the Office of Personnel Management (OPM) recently fell victim to ransomware. Among private companies, Duke University research has found that about 80% of all firms have experienced a breach, and global cybercrime costs are expected to reach $10.5 trillion by 2025. Proper cybersecurity protocols, however, are not just about actively fighting off attacks but also about responding correctly to any incident, and one of the most critical means of doing the latter is a chain of custody.

What is a chain of custody?

A chain of custody is the chronological documentation that accounts for the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence. For cybersecurity incidents, it entails documenting, in order, the handling and movement of digital evidence from the moment of collection through its use in an investigation. This record establishes who had access to the evidence at every point and guards against unauthorized tampering with information that may later be needed in legal proceedings. Evidence collection is the crux of any investigation, which is why it must be done by the right professionals: qualified forensic analysts know how to document chain of custody in these situations and understand the intricacies and challenges of identifying, collecting, and preserving information after a cybersecurity incident. When done properly, the chain of custody also helps companies understand and tailor their cybersecurity strategies more proactively while preparing for any legal action or investigation.
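As an added illustration (not code from the original post), the Python sketch below shows what "chronological documentation of the handling and movement of digital evidence" can look like in practice: every custody event records a timestamp, the handing-over and receiving custodian and a SHA-256 hash of the evidence, and each record is linked to the previous one by hash, so that a later edit to either the evidence or the log itself is detectable. The CustodyLedger class, the custodian names and the evidence bytes are constructed assumptions for this example, not a standard form or any product's format.

```python
# Added example (not from the original post): a minimal chain-of-custody
# ledger for one item of digital evidence. The evidence bytes, custodian
# names and the CustodyLedger class itself are constructed assumptions.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

GENESIS = "0" * 64  # link value used by the first ledger entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str                 # ISO-8601 UTC time of the custody event
    action: str                    # "acquired" or "transferred"
    from_custodian: Optional[str]  # None for the initial acquisition
    to_custodian: str
    evidence_hash: str             # SHA-256 of the evidence at this event
    prev_entry_hash: str           # digest of the previous entry (ledger link)
    notes: str = ""

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLedger:
    """Records every handover of one evidence item and verifies integrity."""

    def __init__(self, evidence_id: str, data: bytes, custodian: str,
                 when: Optional[datetime] = None) -> None:
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(data)   # reference hash, taken once
        self.entries: List[CustodyEntry] = []
        self._append("acquired", None, custodian, data, when, "initial acquisition")

    def _append(self, action, src, dst, data, when, notes="") -> CustodyEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = CustodyEntry(ts, action, src, dst, sha256_hex(data), prev, notes)
        self.entries.append(entry)
        return entry

    def current_custodian(self) -> str:
        return self.entries[-1].to_custodian

    def transfer(self, data: bytes, src: str, dst: str,
                 when: Optional[datetime] = None, notes: str = "") -> CustodyEntry:
        # Refuse a handover from anyone who is not the recorded holder:
        # an unrecorded holder is exactly the gap a broken chain consists of.
        if src != self.current_custodian():
            raise ValueError(f"{src} is not the current custodian "
                             f"({self.current_custodian()})")
        return self._append("transferred", src, dst, data, when, notes)

    def verify(self, data: bytes) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        if sha256_hex(data) != self.acquisition_hash:
            problems.append("evidence no longer matches its acquisition hash")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: ledger link broken (record edited?)")
            if e.evidence_hash != self.acquisition_hash:
                problems.append(f"entry {i}: evidence hash changed at handover "
                                f"{e.from_custodian} -> {e.to_custodian}")
            if i > 0 and e.from_custodian != self.entries[i - 1].to_custodian:
                problems.append(f"entry {i}: custody gap before {e.from_custodian}")
            prev = e.digest()
        return problems


def build_scenario():
    """Constructed walkthrough: clean handovers, then an altered artifact."""
    evidence = b"constructed sample: exported web-server access log\n"
    t0 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger = CustodyLedger("EV-0001", evidence, "analyst_a", t0)
    ledger.transfer(evidence, "analyst_a", "evidence_locker",
                    t0 + timedelta(hours=2), "sealed in evidence bag #7")
    clean_report = ledger.verify(evidence)
    # The file is edited before the next handover; the ledger records the new
    # hash and verify() pinpoints the handover at which the change appeared.
    altered = evidence + b"extra line appended after acquisition\n"
    ledger.transfer(altered, "evidence_locker", "analyst_b",
                    t0 + timedelta(days=1))
    tampered_report = ledger.verify(altered)
    return ledger, clean_report, tampered_report


if __name__ == "__main__":
    _, clean, tampered = build_scenario()
    print("clean ledger problems:", clean)
    print("after alteration:", *tampered, sep="\n  ")
```

Two properties of the design carry over to real forensic practice: the evidence hash is taken once at acquisition and re-checked at every handover, so any change is tied to a specific custodian and time window; and the log entries are themselves hash-linked, so the record of who held the evidence cannot be quietly rewritten after the fact.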

What happens when a chain of custody is broken?

On the flip side, a broken chain of custody can significantly hinder an ongoing investigation, since the sequence of events becomes harder to trace accurately. In extreme cases, it can damage the integrity and admissibility of the evidence itself. After a cybersecurity incident, opposing parties can use a broken chain of custody as the basis for legal challenges, arguing that mishandled evidence gives grounds to doubt its accuracy, especially since digital paper trails can be doctored. The stakes are high: according to surveys from Nationwide, the average business takes almost 300 days and up to $15 million to recover from a cyber incident.

A recent example of the consequences of poor documentation is the SolarWinds hack of 2020. Although multiple cybersecurity experts discovered the breach, the evidence was essentially bookmarked and filed rather than shared across the wider network. These data silos let the broader hack roll out with little to no resistance; beyond over 18,000 private entities, big names like Deloitte and Cisco were also affected. Once the offending code, Sunburst, was identified, a proper chain of custody and forensic cyber examination were put into place, which is why SolarWinds has been on the road to recovery since 2021.

In closing, cyber risk is difficult to curb even with the best security features and programs. To reduce exploitation, companies need to recognize their vulnerability and prepare complete response plans. By doing so, they are a step closer to building cyber resilience against any risk and developing the right cybersecurity programs to bounce back from potentially damaging incidents.
