How GCs And Boards Can Brace For The Cybersecurity Storm - Law360

Transcription

1 Page 1 of 6 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY Phone: Fax: customerservice@law360.com How GCs And Boards Can Brace For The Cybersecurity Storm Law360, New York (March 17, 2015, 4:59 PM ET) -- America is awakening to a new era of cyber-risk and the need for hard cybersecurity. Cyberthreats pose significant risks to a company s reputation and competitive position, while creating substantial legal exposure. Therefore, cybersecurity should be a priority for companies of all sizes. Comprehensive cyberoversight from the board level down is essential to protect Corporate America s key asset intellectual property. Storm Warning In 2012, former Defense Secretary Leon Panetta warned of an advancing cyber-pearl Harbor. The president recently issued an executive order instructing U.S. businesses to heighten their degree of vigilance to safeguard against cyberattacks. And for good reason: Scott D. Marrs Those who manage Corporate America s critical control systems big and small know their organizations are unprepared for a sophisticated cyberattack. Lightning Strike The cyber-risk disconnect is troubling given the prominent cyberstrikes that have already occurred in various industry sectors. For example, in 2008, a Turkish oil pipeline caught fire after the security camera system s vulnerable software was purportedly used to enter the pipeline s control network and increase the pressure without setting off alarms. In 2011, hackers stole login credentials, industrial drawings and contracts from at least 10 oil and gas companies in Norway. In 2012, Saudi Aramco was attacked by a virus affecting thousands of its critical overseas facilities. In 2014, 300 energy companies were targeted by hackers in the largest ever coordinated cyber-attack in Norway. Recently, the highly publicized Sony Pictures Entertainment cyberattack involved substantial intellectual property, private s, and other sensitive and proprietary material allegedly stolen by North Korea s cyber warfare unit dubbed Bureau 121. In 2014 alone, numerous commercial and governmental entities have suffered significant cyberattacks on their systems including JP Morgan Chase, the U.S. Postal Service, Yahoo and the White House to name but a few. Forewarned is Forearmed

2 Page 2 of 6 Corporate America s boardroom is paying attention. The NACD Public Company Governance Survey reveals increasing dissatisfaction by board members regarding answers to their cyber-risk inquiries. Eighty-seven percent of respondents reported that their board s understanding of IT and cyber-risks needed improvement. This is not surprising. The average age of S&P 500 board members is 63 years old. Most were not introduced to the Internet until they were in their 40s. Unlike the generations that followed, they were not born with a keyboard in one hand and a smart phone in the other. It is evident that a board or management team that does not understand cybersecurity cannot effectively oversee the company s cybersecurity activities. This mitigates in favor of adding IT / cybersecurity and cyber legal expertise on the board or making such expertise available (via internal or external IT consultant presentations, independent advisers, cyber lawyers, and industry associations). High Connectivity, High Risk Corporate America s infrastructures are increasingly reliant upon remote management, operation and monitoring with interconnection via the Internet exponentially increasing vulnerability to attack. While the use of other connected services and devices make business more efficient, they further exacerbate the risk. The use of employee-owned devices and programs, 24/7 (and international) access to company systems, and the merging different corporate systems also magnify exposure. Cybercriminals are becoming more disruptive. Their motives are many. They are very focused on our cyber-vulnerabilities. We are not. In the not too distant future a precipitating event will put cybersecurity on your company s radar. Corporate America must engage in developing various levels of preventative and responsive plans to match the ever increasing sophistication of cyberattacks. Know Thy Enemy A 2012 Verizon Data Breach Investigations Report indicates from which direction most attacks occur: 98 percent stem from external agents 58 percent of all data theft is tied to activist groups 4 percent implicate internal employees 1 percent or less involves business partners The methods used are known as well: 81 percent of such breaches utilize hacking 69 percent utilize malware 10 percent involve physical attacks 7 percent employ social tactics 5 percent involve privilege misuse Verizon s report also reveals how avoidable most attacks are: 97 percent of the breaches were avoidable though simple controls 96 percent of attacks were not sophisticated 94 percent of all data compromised came from servers (although user devices are trending upward) 92 percent of attacks were discovered by a third party

3 Page 3 of 6 85 percent of breaches took weeks or months to discover (compared to only hours for the culprits to accomplish) 79 percent of victims were targets of opportunity These mostly avoidable attacks are costly. In 2012, a Ponemon Institute study indicated that the average cost of a data breach was $8.9 million, the most costly was $46 million, and the least costly was $1.4 million. Although the risks are known and can be mitigated, meaningful assessment and preventative measures have been slow in coming for most companies. The study also shows that only 17 percent of the 599 security executives at utility, oil, gas, energy and manufacturing companies surveyed had deployed the major IT initiatives needed to effectively fend off cyberattacks. Only 28 percent responded that cybersecurity was within their company s top five strategic priorities. There is a big disconnect between the C-suite and those actually conducting cybersecurity. The bad guys are getting more proficient, while we are just starting to wake up. It s time to get procyberactive. On the Radar There is an increased awareness and collaboration among the U.S. government, universities, industry and end users to advance research and development in cybersecurity. Their work in this area has provided Corporate America with the guidelines to develop cybersecurity protocols and programs. For example, Executive Order (Improving Critical Infrastructure Cybersecurity) issued in February 2013 directed the National Institute of Standards and Technology to work with industry to develop a voluntary framework to reduce cyber-risks to critical infrastructure. NIST released the first version of this framework in February It contains standards, guidelines and practices to protect critical infrastructure. The U.S. Department of Homeland Security has also issued helpful publications, together with suggested implementations of cybersecurity best practices for various industry sectors. The National Association of Corporate Directors has also developed a wealth of knowledge on cyber-education and best practices. The NACD, in association with AIG and the Internet Security Alliance, has identified five steps to enhance corporate oversight of cyber-risks, which include acknowledging cybersecurity as an enterprise-wide risk management issue, understanding the legal implications, adding cybersecurity discussions to board agendas and setting the expectation that a framework will be put in place to manage cyberattacks. Get Grounded There are a number of ways Corporate America can ensure that management is taking preventative steps to protect the company from a cyberattack: Build a Culture of Security Cybersecurity best practices should be developed and extensive training, education, and communication should be implemented. Boards and management should examine and map out their cyber DNA, data highways, vulnerabilities, and the larger ecosystems they are connected with. Measure, Monitor and Assess Cyber-Risks Tools should be developed to assess security postures in a way that accelerates the ability to mitigate potential risks at every level. General counsel, company management and the board should consider the following questions:

