The regulatory and legal landscape surrounding the use of business data and its security is rapidly becoming more complex. As state and even individual city regulations and laws are being retooled, proposed, or enacted, a patchwork of regulations has cropped up. And these new rules bring with them federal guidance and enforcement and new industry standards — all for corporate compliance and legal departments to consider.
The threat of cybersecurity damage to a business’s profitability or reputation does not wait, however, and the landscape keeps changing.
John Carlin, a former senior U.S. Justice Department official for national security who is now head of the risk and crisis management group at Morrison & Foerster, spoke with Thomson Reuters Regulatory Intelligence to discuss the challenges of achieving cyber resiliency.
You can listen to the full webinar, Achieving Cyber Resiliency here.
The webinar’s warning boiled down to this: The threat of being hacked is increasing in both size and scope and should be considered a top risk for all businesses. Carlin also had some anecdotes, notable numbers, and best practice pointers to share in the webinar.
Some Key Statistics
A Thomson Reuters survey this year of compliance officers and general counsels about their expectations of cybersecurity threats yielded these results:
- 50% of firms expect more compliance and general counsel involvement in assessing cyber resilience;
- 73% said senior managers receive briefings on information security either quarterly or annually;
- 33% said they receive such information monthly.
Furthermore, 24% of data breach incidents are caused by human error, says a jointly authored report from the Ponemon Institute and IBM. The report measured the impact of reported breaches between July 2018 and April 2019 at 507 organizations in 16 countries.
Data Held for Ransom & Intellectual Property Theft
In the webinar, Carlin used examples to describe the myriad purposes behind a cyber-attack; at times, it’s as straightforward as a hacker wanting a payment in Bitcoin for the return of stolen information (and some companies feel compelled to pay, as there is no legal prohibition). In a case exemplifying another threat, one hacker stole U.S. government-held data on behalf of the Islamic State in what prosecutors called “an attempt to incite terrorist attacks.”
More worrisome, many organizations may not consider themselves subject to such risk.
Carlin also brought up the case of Sony Pictures, which in late 2014 canceled its plans to release a satirical movie that depicts the assassination of North Korea’s leader, Kim Jong Un, following threats from hackers of a violent attack against theaters. The United States called out North Korea for the attack, and Carlin, who advised the White House on the matter while at the Justice Department, noted three components of the cyber-breach to underscore his point about the multi-faceted risks that breaches pose to companies.
The North Koreans had deployed malware that made some of Sony’s systems inoperable, then stole some Sony movies and some emails that were embarrassing to top Sony executives. The hackers released the embarrassing communications, which Carlin called the most harmful part of the equation: The hackers simply used nontraditional media to get the information into the public sphere knowing the mainstream media — and social media — would amplify it.
Bad guys will get in, Carlin said. The challenge for firms is to make it harder for them to steal valuable resources once they do.
Best Practices for Cyber Resiliency
- Make sure there is a policy for every aspect of a cyber-breach incident. In a ransom-seeking attack, for example, making the demanded payment may not be completely off the table. The business needs to consider consequences, however, such as whether the business could be paying an entity under U.S. government sanctions.
- Different types of stolen data will justify varying responses and disclosure. This should be carefully considered before incidents arise.
- The incident response plan must suit the business and its risk profile and be consistently tested, Carlin said. Risks include regulatory risk, reputation risk, possible intellectual property loss, business disruption, loss of sales or customers, plus an almost inevitable rash of lawsuits from aggrieved parties.
- The business side and the information technology side of the business must come together to outline top threats, possibly by bringing in outside experts to aid with the assessment.
- It is essential to make an inventory of the business’s valuable information — the critical data that a bad actor could use against the business.
- Each department should outline its cybersecurity roles and the people responsible for carrying them out — from IT, legal, compliance, and the business units.
- The Chief Information Security Officer is an increasingly popular role at businesses, and it is required by businesses regulated by the New York Department of Financial Services. No matter who this person reports to in the company, it is imperative that the person has unrestricted access to the board of directors, Carlin said.
Employees, including top managers, must be mindful of communications between employees during and following the incident. Texted or emailed comments like, “I kept saying these systems were not well-protected!” can later be used by regulatory authorities, unless they are deemed privileged. Regulators will want to see that the business knows who has access to its systems, including third parties; how they were vetted, monitored and trained; and how the business has segmented its network so one breach does not create an enterprise-wide vulnerability.
Carlin recommends developing relationships with law enforcement authorities — local ones as well as the Federal Bureau of Investigation and the Secret Service. Such agencies often have programs to provide businesses with threat briefings, and they offer information that can be tailored to an individual business. Some state attorneys general are required by law to have their offices informed promptly of a cyber-breach.