Navigating the Digital Age: the Definitive Cybersecurity Guide For

Home , Palo Alto Networks, Scroogled, Snowden effect, The Audience (2013 play)

THE DIGITAL AGE

THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS NAVIGATING THE DIGITAL AGE: The Defi nitive Cybersecurity Guide for Directors and Offi cers

Published by

Navigating the Digital Age: The Deﬁ nitive Cybersecurity Guide for Directors and Ofﬁ cers

Publisher: Tim Dempsey

Editor: Matt Rosenquist

Design and Composition: Graphic World, Inc.

Printing and Binding: Transcontinental Printing

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers is published by: Caxton Business & Legal, Inc. 27 North Wacker Drive, Suite 601 Chicago, IL 60606 Phone: +1 312 361 0821 Email: [email protected]

First published: 2015 ISBN: 978-0-9964982-0-3

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers © October 2015

Cover illustration by Tim Heraldo

DISCLAIMER

Navigating the Digital Age: The Defi nitive Cybersecurity Guide for Directors and Offi cers (the Guide) contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (October 2015). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide.

This guide is written as a general guide only. It should not be relied upon as a substitute for specifi c professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.

SecurityRoundtable.org Introduction New York Stock Exchange – Tom Farley, President

No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk. With the ability to shatter a company’s reputation with their customers and draw criticism from shareholders, lawsuits from affected parties, and attention from the media, the threat of cyber risk is ubiquitous and insidious. No company, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization. The New York Stock Exchange has long advocated that exemplary governance and risk oversight is fundamental to the health of individual companies, as well as to the sound operation of our capital markets. In other words, we too take the threat very seriously. Today, managing cybersecurity risk has expanded far beyond the realm of IT; it has become a business continuity necessity to ensure shareholder value remains intact and that privacy and corporate intellectual property is protected. Accordingly, those responsibilities are weighing heavily on corporate executives and directors, making it vital for them to better understand and prepare for the evolving cybersecurity landscape. Cyber risk ultimately poses a threat to confi dence, a foundational aspect of U.S. corporate issuers and markets. We are taking a leadership role on many fronts, such as reducing market fragmentation and complexity, as well as increasing effi ciency through the highest levels of intelligence, analytics, and technology. Confi dence in the integrity and security of our assets is concurrent with our success—as it is for every other company operating in the public markets today. Moreover, because the public markets have become increasingly reliant on interdependent technology systems, the threat looms even larger. As we witnessed during the 2008 fi nancial crisis, rarely does any failure happen in a vacuum; therefore, the threat of systemic disruption has taken on an even higher level of prominence and concern among regulators and policymakers worldwide. It is important that companies remain vigilant, taking steps to proactively and intelligently address cybersecurity

iii ■ INTRODUCTION

risk within their organizations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness, and insight on human behavior. Confi dence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them. With insights from the preeminent authorities on cybersecurity today, this groundbreaking, practical guide to cybersecurity has been developed to refl ect a body of knowledge that is unsurpassed on this topic. At the heart of effective risk management must be a thorough understanding of the risks as well as pragmatic solutions. Thank you for your continued partnership with the New York Stock Exchange, and we look forward to continuing to support your requirements in this dynamic landscape.

■ iv Foreword Visa Inc. – Charles W. Scharf, CEO

For years, cybersecurity was an issue that consumers, executive management, and boards of directors took for granted. They were able to do so because the technologists did not. The technologists worked every day to protect their systems from attack, and they were quite effective for many years. We sit here today in a very different position. The threats are bigger than ever before and growing in frequency and severity every day. Cybersecurity is now something everyone needs to think about, whether it’s in your personal or professional life. What worked in the past is not enough to protect us in the present and future. So what has changed? First of all, the technology platforms of today are bigger targets than ever given the breadth and criticality of items they control. Second, the amount and value of the data that we all produce and store has grown exponentially. The data is a gold mine for criminals. Third, the interconnectedness of the world just makes it easier for more people—regardless of geography—to be able to steal or disrupt. And fourth, the perpetrators are more sophisticated, better organized, better funded, and harder to bring to justice than ever before. So the problem is different, and what we all do about it is different. This is not simply an IT issue. It is a business problem of the highest level. Protecting our data and our systems is core to business today. And that means that having an outstanding cybersecurity program also can’t detract from our objectives around innovation, speed, and performance. Security has been a top priority at Visa for decades. It is foundational to delivering our brand promise. To be the best way to pay and be paid, we must be the most secure way to pay and be paid. We cannot ask people to use our products unless they believe that we are just that. Thus we must guard carefully both the security of our own network and company and the security of the broader payments ecosystem.

v ■ FOREWORD

There are several elements that we have accounts had been compromised—a pivotal found to be critical to ensuring an effective moment for our industry. security program at Visa. The losses experienced by our clients, combined with the impact on consumer con- Be open and honest about the effectiveness fi dence, galvanized our industry to take of your security program and regularly actions that, we believe, will have a mean- share an honest assessment of your security ingful and lasting effect on how the world posture with the executive team and board. manages sensitive consumer data—not just payments. We use a data-driven approach that scores We are taking action as an ecosystem, to our program across fi ve categories: risk collaborate and share information across intelligence, malware prevention, vulner- industries and with law enforcement and ability management, identity and access governments and to develop new technolo- management, and detection and response. gies that will allow us to prevent attacks and Scores move up and down not only as our respond to threats in the future. defenses improve or new vulnerabilities are discovered but also as threats change. Protect payments at physical retailers. The capabilities of the adversaries are Fraudsters have targeted the point-of- growing, and you need a dynamic sale environment at leading U.S. retailers, approach to measurement. capturing consumer account information and forcing the reissuance of millions Invest in security before investing of payment cards. As an industry we elsewhere. A well-controlled environment are rapidly introducing EMV (Europay, gives you the license to do other things. MasterCard, and Visa) chip payment Great and innovative products and technology in the United States. Chip- services will only help you win if you enabled payment cards and terminals have a well-protected business. work in concert to generate dynamic Don’t leave the details to others. Active, data with each transaction, rendering the hands-on engagement by the executive transaction data useless to fraudsters. team and the board is required. The risk Protect online payments. Consumer is existential. Nothing is more important. purchases online and with mobile devices Your involvement will produce better are growing at a signifi cant rate. In order results as well as make sure the whole to prevent cyberattacks and fraudulent organization understands just how use of consumer accounts online, Visa and important the issue is. the global payments industry adopted Never think you’ve done enough. The a new payment standard for online bad guys are smart and getting smarter. payments. The new standard replaces the They aren’t resting, and they have more 16-digit account number with a digital resources than ever. Assume they will token that is used to process online attack. payments without exposing consumer account information. Defending against cyberthreats is not some- Collaborate and share information. thing that we can solve for our company in a Sharing threat intelligence is a necessity vacuum. At Visa, we must protect not only rather than a “nice to have,” allowing our own network but the whole payments merchants, fi nancial institutions, and ecosystem. This came to life for us in late payment networks like Visa to rapidly 2013 when some of the largest U.S. retailers detect and respond to cyberattacks. and fi nancial institutions in the U.S. reported Public and private partnerships are data breaches. Tens of millions of consumer also critical to creating the most robust

■ vi FOREWORD

community of threat intelligence, so we also work closely with law enforcement and governments. At the heart of Visa’s security strategy is the concept of “cyber fusion,” which is centered on the principle of shared intelligence—a framework to collect, analyze, and leverage cyberthreat intelligence, internally and externally, to build a better defense for the whole ecosystem.

Championing security is one of Visa’s six strategic goals. This is an area where there are no grades—it is pass or fail, and pass is the only option. Cybersecurity needs to be part of the fabric of every company and every industry, integrated into every business process and every employee action. And it begins and ends at the top. It is job number one.

vii ■ TABLE OF CONTENTS

TABLE OF CONTENTS

iii INTRODUCTION New York Stock Exchange — Tom Farley, President

v FOREWORD Visa Inc. — Charles W. Scharf, CEO

Introductions — The cyberthreat in the digital age

3 1. PREVENTION: CAN IT BE DONE? Palo Alto Networks Inc. — Mark McLaughlin, CEO

9 2. THE THREE Ts OF THE CYBER ECONOMY The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security and Jim Pfl aging, Principal

17 3. CYBER GOVERNANCE BEST PRACTICES Georgia Institute of Technology, Institute for Information Security & Privacy — Jody R. Westby, Esq., Adjunct Professor

27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS Institutional Shareholder Services Inc. — Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research

33 5. TOWARD CYBER RISKS MEASUREMENT World Economic Forum — Elena Kvochko, co-author of Towards the Quantifi cation of Cyber Threats report and Danil Kerimi, Director, Center for Global Industries

37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT Internet Security Alliance — Larry Clinton, CEO

43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH Former CIO of The United States Department of Energy — Robert F. Brese

I. Cyber risk and the board of directors

51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner

■ viii TABLE OF CONTENTS

57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES AND DISCLOSURES Fish & Richardson P.C. — Gus P. Coldebella, Principal and Caroline K. Simons, Associate

65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS Internet Security Alliance and National Association of Corporate Directors — Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD

71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director

79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONS Dell SecureWorks — Mike Cote, CEO

II. Cyber risk corporate structure

87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT QUESTIONS Palo Alto Networks Inc. — Davis Hake, Director of Cybersecurity Strategy

91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM Coalfi re — Larry Jones, CEO and Rick Dakin, CEO (2001-2015)

III. Cybersecurity legal and regulatory considerations

101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA Booz Allen Hamilton — Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate, Agatha O'Malley, Senior Associate, Jaqueline Cooney, Lead Associate and Waiching Wong, Associate

107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC — Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director

ix ■ TABLE OF CONTENTS

115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERS Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate

121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE K&L Gates LLP — Roberta D. Anderson, Partner

129 19. CONSUMER PROTECTION: WHAT IS IT? Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa Ventrone, Partner and Lindsay Nickle, Partner

137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE Fish & Richardson P.C. — Gus P. Coldebella, Principal

143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS Latham & Watkins LLP — Jennifer Archie, Partner

151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD Kaye Scholer LLP — Adam Golodner, Partner

157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT Pillsbury Winthrop Shaw Pittman LLP — Brian Finch, Partner

163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEES Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

IV: Comprehensive approach to cybersecurity

171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENT Booz Allen Hamilton — Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate

177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES Booz Allen Hamilton — Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; and Christian Paredes, Associate

■ x TABLE OF CONTENTS

V. Design best practices

187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY RISK MANAGEMENT Intercontinental Exchange & New York Stock Exchange — Jerry Perullo, CISO

193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION Palo Alto Networks Inc.

VI. Cybersecurity beyond your network

207 29. SUPPLY CHAIN AS AN ATTACK CHAIN Booz Allen Hamilton — Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate

213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING Covington & Burling LLP — David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate

219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER Delta Risk LLC — Thomas Fuhrman, President

229 32. THE INTERNET OF THINGS The Chertoff Group — Mark Weatherford, Principal

VII. Incident response

237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS U.S. Department of Justice — CCIPS Cybersecurity Unit

243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSE Booz Allen Hamilton — Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate

249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist

255 36. FORENSIC REMEDIATION Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services

xi ■ TABLE OF CONTENTS

261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATION Rackspace Inc. — Brian Kelly, Chief Security Offi cer

267 38. CYBER INCIDENT RESPONSE BakerHostetler — Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate

275 39. COMMUNICATING AFTER A CYBER INCIDENT Sard Verbinnen & Co — Scott Lindlaw, Principal

VIII. Cyber risk management investment decisions

283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE Axio Global, LLC — Scott Kannry, CEO and David White, Chief Knowledge Offi cer

289 41. INVESTMENT IN CYBER INSURANCE Lockton Companies Inc. — Ben Beeson, Senior Vice President, Cybersecurity Practice

IX. Cyber risk and workforce development

297 42. CYBER EDUCATION: A JOB NEVER FINISHED NYSE Governance Services — Adam Sodowick, President

301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES Wells Fargo & Company — Rich Baich, CISO

307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate

313 45. BUILDING A CYBER-SAVVY BOARD Korn Ferry — Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner

319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE Egon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick

325 CONTRIBUTOR PROFILES

■ xii Introductions — The cyberthreat in the digital age

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Prevention: Can it be done? Palo Alto Networks Inc. – Mark McLaughlin, CEO

Frequent headlines announcing the latest cyber breach of a major company, government agency, or organization are the norm today, begging the questions of why and will it ever end? The reason cybersecurity is ingrained in news cycles, and receives extraordinary investments and focus from businesses and governments around the world, is the growing realization that these breaches are putting our very digital lifestyle at risk. This is not hyperbole. More and more, we live in the digital age, in which things that used to be real and tangible are now machine-generated or only exist as bits and bytes. Consider your bank account and total absence of tangible money or legal tender that underlies it; you trust that the assets exist because you can “see” them when you log in to your account on the fi nancial institution’s website. Or the expectation you have that light, water, electricity, and other utility services will work on command, despite your having little to no idea of how the command actually results in the outcome. Or the comfort in assuming that of the 100,000 planes traversing the globe on an average day, all will fl y past each other at safe distances and take off and land at proper intervals. Now, imagine that this trust, reliance, and comfort could not be taken for granted any longer and the total chaos that would ensue. This is the digital age; and with all the effi - ciencies and productivity that has come with it, more and more we trust that it will just “work.” This reliance on digital systems is why the tempo of concern due to cyberattacks is rising so rapidly. Business leaders, government leaders, education leaders, and military leaders know that there is a very fi ne line separating the smoothly functioning digital society built on trust and the chaotic breakdown in society resulting from the erosion of that trust. And it is eroding quickly. Why is that, and do we have any analogies? And, more importantly, can it be fi xed?

3 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ Machine vs. human attack, responses are highly manual in At the heart of the cybersecurity battle is a nature. Unfortunately, humans facing off math problem. It is relatively simple to against machines have little to no leverage, understand, but hard to correct. One of the and cyber expertise is increasingly hard to negative offshoots of the ever-decreasing come by in the battle for talent. Flipping the cost of computing power is the ability for cost curve on its head with automation and cyber criminals and adversaries to launch a next-generation, natively integrated secu- increasingly numerous and sophisticated rity platform is required if there is any hope attacks at lower and lower costs. Today, of reducing the “breach du jour” headlines. bad actors without the capability to develop (See Figure 2.) their own tools can use existing malware It is unlikely that the number of attacks and exploits that are often free or inex- will abate over time. On the contrary, there is pensive to obtain online. Similarly, every reason to expect that their number will advanced hackers, criminal organizations, continue to grow. In fact, we can also expect and nation-states are able to use these that the “attack surface” and potential tar- widely available tools to launch successful gets will also continue to grow as we con- intrusions and obscure their identity. These stantly increase the connections of various sophisticated adversaries are also develop- things to the Internet. ing and selectively using unique tools that An understandable but untenable could cause even greater harm. This all response to this daunting threat environ- adds up to tremendous leverage for the ment is to assume that prevention is impos- attackers. (See Figure 1.) sible, so we must simply detect and respond In the face of this increasing onslaught in to all intrusions. The fundamental problem the sheer number of attacks and levels of with this approach is that without signifi cant sophistication, the defender is generally prevention no combination of people, pro- relying on decades-old core security tech- cess, and technology can prioritize and nology, often cobbled together in multiple respond to every intrusion that could signifi - layers of point products; there is no true cantly impact a network and those who rely visibility of the situation, nor are the point on it. The math problem is simply insur- products designed to communicate with mountable. Quite simply, detection and each other. As a result, to the extent attacks response should be supplements to, instead are detected or lessons are learned from an of substitutes for, prevention.

FIGURE As computing power becomes less expensive,the cost for launching automated attacks decreases. This allows the number of attacks to increase at a given cost.

The attack math Number of successful attacks

Cost of launching a successsful attack

■ 4 PREVENTION: CAN IT BE DONE?

FIGURE Harnessing automation and integrated intelligence can continually raise the cost of making an attack successful, eventually decreasing the number of successful attacks.

The attack math Cost of launching a successsful attack

Number of successsful attacks

So, the strategy must be to signifi cantly U.S. Suddenly, the very way of life in the decrease the likelihood, and increase the Western world was deemed, appropriately cost, required for an attacker to perform a so, at risk. The comfort and confi dence of successful attack. To be more specifi c, we living in a well-protected and prosperous should not assume that attacks are going environment was shattered as citizens lost away or that all attacks can be stopped. trust in their ability to follow their daily rou- However, we should assume, and be very tines and way of life. It appeared as though diligent in ensuring, that the cost of a suc- there was an insurmountable technological cessful attack can be dramatically increased lead, and everywhere people turned there to the point where the incidence of a success- was anxiety and cascading bad news. ful attack will sharply decline. In the years immediately following When this point is reached, and it will not Sputnik, the main focus was on how to sur- come overnight, then we will be able to vive a post–nuclear-war world. Items like quantify and compartmentalize the risk to backyard bomb shelters and nonperishable something acceptable and understood. It’s at food items were in great demand, and that point that cyber risks will be real and schools were teaching duck-and-cover drills. persistent but that they will leave the head- In other words, people were assuming lines and fade into the background of every- attacks could not be prevented and were day life, commerce, communications, and preparing for remediation of their society interaction. This should be our goal. Not to post-attack. eliminate all risk, but to reduce it to some- However, this fatalistic view was tempo- thing that can be compartmentalized. There rary. America relied on diplomacy and tradi- is a historical analogy to this problem and an tional forms of deterrence while devoting approach to solve it. technological innovation and ingenuity to breakthroughs such as NASA’s Mercury ■ Sputnik analogy program. While it took a decade of resourc- The analogy, which is imperfect but helpful, es, collaboration, trial, and effort, eventually is the space race. In 1957 the Soviet Union the Mercury program and succeeding efforts launched Sputnik. The result was panic at changed the leverage in the equation. The the prospect that this technology provided space-based attack risk was not eliminated, the Soviets with an overwhelming advan- but it was compartmentalized to the point of tage to deliver a nuclear attack across the fading into the background as a possible but

5 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

not probable event. It was at this stage that it is an imperative that cost leverage is the panic and confusion receded from the gained in the cyber battle. This leverage can headlines and daily reporting. We will know be attained by managing the cyber risk to an we are in good shape in the cyber battle organization through the continual improve- when we have reached this point. So, how ment and coordination of several key ele- do we get there? ments: technology, process and people, and As with all things in life, ideas and phi- intelligence sharing. losophy matter. This is true because if you do not know what you are trying to get Technology done, it’s unlikely that you will get it done. It is very apparent that traditional or legacy In the space race analogy, the philosophy security technology is failing at an alarming shifted over time from one that primarily rate. There are three primary reasons for this: assumed an attack was imminent and unstoppable with the majority of planning The fi rst is that networks have been and resources geared toward life in the post- built up over a long period of time and attack world, to one of prevention where the often are very complicated in nature, majority of resources and planning were consisting of security technology that geared to reduce the probability and effec- has been developed and deployed in a tiveness of an attack. point product, siloed approach. In other Importantly, the risk of an attack was not words, a security “solution” in traditional eliminated, but the probability of occurrence network architecture of any size consists and success was reduced by vastly increas- of multiple point products from many ing the cost of a successful attack. It was different vendors all designed to do one previously noted that no analogy is perfect, specifi c task, having no ability to inform so the analogy of “cost” here for space-based or collaborate with other products. This attacks and cyberattacks is, of course, meas- means that the security posture of the ured in different ways. Most notably, network is only as “smart” overall as the cyberthreats are not the sole purview of least smart device or offering. Also, to the superpower nations, and the technological extent that any of the thousands of daily innovation most likely to reverse the cost of threats is successfully detected, protection successful attacks is most likely to come is highly manual in nature because there is from industry, not governments. However, no capability to automatically coordinate the principle is the same in that a prevention or communicate with other capabilities in philosophy is much more likely to result in the network, let alone with other networks prevention capabilities being developed, uti- not in your organization. That’s a real lized, and continually refi ned over time. problem because defenders are relying more and more on the least leverageable ■ Is prevention possible? resource they have—people—to fi ght The obvious question then is whether pre- machine-generated attacks. vention is possible. I think that most security Second, these multiple point solutions are professionals and practitioners would agree often based on decades-old technology, that total prevention is not possible. This is like stateful inspection, which was useful disheartening but also no different from any in the late 1990s but is totally incapable of other major risk factor that we have ever providing security capabilities for today’s dealt with over time. So, the real question is attack landscape. whether prevention is possible to the point And third, the concept of a “network” where the incidence of successful attacks is has morphed continues to do so at a reduced to something manageable from a rapid pace into something amorphous risk perspective. I believe that this is possible in nature: the advent of software as a over time. In order to achieve this outcome, service (SaaS) providers, cloud computing,

■ 6 PREVENTION: CAN IT BE DONE?

mobility, the Internet of Things, and other successful leaders understand the need to macrotechnology trends that have the assess organizational risk and to allocate impact of security professionals having resources and effort based on prioritized less and less control over data. competing needs. Given the current threat environment and the math behind success- In the face of these challenges, it is critical ful attacks, leaders need to understand both that a few things are true in the security the value and vulnerabilities residing on architecture of the future: their networks and prioritize prevention and response efforts accordingly. First is that advanced security systems Under executive leadership, it is also designed on defi nitive knowledge of very important that there is continued what and who is using the network be improvement in processes used to manage deployed. In other words, no guessing. the security of organizations. People must Second is that these capabilities be as be continually trained on how to identify natively integrated as possible into cyberattacks and on the appropriate steps to a platform such that any action by take in the event of an attack. Many of the any capability results in an automatic attacks that are being reported today start or reprogramming of the other capabilities. end with poor processes or human error. For Third is that this platform must also example, with so much personal informa- be part of a larger, global ecosystem tion being readily shared on social network- that enables a constant and near-real-time ing, it is simple for hackers to assemble very sharing of attack information that can be accurate profi les of individuals and their used to immediately apply protections positions in companies and launch socially preventing other organizations in the engineered attacks or campaigns. These ecosystem from falling victim to the same attacks can be hard to spot in the absence of or similar attacks. proper training for individuals, and diffi cult Last is that the security posture is to control in the absence of good processes consistent regardless of where data and procedures regardless of how good the resides or the deployment model of the technology is that is deployed to protect an “network.” For example, the advanced organization. integrated security and automated A common attack on organizations to outcomes must be the same whether the defraud large amounts of money via wire network is on premise, in the cloud, or has transfers counts on busy people being poor- data stored off the network in third-party ly trained and implementing spotty pro- applications. Any inconsistency in the cesses. In such an attack, the attacker uses security is a vulnerability point as a general publicly available personal information matter. And, as a matter of productivity, gleaned off social networking sites to iden- security should not be holding back high- tify an individual who has the authority to productivity deployment scenarios based issue a wire transfer in a company. Then the on the cloud, virtualization, SDN, NFV, attacker uses a phishing attack, a carefully and other models of the future. constructed improper email address that looks accurate on a cursory glance, seem- Process and people ingly from this person’s manager at the Technology alone is not going to solve the company telling the person to send a wire problem. It is incumbent upon an executive transfer right away to the following coordi- team to ensure their technical experts are nates. If the employee is not trained to look managing cybersecurity risk to the organi- for proper email address confi guration, or zation. Most of today’s top executives did the company does not have a good process not attain their position due to technological in place to validate wire transfer requests, and cybersecurity profi ciency. However, all like requiring two approvals, then this attack

7 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

often succeeds. It is important that technol- The network effect of defense is why ogy, process, and people are coordinated, there is such a focus and attention on threat and that training is done on a regular basis. intelligence information sharing. It is early days on this front, but all progress is good Intelligence sharing progress, and, importantly, organizations are Given the increasing number and sophistica- now using automated systems to share tion of cyberattacks, it is diffi cult to imagine threat intelligence. At the same time, analyti- that any one company or organization will cal capabilities are being rapidly developed have enough threat intelligence at any one to make use and sense of all the intelligence time to be able to defeat the vast majority of in ways that will result in advanced plat- attacks. However, it is not hard to imagine forms being able to reprogram prevention that if multiple organizations were sharing capabilities in rapid fashion such that con- what they are seeing from an attack perspec- nected networks will be constantly updating tive with each other in close to real time, that threat capabilities in an ever-increasing eco- the combined intelligence would limit suc- system. This provides immense leverage in cessful attacks to a small number of the the cybersecurity battle. attempted attacks. This is the outcome we should strive for, as getting to this point ■ Conclusion would mean that the attackers would need There is understandable concern and atten- to design and develop unique attacks every tion on the ever-increasing incidence of single time they want to attack an organiza- cyberattacks. However, if we take a longer tion, as opposed to today where they can use view of the threat and adopt a prevention- variants of an attack again and again against fi rst mindset, the combination of next- multiple targets. Having to design unique generation technology, improvements in attacks every time would signifi cantly drive processes and training, and real-time shar- up the cost of a successful attack and force ing of threat information with platforms attackers to aggregate resources in terms of that can automatically reconfi gure the secu- people and money, which would make them rity posture, can vastly reduce the number more prone to be visible to defenders, law of successful attacks and restore the digital enforcement, and governments. trust we all require for our global economy.

■ 8 SecurityRoundtable.org The three Ts of the cyber economy The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security, and Jim Pfl aging, Principal

Thanks to rapid advances in technology and thinking, over the last decade we have seen entire industries and countries reinvented in large part because of the power of the Internet and related innovations. Naturally, these developments created new opportunities and risks, and none is greater than cybersecurity. Today, business leaders, academics, small business owners, and school kids know about hackers, phishing, identify theft, and even “bad actors.” In late 2014, the Sony Pictures Entertainment breach led to debates over data security, free speech, and corporate management as well as the details of celebrity feuds and paychecks. The idea of cybersecurity is rising to the fore of our collective consciousness. Notable cybersecurity breaches, including those at Target, Anthem BlueCross, and the U.S. Offi ce of Personnel Management, have demonstrated that no organization or individual is immune to cyberthreat. In short, the cybersecurity environment has changed dramatically over the past several years, and many of us have struggled to keep up. Many fi rms now fi nd themselves in an environment where one of their greatest business risks is cyber risk, a risk that has rapidly risen from an afterthought to primary focus. How do we create more opportunity and a safer world while protecting privacy in an interconnected world? This question is not just for policy makers in government and leaders of global Fortune 500 businesses. It affects the neighborhood small business, the academic community, investors and, of course, our children. Answering that question requires an understanding of the three Ts—technology, threat, and trust. Why? Because these are big interrelated ideas that have a signifi cant effect on business strategy, policy, and public opinion. For starters, you need to know about the three Ts, think about

9 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

them, and decide how you are going to technology and are thriving. Still, the advan- embrace the fi rst, deal with the second, and tage lies with the fi rms who not only shape the last. embraced the Internet but also built their entire business around it: Amazon, Google, ■ Technology and Uber. Finally, there is Apple, which Today we live in a golden age of innovation came of age with the Internet and morphed driven by technologies that dominate into a wildly successful global leader with headlines—cloud computing, mobility, big the introduction of the iPhone. data, social media, open source software, vir- There have been applications for these tualization, and, most recently, the Internet of technologies, with signifi cant impact, in a Things. These tectonic shifts allow individu- variety of industries. In transportation, Uber als, government, and companies to innovate is a great example of transforming a perva- and reinvent how they interact with each sive but sedentary sector into a newly reimag- other. These forces mandate that we redefi ne ined market. Uber used emerging technolo- what, how, and where we manage any busi- gies to disrupt seemingly distinct segments ness. We need to challenge core assumptions such as auto rental and even automotive about markets, company culture, and the art manufacturing. In the electrical sector, smart of the possible. The winners will be those meters, transformers, and switches have who leverage these innovations to reduce given utilities greater control over their distri- costs and deliver better, lower-priced prod- bution networks while their customers have ucts. Take Table 1 below, for example: gained greater control of their consumption. However, the golden age of innovation has a dark side. A new class of "bad guys" TABLETABLE Market capitalization has emerged and is taking advantage of (or private estimates, USD "holes" in these new technologies and our A goodin reputationmillions) online behavior to create new risks. This leads us to the second T—Threat. 3/31/2005 3/31/2015 ■ Threat Amazon $13,362 $207,275 Lifecycle It is almost cliché to talk about the pervasive- Apple $30,580 $752,160 ness and escalating impact of cybersecurity Google $64,180 $378,892 attacks. However, it is useful to provide a map that can help us better understand Uber N/A $41,000 where we may be heading to help us prepare and to develop more lasting defenses. AT&T $78,027 $175,108 Using a simple x-y graph, we can create an instructive map, in which x represents the Citigroup $244,346 $165,488 severity of the impact and y the "actor" or General perpetrator. Impact can be divided into the $388,007 $274,771 Electric following stages: embarrassment, theft, destruction to a target fi rm or asset, and wide- Kodak $6,067 $794 spread destruction. The actors also can be grouped into four escalating stages: individu- Sources: Capital IQ, Fortune als, hacktivists, cyber organized crime, and nation-states. See Figure 1. Given the impor- It is easy to see the relationship between tance of understanding threat, business lead- innovation and valuation. Some companies, ers should understand how the map applies such as Kodak, did not react fast enough to their business. To aid in this understand- and lost their market as a result. Others, ing, it is useful to cover a few examples that such as AT&T, have invested heavily in new illustrate various stages of these threats.

