Cybersecurity has become a top-tier risk for U.S. and multinational organizations. It is only a matter of time before a determined hacker will penetrate your organization’s system and successfully exfiltrate some data. (Indeed, this has most likely already happened, even if you are told it has not.) As Cisco CEO John Chambers recently predicted, the volume of cyberattacks, and ultimately, the number of successful penetrations, is likely to increase exponentially.
Attackers innovate rapidly at little expense, harnessing sophisticated cyberweapons, sharing techniques and “renting access” to corporate networks to less sophisticated cybercriminals. Hackers typically operate beyond the reach of developed world law enforcement and are almost never apprehended.
Cyberdefense, in contrast, is expensive and difficult to execute. Organizations not only have to deal with constantly evolving attack techniques but also need to defend an ever expanding landscape. Bring Your Own Device programs and remote employee access can provide hackers with many more potential attack vectors. The growth of Internet of Things devices operated remotely provides a further field of potential targets, as the FTC has warned repeatedly. Outsourcing of services and lengthening corporate supply chains create more opportunities for hackers to penetrate systems through vendor connections to corporate networks or backdoors built into components.
The stakes are high. Even where hacks pose little risk of actual harm to consumers, they can result in reputational harm, damage to good will, theft of trade secrets, class action lawsuits, regulatory investigations and forensic, legal and PR expenses. Attacks on critical infrastructure could be more serious – resulting in actual physical harm to individuals, disruption of markets or destruction of property.
Effective cyberdefense has evolved into a sophisticated risk-management task different from traditional compliance, pushing organizations to keep up with a rapidly changing threat landscape, rather than a checklist of regulatory requirements. (In fact, as the repeated hacks of PCI DSS-compliant merchants showed very clearly, hackers innovate around security compliance checklists.) Cyberdefense requires organizations to conduct clear-eyed and specific risk management decision making, to establish a robust governance program and to reach outside their own teams, exchanging information about new threats with peer organizations, consulting with experts and commissioning security reviews (which should be protected by attorney-client privilege). It is critical to establish a cross-departmental cyberdefense team headed by a senior manager that can enlist all employees in the mission of cyberdefense and can secure adequate budget.
AS YOU REVIEW YOUR COMPANY’S PROGRAM, HERE ARE QUESTIONS TO ASK YOURSELF AND YOUR TEAM:
1. Do you have a strong governance program in place?The NACD Cyber-Risk Oversight Handbook,which DLA Piper lawyers helped to draft, provides a helpful roadmap for demystifying cybersecurity and establishing a structure so that directors can meet their duty of care with regard to cybersecurity.
2. Do you have an incident response plan in place, and have you tested it?Incident response planning and testing is part of the NIST Cybersecurity Framework. Moreover, studies by the Ponemon Institute have shown that implementing an incident response plan for cyberincidents and conducting tabletop exercises to gauge how your organization acts on that plan are key countermeasures to reduce the costs flowing from a data breach. A sample incident response plan is available here.
3. Are you conducting periodic cybersecurity risk reviews?Cybersecurity risk is sufficiently serious that companies often need to conduct outside assessments to meet duties of care and to pass third-party cybersecurity audits required by customers. Note that unprivileged cybersecurity reviews conducted by accounting firms or security consultants can be used against the organization in plaintiff’s class actions or regulator enforcement actions.
4. Are you managing your supply chain risk?Addressing vendor and supply chain risk is an important part of cyber-risk management. One part of this effort involves managing vendor agreements to require, among other things, providing notice of suspected (not just actual) breaches, requiring third-party security audits and obtaining adequate indemnification. A related test for purchasers and suppliers is tracking agreements that need updating when open for renewal and mapping notification obligations in the event of a breach. It can also be important to obtain third-party security audits further down the supply chain of component suppliers.
5. How do you respond to a breach?When a breach occurs, it is critical to respond efficiently and strategically, conduct a thorough investigation and, wherever possible, provide notice at one time that is sufficiently specific to meet regulatory requirements and provide credit monitoring or other protection to customers where warranted. In the case of a payment card breach, it is important to upload affected card numbers through a merchant’s payment card processor so that the numbers are flagged for fraud monitoring to avoid potential card fraud.
6. Does your insurance adequately cover data breach risk?Insurance is a key part of risk management and can offer significant protection for monetary costs incurred from data breaches. Finding the right coverage for your organization’s risk posture is important.
7. Are you addressing cybersecurity risk in M&A transactions?Over the past decade, M&A transactions have resulted in some costly security liabilities. Cybersecurity risk has grown so important that it merits particular attention in the due diligence process. Furthermore, cybersecurity risk must be addressed during post-merger integration. Legacy systems are often vulnerable to attack and it is important, where possible, to implement post-merger security solutions reflecting best practices.
8. Keeping up with rapidly changing regulatory requirements.Cybersecurity and data
security are topics of great concern to policymakers. Requirements are changing rapidly around the world and enforcement is increasing. While compliance with regulatory requirements is no guarantee against a security incident, suffering a reportable security incident when out of compliance can significantly increase risk, penalties and adverse publicity. DLA Piper’s subsidiary, Blue Edge Lab, has teamed with the Internet Security Alliance to create an online cybersecurity tool that provides concise summaries of cybersecurity-related requirements in 23 key markets around the world, and assessments of enforcement risk and of the degree of activity in each country triggering enforcement risk. To find out more, visit www.BlueEdgeLab.com.