4 Page 4 of 6 1. Who is in charge of cybersecurity within the company? 2. Is there a system of checks and balances by having cyber and IT duties divided between relevant positions within the company? 3. What role does board oversight of cyber security issues play within the company and who takes the lead for information security? 4. Is IT/cybersecurity a function of the entire board or of the audit committee? 5. Has the company mapped our network against security functions and protections and identified the likely external and internal threats to the company? 6. For our industry, which threats are most common? 7. What incident patterns are we seeing that enable us to map out control recommendations? 8. Is the company adequately monitoring cybersecurity legislation and regulation? 9. Is our IT manager adequately and regularly assessing systems for vulnerabilities and intrusions and staying attuned to the latest cyber incidents in our industry to immediately react when necessary to prevent a disruptive event? 10. Has the company performed a penetration test or other external test or assessment of our cyber ecosystem(s)? If so, what were the results? 11. What physical and cyber security protocol and procedures are in place? Are they in writing? 12. Does the company allow its employees to use their own devices, download programs from the Internet, access or use cloud services, or access private or social networks from company computers? If so, what policies and safeguards are in place to compensate for the increased risk? 13. Have security vulnerabilities at single-point assets (stores, refineries, storage terminals and other buildings, as well as the networked features of other facilities and cyber systems) been evaluated? 14. How are other potential vulnerabilities, such as employee smart phone (and other device) access to company systems, remote desktops and the like, being assessed? 15. What is the company s incident response plan and how is it communicated internally? 16. Does the company have a systematic framework to assess and implement adequate cyber hygiene? See example 1 and example In what situations will law enforcement or other governmental entities be advised of a breach?

5 Page 5 of What is the reporting threshold and route of reporting when an incident or breach occurs? 19. What is the company s budget for its cybersecurity and protection plans? 20. What insurance coverage is currently in place for cyber-risks and data breaches? 21. What IT, legal and public relations professionals do we have on speed dial in the event of a breach / cyber event? 22. If our systems crash because of a breach or attack, how do we implement the incident plans and protocols and otherwise communicate internally and externally? 23. How will the company conduct an exercise of its cyber preparedness plan to assess its effectiveness before a real event occurs? 24. What constitutes a material cyber event and when/how will it be disclosed to others (such as investors)? Develop New Protective Measures to Reduce Risk System vulnerabilities can be revealed through rigorous research, development, and testing, while mitigation options should be identified to harden control systems. Detect Intrusion and Implement Cyber-Response Strategies Cyber intrusion detection, remediation, recovery and restoration capabilities should be enhanced. Companies should identify the nature of the breach and the source of the security lapse, identify the type of data implicated, convene incident response team members, put insurance carriers on notice, and immediately engage counsel experienced in data security issues. Maintain an Ongoing Program for Security Improvements Active partnerships should be developed, with critical security information sharing, to collectively build on experiences and improve cybersecurity. Educate General Counsel and Company Directors About the Legal Implications of Cyber-Risks Individual, class and shareholder derivative lawsuits have been filed against some companies and their boards alleging breach of fiduciary duties by failing to ensure that company data and customer information were adequately safeguarded. This risk also makes it important to document the board s consideration of cybersecurity issues. There are approximately 20 industry-specific data security laws, and hundreds of similar state laws. The SEC requires that certain information regarding cybersecurity risks and incidents be disclosed. Currently, 46 states require that individuals be notified of a security breach involving their name plus a sensitive data element such as a social security or credit card number, or other government ID number. Federal laws also require notification of data breaches for information from financial institutions, health care information, and breaches of government agency information.

6 Page 6 of 6 Conclusion When it comes to cybersecurity, a little education goes a long way. Intellectual property constitutes the crown jewels of your company. Most IP is now digital and accessible via the Internet. The likelihood of falling prey to a cyberattack exponentially increases each year. As stewards of the company s crown jewels, general counsel and the board must be educated about cyberthreats and how to best guide management to secure the company from such threats. By Scott D. Marrs and Martin D. Beirne, Beirne Maynard & Parsons LLP Scott Marrs is an attorney, arbitrator and partner at Beirne Maynard & Parsons in Houston who has trial and arbitration experience in domestic and international matters. He is a board member of the General Counsel Forum (Houston), an advisory board member of the Institute for Energy Law (IEL), and a member of the National Association of Corporate Directors and the Association of International Petroleum Negotiators. Martin Beirne is a founding partner of Beirne Maynard & Parsons. He has trial experience in complex business litigation, energy, intellectual property, market representation/ franchise and antitrust. He also provides advice and representation to corporations, corporate officials and other individuals in investigations initiated by various government authorities, as well as internal investigations. on behalf of corporations. Corporate Legal Times has named Mr. Beirne a Top Drawer Litigator on its list of Go To lawyers in the U.S. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. All Content , Portfolio Media, Inc.