■ 10 THE THREE TS OF THE CYBER ECONOMY

FIGURE

Nation- ?? states Sony Saudi Aramco

Cyber JPMorganChase organized crime Target A C T O R

Hacktivist HBGary

Individual

Embarrass Steal Disrupt Destroy Widespread customer operations and business and disruption info destroy property future earnings and destruction

INTENT & IMPACT

In 2011, a high-profi le attack was under- work of criminals operating in Eastern taken by Anonymous, the prominent Europe, netted 40 million credit and debit “hacktivist” collective, in which it attacked card numbers and 70 million customer the security services fi rm HBGary Federal. records and was largely responsible for the The attack was precipitated by HBGary’s company’s 46 percent drop in profi t in Q4 of CEO, Aaron Barr, claiming in a Financial 2013 when compared to 2012.2 The attack Times article that his fi rm had uncovered also resulted in a serious decline in the com- the identities of Anonymous leaders and pany’s stock price and led the company’s planned on releasing these fi ndings at a board to fi re their CEO. The attack is esti- security conference in San Francisco the fol- mated to have netted its perpetrators lowing week.1 Anonymous responded by approximately $54 million in profi t from the hacking into HBGary’s networks, eventually sale of stolen card details on black market posting archives of company executives’ sites—quite the motivation for a criminal emails on fi le-sharing websites, releasing a enterprise. list of the company’s customers, and taking Another high-profi le attack, directed over the fi rm’s website. Although the attack against Sony Pictures Entertainment, is did affect HBGary fi nancially, Anonymous’ alleged to have been the work of hackers sup- primary motivation was to embarrass ported by the government of North Korea. Aaron Barr and HBGary. The attackers managed to secure not only a More recent attacks have been perpetrat- copy of The Interview, which had offended ed by better-organized criminal gangs and and motivated the North Korean state, but have had a greater impact. For instance, the also a vast trove of data from the corporate Target breach, believed to have been the network, including the personal and salary

11 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

details of tens of thousands of employees, ■ Trust internal email traffi c, and other highly sensi- One of the greatest casualties in the ever- tive information. The attack led the company increasing torrent of cyberthreats is trust— to delay the release of its big-budget fi lm, and specifi cally, the trust consumers have in it generated weeks of headlines. The attack business, the trust citizens and business also forced the company to take a variety of have in government, and the trust govern- computer systems offl ine. Although the long- ment has in business. This should be trou- term impact of the attack is unclear, it has had bling for all corporate executives and gov- a dramatic impact on the studio’s reputation, ernment leaders because trust is precious to stock price, and earnings. all relationships and is critical to effective What is next? In the future, we can expect workings of commerce and government. As a continued rise in the severity of cyberthreats. we know, it takes years to build, but it is easy Well-fi nanced criminal gangs and well- to lose. For instance, a single data breach can resourced nation-states appear to be increas- undo years of effort and cause immediate ingly capable and willing to engage in attacks and lasting reputation loss. that cause signifi cant damage. Measuring trust Boards and risk Recent consumer surveys suggest that con- After the initial shock of “how is this possi- sumers are tired of dealing with fraudulent ble,” every business leader has to consider charges and are raising their expectations for what it means for his or her business. Just a how their favorite brands and websites pro- few years ago, many viewed cybersecurity tect consumer data and personally identifi a- threats as a technical problem best left to the ble information. In May 2015, Pew Research company CIO or CISO. Increasingly, CEOs released a study in which 74 percent of and boards are coming to the realization Americans said it was “very important” to cybersecurity threats are a business risk that be “in control of who can get info about demands C-level and board scrutiny. you.” Edelman, one of the world’s largest Corporate boards have begun to look at public relations fi rms, does an annual study cybersecurity risk in much the same way called The Trust Barometer. The 2015 edition they would look at other risks to their busi- of this survey showed a huge jump in the ness, applying risk management frame- importance consumers place in privacy of works while evaluating the likelihood and their personal data. The study revealed that impact of cyber risk. Boards also have begun 80 percent of consumers, across dozens of to look at ways to transfer their risk, leading countries and industries, listed this as a top insurance companies to offer cybersecurity issue in evaluating brands they trust. Finally, insurance products. In their evaluation of HyTrust, an emerging technology company, cyber risk, companies are also taking a hard published a study on the impact of a cyber look at the second order effects of a cyberat- breach on customer loyalty and trust. Of the tack, notably the ability for a successful 2,000 consumers surveyed, 52 percent said a attack to undermine customers’ trust in the breach would cause them to take their busi- company. A successful attack often leads to ness elsewhere.3 What business can afford to the revelation of sensitive, personally identi- lose 50 percent of its customers? fi able information on customers, eroding What these numbers make clear is that con- consumer confi dence in the fi rm. Many of sumers are paying attention to cybersecurity the commonly understood risk management issues and that failure to address these con- frameworks and related insurance products cerns comes at a company’s own risk. Recent now being used recognize this and make it attacks have served as learning moments for clear that corporate boards must have a thor- many companies and consumers, allowing ough understanding of the third T, Trust. them to gain a fi rmer understanding of just

■ 12 THE THREE TS OF THE CYBER ECONOMY

how damaging such an attack can be. However, develop cyber risk mitigation products. Many with this knowledge comes increased expecta- of the insurance industry’s largest players, tions for how companies safeguard their data including Allstate, Travelers, Marsh, and and that of their consumers. Tennant, have moved to offer companies cyber insurance products, although the imma- Role of industry turity of the market has created complications Fortunately, industry is moving in this direc- for insurers and potential customers. Insurers tion, and many companies have begun to have had a hard time calculating their risk and consider cyber risk in their corporate plan- thus appropriate premiums for potential cus- ning. In 2014, the National Association of tomers, while customers have sometimes Corporate Directors issued a call to action, found their insurance quotes too expensive. which included fi ve steps that its members Fortunately, time and the accompanying set- should take to ensure their enterprises prop- tling of industry standards and actuarial data erly address cyber risk. These include the will help to mature and grow this market. following: Role of government Treating cyber risk as an enterprise risk Effective risk management—for govern- Understanding the legal implications of ments or private enterprises—starts with an cyber risks honest understanding of the situation and Discussion of cyber risk at board recognition that information sharing with meetings, giving cyber risk equal footing partners is essential. Information sharing, of with other risks course, starts with agreeing on common val- Requiring management to have a ues, and then trusting vetted, capable, and measureable cybersecurity plan reliable partners. Information sharing can be, The development of a plan at the board and must be, something that takes place at level on how to address cyber risks, and across all levels. The Constitution charg- including which risks should be avoided, es the federal government with the responsi- accepted, mitigated, or transferred via bility of providing for the defense of the insurance. nation while protecting the privacy and civil liberties of our citizens, a diffi cult balance Although this guidance is an excellent start, that requires trust in the government and we at The Chertoff Group believe that indus- processes by which we reach that balance. try has to go further and move toward a As we discuss the role of government in common cyber risk management framework information sharing and building trust, we that allows everyone to understand the have to acknowledge the impact the cyber risks to a business and how the com- Snowden revelations have had on public pany intends to address them. This model trust in government. Fundamentally, we would be a corollary to the General Accepted have to determine what we want the role of Accounting Principles (GAAP), the standard government to be and engage in legal accounting guidelines and framework that reforms that refl ect that role. Laws such as underlies the fi nancials and planning of the Computer Fraud and Abuse Act, enacted almost any business. The emergence of in 1986 and amended fi ve times since then, GAAP in the 1950s made it signifi cantly and the Electronic Controls Privacy Act easier for investors, regulators, and other (ECPA), which dates to 1986, have to be stakeholders to gain a clear understanding updated to refl ect the signifi cant changes in of a business and its fi nancials, allowing for technology and practice that have occurred comparisons across industries and sectors. since they were envisioned. In parallel, banks, insurers, and other pro- Beyond these efforts, we need to establish viders of risk mitigation are scrambling to or reinforce agreed-upon rules and programs

13 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

for government data collection on citizens Information Sharing and Analysis Centers and the legal frameworks that manage the (ISACs) was a Clinton Administration initia- transfer of that data between governments tive to build PPPs across critical infrastruc- for judicial and law enforcement purposes. ture sectors. These sector-by-sector ISACs Importantly, this initiative must provide for have proven to be models of trust. The mutual accountability for all participants. Financial Services ISAC has truly epito- These initiatives have to lay out clearly the mized these ideas and is considered by roles of all participants and, in our opinion, many to be the leading ISAC in sharing reinforce and strengthen the role for NSA in threat information. This model has been rep- helping this nation deal with the adversaries licated in other industries and led President that are using information technology to Obama to call for an expansion of the infor- harm us. mation sharing model to smaller groups of On the international front, in response to companies through Information Sharing and mounting concerns over data privacy, data Analysis Organizations (ISAOs). Another security and the rise of online surveillance, example is a U.S. government-industry ini- governments around the world have been tiative to combat botnets, in which the gov- seeking to pass new data protection rules. ernment is working with the Industry Botnet Several governments, including Germany, Group to identify botnets and minimize Indonesia, and Brazil, have considered their impacts on personal computers. enacting “data localization” laws that would require the storage, analysis, and processing ■ Technology, threat, and trust in the of citizen and corporate data to occur only boardroom within their borders. What do the three Ts of the cyber economy However, many of these proposals are mean for you? Here are just a few of the likely to impose economic harm and sow questions every leader has to consider: seeds of distrust. For example, several of the proposals under consideration would force Are we using technology for competitive companies to build servers in locations advantage? where the high price of local energy and the Are we secure? How do you know? Do we lack of trained engineers could translate into have a framework, a GAAP-equivalent higher costs and reduced effi ciencies. for cyber risk, that gives me the tools to Furthermore, requiring that data reside in a understand and measure risk? server based in Germany instead of one in Are we a good steward of the data we Ireland will do little to prevent spies from collect about our customers? accessing that data if they are determined and capable. Each of us needs answers to these questions. So, what should we do? It is critical that Your response will have a big impact on the policymakers and technology providers future of your organization. work together to develop solutions that keep A few years ago, there was a common online services available to all who rely on story in security circles about two types of them. We must develop principles that can companies: those who knew they had been serve as a framework for coordinated multi- hacked and those who had been hacked but lateral action between states and across the did not know it. Going forward, we will talk public and private sectors. We must be pre- about companies in terms of who cares pared to lead abroad and at home with effec- about cybersecurity: in some companies, it tive ideas. will be the entire executive suite; in others, Public private partnerships (PPPs) are it will just be the CISO or CIO. Your com- important pieces of the solution and are pany doesn’t want to fall into the latter cat- good models of trust that we should lever- egory. Use the three Ts to help your organi- age going forward. First, the formation of zation manage cyber risk and leverage the

■ 14 THE THREE TS OF THE CYBER ECONOMY

fantastic opportunities in this golden age of target-profit-falls-46-on-credit-card- innovation. breach-and-says-the-hits-could-keep- on-coming/. Works Cited 3. See “Consumers Increasingly Hold 1. See Joseph Menn, “Cyberactivists warned Companies Responsible for Loss of of arrest,” The Financial Times, February Confi dential Information, HyTrust Poll 5, 2011, Available at http://www.ft.com/ Shows,” HyTrust, October 1, 2014, Available cms/s/0/87dc140e-3099-11e0-9de3- at http://www.hytrust.com/company/ 00144feabdc0.html#axzz3cg7emYx4. news/press-releases/consumers- 2. See Maggie McGrath, “Target Profi t Falls increasingly-hold-companies-responsible- 46% On Credit Card Breach And The Hits loss-confi dential-info, Additional survey Could Keep On Coming,” Forbes, February data available at http://www.hytrust. 26, 2014, Available at http://www.forbes. com/sites/default/files/HyTrust_ com/sites/maggiemcgrath/2014/02/26/ consumer_poll_results_with_charts2.pdf.

SecurityRoundtable.org 15 ■

Cyber governance best practices Georgia Institute of Technology, Institute for Information Security & Privacy – Jody R. Westby, Esq., Adjunct Professor

■ The evolution of cybersecurity governance Corporate governance has evolved as a means of protecting investors through regulation, disclosure, and best practices. The United Nations Guidance on Good Practices in Corporate Governance Disclosure noted:

Where there is a local code on corporate governance, enterprises should follow a “comply or explain” rule whereby they disclose the extent to which they followed the local code’s recommendations and explain any deviations. Where there is no local code on corporate governance, companies should follow recognized international good practices.1

The Business Roundtable (BRT), one of America’s most prominent business associations, has promoted the use of best practices as a governance tool since it published its fi rst Principles of Corporate Governance in 2002. In its 2012 update, BRT noted:

Business Roundtable continues to believe, as we noted in Principles of Corporate Governance (2005), that the United States has the best corporate governance, fi nancial reporting and securities markets systems in the world. These systems work because of the adoption of best practices by public companies within a framework of laws and regulations that establish minimum requirements while affording companies the ability to develop individualized practices that are appropriate for them. Even in the challenging times posed by the ongoing diffi cult economic environment, corporations have continued to work proactively to refi ne their governance practices, and develop new practices, as conditions change and “best practices” continue to evolve.2

17 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

Increases in cybercrime and attacks on corpo- 17799 and then ISO/IEC 27001.8 ISO/IEC rate systems and data have propelled discus- 27001 is the most accepted cybersecurity sions regarding governance of cyber risks standard globally. and what exactly boards and senior execu- Today, the ISO/IEC 27000 series of infor- tives should be doing to properly manage mation security standards is comprised of this new risk environment and protect corpo- nearly 30 standards. ISO, of which the rate assets. The topic reached a crescendo in American National Standards Institute May 2014 when the Institutional Shareholder (ANSI) is the member body representing U.S. Service (ISS) called for seven of the ten Target interests for the development of international board members not to be re-elected on the standards, has additional information secu- grounds that the failure of the board’s audit rity standards outside of the 27000 series.9 and corporate responsibility committees “to ISO information security standards cover a ensure appropriate management of these range of topics, such as security controls, risk risks set the stage for the data breach, which management, the protection of personally has resulted in signifi cant losses to the com- identifi able information (PII) in clouds, and pany and its shareholders.”3 control systems. Additional security stand- Over the past decade, the concept of cyber- ards also have been developed for fi nancial security governance has evolved from infor- services, business continuity, network secu- mation technology (IT) governance and rity, supplier relationships, digital evidence, cybersecurity best practices. The Information and incident response.10 Systems Audit and Control Association The U.S. National Institute of Standards (ISACA) has been a frontrunner in IT govern- and Technology (NIST) has developed a ance best practices with the COBIT (Control comprehensive set of cybersecurity guid- Objectives for Information and Related ance and Federal Information Processing Technology)4 framework. ISACA founded the Standards (FIPS),11 including a Framework IT Governance Institute (ITGI) in 1998 to for Improving Critical Infrastructure advance the governance and management of Cybersecurity (Framework).12 The NIST enterprise IT. The ITGI defi nes IT governance: guidance and standards are world-class materials that are publicly available at no IT governance is the responsibility of the charge. NIST recognized existing standards board of directors and executive manage- and best practices by mapping the ment. It is an integral part of enterprise Framework to ISO/IEC 27001 and COBIT. governance and consists of the leadership Other respected cybersecurity standards and organisational structures and pro- have been developed for particular purpos- cesses that ensure that the organisation’s es, such as the protection of credit card data IT sustains and extends the organisation’s and electrical grids. The good news is that strategies and objectives.5 cybersecurity best practices and standards are harmonized and requirements can be Gartner has a similar defi nition.6 mapped. This is particularly important because as companies buy and sell operating ■ Cybersecurity program standards and best units or subsidiaries or merge, they may practices7 have IT systems and documentation based As IT systems became vulnerable through upon several standards or best practices. networking and Internet connectivity, secur- Thus, the harmonization of standards ena- ing these systems became an essential ele- bles companies to blend IT departments and ment of IT governance. The fi rst cybersecu- security programs and continue to measure rity standard was developed by the British maturity. Standards Institute in 1995 as BS 7799. Over Some companies may need to align with time, this comprehensive standard proved multiple standards. For example, electric its worth and ultimately evolved into ISO transmission and distribution companies

■ 18 CYBER GOVERNANCE BEST PRACTICES

will need to meet the North American important to understand the breadth and Electric Reliability Corporation Critical reach of the standard and to choose one that Infrastructure Protection (NERC-CIP) stand- meets the organization’s security and compli- ards, as well as the Payment Card Industry ance needs. Data Security Standard (PCI DSS) if they ISO/IEC 27001, which can be obtained take credit cards, and some other broad from ANSI at http://webstore.ansi.org, is a security program standard, such as ISO/IEC comprehensive standard and a good choice 27001 or NIST for their corporate operations. for any size of organization because it is Even with harmonization, it is important respected globally and is the one most that companies choose at least one standard to commonly mapped against other stand- align their cybersecurity program with so pro- ards. One should not make the mistake of gress and security maturity can be measured. believing that all standards contain a full In determining which standard to use as a set of requirements for an enterprise secu- corporate guidepost, organizations should rity program; they do not. Some standards, consider the comprehensiveness of the stand- such as NERC-CIP or PCI, set forth security ard. Although standards requirements may be requirements for a particular purpose but mapped, each standard does not contain the are not adequate for a full corporate secu- same or equivalent requirements. Thus, it is rity program.

Leading cybersecurity standards and best practices include: The International Organization for Standardization (ISO), the information security series, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on& active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org) The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/ National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/ publications/index.html Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/. International Society of Automation (ISA), https://www.isa.org/templates/two- column.aspx?pageid=131422 Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/ default.aspx Payment Card Industry Security Standards Council (PCI SSC), https://www. pcisecuritystandards.org/ Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/shop/p-71-173 Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/ products-services/octave/ Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/ index.html North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf

19 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

Some information security standards, necessarily extends this duty to include the such as NERC-CIP, U.S. Nuclear Regulatory protection of the organization’s digital assets cybersecurity requirements, PCI standards (data, networks, and software). As a conse- for credit card data, and HIPAA security quence, the governance of cyber risks has requirements are mandatory. Portions of become increasingly important for boards of NIST guidance are mandatory for federal directors and senior management. This government contractors and U.S. govern- includes exercising good risk management, ment agencies and departments. The remain- validating the effectiveness of controls, and der of the standards listed are voluntary. ensuring compliance requirements are met. In addition to the leading cybersecurity An increase in shareholder derivative standards listed in the shaded box, additional suits against D&Os for failure to protect standards have been developed for certain against breaches also has heightened atten- industry sectors because they require height- tion on cybersecurity at the board and senior ened security protections. For example, ISO/ management level. Target was hit with share- IEC 27015 was developed as additional secu- holder derivative suits for failure to protect rity requirements for fi nancial organizations; the company and its data from a breach,13 as ISO/IEC 27799 was developed for informa- was Wyndham Hotels on similar grounds.14 tion security in health systems using ISO/IEC In addition, cybersecurity has become an 27002 (the controls portion of ISO/IEC 27001); important compliance issue that carries the 27011 was developed for telecommunications risk of headlines concerning enforcement systems using ISO/IEC 27002; and ISO/IEC actions, investigations, and breaches of per- 27019 was developed for industrial control sonally identifi able information. Several state system security for the energy utility industry. and federal laws impose privacy and securi- The value of using a standard as a guide- ty requirements on targeted industry sec- post for the development, maintenance, and tors and types of data. For example, the maturity of a security program is that it sets Gramm-Leach-Bliley Act (GLBA), the Health forth best practices for cybersecurity and is Insurance Portability and Accountability Act updated as required to meet changing (HIPAA), the Health Information Technology threats, technological innovation, and com- for Economic and Clinical Health Act pliance requirements. Standards also enable (HITECH Act), and state breach laws impose boards and senior executives to understand specifi c requirements pertaining to the secu- how comprehensive their organization’s rity and privacy of data and networks. security program is and provide an objective So, what does cyber governance mean? basis for audits and cybersecurity assess- What actions should board members be tak- ments. Evaluating a cybersecurity program ing? Who should be involved—the entire against a leading standard enables an organ- board or just certain committees? Cyber gov- ization to measure progress, assess the effec- ernance means more than D&Os periodically tiveness of controls, identify gaps and defi - asking interesting questions or receiving ciencies, and measure program maturity. reports regarding the company’s cybersecurity program. There is now an international ■ Cyber governance standards and best practices standard, ISO/IEC 27014, on the governance Cyber governance standards and best prac- of information security, which sets out roles tices have evolved over the past 20 years as and responsibilities for executive manage- companies have increased connectivity to the ment and boards of directors and is applica- Internet and networks and as cyberattacks ble to all types and sizes of organizations. have continued to rise. Directors and offi cers The standard notes: (D&Os) have a fi duciary duty to protect the organization’s assets and the value of the cor- [G]overnance of information security poration. The increased dependence on IT provides a powerful link between an systems and data in corporate operations organization’s governing body, executive

■ 20 CYBER GOVERNANCE BEST PRACTICES

management and those responsible for and compliance obligations, reputational implementing and operating an informa- risks, business interruption, and fi nancial tion security management system. It pro- losses; allocate the resources needed for the vides the mandate essential for driving risk-based approach. information security initiatives through- 3. “Set the direction of investment decisions”: 15 out the organization. establish an information security investment strategy that meets business The objectives of the standard are to align and security requirements; integrate security program and business objectives security considerations into existing and strategies, deliver value to stakeholders business and investment processes. and the board, and ensure information risks 4. “Ensure conformance with internal and 16 are adequately managed. external requirements”: ensure policies The difference between IT governance and procedures incorporate legal, and information security governance is that regulatory, and contractual obligations; the latter is focused on the confi dentiality, routinely audit such compliance. integrity, and availability of information, 5. “Foster a security-positive environment”: whereas governance of IT is focused on the accommodate human behavior and resources required to acquire, process, store, the needs of users; promote a positive 17 and disseminate information. ISO/IEC information security environment through 27014 sets forth six principles as foundation training and tone from the top. for information security governance: 6. “Review performance in relation to business outcomes”: ensure the security 1. “Establish organization-wide information program supports business requirements, security”: information security activities review impact of security on business as should encompass the entire organization well as controls.18 and consider the business, information security, physical and logical security, and ISO/IEC 27014 sets forth separate roles and other relevant issues. responsibilities for the board and executive 2. “Adopt a risk-based approach”: management within fi ve processes: Evaluate, governance decisions should be based on Direct, Monitor, Communicate, and Assure. the risk thresholds of a company, taking These are set forth in abbreviated form in the into account competitiveness issues, legal following table.19

Board of directors Executive management Evaluate Ensure business initiatives take information Ensure information security supports security into consideration business objectives Review reports on information security Submit new security projects with performance, initiate prioritized actions signifi cant impact for board review Direct Establish risk thresholds of organization Ensure security and business objectives are aligned Approve security strategy and overarching Develop security strategy and overarching policy policy Allocate adequate resources for security Establish a positive culture of cybersecurity program Continued

21 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

Board of directors Executive management Monitor Assess effectiveness of security program Determine appropriate metrics for security program Ensure compliance and legal obligations Provide input to board on security are met performance results, impacts on organization Evaluate changes to operations, legal Keep board apprised of new developments frameworks, and impact on information affecting information security security Communicate Report to investors/shareholders on Inform board of security issues that require whether information security is adequate their attention for business Provide results of external audits or reviews Ensure board’s actions and decisions and identifi ed actions to executive team regarding security are acted upon Recognize compliance obligations, business needs, and expectations for information security Assure Order independent reviews/audits of Support reviews/audits commissioned by security program board

■ Beyond ISO/IEC 27014: Other best practices is IT-focused, however, and does not men- and guidance tion the roles and responsibilities of chief At present, the only guidance NIST has information security offi cers (CISOs). The developed that addresses information secu- separation of the role of the chief informa- rity governance is its 2006 Special Publication tion security offi cer from the chief informa- 800-100, Information Security Handbook: A tion offi cer (CIO) (in other words, not having Guide for Managers. This publication, how- the CISO report to the CIO), is a best practice ever, is written for a federal audience and is that the Board Briefi ng ignores. It assigns all more technical than other materials directed responsibilities to the CIO, IT Strategy toward boards and senior executives. Committee, IT Steering Committee, IT ISACA’s IT Governance Institute updated Architecture Review Board, and Technology its Board Briefi ng on IT Governance in 2014,20 Council. Nevertheless, it is a valuable which sets forth an approach similar to ISO/ resource for boards and executive teams IEC 27014, but is based on ISACA’s COBIT seeking to implement good cyber govern- best practices. The Board Briefi ng includes ance practices. questions board members should ask and Finally, Carnegie Mellon University’s also checklists, tool kits, roles and responsi- Software Engineering Institute developed the bilities, and other helpful materials. The Governing for Enterprise Security Implementation Board Briefi ng focuses on fi ve activity areas: Guide in 2007 as a guide for boards and execu- Strategic Alignment, Value Delivery, Risk tives on governing enterprise security pro- Management, Resource Management, and grams.21 It is still quite instructive and includes Performance Measurement. The publication a model organizational structure for cyber

■ 22 CYBER GOVERNANCE BEST PRACTICES

governance; composition of a cross- members to become inundated in technical organizational privacy/security committee; data and issues and lose sight of the major sample mission, goals, and objectives for a risks that must be managed. In part, CIOs board Risk Committee; and an explanation of and CISOs need to develop better executive the critical activities in an enterprise security and board communication skills when program, including who should lead and be reporting on cybersecurity program activi- involved in them, and the outputs (artifacts) ties and incidents. Outside experts can also to be developed. It indicates where the board help separate which cybersecurity govern- has a role for governance oversight and sets ance issues should be directed to the execu- forth roles and responsibilities for the critical tive management team and which are for players, as well as shared responsibilities, for board consideration. the following: Once the critical vulnerabilities that require board and executive attention have chief security offi cer/chief information been identifi ed, the next step is to deter- security offi cer mine the information fl ows that are needed chief privacy offi cer to keep the board and senior management chief information offi cer informed and enable informed decision- chief fi nancial offi cer making. These two steps—identifi cation of general counsel cyber-related vulnerabilities and associ- business line executives ated information flows—should be fol- human resources lowed by an analysis of the board’s and public relations senior management’s roles in incident business managers response and business continuity/disaster procurement recovery. operational personnel The Target breach revealed how disas- asset owners trous it can be when a company’s executive certifi cation authority. team and board are not prepared to manage a major cybersecurity incident. The breach ■ Additional considerations in cybersecurity was clever but not terribly diffi cult to recov- governance er from; as ISS pointed out so clearly, it was Board structure plays a signifi cant role in Target’s executive team and board who cybersecurity governance. A Risk Committee failed to protect the company’s data and is the best choice for governance of cybersecu- ensure a robust incident response plan was rity because IT risks must be managed as in place that involved their participation. enterprise risks and integrated into enterprise Cybersecurity governance is an area risk management and planning. Many compa- where an independent adviser can provide nies place all oversight for cybersecurity in the valuable guidance to a board and executive board Audit Committee, which can substan- team by reviewing available reports and tially increase the workload of that committee. assessing the current state of the security Placing cyber governance with the Audit program, identifying key vulnerabilities Committee also creates segregation of duties and associated information fl ows that issues at the board level because the Audit should be directed to the board, advising on Committee is auditing the security program, the threat environment, and establishing determining remediation measures, and then the proper organizational structures for auditing this work the following year. effective cybersecurity governance. These One of the most important aspects of activities should be undertaken in a collab- cybersecurity governance is the identifi ca- orative fashion with IT and security leaders tion of vulnerabilities that could have a and in the spirit of helping them gain visi- material impact on corporate operations bility and support for security program and/or bottom line. It is easy for board initiatives.

23 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

■ Dutiful dozen 12. Evaluate the adequacy of cyber There are some actions that boards can take insurance against loss valuations and to ensure they are managing cyber risks ensure adequate risk strategies are in and meeting their fi duciary duty. Following place for cyber risks. is a list of a dozen actions that are within best practices, which can be used as a start- Many organizations also are struggling ing point and checklist for governance with how to integrate cybersecurity into activities: their enterprise risk management process. Most business operations today are A dozen best practices for cyber governance dependent upon IT systems and the confi - 1. Establish a governance structure with dentiality, availability, and integrity of their a board Risk Committee and a cross- data. Following are another dozen guiding organizational internal team. points on integrating cyber risks into enter- 2. Identify the key cyber vulnerabilities prise risk management.: associated with the organization’s operations. A dozen best practices for integrating cybersecurity into 3. Identify the security program activities enterprise risk management over which boards and executives 1. Understand the business’s strategies, should exercise oversight, and identify objectives, and needs for IT and data. the key information fl ows and reports 2. Inventory assets (data, applications, that will inform board and executives on hardware), assign ownership, the management of cyber vulnerabilities classifi cation, and risk categorization. and security program activities. 3. Map legal requirements to data for all 4. Identify legal compliance and fi nancial jurisdictions. exposures from IT systems and data. 4. Evaluate the security of vendors, business 5. Set the tone from top that privacy and partners, and supply chain linkages. security are high priorities for the 5. Align the cybersecurity program with organization, and approve top-level best practices and standards. policies on acceptable use of technology 6. Ensure controls are determined and and compliance with privacy and metrics identifi ed. security policies and procedures. 7. Conduct a risk assessment to establish a 6. Review the roles and the responsibilities baseline for cyber risk management. of lead privacy and security personnel, 8. Develop cyber risk strategies (block the and ensure there is segregation of duties risk, cyber insurance, other compensating between IT and security functions. controls, all of these). 7. Ensure that privacy and security 9. Design system architecture to responsibilities are shared, enterprise accommodate business goals and issues that apply to all personnel. objectives, meet security and legal 9. Review and approve annual budgets for requirements, and detect or prevent security programs. unauthorized usage. 10. Review annual risk assessments, the 10. Use technical tools and services to maturity of the security program, and provide integrated data on threats and support continual improvement. attacks. 11. Retain a trusted adviser to independently 11. Make cyber training and security inform the board on changes in the compliance part of annual performance threat environment, provide assistance reviews for all personnel. on governance issues, and advise on 12. Stay abreast of innovation and changes response issues in the event of a major in the threat environment as well as cyber incident. changing operational requirements.

■ 24 CYBER GOVERNANCE BEST PRACTICES

■ Conclusion management of enterprise IT is available Best practices and standards now require at http://www.isaca.org/cobit/pages/ boards and senior management to exercise default.aspx. governance over cybersecurity programs and 5. Board Briefi ng on IT Governance, IT associated risks. Laws such as Gramm-Leach- Governance Institute, 2nd ed., 2014 at Bliley, the Health Insurance Portability and 10, http://www.isaca.org/restricted/ Accountability Act, and the Federal Documents/26904_Board_Briefing_ Information Security Management Act all fi nal.pdf. require executive oversight of security pro- 6. Gartner, IT Glossary, “IT Governance,” grams. Each organization’s operations, system http://www.gartner.com/it-glossary/ architecture, policies and procedures, and it-governance. culture vary, thus, cyber risk management has 7. The term “cybersecurity best practice” to be tailored to the organization. Boards may be used interchangeably with should know what standards/best practices “standard” in the cybersecurity context, their organization is using to implement their as the standards embody best practices. security program and determine an approach The term “standard” is commonly used for their own governance activities. Checklists to refer to mandatory requirements. and the use of ISO/IEC 27014, the ISACA With respect to cybersecurity programs, Board Briefi ng on IT Governance, and the however, there is no bright line between Carnegie Mellon University’s Governing for best practices and standards. Some Enterprise Security Implementation Guide are all standards, such as NERC-CIP and useful resources that will help ensure boards HIPAA, are mandatory for certain are meeting their fi duciary duty and protect- organizations, while other standards, ing the assets of the organization. such as ISO/IEC, are voluntary. Other standards, such as the Federal References Information Processing Standards (FIPS) 1. Guidance on Good Practices in Corporate and NIST guidance (the 800 Special Governance Disclosure, United Nations Publication series) are voluntary for Conference on Trade and Development some entities and mandatory for others. (UNCTAD), New York & Geneva, 2006, 8. Wikipedia, “BS 7799,” https://en. http://unctad.org/en/docs/iteteb20063_ wikipedia.org/wiki/BS_7799. en.pdf. 9. International Organization for 2. Principles of Corporate Governance 2012, Standardization, Information Security, Harvard Law School Forum on Corporate http://www.iso.org/iso/home/search. Governance and Financial Regulation, htm?qt=information+security&publis Aug. 17, 2012, http://corpgov.law. hed=on&active_tab=standards&sort_ harvard.edu/2012/08/17/principles-of- by=rel. corporate-governance-2012/. 10. Id. 4. Elizabeth A. Harris, “Advisory Group 11. National Institute of Standards and Opposes Re-election of Most of Target’s Technology, Computer Security Division, Board,” The New York Times, May 28, Computer Security Resource Center, 2014, http://www.nytimes.com/ http://csrc.nist.gov/publications/ 2014/05/29/business/advisory-group- PubsSPs.html. opposes-re-election-of-most-of-targets- 12. Framework for Improving Critical board.html?_r=0 (quoting ISS report). Infrastructure Cybersecurity, National 4. COBIT is an acronym for Control Institute of Standards and Technology, Objectives for Information and Related Version 1.0, Feb. 12, 2014, http://www. Technology. Information on the COBIT nist.gov/cyberframework/upload/ 5 framework for the governance and cybersecurity-framework-021214.pdf.

