By Kim Peretti and Jason Wool, Alston & Bird LLP, and Kiersten Todt and Roger Cressey, Liberty Group Ventures, LLC
It is often said that a cyber-attack is a matter of “when,” not “if,” for companies ranging from Fortune 500 powerhouses to mom-and-pop establishments. While this statement provides a dose of dark reality, it offers no practical guidance. Anyone on the receiving end of this advice may be wondering how to take effective action in light of the inevitability of network intrusions, data breaches, data theft and the emerging threat of data manipulation. Does this mean that companies should simply accept that the risk exists? More importantly, does it mean that executives and boards of directors should ignore cyber-security to avoid legal liability after an attack?
Of course, the answer to these questions is a resounding “no.” Instead, the fact that network intrusions may be nearly impossible to avoid means that organizations must develop cyber-risk management strategies that are agile and can adapt to evolving threats. Cyber-attacks are a risk that must be managed like any other enterprise risk. Companies must determine their cyber-risk appetite, the resources that they are willing to dedicate towards reducing that risk, whether to transfer a portion of the risk, and even whether to accept some of it. These decisions must be part of a cycle that is repeated with regularity.
Faced with potentially large liability from cyber-attacks, companies are advised to take proactive steps to ensure they are prepared to respond effectively to mitigate the impact of a cyber-attack.
The time to invest in cyber-security is before an attack. If cyber-attacks are inevitable, then resiliency is imperative. One of the primary measures of determining the effectiveness of a company’s security practices is the ability of that company to contain and minimize the damage from an event and resume normal operations as quickly as possible or, preferably, maintain continuity of operations in the wake of a breach.
Here are five risk-management steps your company can take now to better manage cyber-risk and reduce its liability exposure after a breach occurs.
Change corporate culture and shift company mindset.
Similar to the cultural shifts that occurred around workplace safety and seatbelts, an evolution in corporate culture is necessary to incorporate cyber-security into every level of the enterprise. This shift includes identifying, with input from the highest levels of the company, critical assets, such as intellectual property, and sensitive data, such as personal information, and ensuring that corporate cyber-security policies prioritize the protection of those assets and data. But cyber risk management cannot be top-down only; it must simultaneously be bottom-up, meaning that IT security operations personnel actively participate in program design and management to ensure that practices and policies are aligned.
A change in corporate culture requires a substantial commitment to conducting regular educational outreach, including meaningful awareness campaigns and useful training for employees and senior executives. Such initiatives could include:
* Educating senior executives and board members on cyber-security and its associated risks, some of which are equal to, if not greater than, many of the traditional risks that a board oversees. Educational opportunities might include briefings by subject matter experts on evolving cyber-threats and their relevance to the enterprise;
* Conducting annual (or more frequent) cyber-training for employees, focusing on applicable corporate policies and procedures, as well as on relevant cyber-threats and vulnerabilities;
* Conducting corporatewide cyber-awareness campaigns to address common malicious actions (e.g., targeted social engineering, phishing, watering hole attacks);
* Ensuring cyber-security education is a component of on-boarding/new employee training; and,
* Conducting corporatewide tabletop exercises that incorporate cyber-attack scenarios into the exercise design.
Connect the IT/Information Security and Legal departments within the company.
Similar to senior executives and the board, general counsels and other legal personnel must understand their responsibility for cyber risk management and their role in cyber-security preparedness and incident response. Likewise, IT and security practitioners must be aware of the legal issues and other risks associated with network security and corporate data. Central to this two-way connection is both groups meeting half-way on knowledge and communication: counsel must develop a general familiarity with IT and security issues, and IT and security practitioners must learn to communicate without overuse of technical jargon. It is also essential that counsel explain, and that non-legal personnel understand and embrace, the general framework for attorney-client privilege and work-product protection in the context of internal investigations. Regular and easy communication between these groups is critical. Counsel must be especially clear with security practitioners that their primary goal is to protect the company from harm, not to interfere with security decision-making. Security personnel must also recognize that their jobs have a direct impact on the business’s core missions.
Companies can also engage outside counsel and security consultants to provide information on the legal and policy landscape, an overview of current threats, and an assessment of whether the organization’s practices are in line with regulator expectations and reasonable security practices. As with many services provided by counsel, companies may be able to cloak legal assessments in the attorney-client privilege, which should incentivize them to engage in these types of investigations.
Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The NIST Cybersecurity Framework is now being used by large and small companies in multiple industry sectors. It can be used to create a common language within an enterprise and among partners and vendors for its cyber risk management activities. It can also be used to identify how the company currently manages cyber-risk, whether there are any gaps in its current program, and how it would like to improve its risk management policies. Companies can also use the framework as a cyber-risk dashboard tool to facilitate cyber risk management and oversight by senior executives and board members, respectively.
Ensure cyber-security is a priority in the company’s negotiations with vendors and partners.
Supply chain risk management has emerged as an essential cyber risk management practice, as contracting and procurement can create significant security vulnerabilities if not appropriately overseen. Companies must understand that high-profile breaches can and have occurred because of supply chain and vendor vulnerabilities, including stolen vendor credentials, third-party remote access to corporate systems and backdoors in purchased solutions, which provide attackers with direct access to corporate networks. Companies must therefore be sure to conduct thorough vendor due diligence and include counsel and security personnel in negotiations, as necessary.
Plan for the inevitable.
Although cyber-attacks may be inevitable, companies have a choice regarding how resilient they are in response to them. Companies must have incident response plans in place that cover the technical and business sides of responding to a security incident. Beyond merely having a plan in place, they must also embrace the mantra of “test, test, test.” By regularly performing tabletop exercises and simulations, especially after game changers in the cyber threat landscape, companies ensure their plans are agile, flexible and suited to respond to the current threat landscape as effectively as possible.
Such tabletops and simulations should test both the technical and business sides of the response (though not necessarily in the same exercise), and should involve senior management and their specific roles in incident response. Companies should also integrate their existing crisis management processes and business continuity plans into their breach response planning efforts, because significant security incidents are crisis events.
Finally, companies should be sure to improve upon their plans following exercises and report findings to senior management and the board. Part of the job of senior management and the board is to understand how prepared the company is for a data breach or significant cyber-event. As a result, a reporting structure for this information should be developed or incorporated into an existing one.
Conclusion
All of these steps share one essential characteristic: they are about people and policies, not technology. Technology is undoubtedly an essential component of any information security program, but it is not sufficient in and of itself. Companies need to educate their employees and develop policies that those employees implement. Technology can support the implementation of those policies, but it is not the solution on its own. As cyber-security breaches become more common, preparatory and response activities, as designed in corporate policies and conducted by employees and other personnel, may be what make a company’s practices reasonable. In addition, although cyber-attacks may be inevitable, there are concrete steps companies can take to reduce the opportunities for severe disruption. Even the most sophisticated attacks often begin with an employee clicking on a link, opening an attachment, or using a weak password. Focusing on people and policies is an essential means of reducing cyber-risk and ensuring corporate resiliency, even in the face of the inevitable.