In the last 12 months we have completed training for one of the largest U.S. national bar associations, including more than 100 board members and C-level executives from Fortune 500 corporations to small businesses. Exposure to these individuals, along with our collective experience as expert witnesses and advisers to legal professionals including litigators, federal judges and others, has made one thing abundantly clear: cybersecurity is now a top concern in the legal profession. This article attempts to address why cyber issues are relevant to general counsel and allows for some reasonable assessments about how to manage risk.
First and foremost, it’s important to understand the context of today’s rampant “cyber-insecurity.” Cyber concerns are symptomatic of a much larger dynamic—that the digital world is becoming more mature and consequently more integral to organizations of all sizes. Imagine the digital infrastructure as analogous to the country’s plumbing infrastructure, where water is used and then repurposed by way of purification and redistribution.
Now imagine there are little or no consistent standards for all of that plumbing (infrastructure), cleansing and transport of water (data). Lastly, consider that a multitude of parties is altering the pipes (digital infrastructure) and the methods for cleansing and transport of water (data protection) simultaneously every day. It should be clear why we are experiencing so many leaks (breaches)—large, small, expected, unexpected, and every other variant imaginable. The bottom line: this problem is not going away because every person, business and government is now in a race to exploit the latest technology to his or her respective benefit. This introduces high-velocity change at so many intersections that unintended consequences pour up and down the information supply chain—all with legal implications.
Rather than get lost in the myriad types of attack (botnets, denial of service, script, RAM scraping, advanced persistent threats) or the means of exploitation (phishing, social engineering, brute force, web, network, zero-day), it’s easiest to think of cyber compromises in this simple way: How did the compromise happen, and what is its impact?
How did the compromise happen?
There are fundamentally only two ways a compromise and/or breach happens:
- Device infection (the network, the device or the applications it runs are exploited); or
- People, primarily via social media attack (reputational) or phishing, when a person clicks on an infected attachment or link and his or her credentials are hijacked.
Every cybersecurity issue is a result of one or both of those two categories—devices and/or people. The details surrounding what happened often dictate who is held accountable.
What is the impact on the organization?
Impact falls into several categories, including:
- Personal impact, such as ransoms or identity theft (e.g. personal information or personally identifiable information is stolen).
- Compliance/regulation impact (e.g. health care information records or point of sale transactional information is stolen).
- Device impact, when networks, computers, mobile phones or other devices are damaged, hijacked or borrowed for criminal purposes.
- Financial impact, such as when bank accounts are depleted with accurate, but stolen, credentials. In more sophisticated attacks, this could involve insider trading or money laundering via the Bitcoin digital currency.
- Reputational/social impact, such as when social media is exploited to cause brand or personal reputational damage or for the purposes of blackmail or intimidation.
If your cybersecurity advisers are not explaining how the breach occurred or what the impact is based on the above categories, then you are likely the victim of intentional and unnecessary “black-box” complexity. And yes, there is a lot of that going on. The simple approach will allow you to frame and measure exposure, and to decide whether to transfer, tolerate, avoid, allocate or mitigate the associated cyberrisk. In an era of board- and C-level accountability, the consequences are too high to allow your information technology department to independently own and define this risk for your organization in isolation.
In this simplified context, what are the unforeseen surprises (gotchas) we see general counsel and their organizations falling victim to? Here is a summary:
- The blind are leading the blind. Increasingly we see consultants, law firms and general counsel with limited experience regarding cyberbreach litigation, remediation, negotiated settlements or advising organizations on enterprise cyberrisk. Moreover, there just isn’t enough case precedent for existing law to protect companies from cyberthreats. In cases related to cyber (breach/notification/reasonableness/fines/responsibility/privacy/failures), it’s the negotiation with an experienced cyber enterprise risk management expert that will provide the greatest protection.
- Response matters. When, how and if you respond to cyber compromises, notifications of compromises, breaches and the infection of others, does matter. Don’t get caught doing nothing. There are consequences.
- Evidence of your cyber failures is transparent. Gone are the days when evidence could be obfuscated or a culture of laissez-faire was acceptable, even for smaller companies. The reason? The evidence trails surrounding your infected devices, how long they’ve been infected and who in your organization is compromised are easy to track. This evidence exists not only on the dark web but is also becoming more accessible as public information for those with refined cyberskills. Furthermore, savvy shareholders, consumers, partners and other interested parties (e.g. law enforcement) can access this evidence without touching your network, as it is part of the public domain, albeit difficult to uncover. (By the way, it is our belief that this is the single biggest factor impacting corporate valuation that no one is talking about.)
- Knowledge about accountability is limited. There appears to be a general lack of awareness that the private sector (including non-public companies) has been fined by the Federal Trade Commission repeatedly for “inadequate cybersecurity” and that there are expectations being enforced by the FTC and other regulatory organizations (e.g. FCC, SEC), as well as shareholders and third-party partners that go beyond existing compliance standards. Knowing how to enact simple policies that provide organizational guidance against risk is fundamental to your organization’s protection.
- Not sharing threat intelligence can be expensive. The Cybersecurity Act of 2015 is now law and provides a unique opportunity for private-sector companies to be released from certain liabilities if they are sharing information about cyber compromises that concern privacy information. Take advantage of this opportunity.
Many senior executives still subscribe to the “just drive it until it breaks” philosophy. When it comes to cybersecurity, digital assets, protecting reputation and ultimately valuation, this is a dangerous business principle. As Mark Twain says so well, “It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” Take the time to talk to an experienced professional in cyber enterprise risk management; just 30 minutes can save you millions of dollars, and your reputation.
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. He is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in cyber enterprise risk management and governance.
Richard Schroth, Ph.D., is managing director for The Newport Board Group’s global cyberpractice. He actively leads world-class teams of cyberprofessionals and board-level advisers seeking to minimize cyberrisk with public boards and private equity firms. Additionally, Schroth is a senior adviser to the CEO of ACG for cybersecurity and serves as the executive director of American University’s Kogod School of Business Cyber Governance Center in Washington, D.C.