25 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

13. See, e.g., Kevin LaCroix, “Target Directors 16. Id. at 4.2. “Objectives.” and Offi cers Hit with Derivative Suits 17. Id. at 4.4. “Relationship.” Based on Data Breach,” Feb. 3, 2014, 18. Id. at 5.2. “Principles.” http://www.dandodiary.com/2014/02/ 19. Id. at 5.3. “Processes.” The full articles/cyber-liability/target-directors- requirements of the standard should be and-officers-hit-with-derivative-suits- reviewed prior to use by an organization; based-on-data-breach/. ISO 27014 is available at http://www.iso. 14. See, e.g., Jon Talotta, Michelle Kisloff, & org/iso/home/search.htm?qt=27014& Christopher Pickens, “Data Breaches Hit sort=rel&type=simple&published=on. the Board Room: How to Address Claims 20. Board Briefi ng on IT Governance, IT Against Directors & Offi cers,” Hogan & Governance Institute, 2nd ed., 2014, Lovells, Chronicle of Data Protection, Jan. http://www.isaca.org/restricted/ 23, 2015, http://www.hldataprotection. Documents/26904_Board_Briefing_ com/2015/01/articles/cybersecurity- fi nal.pdf. data-breaches/data-breaches-hit-the- 21. Jody R. Westby & Julia H. Allen, Governing board-room/. for Enterprise Implementation Guide, 15. ISO/IEC 27014 (2013), Governance Carnegie Mellon University, Software of Information Security, “Summary,” Engineering Institute, 2007, http:// http://www.iso.org/iso/home/search. globalcyberrisk.com/wp-content/ htm?qt=27014&sort=rel&type=simple& uploads/2012/08/Governing-for- published=on. Enterprise-Sec-Impl-Guide.pdf.

■ 26 SecurityRoundtable.org Investors’ perspectives on cyber risks: Implications for boards Institutional Shareholder Services Inc. – Patrick McGurn, ISS Special Counsel and Martha Carter, ISS Global Head of Research

Although pundits proclaimed 2014 as the “Year of the Data Breach” and a signifi cant “no” vote at Target’s annual meeting put directors on notice that shareholders want to know about potential risks, few 2015 corporate disclosure documents provide evidence that boards increased transparency with respect to cyber oversight. Despite prodding from top regulators and investors’ calls for greater transparency, companies continue to fall short on disclosure in their key governance disclosure documents of cybersecurity risks and their board’s oversight of them. Equally concerning is the limited information regarding cyber risk oversight provided by boards at a handful of fi rms that were the targets of 2014’s most widely publicized breaches. Boards would benefi t from an understanding of investors’ perspectives and adoption of best practices in disclosure on cyber risks.

■ Target’s breach led to boardroom backlash Target’s high-profi le data breach made headlines worldwide. Despite this, neither Target’s 2014 proxy statement nor the company’s initial annual meeting-related engagement materials discussed in a meaningful way the massive data theft or the board’s responses to it. As part of its research process leading up to the annual meeting, Institutional Shareholder Services (ISS) engaged with members of the Target board to learn more about the directors’ oversight of cyber risks before and after the breach. In the end, ISS opined in its 2014 annual meeting report on Target that the members of the board’s Audit and Corporate Responsibility committees had “failed to provide suffi cient oversight of the risks facing the company that potentially led to the data

27 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

breach.” Accordingly, ISS recommended lack of sharp, downward stock movements votes against the members of those two in the wake of disclosures of hacks or other board oversight panels. ISS acknowledged data breaches (or quick rebounds from such the board’s actions in the wake of the price drops when they occur) with share- breach but found that the committees holders’ apathy over cybersecurity prob- “failed to appropriately implement a risk lems. In a recent Harvard Business Review assessment structure that could have better article (Why Data Breaches Don’t Hurt Stock prepared the company for a data breach.” Prices, March 31, 2015), cybersecurity strate- After investors’ concerns emerged before gist Elena Kvochko and New York Times the meeting, the company engaged in a solic- Chief Technology Offi cer Rajiv Pant dismiss itation effort to defend the board’s response this easy explanation. They argue that muted to the breach. When the votes were tallied, stock price reactions to data breaches refl ect none of the members of Target’s audit and the absence of timely information and qual- governance panels received support from ity tools to price cyber risk: “Shareholders more than 81 percent of the votes cast. Target still don’t have good metrics, tools, and lead director James A. Johnson received the approaches to measure the impact of cyber lowest support—62.9 percent of the votes attacks on businesses and translate that into cast. According to ISS’ Voting Analytics data- a dollar value . . . The long and mid-term base of institutional investors’ voting records, effects of lost intellectual property, disclo- governance professionals at funds connected sure of sensitive data, and loss of customer to nearly half of Target’s top 10 largest inves- confi dence may result in loss of market tors cast votes against one or more of the share, but these effects are diffi cult to quan- company’s directors. tify.” Faced with this information vacuum, In the direct wake of the 2014 data Kvochko and Pant note that “shareholders breach issues and the dearth of proxy- only react to breach news when it has direct related disclosure on those matters, SEC impact on business operations, such as Commissioner Luis A. Aguilar fi red a shot litigation charges (for example, in the case of across the bow of boards that lack disclo- Target) or results in immediate changes to a sure. In a June 10, 2014, speech (“Boards of company’s expected profi tability.” Directors, Corporate Governance and Cyber Indeed, stock prices may not tell the Risks: Sharpening the Focus”) delivered at whole story. Contrary to the conventional a New York Stock Exchange (NYSE)–hosted wisdom, recent survey data show investors cybersecurity conference, Aguilar said, understand the long-term risks stemming “[B]oard oversight of cyber-risk manage- from hacks and they may actually shy ment is critical to ensuring that companies away from investing in companies with are taking adequate steps to prevent, and multiple breaches. A recent survey— prepare for, the harms that can result from conducted by FTI Consulting on behalf of such attacks. There is no substitution for consulting giant KPMG LLP—of more than proper preparation, deliberation, and 130 global institutional investors with an engagement on cybersecurity issues.” estimated $3 trillion under management Noting the wide damage crater caused by found that cyber events may affect inves- cyber events, Aguilar noted that the board- tors’ confi dence in the board and demand room plan should include “whether, and for the affected companies’ shares. how, the cyber-attack will need to be dis- Investors opined that less than half of closed internally and externally (both to boards of the companies that they currently customers and to investors).” invest in have adequate skills to manage rising cyberthreats. They also believe that ■ Shareholders care about breaches 43 percent of board members have “unac- Are shareholders apathetic about data ceptable skills and knowledge to manage breaches? Some media reports equate the innovation and risk in the digital world.”

■ 28 INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS

More ominously for boards, four of fi ve ■ ISS policy respondents indicate a disclosure investor respondents (79 percent) suggest- framework ed that they may blacklist stocks of hacked What level of detail do investors expect to fi rms. As for a remedy, 86 percent of the see about these issues in disclosures regard- surveyed investors told KPMG and FTI ing cyberthreats? In 2014, as part of ISS’ that they want to see increases in the time 2015 policy-formulation process, we asked boards spend on addressing cyber risk. institutional investors to weigh the factors they assess in reviewing boardroom over- ■ Investors raise the bar for disclosure sight of risk, including cyberthreats. A Insights on the gap between investors’ majority of the shareholder respondents expectations and boardroom practices were indicated that the following are all either gleaned from PwC’s juxtaposition of two “very” or “somewhat” important to their surveys that it conducted in the summer of voting decisions on individual directors 2014, one of 863 directors in PwC’s 2014 elections: Annual Corporate Directors Survey, and the other of institutional investors with more role of the company’s relevant risk than $11 trillion in aggregate assets under oversight committee(s) management in PwC’s 2014 Investor Survey. the board’s risk oversight policies and procedures Nearly three quarters (74 percent) of directors’ oversight actions prior to and investors told PwC that they believe subsequent to the incident(s) it is important for directors to discuss changes in senior management. their company’s crisis response plan in the event of a major security breach. Notably, shareholders do not appear to be Only about half of directors (52 percent) looking for scapegoats. Disclosures about reported having such discussions. boardroom oversight action subsequent to Roughly three out of four (74 percent) an incident drew more demand than fi r- investors urged boards to boost cyber ings. An eye-popping 85 percent of the risk disclosures in response to the SEC’s respondents cited such crisis management guidance, but only 38 percent of directors and “lessons learned” disclosures as “very reported discussing the topic. important.” In contrast, only 46 percent of Similarly, 68 percent of investors believe it is the shareholders indicated that changes in important for directors to discuss engaging senior management are “very important” to an outside cybersecurity expert, but only them when it came time to vote on director 42 percent of directors had done so. oversight. Fifty-fi ve percent of investors said it was important for boards to consider ■ 2015 disclosures provide few insights designating a chief information security Despite prodding by the SEC and numerous offi cer, if their companies did not indications from investors, many boards have one in place. Only half as many continue to lack disclosure of cyberthreats directors (26 percent) reported that such in their fl agship documents—the proxy a personnel move had been discussed in statement and the 10-K. Only a handful of the boardroom. the companies that drew widespread cover- Finally, 45 percent of investors believe age of their data breaches during 2014 men- it is important for directors to discuss tion the events in their proxy statements, the National Institute of Standards and many cite materiality concerns to avoid and Technology (NIST)/ Department discussing the data breaches in detail in of Homeland Security cybersecurity their 10-Ks. framework, but only 21 percent of directors In sharp contrast to the absence of infor- reported their boards had done so. mation in Target’s 2014 proxy statement,

29 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

however, another big box retailer provided and management process to the full investors with a window into the board’s Board.” role in cyber risk oversight in its 2015 proxy materials. Home Depot addressed its Next, the Home Depot disclosure provides 2014 data breach, which affected up to some color on the board’s risk oversight 56 million customers who shopped at the policies and procedures: company’s stores between April 2014 and September 2014, with a concise (roughly For a number of years, IT and data secu- 1000-word) explanation of the steps taken rity risks have been included in the risks by the board before and after the company’s reviewed on a quarterly basis by the ERC breach. and the Audit Committee and in the The proxy statement disclosures include a annual report to the Board on risk assess- brief summary of the depth and duration of ment and management. In the last few the breach, an explanation of the board’s years, the Audit Committee and/or the delegation of oversight responsibility to the full Board have also regularly received audit committee, and an outline of remedial detailed reports on IT and data security steps that the board took in response to the matters from senior members of our IT event. and internal audit departments. These Notably, Home Depot’s disclosures gen- reports were given at every quarterly erally align with all the pillars identifi ed by Audit Committee meeting in fi scal 2014, investors in their responses to the ISS policy including an additional half-day Audit survey: Committee session devoted exclusively to First, Home Depot’s board details the these matters that was held prior to the delegation of risk oversight to the audit com- discovery of the Data Breach. The topics mittee and describes the directors’ relation- covered by these reports included risk ship with the company’s internal audit and management strategies, consumer data compliance team: security, the Company’s ongoing risk mitigation activities, and cyber security strat- The Audit Committee . . . has primary egy and governance structure. . . . responsibility for overseeing risks related To further support our IT and data to information technology and data pri- security efforts, in 2013 the Company vacy and security. . . . The Audit enhanced and expanded the Incident Committee stays apprised of signifi cant Response Team (“IRT”) formed several actual and potential risks faced by the years earlier. The IRT is charged with Company in part through review of quar- developing action plans for and respond- terly reports from our Enterprise Risk ing rapidly to data security situations. . . . Council (the “ERC”). The quarterly ERC The IRT provided daily updates to the reports not only identify the risks faced Company’s senior leadership team, who by the Company, but also identify wheth- in turn periodically apprised the Lead er primary oversight of each risk resides Director, the Audit Committee and the with a particular Board committee or the full Board, as necessary. full Board . . . The chair of the ERC, who is also our Vice President of Internal The Home Depot board also highlights its Audit and Corporate Compliance, reports cyber-risk oversight actions prior to the the ERC’s risk analyses to senior manage- incident: ment regularly and attends each Audit Committee meeting. The chair of the ERC Under the Board’s and the Audit also provides a detailed annual report Committee’s leadership and oversight, regarding the Company’s risk assessment the Company had taken signifi cant steps

■ 30 INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS

to address evolving privacy and cyber Privacy Governance Committee, security risks before we became aware of to provide further enterprise-wide the Data Breach: oversight and governance over data security. This committee reports Prior to the Data Breach and in part quarterly to the Audit Committee. in reaction to breaches experienced We are in the process of further by other companies, we augmented augmenting our IT security team, our existing security activities by including by adding an offi cer level launching a multi-work stream effort Chief Information Security Offi cer and to review and further harden our hiring additional associates focused on IT and data security processes and IT and data security. systems. This effort included working We are reviewing and enhancing all extensively with third-party experts of our training relating to privacy and and security fi rms and has been data security, and we intend to provide subsequently modifi ed and enhanced additional annual data security based on our learnings from the Data training for all of our associates before Breach experience. the end of Fiscal 2015. In January 2014, as part of the efforts Our Board, the Audit Committee, and described above, we began a major a special committee of the Board have payment security project to provide received regular updates regarding the enhanced encryption of payment card Data Breach. In addition to the IT data at the point of sale in all of our U.S. and data security initiatives described stores. . . . Upon discovery of the Data above, the Board, supported by Breach, we accelerated completion the work of its Audit and Finance of the project to September 2014, Committees, has reviewed and offering signifi cant new protection for authorized the expenditures associated customers. The new security protection with a series of capital intensive takes raw payment card information projects designed to further harden and scrambles it to make it unreadable our IT security environment against to unauthorized users. . . . evolving data security threats. We are rolling out EMV “chip-and-PIN” technology in our U.S. stores, which ■ Boards would benefi t from engagement adds extra layers of payment card and disclosure protection for customers who use EMV Although the good news is that cybersecu- chip-and-PIN enabled cards. . . . rity has seemingly come to the forefront for many directors, the bad news is that share- Finally, the Home Depot board discusses the holders are not yet getting the transparency boardroom oversight actions taken subse- they need to assess the quality of boardroom quent to the incident including changes in oversight. The signifi cant “no” vote against senior management: the Target board at its 2014 annual meeting, coupled with survey data, show that share- Following discovery of the Data Breach, holders are far from apathetic when it comes in addition to continuing the efforts to assessing cyber risk oversight. described above, the Company and the Board took a number of additional ■ Target’s lessons learned actions: In the wake of its challenging 2014 annual meeting, Target hosted calls or held meet- We formed an internal executive ings with shareholders representing approx- committee, the Data Security and imately 41% of shares voted. The majority of

31 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

these conversations were led by Director responsibilities among the committees, most Anne Mulcahy. In light of this feedback and notably by elevating the risk oversight role with the assistance of a third-party strategy of the corporate risk & responsibility com- and risk management and regulatory committee (formerly known as the corporate pliance consultant, the board “embarked on responsibility committee). a comprehensive review” of risk oversight Examples such as Home Depot and the at the management, board, and committee Target board’s 2015 disclosures provide levels. As a result of this comprehensive more transparency on risk oversight and are review, in January 2015, the Target board a good framework for other boards to follow. “clarifi ed and enhanced” its practices to pro- Boards would be wise to raise their games vide more transparency about how risk by disclosing more details of their board oversight is exercised at the board and com- oversight efforts and engaging with inves- mittee levels. As part of this revamp, the tors when cyber incidents occur, or they may board reallocated and clarifi ed risk oversight run the risk of a loss of investor confi dence.

■ 32 SecurityRoundtable.org Toward cyber risks measurement Elena Kvochko, Author, Towards the Quantifi cation of Cyber Threats report; and Danil Kerimi, Director, Center for Global Industries, World Economic Forum

As most companies in the U.S. already use some form of cloud-based solutions, the digital footprint of enterprises is growing, and so are the risks. Technological solutions have always focused on convenience, transparency, and an ever-increasing ability to share information and collaborate, while built-in security hasn’t been a priority until recently. Now enterprises are shifting away from this model. Growing privacy and security concerns affect customer perception. According to Deloitte, 80% of customers are aware of recent cyber breaches, and 50% of them are ready to switch brands if they feel their information may be compromised. Experian reported that now cyber breaches are as devastating for the reputation of organizations as environmental disasters and poor customer service. Most executives recognize that cyber risks are no longer on the horizon but are an imminent cost of doing business. Companies are actively looking for effective mitigation actions. Recent surveys show that cybersecurity is already part of the agenda of 80% of corporate boards (up from around 30% 4 years ago). Companies are adjusting their enterprise risk management frameworks and including cyber risks and accompanying controls as part of the necessary risk management actions. Traditional controls introduced for in-house infrastructure no longer work, as more and more operations are performed in the cloud. Just as in any healthy ecosystem, these environments present great opportunities for stakeholders to interact with each other and with the content, but they also carry inherent risks. Risk mitigation approaches and technologies lag behind the sophistication of the threat. In fact, our earlier research with the World Economic Forum and McKinsey showed that 90% of executives feel they only

33 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

have “nascent” and “developing” capabili- fi nancial services industry and describes the ties to combat cyberthreats. In this situa- risk appetite and potential losses for a port- tion when cyber breaches have become an folio that an institution will incur over a inevitable reality of doing business, execu- defi ned period of time and is expressed in a tives ask themselves, “What does it mean probability to insure the loss. for my business, how probable is it that a In the cyber value-at-risk, we introduced devastating breach will happen to us, and three major pillars, according to which com- how much could it cost us?” Still, very few panies can model their risk exposure: exist- organizations have developed ways to ing vulnerabilities, value of the assets, and assess their cyber risk exposure and to profi le of an attacker. A complete cyber value- quantify them. at-risk allows us to answer the question: In this chapter, we discuss the cyber “Given a successful cyberattack, a company value-at-risk framework introduced by the will lose not more than X amount of money Partnering for Cyber Resilience initiative of over period of time with 95% accuracy.” The the World Economic Forum and released at application of these models will depend on the Annual Summit in Davos in 2015. More particular industries, companies, and avail- than 50 organizations, including Wipro, able data and should be built for an organi- Deloitte (project advisor), and Aon, have zation. We discussed specifi c indicators that contributed to this effort. The framework can potentially be used to populate the laid the foundations for modeling cyber model. Mathematically, these components risks and encouraged organizations to take can be brought together and used to build a a quantitative approach toward assessing stochastic model. For example, vulnerabili- their cyber risks exposure, which could ties can be measured in the number of exist- also help make appropriate investment ing unpatched vulnerabilities, not up-to- decisions. date software, number of successful compro- We were delighted to see many spin-off mises, or results of internal and external projects and initiatives that were initiated as audits. They can be benchmarked against part of this work and hope they will contrib- the maturity of existing controls and security ute to better risk management tools. Our of networks, applications, data, etc. The research showed that the aggregate impact maturity of defending systems has to be of cybercrime on the global economy can benchmarked against the threat environ- amount to $3 trillion in terms of slow down ment, hence the profi le of an attacker com- in digitization and growth and result in the ponent becomes important. In this model, it slower adoption of innovation. Multiple would be important to look into their moti- other studies showed signifi cant negative vations (e.g., fi nancial gain, destruction of impact of cyber breaches. CSIS established assets, espionage), the tools they are using, that the annual cost of economic espionage and the innovative approaches. Because reaches $445 billion. Target's breach cost the cyber breaches are criminal activity, nontech- company more than $140 million, a large nical factors, such as behavioral motivations, portion of which went to cover litigation are to be considered. The component of the costs. Interestingly, however, Aon research value of assets of many organizations is dif- shows that more than 80% of breaches cost fi cult to establish. This includes tangible the companies less than $1 million. assets, such as fi nancial fl ows, infrastructure, and products, and intangible assets, primarily ■ Value-at-risk data assets (customer and employee data, How can companies defi ne their risk expo- business strategies, intellectual property), sure and the level of investments, as well as brand, reputation, and trust of stakeholders. priority areas for these investments? To Although cost of business interruption can answer this question, we turned to the value- be qualifi ed easier, the impact on intangible at-risk concept. The concept goes back to the assets is still subject to approximation. The

■ 34 TOWARD CYBER RISKS MEASUREMENT

impact of losing these assets can be unno- breach probability distribution”); hacker ticed in the short term but may hurt long- model (mapping out motivations of adver- term profi tability and market leadership of saries in relation to the organization); attack an organization. model (attack types and characteristics); The cyber value-at-risk model has a num- asset and loss model (potential loss given a ber of limitations, including availability of successful attack); security model (describ- data, diffi culties in calculating probabilities, ing organizations’ security posture), and and applicability across various industries, company model (modeling organizations’ but it presents a fi rst step and incentives for attractiveness as a target). Cyberpoint’s organizations to move toward quantitative Cy-var models looks at “time-dependent risk management. By publishing the model, valuation of assets” while taking into we aimed to encourage more industry stake- account an organization’s security posture holders to develop comprehensive quantita- and includes variables such as the values of tive approaches to cyber risks measurement intellectual property assets, IT security con- and management. For further examples and trols in place to protect those assets and information, please refer to Wipro’s use of other related risks, infrastructure risks, a cyber value-at-risk for its clients, Deloitte’s time horizon, and a probability of an attack. continuous development cyber value-at- At the same time, all stakeholders came to risk, Rod Becktom’s cybervar model, and agreement that quantifying risks is a chal- CXOWare’s Cyber Risk application model. lenging task. In a workshop organized togeth- The Institute of Risk Management (IRM) er with Deloitte, the World Economic Forum announced that it will release a cyber risk Partnering for Cyber Resilience members quantifi cation framework to help companies defi ned the attributes of an ideal model of assess their cyber risks exposure. The call to cyber risks quantifi cation: applicability across action from the Partnering for Cyber various industries; ease of interpretation by Resilience effort was that to develop a uni- experts and executives alike; association with fi ed framework that can be used by indus- real data and measurable security events; tries to reduce uncertainty around cyber risks scalability across organizations or even implications on businesses in the absence of across the industry; at the same, not relying dominant models and frameworks. Aon has on data that are currently absent within most defi ned important ways in which quantifi ca- organizations. tion of cyberthreats can lead to better busi- Although the cyber value-at-risk frame- ness decisions. First, as the conversation has work doesn’t specify how to calculate the shifted from technology and information fi nal number, it presents core components security departments to boardrooms, the and gives examples of how these compo- question of costs and risks becomes ever nents can be quantifi ed. This complete more prevalent. It helps show the scale and model, however, could be characterized by the impact that cyberthreats can have on general applicability across various indus- fi nancial targets and overall competitiveness tries. For it to be effective, it has to be vali- of organizations; helps defi ne and narrow dated by the industry stakeholders. Cyber down the investments required to mitigate value-at-risk aimed to bring together “tech- those threats; makes it easy to paint compel- nical, behavioral and economic factors from ling pictures, build scenarios, and make busi- both internal (enterprise) and external (sys- ness cases; and helps make a determination temic) perspectives.” As a next step, it would whether any parts of the risk can be trans- be important to understand dependencies ferred. Deloitte has put together a compre- between various components in the frame- hensive model for modular approach to work and ways to incorporate these models cyber risk measurement introducing the into existing enterprise risk frameworks. It is following components: probability model important to remember that organizations (“attractiveness and resilience determine should be wary of new emerging risks and

35 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

consider cyber risks in addition to broader their attackers and threats. The most signifi - technology or operational risks. cant challenge so far is the absence of input Overall, the goal was to help raise aware- variables, quality of existing datasets and, ness of cyber risks as a standing and regular following these, no standardized measures cost of doing business and help fi nd a way to assess cyber risk exposures. Building such to measure and mitigate those risks. This a model would require efforts in data classi- can be done through standardization of fi cation, encourage a strong organization various risk factors and indicators into a leadership, process improvement and col- normal distribution. laboration, as well improve decision making The components that we looked at in this across various business areas. For example, chapter help bring together various risk fac- the car industry, mortgage industry, or most tors via “measures of risk likelihood and insurances have agreed on a standardized impact.” To achieve a more granular level of metrics and data collection; the same should sophistication, quantifi cation and standardi- happen for cyber risks measurement. zation metrics must mature. Some of the Understanding dependencies between these main cited obstacles are availability of data variables and what they mean for various to build models, lack of standardized met- industries should be a subject for cross- rics and tools, lack of visibility within enter- industry collaboration so that input varia- prise, and inability to collect data and bles are unifi ed. The main benefi ts of this dubbed models internally. The variables and approach are seen in the ability to support components of the model can be brought decision-making processes, quantify the together into a stochastic model, which will damage at a more granular level, and defi ne show the maximum loss given a certain appropriate investments. This would help probability over a given period of time. It stimulate the development of risk transfer was discussed that close to real-time sharing markets and emergence of secondary risk of data between organizations could address transfer products to mitigate and distribute some of the main challenges of datasets' the risks. For organizations, the focus will availability and provide enough data to shift from an attacker to assets and how to build models. secure them in such a distributed digital Although a silver bullet to achieve cyber ecosystem, where everything is vulnerable. resilience doesn’t exist, organizations con- As more robust quantitative cyber risks sider comprehensive frameworks for quanti- models emerge and the industries are mov- fying and mitigating risk factors, including ing toward a standardized recognizable cyber risks. Following this model, compa- model, the confi dence of digital ecosystems nies will assess their assets and existing stakeholders and their ability to make effec- controls, quantify vulnerabilities, and know tive decisions will also rise.

Based on Towards the Quantifi cation of Cyber Threats report.

■ 36 SecurityRoundtable.org The evolving cyberthreat and an architecture for addressing it Internet Security Alliance – Larry Clinton, CEO

According to the Pentagon’s 2015 Annual Report, “The military’s computer networks can be compromised by low to meddling skilled attacks. Military systems do not have a suffi ciently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” If the cyber systems of the world’s most sophisticated and best funded armed forces can be compromised by “low to meddling skilled attacks,” how safe can we expect discount retailers, movie studios, or any other corporate or public systems to be? That is not even the bad news.

■ Things are getting much worse: Three reasons 1. The system is getting weaker. The bad news is that the cyber systems that have become the underpinning of virtually all of aspects of life in the digital age are becoming increasing less secure. There are multiple reasons for this distressing trend. First, the system is getting technologically weaker. Virtually no one writes code or develops “apps” from scratch. We are still relying on many of the core protocols designed in the 1970s and 80s. These protocols were designed to be “open,” not secure. Now the attacking community is going back through these core elements of the Internet and discovering still new vulnerabilities. So as new func- tionalities come online, their own vulnerabilities are simply added to the existing and expanding vulnerabilities they are built upon. The reality is that the fabric of the Internet is riddled with holes, and as we continue to stretch that fabric, it is becoming increasingly less secure. Additionally, vulnerabilities in many open source codes, widely in use for years, are becoming increasingly apparent and being exploited by modern “zero-day”

37 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

attacks, and the patching system we have new access points to large amounts of data relied on to remediate the system can’t keep resulting from the explosion in the number of pace. Huge vulnerabilities such as mobile devices vastly increases the challeng- Heartbleed and Shellshock have existed es to securing cyberspace. within open source code for years only to However, the rise in use of mobile devices be revealed recently when scrutinized by pales in comparison to the coming Internet fresh eyes. of Things (IoT). The IoT, embedded comput- Within hours of the Heartbleed vulnerabil- ing devices with Internet connections, ity becoming public in 2014, there was a surge embraces a wide range of devices, including of attackers stepping up to exploit it. The home security systems, cars, smart TVs, and attackers exploiting the vulnerability were security cameras. Like the bring-your-own- much faster than the vendors could patch it. device (BYOD) phenomenon, the coming of This is a growing trend. In 2014 it took the IoT further undermines the overall secu- 204 days, 22 days, and 52 days to patch the top rity of the system by dramatically increasing three zero-day vulnerabilities. In 2013 it took the vectors, making every new employee’s only four days for patches to arrive. Even internet-connected device, upon upgrade, a more disturbing is that the top fi ve zero-day potential threat vector. attacks in 2014 were actively used for a combined 295 days before patches were available. 2. The bad guys are getting better. Moreover, because almost no one builds Just after the turn of the century, the NSA from scratch anymore, the rate of adoption coined a new term, the “APT,” which stood for open source programming as a core com- for the advanced persistent threat. The APT ponent of new software greatly exceeds the referred to ultrasophisticated cyberattack vetting process for many applications. As methods being practiced by advanced the code gets altered into new apps, the risks nation-state actors. These attacks were char- continue to multiply. In 2015 Symantec esti- acterized by their targeted nature, often mates there are now more than a million focused on specifi c people instead of malicious apps in existence. In fast-moving, networks, their continued and evolving early stage industry, developers have a nature, and their clever social engineering strong incentive to offer new functionality tactics. These were not “hackers” and “script and features, but data protection and priva- kiddies.” These were pros for whom cyberat- cy policies tend to be a lesser priority. tacks were their day job. The risks created by the core of the system They were also characterized by their becoming intrinsically weaker is being fur- ability to compromise virtually any target ther magnifi ed by the explosion of access they selected. APTs routinely compromised points to the system, many with little or no all anti-virus intrusion detection and best security built into their development. Some practices. They made perimeter defense analysts are already asserting that there are obsolete. more mobile devices than there are people Now these same attack methods, once on the earth. If that is not yet literally true, it practiced only by sophisticated nation-states, will shortly be. are widely in use by common criminals. It is now common for individuals to have Whereas a few years ago these attacks were multiple mobile devices and use them inter- confi ned to nations and the Defense Industrial changeably for work and leisure often with- Complex, they now permeate virtually all out substantial security settings. Although economic sectors. this certainly poses a risk of data being stolen The APT now stands for the average persis- directly from smartphones, the greater content threat. cern is that mobile devices are increasingly The increasing professionalism and conduits to the cloud, which holds increasing sophistication of the attack community is amounts of valuable data. The number of fueled by the enormous profi ts cyberattacks

■ 38 THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT

are generating—routinely estimated in the corporate growth, innovation, and profi ta- hundreds of billions of dollars and growing. bility also undermine cybersecurity. It is now apparent that attackers are not Technologies such as VOIP or cloud com- going to rely on reusing the same old meth- puting bring tremendous cost effi ciencies but ods. Instead, like any smart, successful, and dramatically complicate security. Effi cient, growing enterprise, they are investing in even necessary, business practices such as the R&D and personnel acquisition. They are use of long supply chains and BYOD are also seeking to grow their business, including economically attractive but extremely prob- fi nding new vulnerabilities in older infra- lematic from a security perspective. structures and thus widening the surface Corporate boards are faced with the available for attack. conundrum of needing to use technology to grow and maintain their enterprises without 3. The economics of cybersecurity favor the attackers. risking the corporate crown jewels or hard- Cyberattacks are relatively cheap and easy to won public faith in the bargain. In addition, access. Virtually anyone can do an Internet the fears and potential losses from cyber search and fi nd vendors to purchase attack events tend to be speculative and future ori- methods for a comparatively small invest- ented, whereas most corporate leaders (as ment. The attacker’s business plans are well as the citizen investors who have their expansive with extremely generous profi t 401(k)s tied up in the stock market) tend to margins. Multiple reports suggest hundreds make their decisions with an eye toward the of billions of dollars in criminal cyber reve- next quarter or two. nue each year. They can use virtually identical attack methods against multiple targets. The national security equation The vast interconnection of the system Finally, from the national security perspec- allows attackers to exploit weaker links who tive, Internet economics are also complicated. have permitted access to more attractive This economic puzzle is important to solve targets, and their “market” is accessible to because multiple independent studies indi- them worldwide. cate that the number one problem with Meanwhile, cyber defense tends to be securing critical infrastructure from cyberat- almost inherently a generation behind the tack is economic. As the 2014 National attackers, as anticipating the method and Infrastructure Protection Plan makes clear, point of attack is extremely diffi cult. From a the public and private sectors have aligned, business investment perspective it is hard but not identical, perspective on cybersecu- to show return on investment (ROI) to rity based on their differing, and legally attacks that are prevented, making ade- mandated, roles and obligations. quate funding a challenge. Moreover, law The private sector is legally required to enforcement is almost nonexistent—we invest to maximize shareholder value. successfully prosecute less than 2% of cyber Although shareholder value is enhanced to criminals, so there is little to discourage the some degree by security investment, gener- attackers from being bold. Furthermore, as ally security is considered a cost center in we have already illustrated, notwithstand- the corporate world. As with most corporate ing consumers tend to prefer utility and investments, security is a mater of cost ben- function over security, which provides a efi t for the private sector. What this trans- disincentive for investors to enhance devic- lates to is that the private sector may legiti- es with added security, which often slows mately judge that there is a level of security or limits utility. that goes beyond their commercial interest This little-understood imbalance of the and hence their legally mandated obligation economic incentives is exacerbated by the to their shareholders. An example is the fact that many of the technologies and busi- common case of pilfering in many retail ness practices that have recently driven stores, wherein the owner may be aware

39 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

that 5% of his inventory is “walking out the the Department of Homeland Security back door” every month. The reason he (DHS) be given authority to set minimum doesn’t hire more guards or put up more standards for cybersecurity over the private cameras or other security measures is that sector. Subsequently two bills were offered the cost benefi t presumably suggests it will in the Senate, one by the Chairman of the cost him 6% to do so, and hence the better Senate Commerce Committee, Senator Jay business decision is to tolerate this level of Rockefeller (D-WV) with Senator Olympia insecurity. Snow (R-ME) and separately by Senate Government doesn’t have that luxury. Homeland Security Chairman Joe Lieberman The government is charged with providing (D-CN) and Senator Susan Collins (R-ME). for the common defense. Surely, they have Both bills largely followed the Obama para- economic considerations with respect to digm of DHS setting regulatory mandates security; however, they are also mandated to for the private sector with substantial penal- a higher level of security largely irrespective ties available for noncompliance. of cost to provide for national security, con- Despite strong backing from the Senate sumer protection, privacy, and other non- Majority Leader Harry Reid and much of the economic considerations. military establishment, the bills could not In the Internet space, government and get out of committee. Even though Reid industry are using the same networks. This exercised his parliamentary power to control means the two users of the systems have dif- the Senate agenda, there was not enough fering security requirements—both legiti- support to even get the bills to the fl oor for mate and backed by lawful authority. consideration, let alone vote on it. Moreover, requiring greater cybersecurity There was certainly industry opposition to spending, beyond commercial interest as these bills, but what killed them was the suggested by some, could run afoul of other bipartisan realization that the traditional reg- government interests such as promoting ulatory model was an ill fi t for cybersecurity. innovation, competitiveness, and job growth Government agencies’ ability to craft regula- in a world economy (presumably not follow- tions that could keep up with cyberthreats ing U.S.-based requirements). was highly questionable. Early efforts to Finally, the presumption that requiring apply traditional regulation to cyberspace, increased security spending by commercial such as HIPAA in the health-care industry, entities up to the government risk tolerance had not generated success. Indeed health is in the corporate self-interest is complicat- care is widely considered one of the least ed by the data that have emerged after cyber secure of all critical infrastructures. highly publicized cyber breaches. One year However, with cyber systems becoming after the Target breach, which would pre- increasingly ubiquitous and insecure threat- sumably damage the company’s image prof- ening economic development and national itability and reputation, Target’s stock price security, there was obvious need for an was up 22%, suggesting such predictions affi rmative and effective approach. The non- were incorrect. Similarly, 6 months after the regulatory, collaborative model selected high-profi le cyberattacks on Sony (the sec- largely followed the “social contract” para- ond high-profi le cyberattack for Sony in a digm previously promoted by industry gov- few years), Sony’s stock price was up 26%. ernment analysts.

■ Some good news: Enlightened policy working The social contract approach in partnership In 2013 President Obama reversed course Traditional regulatory efforts fail 180 degrees. In an executive order on In 2012 President Obama offered a legisla- cybersecurity the president abandoned the tive proposal to Congress suggesting that government-centric regulatory approach

■ 40 THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT

embodied in his previous legislative pro- telephone service at affordable rates, govern- posals and the Senate bills. Instead, he sug- ment would guarantee the investment pri- gested a public private partnership—a vate industry would make in building and social contract—that would address the providing the service. This agreement technical as well as economic issues that are ensured enough funds to build, maintain, precluding the development of a cyber sys- and upgrade the system plus make a reason- tem that can become sustainably secure. In able rate of return on the investment. Thus this new partnership, industry and govern- were born the privately owned public utili- ment would work together to identify a ties and the rate of return regulation system. framework of standards and practices wor- The result was that the U.S. quickly built thy of industry based on cyber risk assess- out the electric and communications systems ments conducted by the companies. The for the expanding nation, which were gener- president ordered that the framework be ally considered the best in the world. Some voluntary, prioritized, and cost effective. If have argued this decision was foundational there were an economic gap between what to the U.S.'s rapid expansion and develop- ought to be done and what would be ment, which turned it from a relatively accomplished through normal market minor power in the early part of the twenti- mechanisms, a set of market incentives eth century to the world’s dominant super- would be developed to promote voluntary power less than a generation later. adoption of the framework. Although Although the Obama social contract industry that operates under regulatory approach to cybersecurity has different systems would remain subject to regulatory terms than that of previous infrastructure authority, no new regulatory authority for development, the paradigm is similar. cybersecurity would be part of the system. Similar modifi cations of the incentive model Instead, a partnership system based on vol- are also in use in other areas of the economy, untary use of consensus standards and such as environment, agriculture, and trans- practices and reinforced through market portation, but this is the fi rst application in incentives would be built. the cybersecurity fi eld. The cyber social contract model has sub- Although it is in its formative stages, at stantial precedent in the history of infra- this point early indications for the social con- structure development in the United States. tract approach are positive. The cybersecuri- In the early twentieth century the innovative ty framework development process conduct- technologies were telephony and electricity ed by the National Institute of Standards and transport. Initially the private companies Technology (NIST) has been completed and that provided these technologies, because of received virtually unanimous praise. In an natural economies, served primarily high- exceedingly rare development, the Obama density and affl uent markets. Policy makers approach to cybersecurity closely tracks with of the era quickly realized that there was a that outlined by the House Republican Task broader social good that would be served by Force on Cyber Security. Bipartisan bills having universal service of these services using liability incentives, instead of govern- but also realized that building out that infra- ment mandates, are moving through structure would be costly and uneconomic Congress, and additional incentive programs either for industry or government. are under development. Instead of government taking over the process or mandating that industry make ■ Conclusion uneconomic investment, the policy makers The cybersecurity problem is extremely designed a modern social contract with serious and becoming more so. An inher- industry. If industry would build out the ently insecure system is becoming weaker. networks and provide universal electric and The attack community is becoming more

41 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

sophisticated and enjoys massive economic seems to have developed a consensus strat- incentives over the defender community. egy to better leverage public and private Traditional government methods to fi ght resources to combat cyberthreats without criminal activity have not matured to excessively compromising other critical address the threat and may be inappropri- social needs. Although there are some ini- ate to meet the dynamic nature of this tial signs of progress, the road to creating a uniquely twenty-fi rst century problem. sustainably secure cyber system will be Fortunately, at least the U.S. government long and diffi cult.

■ 42 SecurityRoundtable.org Effective cyber risk management: An integrated approach Former CIO of the U.S. Department of Energy – Robert F. Brese

In its 2015 Data Breach Report, Verizon found that in 60% of the nearly 80,000 security incidents reviewed, including more than 2,000 confi rmed data breaches, cyber attackers were able to compromise an organization within minutes. Alarmingly, only about one third of the compromises were discovered within days of their occurrence. This is not good news for C-suites and boardrooms. Data breaches, compromises in which data loss is unknown, denial of service attacks, destructive malware, and other types of cybersecurity incidents can lead to lost revenue, reputation damage, and even lawsuits, as well as short- and long-term liabilities affecting a company’s future. Although “getting hacked” may seem, or even be, inevitable, the good news is that by taking an integrated approach to risk management, cybersecurity risk can be effectively managed. But who is responsible for this integrated approach, and what does it include? Although often the case, managing cybersecurity risk should not be left solely to the chief information offi cer (CIO) and chief information security offi cer (CISO). Even though these professionals are capable, only an integrated information (i.e., data), information technology, and business approach will enable a company to effectively manage cybersecurity risk as a component of an organization’s overarching enterprise risk program. There is also a movement for board-level involvement and reporting, resulting in a risk to board members’ tenure if they are not considered to be suffi - ciently engaged in the oversight of cybersecurity risk management and incident response. As an example, in 2014, Institutional Shareholders Services (ISS) recommended that shareholders of Target stock vote against all seven of the directors that were on the board at the time of the highly publicized 2013 breach. Although somewhat shocking, it should be inherently obvious that effective

43 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

cybersecurity risk management is key to collaboration. They also predict that the digi- meeting the fi duciary responsibilities of cor- tal industrial economy, and the Internet of porate offi cers and the board. Things (IoT), will result in even greater diffi - To ensure success, managing cybersecu- culty. However, attempting to scale cyberse- rity risk must be an ongoing and iterative curity risk management in isolation from an process, not a one-time, infrequent, or check- organization’s enterprise risk program only the-box activity. This area of risk manage- exposes the organization to greater risk by ment must grow with the company and creating a gap in risk oversight. change with ever-evolving cyber threats. Nearly every company has established Data holdings and information technology processes to manage enterprise risk. Larger (IT) systems, and the Internet-connected companies often have a chief risk offi cer environment in which they operate, change (CRO) or equivalent individual who is inde- at a pace that is more rapid than many of the pendent of the business units and is given other variables affecting enterprise risk. Not the authority and responsibility to manage only must the right stakeholders be engaged the enterprise risk processes. Incorporating at the right levels within an organization, cybersecurity into the mix of corporately but also the right automated tools and managed risks should be a priority. Some processes must be in place to support risk may argue that cybersecurity is too different decision making and monitoring. from the other risks a company faces, such as market risk, credit risk, currency risk, or ■ Perfect security is a myth physical security risk, to be managed in a As in physical security, there is no such thing similar manner. However, although cyberse- as perfect IT (cyber) security. All the fi re- curity may seem more “technical,” the walls, encryption, passwords, and patches desired outcome of the treatment is the available cannot create a zone of absolute same, that is to eliminate, mitigate, transfer, safety that enables a company to operate or accept risk affecting the company’s future. unimpeded and free of concern regarding One thing is certain: not all cybersecurity the cybersecurity threat. However, perfect risk can be eliminated through controls or security is not required, or even desired. The transferred through insurance, so residual effects of too little security are fairly obvious. risk must accepted. Making good decisions However, too much security unnecessarily requires an integrated, formal approach. constricts the business’ ability to operate by reducing the effectiveness and effi ciency of a ■ The cybersecurity risk management process customer’s access to the company’s products There are several key steps that should be and services and unnecessarily constraining taken to effectively integrate cybersecurity internal and business-to-business (B2B) risk management into the company’s enter- interactions. Effective risk management prise risk management process. This chapter fi nds the balance between the needs of the doesn’t attempt to explain the details of any business to operate and the needs and cost of particular process but instead focuses on com- security. In fi nding this balance, the company mon attributes that should be used, including will be able to compete successfully in its risk framing and assessment, controls assess- market while protecting the critical informa- ment, risk decision-making, residual risk sign- tion and assets on which its success relies. off, risk monitoring, and accountability. Figure 1 provides a visual of the process. For addi- ■ Enterprise risk management tional details on approaches to cybersecurity Gartner, Inc., the world’s leading IT research risk management, the National Institute of and advisory company, has found that cyber- Standards and Technology (NIST) Computer security risk management programs have Security Resource Center (CSRC), interna- experienced trouble in scaling with corporate tional standards organizations, and other initiatives in mobility, cloud, big data, and industry sources may be consulted.

■ 44 EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

FIGURE

The cybersecurity risk management process

Accountability

Risk Risk Controls Residual Risk Framing & Decision Assessment Risk Sign-off Monitoring Assessment Making

Risk Framing and Assessment: The ini- a company has to avoid, mitigate, share, tial activities in risk management include transfer, or accept risk. This means that cor- risk framing and assessment and controls porate structure, training and awareness assessment. CIOs and CISOs have been programs, physical security, and other assessing the risk to IT systems for many options should be considered in addition to years and are well informed on the range of traditional IT controls. Cyber insurance may cybersecurity threats and vulnerabilities also be considered. Again, the CIO and that affect corporate risk. However, the con- CISO cannot do this alone, and there should sequences (i.e., business impact) may or be active engagement across all the various may not be well understood, depending on business lines, business support, and IT how close the relationship between IT and organizations that can contribute to identi- the line of business leaders has been in the fying potential controls and the impact they past. The engagement between IT and the may have on cybersecurity risk. line of business owners is crucial and must Risk Decision Making: A crucial element result in clarity about the type and amount of risk response is the decision-making proof risk the business is willing to accept with cess. Decisions are made regarding what will respect to the be done and what will not be done in response to each risk. A balance must be confi dentiality (preventing unauthorized struck between protecting systems and disclosure); information and the need to effectively run the business that relies on them. Other fac- integrity (preventing unauthorized modifi ca- tors that should be considered include the tion or destruction); and amount of risk reduction related to implementation and maintenance costs and the availability (ensuring data and systems are impacts on employee training and certifi ca- operational when needed) tion requirements. An acceptable course of action is identi- of the information and systems on which fi ed and agreed to by the business, and then the business relies. Once IT understands the controls are implemented and initially eval- business owner’s risk threshold, the CIO uated for effectiveness. If the controls per- and CISO can begin planning, implement- form acceptably, then the sign-off and moni- ing, and assessing the appropriate security toring processes can begin. If not, then a controls. new course of action must be developed, Controls Assessment: Preparing an which may require further controls assess- appropriate response to risk requires the ment to respond to the risk or even addi- assessment of potential controls. Controls tional framing and assessment to adjust the include all of the tools, tactics, and processes risk tolerance.

45 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

Residual Risk Sign-Off: The sign-off of treatment plan and/or the accepted level of residual risk closes the decision-making pro- residual risk may require revision. If so, the cess. This should be the role of the business previous process steps should be revisited. because it is the operational customer of the The frequency of review should be in rela- risk management process. Additionally, this tion to the likelihood and severity of the risk. should be a formal, documented activity. Because most companies have a large num- The decisions on how each risk will be ber of systems, each with their own risk treated and/or accepted must be articulated register, an automated system is typically in a manner such that the signatory and used to aid monitoring and review. reviewers (i.e., regulators, etc.) can clearly Accountability: Last and most important, understand the risk treatment plan and the we have to consider accountability. residual risk being accepted. Once the resid- Accountability is not about who to blame ual risk is formally accepted, the system is when something goes wrong. As stated earli- typically placed into operation. The formal er, the likelihood of something going wrong is recognition of the residual risk also helps high. Accountability ensures a formal risk build a culture of risk awareness in the busi- management process is followed and that ness units. effective decision-making is occurring. One Risk Monitoring: Monitoring risk is an person should be accountable for the risk ongoing process. Each monitoring activity is management process; however, numerous designed with a purpose, type, and frequen- individuals will be cy of monitoring. Typically, a risk register responsible or has been developed during the risk framing accountable for A responsibility assign- ment matrix (RAM), also and assessment phase and leveraged the various steps, known as RACI matrix/ throughout all steps of the risk management and many more 'reisi:/ or ARCI matrix process. The register also serves as a refer- will be consulted or linear responsibility ence for auditors. The register should con- and informed chart (LRC), describes tain the risks that matter most and be rou- along the way. the participation by var- tinely updated and reviewed with the busi- One option to ious roles in completing ness over time. If the likelihood or severity ensure roles and tasks or deliverables for of consequences changes, or if other physical responsibilities are a project or business or IT environmental factors change, the clearly articulated process.

TABLE

Process Step CIO CISO LOB CRO CEO Board Risk Framing and AR C CCC Assessment

Controls Assessment AR C I II

Risk Decision-Making CR A CII

Residual Risk Sign-Off CR A I II

Risk Monitoring AR C C II

Accountability RC C ACC

■ 46 EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH

is by using a RACI matrix (see insert) to iden- conduct user acceptance testing or experi- tify which person or organization is responsi- ence surveys as well. ble, accountable, consulted, or informed. Table 1 provides an example but should be adjusted ■ Evaluating maturity of an organization’s to align to the enterprise risk management cybersecurity risk management program and governance processes of the company. Cybersecurity risk management programs aren’t born effective and are not immedi- ■ Information supporting cybersecurity risk ately prepared to scale with the business. management Equally important as making effective risk No risk management is a precise science, management decisions and accepting resid- including cybersecurity risk management. ual risk is the continuous evaluation of the Throughout the risk management process, process itself. Numerous IT, cybersecurity, the information required for success has to be and business consultants, as well as trade “good enough” to recognize and understand associations have published guidance, risks to the level necessary to support effec- checklists, and suggested questions for tive decision-making. Although complex board members. Although there are many mathematical models may work to manage ways for the C-suite and board to stay some risks the company faces, forcibly creat- engaged, a company’s cybersecurity risk ing objectivity when little or none exists can management program must continuously actually result in poor or ineffective decisions mature to ensure future success. To under- by creating a focus on the numbers rather stand a program’s growing maturity, ques- than on the meaning of the risk analysis. So, tions should be focused on evaluating using big bucket approach categories such as improvements in how well risk is under- low, moderate, and high or unlikely, likely, stood and treated, the effectiveness of busi- and very likely may be adequate. ness leader and general employee participation, how responsive the risk management ■ Stakeholder engagement process is to change, and the capability to A key success factor of ensuring that fi duci- effectively respond to an incident. ary responsibilities are fulfi lled in a compa- How consistent is the understanding of ny’s cybersecurity risk management pro- the company’s tolerance for cybersecurity gram is the right level of stakeholder engage- risk across the C-suite and senior managers? ment. Leaving the program to the CRO or How deep in the organization does this the CIO alone should not be considered due understanding go? diligence. Framing and assessing risk How well do line of business owners requires a clear understanding of corporate understand the cybersecurity risks associat- risk tolerance. The line of business lead ed with their business? Are sound and effec- should have the responsibility to sign off on tive risk management and acceptance deci- the residual risk, but to make good risk decisions being made in a timely manner to meet sions, the perspectives of other individuals business needs? and organizations in the company must be How clearly are roles and responsibilities consulted and taken into consideration. understood, and how well do role owners Depending on the system(s) for which risk is adhere to and fulfi ll their responsibilities? being evaluated, some potential stakehold- Do employees report cybersecurity issues ers include the CIO, CISO, chief fi nancial and are they incorporated into the risk mon- offi cer (CFO), legal counsel, and other line of itoring process? business owners and external partners with When threats, vulnerabilities, or other con- supporting or dependent relationships. If ditions change, does the risk management there is signifi cant potential to affect the cus- process respond and, when necessary, make tomer experience, there may be a need to sustainable changes to the risk treatment plan?

47 ■ INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

How effective is the cyber incident decision-making as well as lead to coopera- response plan? Is it regularly exercised and tive approaches to mitigating risk. are lessons learned from exercises and prior Cybersecurity risks also exist in the supply incidents leveraged to improve the plan? chain, and communicating cybersecurity requirements and vetting suppliers for cer- ■ Effective communications tain critical components or services can effec- Long-term effectiveness in cybersecurity risk tively reduce risk. Had Target, Home Depot, management requires all employees to fulfi ll and certain other high-profi le cyberattack their responsibilities of the security of the victims built stronger cybersecurity relation- organization for which they work. Creating ships with external partners, their risk of a company culture of cybersecurity risk becoming a victim may have been reduced. awareness is critical and is fostered through effective communications. Leadership must ■ Conclusion understand how risk is being measured C-suites and boards should not fear cyberse- across the enterprise, articulate what level is curity. By integrating cybersecurity risk man- acceptable, and balance the cost they are will- agement into the enterprise risk management ing incur for this level of security. Employees process and by effectively engaging IT and must understand the basics of the various business executives, cybersecurity risk can be cybersecurity threats and vulnerabilities and understood and managed. Building a risk- the importance of their daily decisions and aware culture is important to ensuring the actions as they go about their business. quality of the ongoing risk monitoring pro- Regular training and awareness activities are cess. When cyberthreats and vulnerabilities essential and can be similar to the “see some- are regularly evaluated, employees are thing, say something” campaigns related to empowered to report issues and business physical security. Additionally, employees executives are aware of potential impacts to must be empowered and rewarded for iden- their operations, the company’s cybersecuri- tifying cybersecurity issues. ty defenses become more agile and respon- Communications are also important to sive and the overall risk remains under con- build strong relationships, not only through trol. Finally, continuous evaluation of the risk customer assurances but also with external management process, including its effective- partners and suppliers. Communicating ness and responsiveness to change and to cybersecurity requirements and expecta- incidents, is necessary to ensure effectiveness tions to business partners can improve risk is sustained.

■ 48 SecurityRoundtable.org Cyber risk and the board of directors

Electronic version of this guide and additional content available at: SecurityRoundtable.org

The risks to boards of directors and board member obligations Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner

As cyberattacks and data breaches continue to accelerate in number and frequency, boards of directors are focusing increasingly on the oversight and management of corporate cybersecurity risks. Directors are not the only ones. An array of federal and state enforcement agencies and regulators, most notably the Department of Justice (DOJ), Department of Homeland Security (DHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state Attorneys General, among others, identify board involvement in enterprise-wide cybersecurity risk management as a crucial factor in companies’ ability to appropriately establish priorities, facilitate adequate resource allocation, and effectively respond to cyberthreats and incidents. As SEC Commissioner Luis A. Aguilar recently noted, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”1 Indeed, even apart from the regulators, aggressive plaintiffs’ lawyers, and activist shareholders are similarly demanding that boards be held accountable for cybersecurity. Shareholder derivative actions and activist investor campaigns to oust directors are becoming the norm in high-profi le security breaches. Directors have clearly gotten the message. A survey by the NYSE Governance Services (in partnership with a leading cybersecurity fi rm) found that cybersecurity is discussed at 80% of all board meetings. However, the same survey revealed that only 34% of boards are confi dent about their respective companies’ ability to defend themselves against a cyberattack. More troubling, a June 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.2 This is a diffi cult position to be in: aware of the magnitude of the risks at hand but struggling

51 ■ CYBER RISK AND THE BOARD OF DIRECTORS

to understand and fi nd solutions to address action or inaction. To maximize their per- and mitigate them. sonal protection, directors must ensure that, In this chapter, we explore the legal obli- if the unthinkable happens and their corpo- gations of boards of directors, the risks that ration falls victim to a cybersecurity disaster, boards face in the current cybersecurity they have already taken the steps necessary landscape, and strategies that boards may to preserve this critical defense to personal consider in mitigating that risk to strengthen liability. the corporation and their standing as dutiful In the realm of cybersecurity, the board of directors. directors has “risk oversight” responsibility: the board does not itself manage cybersecurity I. Obligations of Board Members risks; instead, the board oversees the corporate systems that ensure that management is The term “cybersecurity” generally refers to doing so effectively. Generally, directors will the technical, physical, administrative, and be protected by the business judgment rule organizational safeguards that a corporation and will not be liable for a failure of oversight implements to protect, among other things, unless there is a “sustained or systemic fail- “personal information,”3 trade secrets and ure of the board to exercise oversight—such other intellectual property, the network and as an utter failure to attempt to assure a rea- associated assets, or as applicable, “critical sonable information and reporting system infrastructure.”4 This defi nition alone should exists.” This is known as the Caremark test,5 leave no doubt that a board of directors’ role and there are two recognized ways to fall in protecting the corporation’s “crown jew- short: fi rst, the directors intentionally and els” is essential to maximizing the interests of entirely fail to put any reporting and control the corporation’s shareholders. system in place; or second, if there is a report- Generally, directors owe their corporation ing and control system, the directors refuse to fi duciary duties of good faith, care, and loy- monitor it or fail to act on warnings they alty, as well as a duty to avoid corporate receive from the system. waste.3 The specifi c contours of these duties The risk that directors will face personal are controlled by the laws of the state in liability is especially high where the board which the company is incorporated, but the has not engaged in any oversight of their basic principles apply broadly across most corporations’ cybersecurity risk. This is a jurisdictions (with Delaware corporations rare case, but other risks are more prevalent. law often leading the way). More specifi cal- For example, a director may fail to exercise ly, directors are obligated to discharge their due care if he or she makes a decision to duties in good faith, with the care an ordi- discontinue funding an IT security project narily prudent person would exercise in the without getting any briefi ng about current conduct of his or her own business under cyberthreats the corporation is facing, or similar circumstances, and in a manner that worse, after being advised that termination the director reasonably believes to be in the of the project may expose the company to best interests of the corporation. To encour- serious threats. If an entirely uninformed or age individuals to serve as directors and to reckless decision to de-fund renders the cor- free corporate decision making from judicial poration vulnerable to known or anticipated second-guessing, courts apply the “business risks that lead to a breach, the members of judgment rule.” In short, courts presume the board of directors could be individually that directors have acted in good faith and liable for breaching their Caremark duties. with reasonable care after obtaining all material information, unless proved otherwise; a II. The Personal Liability Risk to Directors powerful presumption that is diffi cult for plaintiffs to overcome, and has led to dis- Boards of directors face increasing litigation missal of many legal challenges to board risk in connection with their responsibilities

■ 52 THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS

for cybersecurity oversight, particularly in by failing to act in the face of a reasonably the form of shareholder derivative litigation, known cybersecurity threat. Recent cases where shareholders sue for breaches of have included allegations that directors: directors’ fi duciary duties to the corporation. The rise in shareholder derivative suits coin- failed to implement and monitor an cides with a 2013 Supreme Court decision effective cybersecurity program; limiting the viability of class actions that fail failed to protect company assets and to allege a nonspeculative theory of con- business by recklessly disregarding sumer injury resulting from identity theft.6 cyberattack risks and ignoring red fl ags; Because of a lack of success in consumer failed to implement and maintain class actions, plaintiffs’ lawyers have been internal controls to protect customers’ pivoting to shareholder derivative litigation or employees’ personal or fi nancial as another opportunity to profi t from mas- information; sive data breaches. failed to take reasonable steps to timely In the last fi ve years, plaintiffs’ lawyers notify individuals that the company’s have initiated shareholder derivative litiga- information security system had been tion against the directors of four corpora- breached; tions that suffered prominent data breaches: caused or allowed the company to Target Corporation, Wyndham Worldwide disseminate materially false and Corporation, TJX Companies, Inc., and misleading statements to shareholders (in Heartland Payment Systems, Inc. Target, some instances, in company fi lings). Heartland, and TJX each were the victims of signifi cant cyberattacks that resulted in the Board members may not be protected from theft of approximately 110, 130, and 45 million liability by the exculpation clauses in their credit cards, respectively. The Wyndham corporate charters. Although virtually all matter, on the other hand, involved the theft corporate charters exculpate board mem- of only approximately 600,000 customer bers from personal liability to the fullest records; however, unlike the other three extent of the law, Delaware law, for exam- companies, it was Wyndham’s third data ple, prohibits exculpation for breaches of breach in approximately 24 months that got the duty of loyalty, or breaches of the duty the company and its directors in hot water. of good faith involving “intentional mis- The signs point to Home Depot, Inc., being conduct” or “knowing violations of law.” next in line. A Home Depot shareholder As a result, because the Delaware Supreme recently brought suit in Delaware seeking to Court has characterized a Caremark viola- inspect certain corporate books and records. tion as a breach of the duty of loyalty,7 A “books and records demand” is a common exculpation of directors for Caremark predicate for a shareholder derivative action, breaches may be prohibited. In addition, and this particular shareholder has already with the myriad of federal and state laws indicated that the purpose of her request is that touch on privacy and security, directors to determine whether Home Depot’s man- may also lose their immunity based on agement breached fi duciary duties by failing “knowing violations of law.” Given the to adequately secure payment information nature of shareholder allegations in deriva- on its data systems, allegedly leading to the tive litigation, these are important consid- exposure of up to 56 million customers’ pay- erations, and importantly, vary depending ment card information. on the state of incorporation. Although there is some variation in the Directors should also be mindful of stand- derivative claims brought to date, most have ard securities fraud claims that can be focused on two allegations: that the directors brought against companies in the wake of a breached their fi duciary duties by making a data breach. Securities laws generally pro- decision that was ill-advised or negligent, or hibit public companies from making material

53 ■ CYBER RISK AND THE BOARD OF DIRECTORS

statements of fact that are false or mislead- III. Protecting Boards of Directors ing. As companies are being asked more and more questions about data collection and From a litigation perspective, boards of protection practices, directors (and offi cers) directors can best protect themselves from should be careful about statements that are shareholder derivative claims accusing them made regarding the company’s cybersecurity of breaching their fi duciary duties by dili- posture and should focus on tailoring cyber- gently overseeing the company’s cybersecu- security-related risk disclosures in SEC fi l- rity program and thereby laying the founda- ings to address the specifi c threats that the tion for invoking the business judgment company faces. rule. Business judgment rule protection is Cybersecurity disclosures are of keen strengthened by ensuring that board mem- interest to the SEC, among others. Very bers receive periodic briefi ngs on cybersecu- recently, the SEC warned companies to use rity risk and have access to cyber experts care in making disclosures about data secu- whose expertise and experience the board rity and breaches and has launched inquiries members can rely on in making decisions to examine companies’ practices in these about what to do (or not to do) to address areas. The SEC also has begun to demand cybersecurity risks. Most importantly, direc- that directors (and boards) take a more tors cannot recklessly ignore the information active role in cybersecurity risk oversight. they receive, but must ensure that manage- Litigation is not the only risk that direc- ment is acting reasonably in response to tors face. Activist shareholders—who are reported information the board receives also customers/clients of corporations— about risks and vulnerabilities. and proxy advisors are challenging the re- Operationally, a board can exercise its election of directors when they perceive that oversight in a number of ways, including by the board did not do enough to protect the (a) devoting board meeting time to presenta- corporation from a cyberattack. The most tions from management responsible for prominent example took place in connection cybersecurity and discussions on the subject, with Target’s data breach. In May 2014, just to help the board become better acquainted weeks after Target released its CEO, with the company’s cybersecurity posture Institutional Shareholder Services (ISS), a and risk landscape; (b) directing manage- leading proxy advisory fi rm, urged Target ment to implement a cybersecurity plan that shareholders to seek ouster of seven of incentivizes management to comply and Target’s ten directors for “not doing enough holds it accountable for violations or non- to ensure Target’s systems were fortifi ed compliance; (c) monitoring the effectiveness against security threats” and for “failure to of such plan through internal and/or exter- provide suffi cient risk oversight” over nal controls; and (d) allocating adequate cybersecurity. resources to address and remediate identi- Thoughtful, well-planned director fi ed risks. Boards should invest effort in involvement in cybersecurity oversight, as these actions, on a repeated and consistent explained below, is a critical part of a com- basis, and make sure that these actions are prehensive program, including indemnifi ca- clearly documented in board and committee tion and insurance, to protect directors packets, minutes, and reports. against personal liability for breaches. (a) Awareness. Boards should consider Moreover, it can also assist in creating a com- appointing a chief information security pelling narrative that is important in brand offi cer (CISO), or similar offi cer, and and reputation management (as well as liti- meet regularly with that individual gation defense) that the corporation acted and other experts to understand the responsibly and reasonably (or even more company’s risk landscape, threat so) in the face of cybersecurity threats. actors, and strategies to address

■ 54 THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER OBLIGATIONS

that risk. Appointing a CISO has an details of any cybersecurity risk additional benefi t. Reports suggest that management plan should differ from companies that have a dedicated CISO company to company, the CISO and detected more security incidents and management should prepare a plan reported lower average fi nancial losses that includes proactive cybersecurity per incident.8 assessments of the company’s network Boards should also task a committee and systems, builds employee or subcommittee with responsibility awareness of cybersecurity risk and for cybersecurity oversight, and devote requires periodic training, manages time to getting updates and reports engagements with third parties that on cybersecurity from the CISO on are granted access to the company’s a periodic basis. As with audit network and information, builds an committees and accountants, boards incident response plan, and conducts can improve oversight by recruiting simulations or “tabletop” exercises to a board member with aptitude for practice and refi ne that plan. The board the technical issues that cybersecurity should further consider incentivizing presents, and placing that individual on the CISO and management for company the committee/subcommittee tasked compliance with cybersecurity policies with responsibility for cybersecurity and procedures (e.g., bonus allocations oversight. Cybersecurity presentations, for meeting certain benchmarks) and however, need not be overly technical. create mechanisms for holding them Management should use established responsible for noncompliance. analytical risk frameworks, such as the (c) Monitor compliance. With an National Institute for Standards and enterprise-wide cybersecurity risk Technology “Framework for Improving management plan fi rmly in place, Critical Infrastructure Cybersecurity,” boards of directors should direct (usually referred to as the “NIST that management create internal and Cybersecurity Framework”) to assess external controls to ensure compliance and measure the corporation’s current and adherence to that plan. Similar cybersecurity posture. These kinds to internal fi nancial controls, boards of frameworks are critical tools that should direct management to test and have an important role in bridging certify compliance with cybersecurity the communication and expertise gaps policies and procedures. For example, between directors and information assuming that management establishes security professionals and can also a policy that software patches be help translate cybersecurity program installed within 30 days of release, maturity into metrics and relative management would conduct a patch relationship models that directors are audit, confi rm that all patches have accustomed to using to make informed been implemented, and have the decisions about risk. It is principally CISO certify the results. Alternatively, through their use that directors can boards can also retain independent become sufficiently informed to cybersecurity fi rms that could be exercise good business judgment. engaged by the board to conduct an (b) Plan implementation and audit, or validate compliance with enforcement. Boards should require that cybersecurity policies and procedures, management implement an enterprise- just as they would validate fi nancial wide cybersecurity risk management results in a fi nancial audit. plan and align management’s incentives (d) Adequate resource allocation. With to meet those goals. Although the information in hand about what the

55 ■ CYBER RISK AND THE BOARD OF DIRECTORS

company’s cybersecurity risks are, other government-issued identifi cation; and an analysis of its current posture, (c) fi nancial or credit/debit account boards should allocate adequate number plus any security code necessary resources to address those risks so that to access the account; or (d) health or management is appropriately armed medical information. and funded to protect the company. 4. Critical infrastructure refers to systems, assets, or services that are so critical As criminals continue to escalate the cyber- that a cyberattack could cause serious war, boards of directors will increasingly fi nd harm to our way of life. Presidential themselves on the frontlines of regulatory, Policy Directive 21 (PPD-21) identifi es class plaintiff, and shareholder scrutiny. the following 16 critical infrastructure Directors are well-advised to proactively ful- sectors: chemicals, commercial facilities, fi ll their risk oversight functions by driving communications, critical manufacturing, senior management toward a well-developed dams, defense industrial base, emergency and resilient cybersecurity program. In so services, energy, fi nancial services, food doing, board members will not only better and agriculture, government facilities, protect themselves against claims that they healthcare and public health, information failed to discharge their fi duciary duties, but technology, nuclear, transportation, waste, will strengthen their respective organizations’ and wastewater. See Critical Infrastructure ability to detect, respond, and recover from Sectors, Department of Homeland cybersecurity crises. Security, available at http://www.dhs. gov/critical-infrastructure-sector. Endnotes 5. For Delaware corporations, directors’ 1. SEC Commissioner Luis A. Aguilar, compliance with their oversight function Remarks at the N.Y. Stock Exchange, is analyzed under the test set out in In re Boards of Directors, Corporate Governance Caremark Int’l, Inc. Derivative Litig., 698 A.2d and Cyber-Risks: Sharpening the Focus 959 (Del. Ch. 1996). (June 10, 2014). 6. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 2. Press Release, Nat’l Assoc. of Corp. 1138 (2013). Consistent with Clapper, most Dir., Only 11% of Corporate Directors data breach consumer class actions have Say Boards Have High Level of Cyber- been dismissed for lack of “standing”: Risk Understanding (June 22, 2015) the requirement that a plaintiff has https://www.nacdonline.org/AboutUs/ suffered a cognizable injury as a result PressRelease.cfm?ItemNumber=15879. of the defendant’s conduct. That has 3. Personal information is defi ned under a proven challenging for plaintiffs because variety of federal and state laws, as well consumers are generally indemnifi ed as industry guidelines, but is generally by banks against fraudulent charges on understood to refer to data that may be stolen credit cards, and many courts have used to identify a person. For example, rejected generalized claims of injury in the state breach notifi cation laws in the U.S. form of emotional distress or exposure to defi ne personal information, in general, heighted risk of ID theft or fraud. as including fi rst name (or fi rst initial) 7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). and last name, in combination with 8. Ponemon Inst., 2015 Cost of Data Breach any of the following: (a) social security Study: Global Analysis (May 2015), http:// number; (b) driver’s license number or www-03.ibm.com/security/data-breach/.

■ 56 SecurityRoundtable.org Where cybersecurity meets corporate securities: The SEC’s push to regulate public companies’ cyber defenses and disclosures Fish & Richardson P.C. – Gus P. Coldebella, Principal and Caroline K. Simons, Associate

The risks associated with cyberattacks are a large and growing concern for American companies, no matter the size or the industry. If a company is publicly traded, however, there’s a signifi cant additional impetus for executives’ cyber focus: the ever-increasing attention the U.S. Securities and Exchange Commission (SEC) pays to cybersecurity issues. The SEC, as one of the newest government players in the cybersecurity space, is fl exing its regulatory muscles—including by mandating and scruti- nizing cybersecurity risk disclosures, prodding companies to disclose additional information, and launching investigations after a breach comes to light. This chapter explores the SEC’s expanding role as cyber regulator and the growing nexus between cybersecurity and corporate securities. It gives companies a primer on the background and sources of the SEC’s cyber authority, discusses tricky disclosure and securities regulation-related issues, and provides a potential framework for companies to think about whether, how, and when they should publicly disclose cybersecurity risks, and— when the inevitable happens—cyberattacks.

■ The SEC’s authority to regulate cybersecurity Generally, a company’s duty to disclose material information under U.S. securities laws arises only when a statute or SEC rule requires it, and currently, no existing laws or rules explicitly refer to disclosure of cyber risks or incidents. Even so, the SEC has made it clear that it will use authorities already on the books to promote cybersecurity in public companies. During the SEC’s March 2014 “Cybersecurity Roundtable,” Chairman Mary Jo White said that, although the SEC’s “formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information, it is

57 ■ CYBER RISK AND THE BOARD OF DIRECTORS

incumbent on every government agency to ■ Contours of the SEC’s staff guidance be informed on the full range of cybersecu- Taking its cues from Regulation S-K, the rity risks and actively engage to combat Guidance details the key places where cyber- those risks in our respective spheres of security disclosures may appear in a com- responsibility.” In other words—formal pany’s 10-Ks and 10-Qs. The main focuses jurisdiction notwithstanding—the SEC are as follows: will use every tool it has to combat cyber risks. Risk factors. The company’s risk factors To divine the SEC’s position on cyberse- are the central place for cyber disclosure. curity, companies and experienced counsel If cybersecurity is among the most may look to a patchwork of non-binding staff signifi cant factors making investment guidance, SEC offi cials’ speeches, and espe- in the company risky, the risk factor cially staff comment letters on companies’ disclosure should take into account public fi lings. Given that cyber disclosures “all available relevant information” from can have an effect on corporate reputations past attacks, the probability of future and stock price, give would-be attackers attacks occurring, the magnitude of information about vulnerabilities, and trig- the risks—including third-party risk, ger shareholder and other litigation and and the risk of undetected attacks— government investigations, companies and the costs of those risks coming anguish over exactly when, what, and how to pass, including the potential costs much to disclose. To answer these questions, and consequences resulting from it is crucial to understand the background misappropriation of IP assets, corruption and contours of existing requirements and of data, or operational disruption. The the SEC’s expectations. risk factor should also describe relevant insurance coverage. ■ History and background of the SEC’s MD&A. If the costs or other consequences cybersecurity oversight of a cyberattack represent a material In May 2011, Senator Jay Rockefeller sent a trend, demand, or uncertainty “that is letter to then-SEC Chairman Mary Schapiro reasonably likely to have a material effect urging the SEC to “develop and publish on the registrant’s results of operations, interpretive guidance clarifying existing liquidity, or fi nancial condition or would disclosure requirements pertaining to infor- cause reported fi nancial information mation security risk.” Rockefeller, frustrated not to be necessarily indicative of future with Congress’s inability to pass cybersecu- operating results or fi nancial condition,” rity legislation, identifi ed the SEC’s control the company should address cybersecurity over corporate public disclosure as a vehicle risks and cyber incidents in its to promote security in the absence of legisla- Management’s Discussion and Analysis tion. Five months after the Rockefeller letter, of Financial Condition and Results of in October 2011, the Division of Corporation Operations (MD&A). Finance (the “Division”) issued CF Disclosure Description of business. If one or more Guidance: Topic No. 2 (the “Guidance”). Even cyber incidents materially affected the though it’s not an SEC rule itself, the company’s products, services, customer Guidance announced the Division’s view or supplier relationships, or competitive that—”although no existing disclosure conditions, the Guidance suggests requirement explicitly refers to cybersecurity disclosure in the “Description of Business” risks and cyber incidents”—existing SEC section. rules, such as Regulation S-K, “may impose” Legal proceedings. If any litigation arose as obligations to disclose cybersecurity and cyber a result of a cyber incident, the Guidance events in a company’s periodic reporting. suggests disclosure if material.

■ 58 WHERE CYBERSECURITY MEETS CORPORATE SECURITIES

Financial statements. If signifi cant costs staff comments have consistently urged are associated with cyber preparedness companies to disclose past data breaches or remediation, they should appear in the that are not material, even in the face of company’s fi nancial statements. companies’ well-reasoned positions to the contrary. For instance, Amazon resisted ■ SEC post-guidance practice disclosing a past cyberattack at its subsidi- Of course, guidance is just guidance unless ary Zappos because it said the entire the SEC, through its actions, gives it teeth. Zappos operation was not material to And the SEC has. Under Sarbanes-Oxley, Amazon’s consolidated revenues. SEC the Division reviews every public compa- staff pushed Amazon to disclose it any- ny’s reports at least once every three years, way, to place the risk factor “in appropri- and the Division has focused intensely ate context.” A version of this comment on cyber disclosures since the Guidance— appears in letter after letter. By fi rst man- especially risk factor disclosures. dating cybersecurity risk factors via the Responding to a follow-up letter from Guidance, and then urging even non- Senator Rockefeller requesting that material incidents to be included in those the SEC enshrine the Guidance as a formal risk factors for “context,” the staff appears SEC rule, Schapiro’s successor Mary Jo to be pushing for disclosure of past cyber White took pains to stress that active staff events notwithstanding materiality. review of cybersecurity—using existing Trend 2: Staff will research cyber incidents— disclosure rules—was an SEC priority. and ask about them. Division staff is inde- In her May 1, 2013 letter, White revealed pendently monitoring breaches and com- that the Division had already issued paring them with company disclosures. approximately 50 cyber-related comment When a breach has been reported by a letters. And many more have been sent company or in the press, but there is no since then. Google, Amazon, AIG, Quest concomitant disclosure in the company’s Diagnostics, and Citigroup are just some of fi lings—especially where the company has the scores of public companies that already acknowledged susceptibility to received letters from staff urging enhanced attack as a risk factor—the staff will likely disclosures of their cyber risks. The lessons notice. Citigroup discovered this when the we can learn from those exchanges are staff referred to press reports about a 2011 detailed below. breach that supposedly affected 360,000 credit card accounts and asked why no ■ Tips for preparing 10-K and 10-Q cyber 10-Q disclosure was made. The staff’s disclosures practice is to ask for analysis supporting According to a recent survey by Willis, the conclusion that no further disclosure is 87% of Fortune 500 companies claim to necessary, including a discussion of mate- have complied with the Guidance. The riality from a fi nancial and reputational SEC’s “enforcement” of it through com- risk standpoint. Moreover, when a compa- ment letters has given it the muscle and ny discloses that a particular kind of imprimatur of a rule. Certain noteworthy potential breach may be material, the trends that emerge from these letters staff’s comment letter almost always asks follow: the company to disclose whether that kind Trend 1: Staff pushes for all cyber incidents of breach has already occurred—and if it to be disclosed—material or not. Materiality has, to disclose it, material or not (see is the touchstone of disclosure. Even so, Trend 1). Taken together, these trends sug- and even though the Guidance calls for gest that the SEC may be using its author- disclosure of “cyber incidents... that are ity to make up for the lack of a federal individually, or in the aggregate, material,” breach notifi cation law.

59 ■ CYBER RISK AND THE BOARD OF DIRECTORS

Trend 3: Staff is interested not only in the enumerated material corporate events, such disclosure, but the pre-disclosure process. As as termination of executive offi cers or chang- Chairman White has stated, even with the es in auditors, must be reported on a “current absence of a direct law or regulation directly basis” on Form 8-K. However, no currently- compelling companies to adopt strict existing securities law or rule expressly cybersecurity measure, the SEC is exercis- requires cyberattacks—material or other- ing its power to indirectly prod companies wise—to be reported on Form 8-K. Generally, to analyze and strengthen their cybersecu- reporting cyber events is entirely voluntary. rity programs through issuing disclosure Companies that do so use Form 8-K’s Item guidance and bringing investigations, 8.01, “Other Events,” which is used to volun- enforcement actions, and litigation against tarily report events that the company consid- companies that fall short. In this way the ers to be of importance to investors. Public SEC has taken on a larger mission than companies must navigate issues such as simply requiring disclosure—it is using its materiality, selective disclosure, trading, and existing authorities to steer companies to effect on stock price, all in an environment engage in a deep, searching process to where disclosure of a cyber event is almost evaluate cyber risk. Whether or not you sure to draw a lawsuit, a government investi- think the SEC is the appropriate regulator gation, or other unwanted scrutiny. No one- of this area, such a searching analysis is size-fi ts-all answer exists—it is almost always important to securing a company’s digital a judgment call. In this section, we detail assets. Management should engage in and some of the questions and analysis that com- document its analysis of the effects of cyber panies should consider regarding whether to incidents on the company’s operations, disclose an attack on Form 8-K, and if so, with special attention to probability of when. One way to think about these ques- various types of attacks and their potential tions is outlined in the decision tree on the cost, from a quantitative and qualitative next page (Figure 1). standpoint. It should do so not just to Why consider disclosure if you don’t have weather the storm of a possible SEC inquiry, to? Even if no rule mandates disclosure, but because such an analysis brings neces- companies and experienced counsel know sary executive-level oversight to a crucial that there are frequently upsides to disclo- area of enterprise risk. sure—especially in a world where securi- Trend 4: Third-party risk is on the staff’s mind. ties litigation, derivative suits, and enforce- Staff is encouraging companies to look ment actions are lurking. Instead of pro- beyond their four walls to the cyber risk voking shareholder litigation, might an posed by the use of vendors. Staff will ask announcement ward it off? Can an 8-K whether the company’s vendors have experi- eliminate a plaintiff’s or regulator’s argu- enced cyberattacks, and request assessment— ment that an insider traded on the basis on and disclosure—if a breach at a third-party material non-public information? The chart vendor could have a material effect on the on the next page (Table 1) lays out some of company. The SEC likely believes that if the possible advantages—along with the public companies are required to disclose more well-known disadvantages—that com- risks in their supply chain in addition to their panies should consider. own, third-party cybersecurity will improve Is the cyberattack material? The determina- as a result. tion of whether a cyber event is material is not clear-cut. First, the Supreme Court has ■ In the heat of battle: 8-K disclosure rejected a bright-line, quantitative rule for questions during an attack materiality—instead reaffi rming Basic v. Of course, 10-Ks and 10-Qs are not the only Levinson’s formulation that any nonpublic reports public companies produce—certain information that signifi cantly alters the total

■ 60 WHERE CYBERSECURITY MEETS CORPORATE SECURITIES

FIGURE

Fish & Richardson 8-k Disclosure Decision Tree

Is it material? Yes Yes Maybe not No Is there a separate ? No ? ? obligation to disclose Yes Really Are you sure (state PII laws, trading rules)? Yes Will you disclose No Not sure anyway via website, Will insiders trade Yes to third parties, etc.? Yes No while in possession of No this information? Is discovery of the breach (by the gov't or public) Does it make prior Yes No likely or inevitable? statement misleading? No Does the cost and No Yes Yes Is there a potential consequence of the breach Regulation FD issue? substantially affect you or your ﬁnancial outlook? Yes Will the disclosure itself No harm the company?

Not sure LEAN AGAINST Yes Will it compromise 8-K DISCLOSURE security? No Yes Will it trigger securities or other litigation LEAN TOWARD or investigations? No 8-K DISCLOSURE

TABLE

Pros Cons 1. May eliminate potential class 1. If incident is truly not material and plaintiffs’ argument that was not going to be discovered, information was not known could needlessly cause reputational to the market or was not harm and draw litigation and other adequately disclosed, cutting unwanted scrutiny off potential securities claims 2. May be seen as concession that to the date of the 8-K incident was material (although 2. May counter allegations that companies frequently disavow insiders were trading on materiality in 8-K), and even if not basis of material nonpublic material, may make incident seem Fish & Richardson information about the breach bigger than it is

8-K Pros and Cons Matrix (so long as insider trades happen after 8-K issued)

Continued

61 ■ CYBER RISK AND THE BOARD OF DIRECTORS

TABLE

Pros Cons 3. Can eliminate a potential Reg 3. May trigger stock price drop—and if FD selective disclosure issue if so, likely to draw shareholder litigation company has to reveal incident claiming that pre-8-K disclosures were to employees, third parties, materially misleading others 4. Even if no stock price drop, may 4. Quick, full disclosure may stave draw other types of litigation and off regulatory scrutiny (but see regulatory scrutiny “Cons”) 5. Could draw other hackers to test 5. Allows company to own the company’s defenses Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson Fish & Richardson message, rather than giving control of the message to 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix 8-K Pros and Cons Matrix someone else

mix of information available to shareholders operations affected by a cyberattack, and the could well be material. Second, even when statements were inaccurate or misleading the scope of an attack has come into focus, when made, the company has an obligation the effects of cyberthefts are frequently hard to correct the statements—even if it only to quantify. Although it is relatively easy for learned of the inaccuracy afterwards. Failure a company to decide to announce a breach of to comply with this “duty to correct” can pro- customer personal information (because the vide plaintiffs’ lawyers with fodder for breach will likely have to be disclosed under a suit alleging that purchasers or sellers relied state law and because remediation costs may on the inaccurate statement to their detri- be signifi cant), what should a company do ment. Moreover, even if the company’s for- about, for example, theft of trade secrets, ward-looking statements were accurate when such as source code for a big-selling software made, some courts have found a “duty to product? Without more (such as the thieves’ update” when circumstances change (such as development and marketing of a competing when an attack happens), and the forward- product), such a theft may not have a mate- looking statement becomes inaccurate. rial effect on the company’s fi nancial state- Do you have another legal obligation to dis- ments. Adding to the diffi cult nature of this close? Other disclosure requirements may be inquiry: companies must be aware that an at play, such as any state notifi cation laws that initial determination that the event is not require companies to inform affected individ- material—if the event later becomes public— uals if their personally identifi able informa- is likely to be critically reexamined with tion (PII) was stolen during an attack. If the 20/20 hindsight, months or years after the company is listed on an exchange such as event, by shareholders, plaintiffs’ lawyers, NYSE or NASDAQ, the trading markets regulators, and the press. So careful analysis themselves may also have rules requiring and documentation of the company’s deter- timely notifi cation of material events. Frankly, mination are important. it is easier for a company to decide to announce Is there a duty to correct or to update? If the a data breach on Form 8-K—and to accrue the company made public statements about its benefi ts to fi ling an 8-K—if it is going to dis- information systems or other aspects of its close for another reason, or already has.

■ 62 WHERE CYBERSECURITY MEETS CORPORATE SECURITIES

Are you going to disclose anyway? Is the window for insiders. Even after the inci- incident likely to become widely known? Absent dent’s details are known, if the company is a mandatory disclosure requirement, a leaning against declaring the incident company may still have reasons to disclose material, the question is whether to dis- the attack to stakeholders. There may be close the incident—material or not—on contractual obligations to customers or Form 8-K, so no later allegation of insider other third parties to communicate about trading can stick. (Of course, if the incident breaches involving their information. Even is material, no trading by insiders should without a contractual obligation, a breach occur until information about the incident may affect a company’s vendors, suppliers, is made public.) or partners, and the company may choose When to disclose? The decision to disclose to disclose the incident to them. A sound is only half of the 8-K equation—another operating assumption is that once the com- question is, when? Target took two months pany discloses an incident to even a single after the world knew of its massive data third party, it is likely to become widely breach to issue an 8-K; Morningstar, which known. Thus, the company should have releases an 8-K regularly on the fi rst Friday a coordinated, unifi ed disclosure strategy of every month, disclosed its 2012 breach a to ensure that all interested parties are little more than one month after becoming informed in a consistent manner, and very aware of it. Some companies, such as health close in time. Companies can use affi rma- insurer Anthem, choose instead to wait tive disclosure to mitigate any reputational until the next periodic report. A challenge harm or embarrassment that could arise facing a victim company is to balance the from having the narrative created on your benefi ts of prompt disclosure against the behalf by the media, security researchers, potential downsides. Because a disclosure hackivists, or worse. should be accurate and not misleading Any such disclosure raises potential issues when made, a company should grasp the under the SEC’s Regulation Fair Disclosure, scope of the cyber incident before disclos- or Reg FD. Reg FD prohibits companies from ing. In a typical breach, however, it is rare selectively disclosing material non-public for an entity to be able to immediately information to analysts, institutional inves- assess the attack’s scope—investigations tors, and certain others without concurrently take time. Therefore, a factor to consider in making widespread public disclosure. Many deciding when to disclose is the pace and companies that communicate with third progress of the post-breach investigation, parties—as did J.P. Morgan after its October which will allow the company to under- 2014 breach—will issue a Form 8-K to make stand the extent of the attack. A company sure their communications do not violate confronts an unenviable disclosure dilem- Reg FD. It is worth considering whether dis- ma: disclose based on the state of the world closures on a company’s website, or other- as you know it right now, and later be wise to customers, vendors, or other parties, accused of not telling the whole story? Or trigger a Reg FD requirement. disclose when you have a better grasp of What to do about trading? Another reason what actually happened, but face accusa- that the materiality determination is a tions of allowing earlier (and potentially tricky one is that insiders in possession of rosier) cybersecurity disclosures to persist material nonpublic information may not uncorrected? Generally, companies should trade while in possession of that informa- resist falling into the immediate disclosure tion. If there is even a chance that the cyber trap, because in our experience a cyber incident may be material, an early call that incident looks very different at the end of a public company general counsel must the fi rst week than it does at the end of the make is whether to close the trading fi rst day. Furthermore, the company will

63 ■ CYBER RISK AND THE BOARD OF DIRECTORS

not want to have to correct itself after mak- revealed that the SEC was among the gov- ing its cyber disclosure—it will want to get ernment agencies investigating the 2013 it right the fi rst time. data breach, including “how it occurred, its consequences, and our responses.” ■ SEC cybersecurity enforcement With the growing threat of cyberattacks The SEC has not yet brought an enforce- and mounting pressure from Congress and ment action against a public company the public, future regulatory and enforce- related to its cybersecurity disclosures. It ment actions are almost assured. Companies has, however, opened investigations look- should be prepared for additional scrutiny, ing not only into whether companies ade- review their existing disclosures in light of quately prepared for and responded to the Guidance and the SEC’s stated priori- cyber incidents but also as to the suffi ciency ties, and apply these principles to the pub- of their disclosures relating to the breaches. lic disclosure and related questions that Target’s February 2014 Form 8-K fi ling will arise post-breach.

■ 64 SecurityRoundtable.org A cybersecurity action plan for corporate boards Internet Security Alliance, NACD – Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD

With the majority of cyber networks in the hands of the private sector, and the threats to these systems apparent and growing, organizations need to create an effective method to govern and manage the cyber threat. This responsibility ultimately falls to the corporate board of directors. In fact, the word cyber is derived from the same Greek word, kybernan, from which the word govern also derives.

■ How is cyber risk different from other corporate risks? Although corporate boards have a long history of managing risks, the digital age may create some unique challenges. To begin with, the nature of corporate asset value has changed signifi cantly in the last 20 years. Eighty percent of the value of Fortune 500 companies now consists of intellectual property (IP) and other intangibles. With this rapidly expanding “digitalization” of assets comes a corresponding digitalization of corporate risk. However, many of the traditional assumptions and understandings about physical security don’t apply to securing digital assets. First, unlike many corporate risks, such as natural disasters, cybersecurity risks are the product of conscious and often better-resourced attackers, including nation states and state affi liates. This means that the attack methods, like the technology, will change constantly, responding to defensive techniques and often in a highly strategic fashion. This characteristic of cyberattacks means that the risk management system must be a dynamic 24/7/365 fl exible process—a full team sport— requiring participation from all corners of the organization rather than being the primary responsibility of any one particular entity. Second, with many traditional human-based corporate risks, such as criminal activity, companies can plug into a

65 ■ CYBER RISK AND THE BOARD OF DIRECTORS

well-defi ned legal superstructure including However, many digital technologies and enforcement power, which can greatly assist business processes that drive business econ- the organization in defending itself. omies come with major cybersecurity risks, Unfortunately, in the cyber world this sys- which as discussed elsewhere (see Chapter 6), tem is dramatically underdeveloped. In can put the corporation at a long-term cata- addition to the major problem of many strophic risk. attackers actually receiving state support, This means that cyber risk must be con- the international criminal legal system has sidered not as an addendum to a business not evolved to the point where there is any- process or asset, but as a central feature of thing close to the cooperation and coordina- the business process. In the modern world, tion generally available in the physical cybersecurity is as central to business world. As a result, current estimates are that decisions as legal and financial considera- law enforcement is able to apprehend and tions. Thus, a board’s consideration of convict less than 2% of cyber criminals. fundamental business decisions such as Third, corporate cybersecurity is not con- mergers, acquisitions, new product devel- fi ned to traditional corporate boundaries. opment, partnerships, and marketing Whereas in the physical world a particularly must include cybersecurity. conscientious organization might be able defend itself by having an especially strong ■ Are corporate boards concerned about security perimeter, the cyber world is essen- cybersecurity? tially borderless. A fundamental characteristic Although some critics have assumed that the of cyber systems is that they are interconnect- publicity from high-profi le corporate breaches ed with other, independent systems. For is prima facie evidence of corporate inatten- example, the highly publicized breach of tion to cybersecurity, the evidence does not Target was accomplished by exploiting vul- support that proposition. nerabilities in Target’s air conditioner vendor. Corporate spending on cybersecurity has In another well-publicized case, a well- doubled over the past few years and now defended energy installation was compro- totals more than $100 billion a year. By com- mised by malware placed on the online menu parison, the total annual budget for the U.S. of a Chinese restaurant popular with employ- Department of Homeland Security is only ees who used it to order lunch. This means about $60 billion—including TSA and that a board must consider not only their immigration—with only $1 billion for cyber- “own” security but that of all the entities with security. Total U.S. government spending on whom they interconnect, including vendors, cybersecurity is generally estimated to be customers, partners, and affi liates. near $16 billion. Moreover, recent surveys Fourth, unlike many physical risks, in indicate cybersecurity now tops the list of which the security effort is to create a perim- issues corporate boards must face—replacing eter around an asset, so many modern corpo- leadership succession, and two thirds of rate assets are in fact digital. Cyber risk board members are seeking even more time must be considered as an integral part of the and attention paid to cybersecurity. business process. A good deal of modern Although the data seems to show conclu- corporate growth, innovation, and profi ta- sively that corporate boards are aware of bility is inherently tied to digital technology. and becoming ever more interested in cyber- Rare is the entity that has by now not built security, the novelty and complexity of the the benefi ts of digitalization into their busi- issue has led to a fair amount of uncertainty ness plan in many different ways, including as to how to approach it. online marketing, remote business produc- One recent survey found that despite the tion, employee use of personal mobile “spotlight on cyber security getting bright- devices, cloud computing, big data, out- er” that nearly half of directors had not dis- sourced process, and off-site employment. cussed the company’s crisis response plan

■ 66 A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS

in the event of a breach, 67% had not dis- free, even as a goal. The goal is to keep your cussed the company’s cyber insurance cov- system healthy enough so that you can fi ght erage, nearly 60% had not discussed engag- off the germs that will inevitably attack it. ing an outside cybersecurity expert, more When you do get sick, as we all eventually than 60% had not discussed risk disclosures do, you detect and understand the infection in response to SEC guidance, and slightly promptly and accurately and get access to more than 20% had discussed the National the appropriate expertise and treatment so Institute of Standards and Technology that you can return to your normal routine as (NIST) cybersecurity framework. soon as possible—ideally wiser and stronger. Thinking of cybersecurity narrowly as an ■ A corporate board action plan IT issue to be addressed simply with techni- for cybersecurity cal solutions is a fl awed strategy. The single In an effort to fi ll the gap between awareness biggest vulnerability in cyber systems is and targeted action, The National Association people. Insiders, whether they are poorly of Corporate Directors (NACD), in conjunc- trained, distracted, angry, or corrupted, can tion with AIG and the Internet Security compromise many of the most effective tech- Alliance, published their fi rst Cyber Risk nical solutions. Oversight Handbook for corporate boards in Building on the NACD model, the Institute June 2014. The handbook was the fi rst pri- of Internal Auditors (IIA) extended NACD’s vate sector document endorsed by the U.S. principle 1 by commenting that the board Department of Homeland Security as well as should receive an internal annual health the International Audit Foundation and is check of the organization’s cybersecurity available free of charge either through DHS program that covers all domains of the or NACD. It identifi ed fi ve core principles organization’s cybersecurity, including an for corporate boards to enhance their cyber assessment of if the enterprise risk levels risk oversight. have improved or deteriorated from year to The fi ve principles can be conceptualized year, and comments specifically that into two categories. Principles 1, 2, and 3 deal “Sarbanes-Oxley compliance provides little with board operations. The fi nal two princi- assurance of an effective security program ples deal with how the board should handle to manage cyber risks.” the senior management. 2. Directors must understand the legal 1. Understand that cybersecurity is an implications of cyber risk. enterprise-wide risk management issue. The legal situation with respect to cyberse- The board has to oversee management in curity is unsettled and quickly evolving. setting the overall cyber strategy for the Boards should be mindful of the potential organization, including how cybersecurity is legal risks posed to the corporation and understood in terms of the business. It is potentially to the directors on an individual critical that the board not approach the topic or collective basis. For example, high-profi le simply by thinking, “What if we have a attacks may spawn lawsuits, including breach?” Virtually every organization will be shareholder derivative suits alleging that the successfully breached. The board has to organization’s board neglected its fi duciary understand the issue is how to manage the duty by failing to take steps to confi rm the risks caused by breaches, not to focus solely adequacy of the company’s protections on how to prevent them. against breaches of customer data. To date One useful metaphor is to think of corpo- juries have tended not to fi nd for the plain- rate cybersecurity in a similar fashion to how tiffs in these cases, but that could change we think of our own personal health. with time and boards need to be aware of the Obviously, it is impractical to be totally germ risk of court suits.

67 ■ CYBER RISK AND THE BOARD OF DIRECTORS

Prudent steps for directors to take include some boards are now recruiting cyber pro- maintaining records of discussions related to fessionals for board seats to assist in analyz- cyber risks at the board and key committee ing and judging staff reports. Another tech- meetings. These records may include updates nique is to schedule periodic “deep-dives” about specifi c risk as well as reports about for the full board. Many organizations have the company’s overall security program and delegated the task to a special committee— how it is addressing these risks. Evidence often audit but sometimes a risk or even that board members have sought out special- technology committee—although no one ized training to educate themselves about approach has been demonstrated clearly cyber risk may also be helpful in showing superior. A proliferation of committees can due diligence. exacerbate the board time problem, and due No one standard applies, especially for care must be paid to overload any one com- organizations who do business in multiple mittee, such as audit, with issues that are not jurisdictions. Some countries, including the inherently in their expertise lane. U.S. have received specifi c guidance from Still another technique is to empower the securities regulators. Many countries have board with the right questions to ask and passed a variety of laws, some of which may require that the outside or internal experts be confusing or confl icting with mandates in answer the questions in understandable ter- other countries. It is critical that organiza- minology. The NACD Cyber Risk Handbook tions systematically track the evolving laws provides lists of 5 to 10 simple and direct and regulations in their markets and analyze questions for board members covering the their legal standing. key issues such as strategy and operation Again, building on the NACD model, IIA readiness, situational awareness, incident emphasizes that this legal analysis must be response, and overall board “cyber literacy.” extended to third parties and recommends At minimum, boards can take advantage that the board get a report of all the critical of the company's ongoing relationships data that are being managed by third-party with law enforcement agencies and regu- providers and be sure the organization has larly make adequate time for cybersecurity appropriate agreements in place, including at board meetings. This may be through audits of these providers. The board ought interaction with CISOs or as part of the to communicate that a “chain of trust” is audit or similar committee reports. More expected with these third-party providers appropriately, boards, as discussed above, that they have similar agreements with their should integrate these questions into gen- down-stream relationships. eral business discussions. The fi nal two principles offered by NACD 3. Board members need adequate access to focus on how boards should deal with senior cybersecurity expertise. management:

Most board meetings are incredibly pressed 4. Directors need to set an expectation that for time, and often there are multiple issues management have an enterprise-wide and people who feel they need more board cyber risk management framework in time. Add to this the fact that most acknowl- place. edge that directors lack the needed expertise to evaluate cyber risk, and the board is left It is important that someone be thinking with the conundrum of how to get enough about cybersecurity, from an enterprise-wide time to become properly educated to address perspective (i.e., not just IT) every day. this serious issue. Corporations have introduced a variety of One answer is to increase the use of out- models, chief risk offi cer, chief fi nancial side experts working directly with the board offi cer, chief operating offi cer as well as the to provide independent assessments. Indeed, more traditional CIO and CISO models. The

■ 68 A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS

important aspect to ensure, however, is that At the people level, it is important to follow the risk management is truly organization leading practices for managing personnel, wide, including the following steps: especially with respect to hiring and fi ring. Ongoing cybersecurity training is similarly establish leadership with an individual important and most effective if cybersecurity with cross-departmental expertise metrics are fully integrated into employee appoint a cross-organization cyber risk evaluation and compensation methods. management team including all relevant Of special attention is the inclusion of stakeholders (e.g., IT, HR, compliance, senior and other executive level personnel GC, fi nance, risk) who, research has shown, are highly valued meet regularly and report directly to the targets and often uniquely lax in following board through on security protocols. develop an organization-wide cyber The asset management process then can risk management plan with periodic be considered in light of the business prac- tests reports and refi nements. At a tices that may create liabilities. more technical level, the Cyber Security For example, the expansion of the number Framework developed by the National of access points brought on by the explosion Institute of Standards and Technologies in mobile devices and the emerging “Internet (NIST) is a useful model. of Things” (connecting cars, security camer- develop an independent and adequate as, refrigerators, etc. to the Internet) really budget for the cyber risk management increases vulnerability (see Chapter 6). team. Still a different type of vulnerability can occur in the merger and acquisition process. One mechanism to implement the frame- Here management may feel pressure to gen- work is to create a “cybersecurity balance erate value through the merging of highly sheet” that identifi es, at a high level, the complex and technical information systems company’s cyber assets and liabilities and on accelerated pace. In discussions with can provide a scorecard for thinking through management, the board must carefully management progress in implementing the weigh the economics of the IT effi ciencies security system. The balance sheet may the company seeks with the potential to miss begin with identifying the organization’s or create vulnerability by accessing a system “crown jewels.” This is an important exer- that is not well enough understood or had its cise because it is simply not cost effi cient to defi ciencies mitigated. protect all data at the maximum level. However, the organization’s most valued 5. Based on the plan, management needs to data must be identifi ed (e.g., IP, patient data, have a method to assess the damage of a credit card data). Other corporate data can cyber event. They need to identify which be similarly categorized as to its relative risks can be avoided, mitigated, accepted, security needs. or transferred through insurance. The next step is to discuss the strategy for securing data at each level. This strategy Organizations must identify for the board generally involves a consideration of people, which data, and how much, the organization process, and technology. is willing to lose or have compromised. Risk At the technology process levels there are mitigation budgets then must be allocated a range of options available with good appropriately between defending against research indicating cost-effective methods to basic and advanced risks. secure lower-level data and thus reserving This principle highlights the need for the deployment of more sophisticated, and “full-team” approach to cybersecurity hence costly, measures to be reserved for the advocated under principle 4. For example, higher valued data. the marketing department may determine

69 ■ CYBER RISK AND THE BOARD OF DIRECTORS

that a particular third-party vendor is ideal This is an example of the process pro- for a new product. The CISO may determine ceeding appropriately, wherein cyber risk that this vendor does not have adequate is integrated into business decisions con- security. Marketing may, nevertheless, sistent and managed on the front end con- decide it is worth the risk to fulfi ll the busi- sistent with the organization’s business ness plan and presumably senior manage- plan. ment may support marketing, but condition If an organization follows these princi- approval on the ability to transfer some of ples, it should be well on its way to estab- this additional risk with the purchase of lishing a sustainably secure cyber risk man- additional insurance. agement system.

■ 70 SecurityRoundtable.org Establishing a board-level cybersecurity review blueprint Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director

Over the last two years cybersecurity has leaped to the top of the boardroom agenda. If you’re like most board members, though, you haven’t had enough time to fi gure out how to think about cybersecurity as part of your fi duciary responsibility, and you’re not quite certain yet what questions to ask of management. You may even harbor a secret hope that, like many technology-related issues, cyberthreats will soon be rendered obsolete by relentless advancement. Don’t count on it. Cybersecurity is taking its place among the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses “digitize” all aspects of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed—and vulnerable to cyberattack. Cybersecurity risk is not new. However, in the last two years multiple high-profi le attacks have hit brands we all trusted with our personal information, making for big headlines in the media and signifi cant reputational and fi nancial damage for many of the victimized companies. What’s more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a per- ennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profi le cyberattacks. Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter’s goal is to help directors evolve their mindsets for thinking

71 ■ CYBER RISK AND THE BOARD OF DIRECTORS

about the enterprise risk associated with expressed through the following three high- cybersecurity and provide a simple blue- level questions: print to help directors incorporate cybersecurity into the board’s overall enterprise risk 1. Has your organization appropriately strategy. assessed all its cybersecurity-related risks? What reasonable steps have you ■ Establishing the right blueprint for taken to evaluate those risks? boardroom cybersecurity review 2. Have you appropriately prioritized your For boards, cybersecurity is an issue of enter- cybersecurity risks, from most critical to prise risk. As with all enterprise risks, the noncritical? Are these priorities properly key focus is mitigation, not prevention. This aligned with corporate strategy, other universally understood enterprise risk business requirements, and a customized guideline is especially helpful in the context assessment of your organization’s cyber of cybersecurity because no one can prevent all vulnerabilities? cyber breaches. Every company is a target, and 3. What actions are you taking to mitigate a suffi ciently motivated and well-resourced cybersecurity risks? Do you have a regularly adversary can and will get into a company’s tested, resilience-inspired incident response network. plan with which to address cyberthreats? Consequently, terms like “cyber defense” are insuffi cient descriptors of an effective Naturally, these questions are proxies for the posture because they evoke the image that industry-specifi c and/or situation-specifi c corporations can establish an invincible questions particular to each organization perimeter around their networks to prevent that will result in that organization’s most access by bad actors. Today, it’s more accu- productive cybersecurity review. The key to rate to think of the board-level cybersecurity formulating the relevant questions for your review goal as “cyber resilience.” The idea organization is to fi nd the right balance behind the cyber resilience mindset is that, between asking enough to achieve the assur- because you know network breaches will ance appropriate to board oversight, but not happen, it is more important to focus on so much that management ends up spinning preparing to meet cyberthreats as rapidly as wheels unnecessarily. possible and on mitigating the associated The rest of this chapter is a guide to fram- risks. ing board-level cybersecurity review issues Also important to a board member’s for your organization by exploring meaning- cybersecurity mindset is to be free from fear ful ways to apply these high-level questions of the technology. Remember, the issue is in a variety of circumstances and industries. enterprise risk—not technical solutions. Just The next step is yours, or your board’s: use as you need not understand internal com- this blueprint to drive cybersecurity enter- bustion engine technology to write rules for prise risk discussions with management, safe driving, you need not be excluded from critical stakeholders, and external experts. the cybersecurity risk discussion based on Doing so will help achieve cyber resilience lack of technology acumen. Although this is for your organization. liberating, in a sense, there is also a price: directors cannot deny their fi duciary respon- ■ The board’s cyber resilience blueprint sibility to oversee cybersecurity risk based Boards are very comfortable managing fi nan- on lack of technology acumen. cial issues and risks. They have audit Given a focus on enterprise risk (not tech- committees, they have compensation com- nology) and risk mitigation (not attack mittees, their members include former CFOs prevention), the correct blueprint for cyber- (to populate those committees), and they security review at the board level can best be have plenty of experience reviewing fi nancial

■ 72 ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT

statements and analyzing profi t and loss. The review process, and that these discussions knowns are known and the unknowns are take place regularly—preferably at every few, if any. meeting of the board. It is useful to juxtapose this stable, com- A committee responsible for studying fortable picture with the state of board-level cybersecurity risk can cover both of these cybersecurity discussion—that is, you may aspects of participation. With such a not yet be certain what questions to ask, or committee, someone on the board (i.e., the know what to expect from management’s committee chair) becomes the stakeholder responses. To help accelerate you toward the charged with becoming educated about cyber- same level of stability and comfort you have security risk and educating the broader group. managing fi nancial issues, the following Although the board will never need to know board-level cybersecurity review blueprint is how to confi gure a fi rewall, there is much to organized into six areas: learn about the nature of cybersecurity risks, their potential impacts on your organization, 1. Inclusive board-level discussion: and successful mitigation approaches. It may empowering all directors to be accountable also be appropriate to appoint a director with for cybersecurity cybersecurity expertise for this purpose. 2. Proactive cyber risk management: Establishing such a committee also fulfi lls incorporating cybersecurity into all early the goal of consistent cybersecurity discus- stage business decisions sion. The chair can give a report, arrange for 3. Risk-oriented prioritization: differentiating reports from the CIO or CISO, or facilitate assets for varying levels of cyber protection talks by outside experts on issues around 4. Investment in human defenses: ensuring which additional subject matter expertise the organization’s cybersecurity investment proves useful. Threat intelligence is an exam- goes beyond technical to include awareness, ple of an excellent topic for an outside expert education, and training programs for because it’s not a specialty most organiza- employees tions have in house or that can be justifi ably 5. Assessments of third-party relationships: developed. A person or organization steeped limiting cyber exposure through business in analyzing the tools, approaches, and partners behaviors of threat actors can look at your 6. Incident response policies and organization’s profi le and provide custom- procedures: mitigating potential risks ized insight that accelerates the board’s when breaches occur. cybersecurity education. To empower all directors to engage in 1. Inclusive board-level discussion cybersecurity review, board-level discus- Given the rapidly growing threat posed by sions should address issues in the enterprise cybercrime and the potentially devastating risk language with which boards are already consequences of a major breach, it is critical familiar. One requisite, therefore, is that that every director have enough of an under- boards not stand for technical jargon. Even standing of cyber risk to be able to take an reports from the CIO should be delivered in active part in the board’s cybersecurity plain language free of specialized terms.

Active inclusion, in sum: ᭿ Establish a cybersecurity risk committee, or add the subject to an existing enterprise risk committee. ᭿ Discuss cybersecurity risk at every board meeting. ᭿ Empower all directors to become educated and comfortable discussing cybersecurity risk.

73 ■ CYBER RISK AND THE BOARD OF DIRECTORS

2. Proactive cyber risk management cybersecurity analysis of the target to their It is important to incorporate discussion of diligence process; protecting their M&A cybersecurity risk in all business decisions, process from cyber breaches; and potential from the beginning, because it is much cyber exposure resulting from post-deal harder and far less effective to consider integration. cybersecurity after the fact. Whether a deci- In both of these examples, it should be sion has to do with corporate strategy, new clear how challenging it would be to address product launches, facilities, customer inter- cybersecurity concerns after the initiative action, M&A, legal or fi nancial issues, man- gets underway. agement should always proactively consider cybersecurity risk. 3. Risk-based prioritization As an example, take the white-hot omni- Everyone’s resources are limited. Because channel marketing trend, which has retailers there are an infi nite number of cybersecurity using mobile technology to collect data from measures in which a company can invest, their customers, and then exploiting that the trick is to prioritize such measures based knowledge to better target marketing and on a customized assessment of the most seri- promotions—sometimes, at the moment a ous threats facing your organization. Such customer walks into the store. Obviously, assessments should be approached along such retailers are gathering more informa- two primary dimensions: your organization about their customers than ever before. tion’s most valuable assets and its greatest How will they protect it? Do the mobile cyber vulnerabilities. applications that make these approaches Often, your most critical assets are obvi- possible expose their organizations to new ous: payment card data for a retailer, the vulnerabilities? No matter how exciting the script of an upcoming franchise sequel for revenue-driving opportunity, these are ques- a movie studio, the source code at the tions that retail boards should be asking heart of a software company’s bestselling management as part of the decision to pur- product. Every board’s cybersecurity sue such initiatives. Management should review must ask management what meas- respond with some variation of, “Our soft- ures are being taken to protect a compa- ware vendor says their security is `X, and in ny’s most critical assets, beginning with addition, we’re doing our own testing to see development and on through production how vulnerable the software may be before and distribution. Beyond the most critical we introduce it to our customers.” are other assets that require differentiated Boards should extrapolate the thinking in gradations of protection. Identifying and the above example to all aspects of their prioritizing those assets is an information business decision-making. To apply proac- governance challenge, so the board also tive thinking to cyber strategy, consider has to understand the organization’s infor- growth through M&A. Boards should think mation governance policy and have a through M&A cybersecurity risks in multi- sense for the quality of its execution. Has ple dimensions. To name three: adding the company identifi ed what are sensitive

Proactive cyber risk management, in sum: ᭿ Think about potential cybersecurity risk from the outset of all business initiatives from corporate strategy to new types of customer interaction. ᭿ Think particularly about new kinds of risk associated with emerging digital business initiatives.

■ 74 ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT

data and where they are being held? What awareness. Furthermore, investments in data are not sensitive and where are they human defenses should be aligned to the being held? Are your retention policies insights from customized threat intelli- ensuring you keep the information that is gence so they are focused on the ‘most important and throw away everything valuable/most vulnerable’ prioritization else? We’ve all read headlines about discussed in the previous section. breaches that could have been less sensa- When looking at cybersecurity invest- tional if the victims had better retention ment, board reviews should include classic practices. IT spending on systems that authenticate The second dimension—your compa- user identity and manage access, as well as ny’s cyber vulnerabilities—is where cus- compliance with applicable laws and regula- tomized threat intelligence plays a role. tions. However, that’s just the baseline. Analyzing your network for weaknesses, Boards need to think further, to issues such as learning where sensitive information is the following: stored and how it is protected, and assessing your environment: the competitiveness How well does our IT knowledge/expertise of your industry (e.g., how valuable your align with the kind of challenges suggested by intellectual property is to others) and the our threat intelligence reports? way information fl ows in concert with business processes (e.g. whether or how Are we appropriately augmenting our inter- you store sensitive information about con- nal staff with outside expertise? sumers or clients, what countries you do business in, and what that implies for your Should we hire “white hat” hackers to attack security). our networks in search of gaps? The board’s cybersecurity review should include discussion of both dimensions, and Should we test our employees’ anti-phishing the issues should be discussed often—these awareness/ability? risks are not static. They can vary signifi - cantly over time and depend on evolving No matter how well your security technol- Internet connectivity and infrastructure ogy works, hackers can always go after the complexity. weakest link—humans—through a combination of tactics known as social engineer- 4. Investment in human defenses ing and spear phishing. The only defense Cyber defense and cyber resilience are as against these phenomena is enterprise- much human matters as they are matters wide education. Ongoing education and of products and technology confi gura- awareness programs, such as spear phish- tions. Although security technologies for ing training, should be part of the cyberse- protection and response are indeed neces- curity investment. Boards should ask sary, boards should also ask about enter- about, support, and ensure these programs prise-wide cybersecurity education and are aligned with business requirements.

Risk-based prioritization, in sum: ᭿ Optimize limited resources by prioritizing along two dimensions: what’s most valuable and what’s most vulnerable. ᭿ Ensure the quality of policies and practices around the organization’s approach to information governance so that all assets are protected appropriately.

75 ■ CYBER RISK AND THE BOARD OF DIRECTORS

Human investment, in sum: Supplement appropriate investment in information security products with continuous enterprise-wide cybersecurity awareness, education, and training programs.

5. Assessments of third-party relationships practices? Do they respond to your security Those of us paying close attention to the questionnaires? Do you have the right to stories behind 2014’s cyber breach headlines conduct on-site validations/audits? know that in many cases the so-called “attack Boards also should require IT involve- vectors” came through third-party relation- ment early in the development of new ships. Bad actors breached a business part- business partner relationships. That way, ner (that likely had weaker security than the information access can be better tuned to intended target) and then used that part- the business requirements of the partner- ner’s access credentials to break into the tar- ship. An HR vendor, for example, may get company. need access to your employee data, but that But this is only one way in which third- access may not need to be around the clock. party relationships create security vulnera- Perhaps it can be controlled and limited to bilities. As business collaboration surges, for certain times of the month and/or hours of example, the amount of confi dential, trade the day to limit risk exposure and enable secret, and intellectual property information fi nely tuned security monitoring. that is being shared among employees of business partners skyrockets. This electronic 6. Incident response policies and procedures fl ow of mission critical information, often Armed with the knowledge that perfect secu- across the open Internet, creates an environ- rity isn’t achievable and breaches are there- ment ready-made for economic espionage. It fore inevitable, boards must ensure their used to be such cases were a particular thorn organizations have well-honed policies for in the side of only a few sectors, such as cyber incident response, and must test these defense, energy, and technology. Today, all plans with regular simulation exercises. kinds of industries are targeted. Good incident response plans defi ne the A board’s cybersecurity review should roles and responsibilities of the response include an understanding of how the organ- team (including crisis communications, ization conducts cyber due diligence on human resources, legal, IT, etc.) and estab- third parties. Boards need a clear under- lish clear initial action items, including noti- standing of the third parties their organiza- fi cations to internal and external resources tions do business with and must prioritize who will lead an investigation or manage those relationships in terms of high, medi- communications. Remember, preparing for um, and low risk. Once a partner is identi- the worst is not an admission of a weak or fi ed as high risk (e.g., they have access to vulnerable network. On the other hand, a your corporate network), that partner’s own delayed, bumbling response to a security security posture must be understood. How breach is what often leads to increased data much visibility does your organization have loss, exposure to regulatory action, and into your vendors’ security policies and reputational damage.

Assessments of third-party relationships, in sum: Review all business partner relationships for potential cybersecurity vulnerabilities. Empower IT’s involvement earlier in the development of business relationships.

■ 76 ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT

Two key thoughts boards should keep in our risk in a way that is consistent with most mind when reviewing incident response likely attacks? plans were noted previously, albeit in a different context. First, it is critical to engage the ■ Conclusion: No surprises! entire enterprise in your incident response No one likes unpleasant surprises, least of all plan. IT security professionals can only do so corporate boards. The goal of a board’s much if an employee clicks on a spear phish- cybersecurity review is to avoid being unpre- er’s link, creating a hole in your network. pared for a cyber incident. Unfortunately, Employees can be educated to avoid those experience so far suggests that the only com- clicks and incented to be fi rst responders—or, panies with truly top-grade, board-level at least, to notice these attempts to breach cybersecurity plans are those that have expe- your company’s defenses. Employees are on rienced an unpleasant surprise in the form of the front lines of cybersecurity; prompt notice a bad breach. They felt the pain once and of a breach from an alert employee can often don’t ever want to go through it again. signifi cantly mitigate damage. Second, your If you follow the board-level cybersecu- organization’s cybersecurity risk environ- rity review thinking and principles dis- ment is a dynamic, ever-changing thing. Your cussed in this chapter, and partner with incident response plan must be kept up to external experts that bring domain-specifi c date and rehearsed continually, taking evolv- knowledge and skills you may not have in- ing threat intelligence into account. house, you can avoid surprises and be pre- Appropriate board-level review questions pared to meet risk head on. The review include the following: approach described in this chapter will enable you to lead your organization’s shift What are the organization’s policies and pro- from a paradigm of discomfort and uncer- cedures to rapidly identify breaches? tainty in the cybersecurity risk realm to one of assurance and comprehensive answers, How are all employees empowered to monitor facilitated by the board’s regular cyber risk and report/respond? discussions; from simple perimeter protection to around-the-clock monitoring and How are we triaging/escalating once an inci- universally understood incident response; dent is detected? from lack of cyber risk awareness to enterprise-wide awareness led by top-down How is incident response integrated into IT C-suite messaging and incentivized operations? employee behavior. The blueprint presented in this chapter What are we doing to align our cyber respons- can help ensure you truly have your eye on es to business requirements and to ensure that the cyber risk ball. Obviously, that doesn’t all parts of the business understand their roles mean your company won’t be breached. in the response plan? But if—or when—you are, you will be able to handle the event with clear-eyed confi - How does our response plan match up with dence that the risks have been properly our threat intelligence? Are we characterizing managed.

Incident response, in sum: ᭿ Because breaches will happen, board review must ensure fi rst-class incident response. ᭿ All enterprise employees should be part of the incident response plan. ᭿ Incident response must continually evolve—because threats do.

77 ■ CYBER RISK AND THE BOARD OF DIRECTORS

CYBER REVIEW blueprint

Inclusive Board-Level Discussion

Proactive Cyber Risk Management

Risk-Oriented Prioritization

THE BOARD’S Investment in Human Defenses

Assessment of Third-Party Relationships

Incident Response Policies and Procedures

■ 78 SecurityRoundtable.org Demystifying cybersecurity strategy and reporting: How boards can test assumptions Dell SecureWorks – Mike Cote, CEO

Cybersecurity is one of those issues that justify the statement, “It’s what you don’t know that can hurt you.” Although board engagement in cybersecurity risk is on the rise, corporate directors continue to struggle with the complexity of the subject matter, making it more diffi cult for them to assess whether the company’s strategy is effective. As one public company director recently stated, “I understand the magnitude of the risk, and I know we have signifi cant resources decked against it, but as a board member how will I know if management has the right measures in place to keep us from being the next story in the news?” This chapter does not explain how to eliminate the risk of a data breach. In fact, one requirement for being resilient against cyberthreats is to accept that breaches will happen. Nor does this chapter strive to make an expert of the reader. After all, the board’s job is to provide reasonable oversight of the risk, not manage it. What this chapter does do is provide boards with a framework of inquiry—elements of a mature security strategy in plain language—to help directors have discussions with management about the company’s overall resilience against the threats. By understanding these concepts, directors will have a better context for testing assumptions when management reports on metrics such as the effectiveness of breach prevention, breach frequency, and response time.

■ Background: Who is behind hacking, and why do they do it? Before delving into the right strategy for cybersecurity, it is helpful for boards to fi rst understand the nature of the threat. Hacking has become a burgeoning global industry that generates billions of dollars in illicit trade annually. It’s fueled by a strong reseller’s market in which hackers sell stolen data to others who possess the desire but not

79 ■ CYBER RISK AND THE BOARD OF DIRECTORS

the tools to harvest valuable intellectual ■ Elements of a mature security strategy . . . in property. It’s funded by organized crime and plain language actors within nation-states that not only 1. Determine what needs protecting and who operate beyond any jurisdiction but also holds the keys. have access to billions of dollars of capital to invest in these criminal operations. Companies begin their journey to resiliency The robust cyber black market offers sto- by identifying and prioritizing the assets they len goods—from credit cards to personal must protect. What do cyber criminals want identities—in large quantities at reasonable that they can get from us and why? Do cost. Sellers also offer money-back guaran- employees handle intellectual property that tees on the quality of their goods. Buyers can could make or break us competitively? Do obtain tutorials for hacking or for using sto- we collect personally identifi able informa- len data, and they can even hire subcontrac- tion that cyber criminals could sell to iden- tors to do the dirty work. tity thieves? Do we store customer account It’s not always about the money. From information? How would someone take attacks based on sectarian hate between command and control of our infrastructure nation-states to sabotage from a bitter, laid- or systems? off employee, motivations for hacking run It is equally important to know where deep and wide. Anger about environmental those coveted assets are located. Many policies and resentment against the excesses boards are surprised to learn that the infor- of Wall Street are among other examples. mation security team is fending off hackers Whatever their reasons, hackers are focused across the entire enterprise, even outside it: on stealing, disrupting, or destroying data for example, in a supplier’s network, on a every moment of every day. There are thou- home computer, or on an employee’s iPad, sands of cyber criminals around the globe. where he or she just reviewed a proprietary They work around the clock, for free or for schematic. Hackers are capable of scanning hire, on speculation or with a known pur- for vulnerabilities wherever someone con- pose, trying to invent new ways to steal or nects to the Internet, and business leaders harm a company. They have the funding and must operate under the assumption that technology to be not only persistent but also even they are a target. highly adaptable, and the barrier to replicat- As with sensitive fi nancial information, ing their cyber weapons is low in contrast to only those who need access to the assets the physical world. They have the luxury of should have it, and policies should be in place always being anonymous, always on offense, to ensure stringent controls. Administrator and seldom prosecuted. passwords are gold to cybercriminals, and Companies, on the other hand, are highly increasing the number of people with access visible, and by virtue of being connected to to them effectively multiplies the ways that the Internet must operate in an environment hackers can attack. where being attacked by hackers is the norm. Companies must prevent, detect, 2. Prevention is not an endgame. defend against, and take on the threat without the luxury of knowing when they’ll be It’s tempting to think that we can eliminate attacked, by whom, or on what front. breaches if we just put more effort into pre- A mature cybersecurity strategy prepares vention at the front end, but information for and responds to this challenging envi- security professionals know that eliminating ronment. Breaking that strategy down into the possibility of a breach is an unrealistic its core elements provides boards with a use- goal in today’s environment. Preventative ful framework for discussing risk assump- tools such as fi rewalls play an essential role tions with the chief information security because they provide the fi rst layer of offi cer. defense: they ‘recognize’ and stop the threats

■ 80 DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONS

we already know about. As we already 4. Stay a step ahead: The future won’t look like established, however, hackers are highly the past. adaptive. No one piece of technology can provide a complete defense. A good security To stay one step ahead of the threat, an infor- program assumes that at some point preven- mation security program should also be able tion will fail and the business will have to to predict what the adversary will do next. deal with threats in its network. To make fi nancial predictions, business lead- Detection then becomes the focus. ers apply internal and environmental intel- Companies need the right technology, pro- ligence to test assumptions. In the case of cesses, programs, and staff to help them cybersecurity, security teams should apply detect what has happened so that they can “threat intelligence,” which tells them the fi nd the threat and respond more quickly intent and capabilities of current, real-world to contain and eradicate it. The question is hackers who may want to harm them. not if the hackers will get in but when. Gathered from a company’s own environ- Board members may test this assumption ment and often supplemented with much by asking their security team, “Do we broader environmental intelligence from a know if hackers are inside our defenses third party, threat intelligence can be applied right now? How do we know when they to cybersecurity technologies and human get in?” procedures. As a result, the enterprise is able to anticipate the nature of forthcoming 3. You can’t defend with your eyes closed. attacks and more effectively allocate limited resources to stop them. No one wants to be blindsided. If a compa- Companies with the ability to predict can ny’s security team can’t “see” what is hap- also defend earlier with less effort and recov- pening on the network and across all of the er faster when a breach occurs. When boards endpoints such as work stations, point-of- and management discuss metrics like breach sale terminals, and mobile devices, then the frequency, response time, and potential company will have little chance to detect or impact, it’s helpful to know if the security respond quickly to an attack when preven- team is applying threat intelligence to help tion fails. Visibility across the enterprise is an them make their assumptions. essential attribute of the cybersecurity strategy because it helps companies respond to 5. Educate and train vigilant employees. unusual activity more quickly, reducing down time and related costs. One of the most important defenses against Business leaders should know that hav- cyberattack is an informed, vigilant employing visibility means collecting large amounts ee population. Employees and executives are of data from all of those places. Unfortunately often targeted with carefully crafted emails those data are useless if the security team designed to be relevant to the employee’s doesn’t have the bandwidth to analyze and personal or work life. In reality, these phish- act on it. The information security industry ing emails are often loaded with malicious has responded to this problem, and services code. One click by a less careful individual are available to manage the data, do the can deploy a cyber weapon into the compa- heavy lifting, and sort out what is actionable. ny’s network and execute various actions The actionable data can then be fed back to that shut down critical business functions or the information security team to more effi - steal information and accounts. Similar tac- ciently zero in on the threats that need their tics may be used over the phone to get immediate attention. Boards may ask if their employees to divulge confi dential informa- security team is managing all the data itself, tion such as client lists, which can then be and, if so, does it still have the bandwidth to paired with other stolen data to complete a focus on the actual threats. set of stolen identities.

81 ■ CYBER RISK AND THE BOARD OF DIRECTORS

The bottom line is that human behavior 7. Measure effectiveness, not compliance. is equally as important as security technologies in defending against the threat. It is impossible for a company to know how Boards should know whether employee effective its security program is against real- awareness and training programs are in world attackers unless it conducts real-world place and how effective they are. The best exercises to test its defenses. Compliance programs will simulate how hackers may frameworks can improve rigor in many trick an employee and provide on-the-spot areas of cybersecurity, but it is folly to training if the employee falls victim. An assume that following a compliance man- open dialog in these cases helps employees date (or even passing a compliance inspec- and the organization as a whole learn from tion) is commensurate with resilience. No mistakes. It also builds a culture of security matter how well architected a security pro- awareness. gram is against recommended standards, no two companies’ environments are alike. 6. Organize information security teams for That’s why it is so important to battle-test success. one’s own environment. Network security testing emulates actual hackers using real- Defending and responding effectively life tactics such as phishing to validate how against cyber adversaries also depends on well defenses work against simulated manpower and expertise. Technologies attacks. By learning how hackers penetrate cannot be used to full advantage without security defenses, companies can determine highly skilled people to correlate, analyze, actual risk and resource cybersecurity opera- prioritize, and turn the data into actiona- tions accordingly. Testing also helps compa- ble intelligence that can be used to increase nies meet compliance mandates. Compliance resilience. A properly organized and should be a by-product of an effective secu- staffed security team needs people with rity program, not the other way around. many different types of expertise and skills. It requires people to deploy the 8. Emphasize process as much as technology. technologies, understand what the threats are, determine what hackers are doing, fix Technology is only half the solution to mak- system and software vulnerabilities, and ing a company resilient. Breaches can occur counter active threats. Although these as the result of human and process errors professional capabilities are interdepend- throughout the enterprise. Take the example ent, they are not all interchangeable, of recent high-profi le cases in which weak- requiring different training and certifica- nesses in a supply chain or a business part- tions. Information security leaders also ner’s security allowed hackers to access the need the management skills to put the parent company’s network and do signifi - right governance processes and proce- cant damage. Leading practice today is for dures in place, advocate for security companies to insist, by contract, that their requirements, and communicate risk to business partners meet the same security senior management. requirements. Boards are encouraged to inquire as to However, what if a business line leader whether the security team has the band- fails to insist on contract requirements in the width and manpower to be able to respond interest of going to market quickly? What and remediate a crisis, as well as to handle happens when business enablement trumps day-to-day operations. Security teams security in the far reaches of the business, should be organized to focus on what mat- where people think, “No harm done”? ters most—immediate threats—and other Adequate checks and balances should be in resources should be considered where there place to ensure that IT security and business are gaps. procedures are being executed, and policies

■ 82 DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING: HOW BOARDS CAN TEST ASSUMPTIONS

should hold relevant business leaders and element of cybersecurity, but it is a by-product employees accountable for implementation. of a good program, not the measure of effec- How do you know when procedure isn’t fol- tiveness. Nor is it a guarantee of security, as lowed? Real world testing confi rms not only illustrated by many recent high-profi le the effectiveness of your defenses but also breaches in which companies had already the process, policies, and procedures that met the requirements for one compliance keep those defenses in place, operational mandate or another. and optimized for resilience. Diffi cult decisions about funding can be made more easily by discussing how exist- ■ Summary: A framework for oversight ing resources are allocated. Many business By the very nature of being connected to leaders fear that “we’ll never spend enough,” the Internet, companies are targeted 24/7, but experience shows that a pragmatic 365 days a year by anonymous, sophisti- approach to funding the security program is cated hackers who strive to steal from or to focus on effectiveness and prioritization: harm the business and its employees. That ongoing challenge is taking place across Determine actual vulnerabilities by the entire enterprise, not just on the net- regularly testing defenses. work, so it’s important to remember that Detect the perpetrators more quickly by we all play a role in managing the risk: increasing visibility. employees, business partners, and even Predict and mitigate risks more quickly and board members. There is no silver bullet effi ciently by applying threat intelligence. piece of technology that will eliminate all Apply time, attention, and funding danger, and being resilient is just as accordingly. dependent on people and process as it is on technology. A cybersecurity ‘win’ in this Companies may also want to consider third- environment is defi ned as how effectively party providers to monitor, correlate, and and effi ciently the company fi nds and analyze the massive quantity of data that a removes threats from its environment and mature security program generates. This whether it remains fully operational in the allows valuable, and sometimes scarce, process. human resources to focus on the actual Cybersecurity risk is an enterprise risk, threats. A reputable third party can also pro- not a function of IT. For boards to provide vide the testing that determines effectiveness reasonable oversight they’ll have to under- and be a helpful validator of the program. stand what the company is protecting, Armed with an understanding of what a inquire about how well the company is mature security program looks like and how organized to defend those assets, and explore it plays out across the entire enterprise, whether it has the manpower and capabili- boards will be better equipped to discuss the ties to respond and remediate in the event company’s current strategy and inquire of a breach. Compliance is an important about assumptions in the metrics.

SecurityRoundtable.org 83 ■

Cyber risk corporate structure

Electronic version of this guide and additional content available at: SecurityRoundtable.org

The CEO’s guide to driving better security by asking the right questions Palo Alto Networks Inc. – Davis Hake, Director of Cybersecurity Strategy

I recently met with a chief information offi cer (CIO) whose chief executive offi cer (CEO) had just taken a strik- ing and dramatic interest in cybersecurity. He had read an article in the paper about cyberthreats to major corporations and wanted to know what his own company was doing to solve the specifi c problem described in the article. The CIO was incensed, because the question would inevitably force him to shift priorities for his already overworked team to an issue that had little to no effect on their actual security efforts. There is an old saying in the disaster response community that you shouldn’t exchange business cards during an emergency. In essence, you need to familiarize yourself with the risks and relevant people before an emergency so security teams are not blown in different directions depending on the new security scare of the day. Similarly, CEOs cannot familiarize themselves with cybersecurity narrowly through the lens of a single incident that occurs on their network or with one of their competitors. The danger in responding to a singular event or threat in isolation—or daily incidents we read about in the press—is that this is a reactive approach rather than a holistic, risk-based approach. Cybersecurity is the poster child for this phenomenon. Executives know that there is a newfound focus on cybersecurity at the boardroom level—incidents like Target’s 2013 data breach have been a wake-up call for many—but there is often still a severe lack of understanding about the real risks behind the headlines. The statistics also back up the magnitude of these anecdotes. A recent New York Stock Exchange (NYSE) and Veracode survey looking at boardroom attention to cybersecurity found 80 percent of participants said it is discussed in most or every boardroom meeting. They noted specifi cally that “responsibility for attacks is being seen as

87 ■ CYBER RISK CORPORATE STRUCTURE

a broader business issue, signaling a shift common problems such as a lack of invest- AWAY from the chief information security ment, absence of high-level strategy, and offi cer (CISO) and the IT security team.” failure to integrate into business operations Where is this shift moving to? “When a still plagued many organizations struggling breach does occur, boards are increasingly to address cyberthreats. Seeing this tension looking to the CEO and other members of in many of the organizations they were brief- the executive team to step up and take ing on cyberthreats, the U.S. Department of responsibility,” said the authors. Homeland Security worked with current Yet despite this shift in perceived respon- and former executives to help capture fi ve sibility to the executive level, there does not simple questions that a CEO could ask his or appear to be the same drive to connect tech- her technical team, which would also drive nical teams to the board-level focus on con- better security practices. They are: cerns about cybersecurity risk. A 2015 Raytheon and Ponemon Institute study of 1. What is the current level and business those with the day-to-day technical respon- impact of cyber risks to our company? sibility for cybersecurity, CIOs, CISOs, and What is our plan to address identifi ed senior IT leaders, found that 66 percent of risks? respondents believe senior leaders don’t 2. How is our executive leadership informed perceive cybersecurity as a priority. What about the current level and business this means is that while CEOs are increas- impact of cyber risks to our company? ingly on the hook from their boards for being 3. How does our cybersecurity program savvy about cyber risks, many are not yet apply industry standards and best engaging with the necessary parts of their practices? organization to address cybersecurity issues. 4. How many and what types of cyber Our hope is that this guide can prime you incidents do we detect in a normal week? to ask productive questions that drive better What is the threshold for notifying our people, processes, and technological change executive leadership? to reduce the risk of successful breaches of 5. How comprehensive is our cyber incident your organization. As the CEO, it is your job response plan? How often is the plan to balance risk and reward within your com- tested? pany. Cyberthreats are not magic, hackers are not wizards, and the risks to your spe- The team that coordinated the Cybersecurity cifi c organization from a breach can be man- Framework also provided key recommenda- aged just like any other risks that you make tions to leadership, to align their cyber risk decisions about every day. In fact, these risks policies with these questions. First and fore- can even be turned into opportunities for most, it is critical for CEOs to lead incor- new innovation. poration of their cyber risks into existing risk But where to begin? You want to avoid management efforts. Forget the checklist causing unnecessary work, but you are approach; only you know the specifi c risk- required to participate, and often lead, the reward balance for your business, so only conversation around addressing cyber risks. you can understand what is most important When the U.S. Government began working to your company. It seems simple, but with with members of the IT and critical infra- cybersecurity, the default practice tends to structure industry on a Cybersecurity be for organizations to silo considerations Framework for improving critical infrastruc- about risks into a separate category apart ture cybersecurity, a key point that arose was from thinking about their valuable assets. the need for nontechnical tools that could be You have to start by identifying what is most used at an executive level. Technical best critical to protect and work out from there. practices have existed in international stand- The process of aligning your core value with ards and government agencies for years, but your top IT concerns is a journey and is not

■ 88 THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT QUESTIONS

something that can be solved in one lump not having a cybersecurity background, you investment or board meeting. Just like any will certainly be able to make valuable con- risk analysis, it requires serious considera- tributions about which cyber risks are tion and thought about what is most impor- acceptable. You will fi nd situations where tant to your core business practices. the operational priorities that you are Which brings me to the second recom- responsible for as CEO, outweigh cybersecu- mendation to come out of the Cybersecurity rity risks. Your perspective on these matters Framework effort: don’t begin your journey is what makes you core to leading cyberse- alone! Bring your leadership team, especially curity efforts in your organization. your CIO, chief security offi cer (CSO), and Finally, as with any risk management CISO, into the conversation from the start, to effort, you must plan for the best but prepare help determine how your IT priorities match for the worst. Cyberthreats are very real, and to your business goals. Building a diverse advanced hacking tools once available only team that includes other leaders, such as to nation-states are regularly sold on the your head of human resources, will help online black market. There are technical foster a culture that views cyberthreats not architectures that can prevent and limit as “someone else’s problem” but as chal- damage done by cyberattacks (see Palo Alto lenges that should be addressed and dealt Network’s other chapter, “Designing for with as an entire organization. For example, breach prevention”), but no solution is ever cyber criminals still continue to successfully 100 percent. Developing an incident response use fake emails as a primary method for plan that is coordinated across your enter- gaining access to a company’s network. prise and regularly tested is vital for even Stopping these attacks requires not just a the most well-defended organizations. Use technical solution but also strong training, your existing risk management practices and which is often the responsibility of human your leadership team to identify your most resources and not your IT security team. important assets; then plan for what would As more signifi cant challenges arise, and happen to your company if those assets were they will do so often and unexpectedly, lean shut off or inaccessible for a sustained peri- on your leadership team to evaluate prob- od of time. Similar to fi re drills, regular prac- lems in relation to the impact to your other tice also helps you stay aware of cybersecu- business risks. Then let your team address rity’s constantly changing environment and them based on your existing business goals. shows a personal interest that will signal the For example, if you experience a cyber issue’s importance throughout your compa- breach or accidental disclosure of sensitive ny. There are also excellent chapters in this information, a diverse leadership team is book to get you started in setting up an inci- incredibly helpful at not just responding to dent response plan, and there are many the technical problems but also ensuring good companies that specialize in the sticky other areas such as public image, legal problems of rebuilding your network when ramifi cations, and revenue impact are taken you need to call in the cavalry. into consideration in any mitigation and While risk management is a strong remediation efforts. It is your job to help approach to tackling the challenges of frame the problem for your team and pro- cybersecurity, the bottom line is that it will vide oversight and guidance, not microman- often require some investment in new peo- age a crisis. ple, processes, or technology. A common As with normal business operations, you myth is that security must be a cost center should also be asking your team to assist for every organization. This view has plagued you in day-to-day requirements of your IT security experts for years, as their efforts cybersecurity, such as reviewing IT budgets are viewed as drains on resources that would and personnel security policies. None of this otherwise be bringing in revenue. But as is surprising, and you will fi nd that despite you start to lay out cybersecurity from a

89 ■ CYBER RISK CORPORATE STRUCTURE

risk management perspective, you will know these as web-based email or online be forced to identify your most valuable storage services. They are incredibly popular assets, pressing vulnerabilities, and core for their low cost, fl exibility, and availability motivations. This introspective approach across multiple platforms, but they also exist can also drive new ideas applicable to your on servers outside your control and can pre- core business lines. It is imperative that sent a huge risk from users accidentally you recognize these innovations and make making company resources available to the right investments to reap both the external parties. There are now innovative benefi ts of better security and new business solutions that can manage these programs opportunities. just like any normal application that lives on For example, take a company that wants your network and even block their use for to enable its sales staff to securely meet with only malicious purposes. customers face to face away from the offi ce True leadership in any issue doesn’t for consultations. Using mobile devices and involve simply throwing more money at the phones to access internal company data, problem; you must always balance the risks such as customer accounts, from the fi eld and rewards of your decisions and invest- can open serious cyber risks. In this case you ments into a coherent strategy. Cybersecurity could ensure that when purchasing a mobile is no different. Unfortunately, today’s reality platform, you also choose a security vendor is such that cyberthreats will remain an issue that can provide mobile device management of fear for boardrooms in the foreseeable capabilities. This allows your IT department future, leading to default knee-jerk reactions to secure lost or stolen devices and limit as new threats evolve. Ultimately, we must malicious software that could be accidental- get to a place where cybersecurity is a nor- ly downloaded by employees (or often their mal part of any business’s operational plan. kids), limiting cyber risks and enabling fl ex- With cool-headed, rational leadership, you ibility of your sales team. have the unique ability to help transform Another great example is the use of soft- this issue in your company from a crisis to ware as a service (SaaS) products. You may an opportunity for real innovation.

■ 90 SecurityRoundtable.org Establishing the structure, authority, and processes to create an effective program Coalfi re – Larry Jones, CEO and Rick Dakin, CEO (2001-2015)

Cybersecurity program oversight is currently an unsettling process for many C-suites and boardrooms. Establishing structure, authority, and program oversight should be aligned to existing management processes and structure for other critical programs. However, cybersecurity programs remain unsettling. Why? Simply put, cybersecurity programs address a different type of risk. Typically, the risk that is being addressed includes sophisticated attacks that are intended to interrupt operations or steal sensitive data. In either case, organizations fi nd themselves under attack. In the case of Sony, a nation-state attacked the company for the sole purpose of disrupting the distribution of media. In the case of JP Morgan Chase, a highly sophisticated adversary launched a denial of service attack against the service delivery platform to disrupt the fl ow of transactions. Both cases provide business justifi cation to manage cybersecurity initiatives as a bet-your-business type of risk management program. The connection between the boardroom and those managing the technical infrastructure is critical. However, no board or C-Suite has the skills or knowledge of the threat landscape or technologies involved in cybersecurity programs to fl atten the management structure for top to bottom direct management. Each level of the organization must participate in an integrated and collaborative fashion. The structure and risk management responsibilities have been documented many times by well-respected cybersecurity organizations such as the National Institute of Standards and Technology (NIST) in a series of special publications. Coalfi re has specifi cally supported the local adoption and application of these general principles for the electric utility, fi nancial services, health-care, and retail sectors. As a result, this chapter leverages the lessons learned from those previous engagements to provide a condensed but effective approach to

91 ■ CYBER RISK CORPORATE STRUCTURE

cyber risk management and cybersecurity program creation and oversight. FIGURE First, the nature of the threat landscape is Cybersecurity Program evolving, while the underlying technology Benchmarks platforms that hold sensitive data are also changing. In this fl uid environment, management must create a nimble program of active cyber defenses informed by an iterative risk management process. For the fore- Adjust Plan seeable future, cybersecurity program oversight will not be one that can be reduced to an annual review process. When cyberattacks go undetected for months and then bring a company to its knees overnight, the Respond Protect level of vigilance and communication is heightened. To be effective, the structure has to be distributed throughout the organization, and risk thresholds have to be set that Detect cause unplanned alerts to drive management action on a regularly scheduled review and ad hoc incident-response basis. Often the primary risks to cyber assets is a 1. Plan cyberattack. The sophistication and determi- i. Cyber asset inventory and environment nation of known threat actors drives the exec- characterization utive team to put on war paint and respond in ii. Risk assessment and risk management kind. Unlike other enterprise risks that can be strategy managed with traditional controls, cybersecu- iii. Governance and organization structure rity requires the mindset of a warrior. Think in 2. Protect terms of Sun Tzu’s guiding principles pub- i. Program control design, control lished in 473 BC, The Art of War: “we must selection, and implementation know ourselves and our enemies and select a ii. Training strategy to positively infl uence the outcome of iii. Maintenance battle. There is no reason to fear the attack but 3. Detect there is reason to be concerned about our i. Threat and program effectiveness readiness to defend ourselves from the attack monitoring and reporting and respond appropriately.” ii. Incident alerting and response The most common approach for creating planning and maintaining an enterprise cybersecurity 4. Respond program follows a fi ve-step risk manage- i. Event analysis and escalation ment process. The process is iterative and ii. Containment, eradication, and recovery constantly informed by new information. 5. Adjust I am often asked, “When will the cybersecu- i. Lessons learned and program rity program be completed?” Unfortunately, adjustment the answer is never. Cybersecurity has to be ii. Communications viewed as a process and not an end point, the proverbial marathon versus sprint. The rest of the chapter addresses each step of Each of the steps in the process requires the cybersecurity program development participation at multiple levels across an process and highlights responsibilities for organization. stakeholders throughout the organization.

■ 92 ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM

■ Plan many times that it is more realistic to expect Cyber asset inventory and environment characterization that vendors have done little to inherently In accordance with the principles of Sun Tzu, protect systems or data in the native design “know thyself.” When cybersecurity proof their systems. In many cases, unless grams are managed at only a technical level, deployed appropriately, new cloud and the focus of the program is at risk of being mobile applications can actually decrease misdirected. Sensitive data hosted on an inex- the level of cybersecurity already deployed pensive platform may bely the true value to on legacy systems. It is the responsibility of the organization. Only senior executives and each executive to fully defi ne his or her business unit managers understand the rela- operating environment and include critical tive importance of specifi c operations or data. third parties in the assessment. Simple cybersecurity program designs Although lack of cybersecurity integration often include some level of network and data by vendors is not universal, we’re seeing some segmentation, encryption, or levels of access. enlightenment in a few security-focused ser- As a senior executive, one of the things you vice providers. However, it remains a serious should be asking is if your most important concern for the majority of new system acqui- systems and most sensitive data are properly sition and support processes, and cybersecurity deployed in the protected zones within your typically shifts to an add-on feature after pro- system architecture. However, the IT team will curement of a major new system in many never know how to answer that question if cases. In short, the process of identifying criti- senior management (specifi cally business unit cal cyber assets and the systems that support management) does not specifi cally provide those assets will remain a key part of the cyber- guidance on the relative importance of busi- security program oversight function for the ness functions and their associated systems. long term. The process of ‘knowing thyself’ The new generation CIOs and CISOs has been expanded to knowing your partners understand this principle completely, and and vendors and where your sensitive data the best of them have structured the operat- has been shared or managed by third parties. ing environment and security programs to The following is a quick test: focus on the most important cyber assets. However, to assume all CIOs or CISOs What are your top 3 most important understand this principle of critical asset business processes, and what systems classifi cation and environment characteriza- support those functions? tion is dangerous, because many do not. The Does the way your CIO answers most important part of this discussion is, the previous question match your “Does every business unit manager under- understanding of critical systems? stand what his or her most critical cyber assets are and where they are deployed?” Risk assessment and risk management strategy Even if the CIO and CISO understand the After a solid understanding of the battlefi eld relative priorities, senior executives cannot is established and executives appreciate the effectively participate in either cyber risk critical cyber assets being protected, an management or cybersecurity program over- assessment of risk to those cyber assets is sight without fi rst understanding the extent critical to the design of the cybersecurity proof the environment being protected. gram. The ability to adjust the program to As a quick warning, many of my clients meet the evolving threat landscape and tech- have the false expectation that cybersecurity nology architecture shifts is an important has become a critical part of the design for component of organizational security matu- new or more modern platforms being pur- rity. Responsibilities for conducting an effec- chased from large vendors and hosting pro- tive cyber risk assessment are distributed at viders. This expectation has proven false so three levels, as shown in Figure 2.

93 ■ CYBER RISK CORPORATE STRUCTURE

FIGURE Cyber Risk Organizational Structure and Responsibilities

TIER 1: Executive • Corporate strategy Leadership • Policy

• Results of monitoring • • TIER 2: Actionable policy Feedback Business and procedures Management • Guidance and constraints

• Results of monitoring TIER 3: • Feedback Systems Management

The primary objective for a risk assess- increasingly popular means of transferring ment is to drive selection of adequate and risk but comes with the requirement that rational controls and then assign responsi- you understand risk in ways that may not bilities to manage those controls. During the have been previously considered. It is impor- process the environment will be character- tant that the business units and security staff ized to bring context and the existing system are able to communicate the constraints as vulnerabilities, and weaknesses will be well as the risk mitigation alternatives for evaluated to select controls to offset the senior executives to make reasonable deci- probability of compromise during an attack. sions on risk management strategies. A comprehensive cybersecurity program addresses administrative, physical, and Governance and organization structure technical controls as an integrated suite. The risk assessment management duties and Once the inherent threats and vulnerabili- responsibilities are typically allocated in ties are understood within the context of the accordance with Table 1. impact they could have on the organization, its clients, and partners, senior executives ■ Protect must approve the risk management strategy. Program design and implementation Many executives want to see all risk either The outcome for any cybersecurity program mitigated or transferred. However, the bulk is the expectation that an organization can of companies in critical infrastructure indus- defend its critical cyber assets from irrepara- tries end up accepting some level of risk in ble damage resulting from a cyberattack. their strategy. Cost, continuity of operations, The impact of cyberattack is different for or other concerns may drive the formation of every organization. As a result, the cyberse- the cybersecurity program to mitigate what curity strategy and associated program is reasonable and accept the residual risk. must be considered against the potential Cybersecurity insurance is becoming an impact.

■ 94 ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM

TABLE Levels of Authority and Responsibility

Executive Business Unit Systems Management Prioritize critical assets Defi ne boundaries Recommend technical Establish risk appetite Design use case and physical controls Approve risk scenarios to understand Identify threats and Management strategy impact from system system vulnerabilities Mitigate the risk attack and compromise Evaluate the likelihood Transfer the risk Identify constraints for and probability of Accept the risk mitigating all risk impact for each threat Approve the program Develop a justifi ed risk and vulnerability and policies management strategy Estimate the impact on Assign responsibilities Identify all required systems and operations Provide oversight users of systems or from a fi nancial, delegates to receive data legal, and regulatory on a “need to know” perspective basis

Although security programs are different the security solutions selected. Rather, the for every company, the principles for devel- magic is in the ability of the organization to oping the program are fairly consistent. NIST manage those solutions to mitigate risks. Special Publication 800-53 has done a good Because the security skills available in the job in describing the selection of controls for industry today are low and growing increas- high-, medium-, and low-level impacts. ingly rare, companies should expect to spend Every organization needs access controls, but a disproportionate amount of training dol- only those that result in national security lars on cybersecurity. impact are realistic candidates for deploying the high-level version of that control. Many Maintenance executives are “sold” a package of controls Anyone working in forensic response will tell because they are used by the NSA, but the you that system compromise and data breach question to ask is, “How does the NSA are rarely the result of some sophisticated mission relate to our operations?” attack that no one has ever been seen before. As discussed in the risk assessment seg- The bulk of effective attacks use vulnerabili- ment, executives have to defi ne their risk ties that have been known for years. Cross- appetite. This is hard during the early days site scripting, shell or SQL injection, shared of cybersecurity program development administrator accounts, lack of patching, and because most of the C-suites have an inher- other standard security hygiene issues are ently low risk appetite and do not yet under- normally the culprits. There are two signifi - stand the impact of lowering the threshold cant operations that go dramatically under- for control selection. As a result, cybersecu- funded in most organizations: maintenance rity programs are often a work in process for of systems and security controls, which leaves several years. organizations vulnerable to attack.

Training ■ Detect The best cybersecurity programs are the Program monitoring and reporting ones that staff and partners will actually The days of ‘acquire, deploy, and forget’ are execute. Contrary to what many vendors over. For years, senior executives did not and partners will tell you, the magic is not in have to participate in cybersecurity program

95 ■ CYBER RISK CORPORATE STRUCTURE

oversight, because a combination of fi re- response is to take systems off line. Without walls, malware protection, and light access executive and business unit involvement, a controls were adequate to defend against poor decision could be made. previous generations of relatively static cyberattacks. Today, continuous monitoring ■ Respond is critical to see the evolving threat and tech- Response capabilities vary after discovery of a nology landscape. cybersecurity incident, and organizations are Cybersecurity programs have moved from typically faced with two unappealing options: a period of static defenses to active defenses, and we must become more nimble to success- 1. Pull up the drawbridge and stop the fully protect critical systems and sensitive hoards from overrunning the castle. data. From a military perspective, think of 2. Keep the drawbridge down while trying this shift as moving from multiple armored to fi gure out where the bad guy is. divisions with signifi cant force and fi repower protecting cities or regions to the more recent The most immediate, and some say rational, Special Forces mindset, in which quick detec- response is to “pull up the drawbridge” to tion and reaction are the key to success. eliminate whatever access hackers have. In the previous section, we mentioned Unfortunately, this alerts the bad guy that you two areas for increased investment. The sec- know he’s inside, so whatever systems and ond area is to develop cybersecurity pro- accounts he may have compromised or what- grams with a much higher focus on threat ever backdoors he’s created will be unknown. intelligence, monitoring, and alerting. This On the other hand, if a company decides to requires new security solutions and specially take option two, to play it low-key and con- trained security professionals. The old line tinue with business as usual to determine the of fi rewalls, malware protection, and access scope of the problem, the organization can controls are still required, but much more determine what systems have been compro- active system patching, vulnerability man- mised, what new privileged accounts have agement, and monitoring are driving mod- been created, and what back doors may exist. ern security programs. This will give the company a better chance of To avoid the perception of negligence, long-term success in eliminating the breach senior executives often reinforce old line and repairing lost or damaged information. security controls that are audited for regula- One response is not necessarily better tory compliance. However, focusing only on than the other, because situations vary. compliance will not secure an organization. However, these critical decisions must be Cyberthreats are ongoing, while compliance made almost immediately. is a point-in-time review. What is needed to address increasing cyberthreats is a nimble ■ Adjust program that can suffer an intrusion but No program is ever perfect. Continuous repel the intruder and recover operations monitoring and reporting will enable all quickly. Just like a good boxer needs to be three tiers of responsibility to constantly able to take a punch and stay in the ring, adjust the program and inform the other companies today must be able to absorb a tiers of actions. cyber punch and keep operating while at the same time mitigating and recovering. ■ Summary Effective cybersecurity program develop- Incident alerting and escalation ment and oversight requires executives Identifying a potential attack is only half the to implement and manage a distributed solution. Cybersecurity programs must alert process at three levels within an organiza- the technology teams and business units tion: executive level; business unit level; to respond appropriately. One potential and operational level (Table 2).

■ 96 ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM

TABLE Levels of Authority and Responsibility

Executive Business Unit Systems Management Plan Prioritize systems Inventory critical Select justifi ed and functions for systems controls protection Risk assessment Develop an Establish risk architecture to appetite integrate controls Provide periodic updates to executives to help them understand context for the program

Protect Approve Train users Design, deploy, and cybersecurity Enforce controls manage technical program strategy Design and controls Approve standards manage physical and metrics for and logical control oversight controls Approve policies

Detect Receive periodic Incident and Operate system and threat briefi ngs event reporting control monitoring and controls form staff, Actively participate effectiveness partners and in threat intelligence reports third parties functions Receive periodic education on changes to the threat landscape and emerging controls

Respond Lead Incident Participate in the Containment Response Team Incident Response Recovery Team

Adjust Allocate resources Deploy enhanced Provide advice for program training for control enhancements Deploy updated enhancements administrative and physical controls

If Sun Tzu lived today, he would clearly have to take a warrior’s attitude in develop- see the nature of current cybersecurity pro- ing strategies and programs to be successful grams and responsibilities and recognize that in combatting the cybersecurity challenges criticality of executive level management. We we face today.

SecurityRoundtable.org 97 ■

Cybersecurity legal and regulatory considerations

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Securing privacy and profi t in the era of hyperconnectivity and big data Booz Allen Hamilton – Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O'Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate

Companies increasingly use consumer data, including personal information, to stay competitive; this includes the capability to analyze their customers’ demographics and buying habits, predict future behaviors and business trends, and collect and sell data to third-parties. Consumers’ willingness to share their data centers on trust, however, and 91% of adults believe that they have lost control over how their personal information is collected and used (2014 Pew Research Center). So how do companies effectively manage consumer data while simultaneously building trust? It has been said that you cannot have good privacy without good security. A fi rst step is to build an effective security program while also better understanding what privacy means and how it can be a strategic business enabler in our era of hyper-connectivity and “big data”.

■ Why does this matter? The data economy The power and insights driven by consumer data has changed the corporate landscape. This has created the

91%

of adults “agree” or “strongly agree” that consumers have lost control over how their personal information is collected and used by companies

101 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

data economy—the exchange of digitized ■ Privacy defi nitions vary information for the purpose of creating “Privacy” may have different meanings to insights and value. Companies are building stakeholders due to factors such as the con- entire businesses around consumer infor- text, prevailing societal norms, and geo- mation, including building data-driven graphical location. There is no consensus products and monetizing data streams. This defi nition of privacy, which makes it chal- is a supply-driven push made possible by lenging to discuss, and act upon, a need for widespread digitization, ubiquitous data privacy. However, an important central storage, powerful analytics, mobile technol- concept regarding privacy recurs, which is, ogy that feeds ever more information into the appropriate collection, use, and sharing the system, and the Internet of Things. This of personal information to accomplish busi- also has a demand-driven effect as more ness tasks. Determining what appropriate consumers expect their products to be and limited means for your customer is key “smart” and their experiences to be target- to gaining trust and unlocking the potential ed to delight them on an individual basis. of the data economy. The data economy goes beyond the tech industry. For example, many supermarkets ■ What is personal data? now record what customers buy across their Personal information comes in variations stores and track the purchasing history of such as: (1) self-reported data, or information loyalty-card members. The most competitive people volunteer about themselves, such as companies will sift through this data for their email addresses, work and educational trends and then, through a joint venture, sell history, and age and gender; (2) digital the information to the vendors who stock exhaust, such as location data and browsing their shelves. Consumer product makers are history, which is created when using mobile often willing to purchase this data in order to devices, web services, or other connected make more informed decisions about prod- technologies; and (3) profi ling data, or per- uct placement, marketing, and branding. sonal profi les used to make predictions about The enabler of the data economy is data individuals’ interests and behaviors, which itself. Individuals generate data. They do are derived by combining self-reported, digi- this every time they “check in” to a location tal exhaust, and other data. According to through a mobile app, when they use a loy- research, people value self-reported data the alty card, when they purchase items online, least and profi ling data the most (2015 and when they are tracked through their Harvard Business Review). For many compa- Internet searches. Companies gain consum- nies, it is that third category of data, used to ers’ trust and confi dence through transpar- make predictions about consumer needs, that ency about the personal information that truly provides the ability to create exciting, they gather, providing consumers control thrilling products and experiences. However, over uses and sharing of such information, that same information is what consumers and offer fair value in return. value the most and seek to protect.

Every minute

Facebook users share nearly 2.5 million pieces of content.

Twitter users tweet nearly 300,000 times.

YouTube users upload 72 hours of new video content.

Amazon generates over $80,000 in online sales.

■ 102 SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA

Privacy is very often confl ated with security. While privacy is about the appropriate collection, use, and sharing of personal information, security is about protecting such information from loss, or unintended or unauthorized access, use, or sharing.

■ Privacy and security intersect through Gmail service scans emails in order to target breaches and tailor advertising to the user. In 2013 Although privacy and security are two sepa- Microsoft ran TV ads that claim that “your rate concepts, the importance of these two privacy is [Microsoft’s] priority.” ideas intersect for the consumer if personal Companies are also competing to be pri- information is not safeguarded. In a nut- vacy champions against government surveil- shell, consumers are more likely to buy from lance. For the last few years, the Electronic companies they believe protect their privacy. Frontier Foundation has published the “Who Large-scale security breaches, such as the Has Your Back” list—highlighting compa- recent theft of credit card information of nies with strong privacy best practices, par- 56 million Home Depot consumers (2015) ticularly regarding disclosure of consumer and 40 million Target shoppers (2013), pro- information to the government. vide consumers with plenty to worry about. Breach-weary consumers need to know who ■ Challenges and trends to trust with their personal information, to Maintaining compliance ensure that only the company that they pro- Beyond the moneymaker of the data econo- vided the information to can use it. Risk my, there is also a need to comply with a management for data privacy and security swirl of confl icting regulations on privacy. of that data should guard against external For global companies, this task is made more malicious breaches and inadvertent internal diffi cult as privacy regulations vary by region breaches and third-party partner breaches. and country. Although international accords often serve as the basis of national laws ■ Privacy is linked to trust—differentiate and policy frameworks,1 the local variations with it complicate compliance. For example, the Trust, and the data that it allows companies May 2014 ruling of the European Court of to have access to, is a critical strategic asset. Justice on the “right to be forgotten” set a Privacy issues that erode trust can disman- precedent for removing information from tle the goodwill that a brand has spent dec- search results that are deemed to be no ades building with consumers. Forward- longer relevant or not in the public interest leaning companies are already moving by affi rming a ruling by the Spanish Data toward proactively gaining the trust of their Protection Agency. Countries across Europe customers and using that as a differentiator. have applied the ruling at a national level, Learning from its issues with the lack of which means that they are not exactly the security on iCloud, Apple now markets all same.2 Compliance with this decision has yet of the privacy features of their products and to be fully understood. Google has fi elded apps. With an eye toward the desires of its about 120,000 requests for deletions and customers, the iPhone’s iOS 8 is encrypted granted approximately half of them.3 by default. This makes all “private” infor- Compliance is costly and complicated. mation such as photos, messages, contacts, Beyond technical issues (which were easier reminders, and call history inaccessible to solve), Google’s main issue with compli- without a four-digit PIN and numeric pass- ance was administrative—forms needed to word. In 2012 Microsoft launched its “Don’t be created in many languages, and dozens get Scroogled” campaign as a direct attack of lawyers, paralegals, and staff needed to on its rival, Google, by highlighting that its be assembled to review the requests. Issues

103 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

remain, such as the possibility of removing conduct, along with a clearly defi ned means links from Google.com as well as from of enforcement. Externally, this means country-specifi c search engines. building privacy considerations into the Compliance with established laws in the products and services offered to customers. U.S. is often topic- and industry-specifi c. For Some of the ways to do this include the example, Congress has passed laws prohib- following. iting the disclosure of medical information (the Health Insurance Portability and Create easy-to-understand consumer-facing policies Accountability Act), educational records The average website privacy policy averages (the Buckley Amendment), and video-store more than 2,400 words, takes 10 minutes to rentals (a law passed in response to revela- read, and is written at a university-student tions about Robert Bork’s rentals when he reading level.6 No wonder half of online was nominated to the Supreme Court).4 Americans are not even sure what a privacy policy is.7 Writing clear, easy-to-understand Growing data = growing target for hackers consumer-facing policies can help you As data availability increases, the attractive- increase the number of people who will ness of datasets for hackers increases as well. actually read them, and you will gain the Companies in all sectors—health care, retail, trust of your consumers. No company has a fi nance, government—all have datasets that perfect solution, but many organizations are attractive to hackers. Just a few of the con- have come closer. Facebook has recently fi rmed cyberattacks that targeted consumer rewritten its privacy policy for simplicity information in 2014 include: eBay, Montana and included step-by-step directions for Health Department, P.F. Chang’s, Evernote, users.8 To increase trust, privacy policies Feedly, and Domino’s Pizza.5 should clearly state the following:

Beyond personal information 1. the personal information that you will Personal information (PI) is described in collect privacy and information security circles as 2. why data is collected and how it will information that can be used on its own or be used and shared with other information to identify, contact or 3. how you will protect the data locate a single person, or to identify an indi- 4. explanation of consumer benefi t from the vidual in context. With the advent of rich collection, use, sharing, and analysis of geolocation data, and powerful associative their data. analysis, such as facial recognition, the extent of PI is greatly expanded. Regulations Additionally, companies should give a clear are struggling to keep up with the changes, and easy opt-out at every stage and only use and companies can maintain consumer con- data in the ways stated. To ensure that the fi dence by collecting, using, and sharing data is used in the ways stated, develop clear consumer data with privacy in mind. internal data use and retention guidelines across the entire enterprise, limit internal ■ What to do? Build consumer trust access to databases, create a procedure for To unlock the data economy, companies will cyberattacks, and link it directly to the con- need to tune in to their customer’s needs sumer privacy policy. and move quickly to earn and retain customer trust. Privacy can be a competitive Go “privacy by design” differentiator for your business—and this The concept of “privacy by design” is inte- goes beyond lip service. Appropriate privacy grating and promoting privacy require- policies are needed internally, this means ments and/or best practices into systems, building privacy considerations into busi- services, products, and business processes ness operations and expected employee at the planning, design, development, and

■ 104 SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY AND BIG DATA

implementation stages, to ensure that busi- Building consumer trust includes keeping nesses meets their customer and employee information safe from hackers, creating easy- privacy expectations, and policy and regula- to-understand consumer-facing policies, tory requirements. The approach is a market and applying the principle of “privacy by differentiator that is intended to reduce default”. Companies that reframe these privacy and security risks and cost by actions as business enablers instead of busi- embedding relevant company policies into ness costs will thrive—and fi nd it easier to such designs. As such, privacy settings are comply with an increasingly complex web of automatically applied to devices and ser- regulations. Finally, communicating your vices. Privacy by design and default is good work to consumers will elevate the recognized by the U.S. Federal Trade profi le of your organization as a trusted part- Commission as a recommended practice for ner, and pave the way for future gains. protecting online privacy, and is considered for inclusion in the European Union’s Data References Protection Regulation, and was developed 1. https://www.eff.org/issues/international- by an Ontario Information and Privacy privacy-standards. Commissioner. 2. http://www.hitc.com/en-gb/2015/07/ 07/facebook-questions-use-of-right-to-be- Communicate your good work forgotten-ruling/. Privacy policies and actions are more than 3. http://www.newyorker.com/magazine/ legal disclosure; they are marketing tools. 2014/09/29/solace-oblivion. All the actions you take to protect consum- 4. http://www.newyorker.com/magazine/ ers’ privacy should be communicated so 2014/09/29/solace-oblivion. they know you can be trusted. The Alliance 5. http://www.forbes.com/sites/ of Automobile Manufacturers, representing jaymcgregor/2014/07/28/the-top-5-most- companies such as Chrysler, Ford, General brutal-cyber-attacks-of-2014-so-far/. Motors, and Toyota, publicly pledged more 6. http://www.computerworld.com/ transparency about how they will safe- article/2491132/data-privacy/new- guard data generated by autonomous vehi- software-targets-hard-to-understand- cle technologies. Many groups have pub- privacy-policies.html. lished data principles that communicate 7. http://www.pewresearch.org/fact-tank/ how data is gathered, protected, and 2014/12/04/half-of-americans-dont- shared.9 know-what-a-privacy-policy-is/. 8. https://www.washingtonpost.com/ ■ Conclusion blogs/the-switch/wp/2014/11/13/ Our current data economy brings exciting facebook-rewrites-its-privacy-policy-so- opportunities for companies to grow by that-humans-can-understand-it/. enhancing their products and services. These 9. https://fortunedotcom.files.wordpress innovations rely on consumers to trust your .com/2014/11/privacyandsecurity organization with their personal information. principlesforfarmdata.pdf.

SecurityRoundtable.org 105 ■

Oversight of compliance and control responsibilities Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC – Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director

For too long, cybersecurity has been considered the realm of the Information Technology (IT) Department, with corporate executives assuming that the goal of cybersecurity is simply to make sure IT is secure enough to allow the company to use data reliably to do its business. In today’s economy, however, data are not only a tool for doing business but also a core asset of the business itself. The collection, analysis, and sale of rich data about one’s products and customers inform decision-making and business strategy and provide a key revenue generator for many companies. Because data are now so valuable, the increasingly pervasive and debilitating nature of cyberthreats poses an existential threat to the company’s success. Data’s value to cyber criminals also has the attention of federal and state regulators concerned with consumer privacy and safety, posing new legal and compliance challenges. This is why companies can no longer afford to approach the oversight of cybersecurity as an IT issue. Simply because a cyberthreat’s mode of attack usually exploits vulnerabilities in a company’s IT infrastructure does not mean that oversight should rest purely with the team that maintains and repairs that infrastructure. Certainly, a secured IT infrastructure is crucial and an important fi rst line of defense. However, the enterprise risk created by cyberthreats requires a holistic approach that considers the management of an entire array of impacts—from reputational to regulatory to fi nancial—that transcend core IT competencies and functions. Because securing today’s data is central to securing the company’s future, effective

107 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

oversight of cybersecurity compliance and encompasses the risks of fi nancial loss; busi- controls requires leadership from the C-suite ness or operational disruption; loss or com- and the boardroom. promise of assets and information; failure to Critically, this leadership must be coordi- comply with legal, regulatory, or contractual nated. For a company’s cybersecurity com- requirements; or damage to the reputation of pliance and control programs to be effective, an organization because of the unauthorized efforts must be structured in ways that ensure access to or exploitation of data assets. the board and senior management, including Cybersecurity is the protection of data assets the C-suite, work together to achieve its risk from unauthorized electronic access or objectives. Each has distinct cybersecurity exploitation risks through processes responsibilities: senior management is designed to prevent, detect, and respond to responsible for determining relevant cyber- these risks.1 Effective oversight of cybersecu- related risks and implementing a compliance rity is therefore essential to a company’s program that incorporates appropriate pro- oversight of risk management. cesses and controls to mitigate them, whereas Two core components of the company’s the board is responsible for overseeing the cybersecurity program must be overseen at risk identifi cation process and independently the highest levels of management: compli- evaluating whether the program is designed, ance and controls. Compliance here means implemented, and operating effectively to the company’s program for ensuring actual meet the company’s cybersecurity risk miti- adherence to internal cybersecurity policies gation objectives. Meeting these responsibili- as well as external privacy and data protec- ties well requires a formalized integrated tion laws and regulations in the jurisdictions approach to cybersecurity risk evaluation, where the company operates. Controls mean defi ned roles and responsibilities, implemen- the company’s systems and processes for tation of a program that is supported by the protecting its data infrastructure and carry- board, clearly articulated by the C-suite, and ing out incident response. These components effectively implemented by operational should be overseen actively to confi rm that resources. Disconnect between the board, compliance and controls are going beyond C-suite, and operations poses as much of a mechanical application of generic cybersecu- challenge to corporate cybersecurity as rity rules and standards, which may just cyberthreats themselves. establish a regulatory fl oor for corporate practices, not a set of industry-leading prac- ■ Cybersecurity oversight is risk management tices, and which may not be appropriate or oversight relevant to the threat landscape and unique To understand why coordinated C-suite and regulatory requirements for the company’s board oversight of cybersecurity is essential, industry. Moreover, even industry-leading one must understand cybersecurity as a practices quickly may become dated, because means of managing and responding to cor- regulators’ views on “reasonable” cybersecu- porate risk. The purpose of risk management rity are changing all the time.2 The legal risks in general is to identify and mitigate the from inattentive oversight are limited only risks a company faces to a level acceptable to by plaintiffs’ imagination and regulators’ the enterprise as determined by the board, a zeal, and the practical risks are limited only level known as a company’s “risk appetite.” by hackers’ ambition and creativity. The strategies and objectives for managing From a risk management perspective, the risks and responding to threats are articu- key inquiry revolves around the value of lated in the policies, procedures, and con- each data asset. For example, data assets trols of the organization and are the respon- whose business usefulness has long passed sibility of senior management. may still be rich in information that may be One signifi cant and growing area of risk embarrassing to the organization if released for most companies is data risk. Data risk publicly. So in a way, cybersecurity risks are

■ 108 OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES

partially an extension of data retention of the organization’s risk management risks, for what the organization does not efforts. have (and has no obligation to keep) cannot The board also has to be sure to engage in be hacked. oversight of cybersecurity compliance and Thus, the board and senior management controls at all phases of the company’s data must approach the oversight of cybersecuri- risk management “lifecycle.” See Figure 1. ty compliance and control from a broader The lifecycle involves, fi rst, identifi cation— risk management vantage point: one that looking at the company’s cybersecurity risk weighs the value of the data as an asset class profi le, identifying the key data assets that to the organization, the value that may be have to be protected (the “crown jewels”), assigned by the threat actors who may seek and determining the applicable laws and the asset, and the broader impact and costs— regulations governing their protection; next, including but not limited to legal and com- design and implementation—creating and pliance costs—stemming from the potential implementing operational controls and com- compromise of data. pliance processes to manage the risks to those In this vein, perhaps the board’s most data assets; next, monitoring—actively over- critical inquiry to senior management is seeing the compliance processes and controls; whether the organization has adopted suffi - next, evaluation—evaluating the effectiveness cient processes to inventory and value its and management of the controls and compli- various data assets. From a cybersecurity ance processes implemented; and fi nally perspective, senior management should reporting and reassessment—documenting how then weigh under what circumstances, the controls and compliance processes are through what channels, and on what plat- working, and reassessing to the extent that forms the organization’s most critically val- there are gaps. The last phase of the lifecycle ued data assets should be made accessible. involves internal reporting on capabilities to respond to threats, external reporting on ■ Board of directors’ role in oversight those capabilities to stakeholders (e.g., SOC 2 of compliance and controls reporting), and adjusting management to Too often, boards have exercised limited respond to internal drivers (e.g., business oversight of cybersecurity, yet monitoring changes) and external drivers (e.g., con- the management of data risk associated with stantly evolving regulatory requirements cybersecurity is part of the board’s fi duciary and guidance). Strong C-suite supervision duty to the corporation. The time for the and board oversight are needed at every board to begin to play an oversight role is not phase. the moment when data actually are put at The oversight and compliance need not risk, through a breach or corporate theft; the rest on the entire board—a standing commit- board must build cybersecurity oversight tee comprising knowledgeable board mem- into its general strategy for overseeing risk bers, armed with outside expertise where management from day one. appropriate, often can provide a more Managing the risks associated with focused and better informed oversight. cybersecurity compliance and control However, whatever oversight activities are involves determining one’s risk appetite in a undertaken must be documented so that the variety of areas and requires senior manage- board can show that it is carrying out its ment to make fundamental judgment calls fi duciary duties. about the design of the control environment, the scope and depth of the compliance ■ Building blocks of effective oversight program, and the resource allocation for of cybersecurity compliance each. The board must be well informed of An organization’s cybersecurity compliance how the corporate leadership is managing efforts must support the company’s busi- these risks and able to assess the adequacy ness units and management in their efforts

109 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

FIGURE

Data risk management lifecycle

Report & Identify Reassess

Design Evaluate & Implement

Monitor

to achieve compliance with government obtaining outside review for defi ciencies or rules and regulations as well as the organi- improvements. A mechanism for periodic zation’s internal policies and procedures by updates to the Plan should be included in (1) identifying risks; (2) preventing risks the Plan; many companies get into trouble through the design and implementation of with regulators for failing to update their controls; (3) monitoring and reporting on the cybersecurity approach as their business effectiveness of those controls; (4) resolving model changes or as regulations or enforce- compliance diffi culties as they occur; and ment strategies change. (5) advising and training.3 If the company is operating in the United There are several steps the board and States, the Plan must be neither aspiration- C-suite should take to provide effective al nor hyper-specifi c. An aspirational oversight of the cybersecurity compliance plan—one that sets out where the organiza- program’s execution of all of these functions. tion envisions its cybersecurity program to First and most important, the C-suite should be at some point in the future—may end up implement an enterprise-wide approach to causing the company to look like it is fall- compliance risk management. As part of this ing short if regulators come calling. approach, the organization should create a Similarly, a hyper-specifi c Plan may put the formalized Cybersecurity Risk Management company at risk of technical noncompli- Plan that is reviewed by the board. If the ance. In short, the Cybersecurity Risk Plan is developed internally by the corporate Management Plan should match what the leadership, the board should consider company actually does.

■ 110 OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES

Second, the C-suite should extend the well-developed monitoring and assessment enterprise-wide approach to compliance processes that encourage timely internal risk management to the company’s entire communication of potential risks to the ecosystem—its vendors and other third-party compliance team. partners (e.g., cloud services providers, out- Fourth, consistent with the risk manage- side data processors). This means ensuring ment lifecycle, the C-suite should make sure that oversight is robust for the corporate vet- it has effective means to test compliance in ting of cybersecurity practices at third par- practice and communicate the results to the ties and that the contractual relationships board. It is critical for updates to cybersecu- with third parties allow for monitoring and rity compliance policies to translate actually oversight. Many technological innovations into updated implementation, and the board are leading companies to outsource aspects must be able to see—and where needed of their business involving data, but this spur—this implementation. (See the next comes with risks of the partners not securing section). The C-suite also has to be able to data to the degree the company is. test to see that cybersecurity compliance is Third, the C-suite should ensure—and taking root across the company’s operations the board should monitor—the independ- and prevent ‘siloing’ within business lines ence of the cybersecurity compliance team or cost centers. from the company’s IT and business units. Fifth and fi nally, the board should make Given silos that frequently develop around cybersecurity compliance a priority, plain the compliance, IT, and business teams, the and simple. None of the above measures will C-suite ought to ensure that the compliance be prioritized at the senior management team has the resources and skills to inde- level and below unless they are also the pendently evaluate the suffi ciency of the board’s priority. company’s cybersecurity program. If the compliance team is not equipped to under- ■ Building blocks of effective oversight stand what technological steps the IT team is of cybersecurity controls or should be taking to advance the organiza- Board and C-suite oversight of cybersecurity tion’s cybersecurity, and so defers entirely to controls relates to the control of associated their judgment, it may fail to apprehend the enterprise risks: legal, fi nancial, regulatory, compliance implications of the steps ulti- and reputational, to name a few. None of mately taken. these risks can be fully avoided, but effective Of course, independence should not controls can reduce their impact on the mean isolation. It is critical that these teams organization, and effective oversight can can and do speak to each other regularly: ensure that these controls are thorough. compliance risks arise in the IT and busi- One step a board can take to provide ness lines, and the compliance team must effective oversight of cybersecurity controls be involved in assessing those risks. For is to ensure that the controls implemented example, if a new business line involves by the C-suite contain prevention, detection, collection of new pieces of customer data, and rapid remediation components. Many failure to ensure that data are properly companies focus on prevention and detec- secured and kept private from the start cre- tion, but not remediation, and then are ates compliance risks. Likewise, the IT caught off guard when they learn of an Department’s failure to patch software in a intrusion requiring immediate remediation timely manner creates compliance risks. that went undetected. Prevention measures The compliance team must be suffi ciently in include data inventorying, data loss preven- the loop to ensure steps are being taken to tion planning, strong perimeter and internal prevent these failures, without being opera- defenses, and processes for timely patching tionally involved in the actual prevention core software to plug security holes. Many of efforts. This can be achieved through these are IT measures, but prevention is not

111 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

limited to IT and includes building a corpo- As with cybersecurity compliance, for the rate culture that is mindful of data risk, as is above measures to be prioritized, they must discussed more below. be a board priority. In this vein, the board Detection measures include analysis of should check to see that cybersecurity con- operational data and anomaly detection as trols are appropriately funded; none of these well as systems for logging, monitoring, and controls can be prioritized without adequate testing data moving into and out of the corpo- funding. rate IT environment and across various devices (e.g., from computer to cloud service or ■ Implementation challenges external storage devices), where legally per- Even the best designed data security initia- missible. Rapid remediation measures include tives are prone to failure if not implemented incident response plans that are rehearsed, correctly. A common problem that can occur implementation of forensic recovery tools, even after apparently successful program and measures to quickly restore failed sys- implementation is a disconnect between tems from back-ups. Boards should recom- appropriately drafted policies and proce- mend appointment of a permanent incident dures on the one hand, and operational response team—comprising senior manage- practices and technology infrastructure on ment from IT, legal, compliance, vendor man- the other (in-house and third party-management, PR, investor relations, and business aged), and a failure of the board to notice. lines—to lead the incident response efforts, Cybersecurity policies and procedures report incidents and remediation plans to the are effective only if they are tailored to the C-suite and the board, and notify external company’s unique business environment, regulators and customers when necessary. applicable regulatory requirements, and In line with the previous point, a key step known security risks. However, too often, the C-suite should take is to oversee lines of boards and C-suite leadership oversee the communication among the various parts of development and adoption of boilerplate the company that either manage or make use policies and procedures that, although per- of the company’s cybersecurity controls. If a haps built on generally appropriate founda- business line is experiencing occasional bugs tions, are either insuffi ciently customized or in its online customer order processing, for implemented inappropriately. The resulting example, and IT is not informed of the issue disconnects may lead not only to damaging in a timely manner, malware may go unde- data breaches and unauthorized disclosure tected. If an employee with database access of personal information but also to scrutiny quits and HR does not timely inform IT, then from regulators and actions from the plain- user credentials may remain active long after tiffs’ bar. For example, the Federal Trade they should. Commission (FTC) currently views the dis- Another key step the C-suite can take is to connects between cybersecurity policies prioritize regular training of employees—at and procedures and their actual implemen- a minimum annually—on cybersecurity tation as unfair or deceptive trade practices threats and how to avoid them. A surprising under Section 5 of the FTC Act, and this is a number of threats can be thwarted by trend that senior executives should expect employee education about suspicious to continue. emails, strong password practices, and cau- It is critical to the success of a cybersecu- tious use of personal devices. The more rity program that the operational uptake employees at every level learn to treat data of—and ongoing adherence to—program as a valuable asset, the more careful they will requirements are measured effectively. be. Conversely, no matter how strong a com- Monitoring of the program not only enables pany’s cybersecurity controls, it only takes effective reporting up to the board but also, one employee mistake to expose sensitive more importantly, identifi es vulnerabilities company data. in the program and areas for improved

■ 112 OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES

security. Although evaluating the effective- business asset is clearly established; its value ness of a cybersecurity program would is verifi ed on a daily basis by those who seek appear to be a core component of any suc- to gain access to business networks and cessful implementation, many organizations view, remove, or otherwise exploit the data fail to adequately address this need, often residing there. However, resources allocated leading to exploited weaknesses, data to cybersecurity are still frequently an IT line breaches, and programmatic failure. item, rather than an enterprise-wide issue. Effective metrics for evaluation can be Businesses operating in this environment of broken down into several categories to ena- perpetually evolving digital risks must rec- ble more targeted application across the ognize that data security is no longer a cost enterprise. Programmatic metrics measure of doing business; it is a core component of the progress of various organizational com- remaining in business. As such, budgets ponents of the information protection pro- must be allocated appropriately to meet the gram, such as overall program development, risks. Budgets vary according to business implementation, and maintenance (e.g., type, data types and sensitivity, volume of cybersecurity policies are updated to meet data, sharing with third parties, and any new regulatory requirements). Operational number of other of risk factors that must be metrics measure the performance of (as the considered by the board and executives. The name implies) various operational compo- budgeting process has to enable the compa- nents of the information protection program; ny to do more than get the right people and the number of cybersecurity incidents per processes in place but also to implement reporting period is an excellent example. technology that truly addresses the security And compliance metrics measure individu- needs of the organization. This process als’ compliance with program requirements. requires commitment from the C-suite and Such metrics may measure, for example, oversight from a board that understands the whether employees are observing required importance of cybersecurity. data security protocols when sending sensi- Cybersecurity budgeting also must tive customer information to a third party include dedicated resources for training of for processing. In general, the trend for personnel. As mentioned above, the human many of these metrics is toward the meas- element is frequently the weakest link in an urement of outcomes; metrics that demon- otherwise solid data security program. Staff strate a company’s frequent intrusion detec- must have the resources they need to be tion scanning are not helpful if the outcome trained not only to be proactive in taking is still a high number of intrusions each year. steps to safeguard data but also to recognize Regardless of whether your organization attempts by unauthorized parties trying to is seeking to measure programmatic, opera- gain network access. Phishing, for example, tional, or compliance aspects of your cyber- remains a remarkably effective tool for gain- security program, the metrics that you ing credentials that open a door to the net- design must be clearly defi ned and meaning- work and the data therein, and inadequate ful and measure progress against a clearly training may increase a company’s vulnera- stated objective. A properly implemented bility to phishing attacks. Regulators know metrics program helps leadership ascertain this and expect board members providing initial uptake and improve the compliance cybersecurity oversight to know, too. with—and performance of—a well-designed The board and C-suite also must bear in cybersecurity program. mind that successful initial implementation of Another challenge for effective imple- a cybersecurity program does not necessarily mentation of cybersecurity compliance and lead to a cybersecurity program that has lon- controls—and one that must be closely mon- gevity. Ongoing success is largely dependent itored by the board—is resource allocation. on top-down involvement by the board and The recognition of data as a highly valued active management by the C-suite. The board

113 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

should be apprised regularly of data security ensure that these measures are being adopt- incidents and emerging data risks, as well as ed. Only with consistent C-suite involve- changes to the regulatory environment. An ment and strong board oversight—informed actively informed and involved board, work- by an understanding of data risk as a central ing in harmony with the C-suite, enables agile enterprise risk—can cybersecurity challeng- enterprise-wide response to evolving threats es be handled effectively. and appropriate upkeep and improvement of a robust cybersecurity program. References 1. See NIST, “Framework for Improving ■ Conclusion Critical Infrastructure Cybersecurity” Today’s cybersecurity risks affect organiza- (2014) (defi ning “cybersecurity”). Of tions of all sizes and across industries course there are many defi nitions of and lead to not only IT headaches but also “cybersecurity”; the NIST defi nition headaches for the entire business. Companies adapted here is just a recent American are increasingly put into the unenviable example. position of needing to put up shields against 2. For example, some regulators require a variety of cyberthreats, knowing that no certain data to be encrypted while many defense can provide perfect protection. others do not. See, e.g., 201 Mass. Code However, the C-suite nevertheless must Regs. § 1700 (2009). strive to employ strong cybersecurity com- 3. See International Compliance Association, pliance and control measures that go beyond “What is Compliance?,” available at http:// mechanical satisfaction of applicable legal www.int-comp.org/faqs-compliance- rules, and the board has an obligation to regulatory-environment.

■ 114 SecurityRoundtable.org Risks of disputes and regulatory investigations related to cybersecurity matters Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate

Disputes and regulatory investigations are two of the more important risk categories related to cybersecurity matters. These risk categories can create signifi cant fi nancial exposure, brand risk, and distraction. In the worst case, some of these risks could result in bankruptcy. The risks related to disputes are traditional (e.g., litigation, arbitration, and negotiation of contract terms) and novel (e.g., data ownership disputes). They arise not only in the context of data breaches but in everyday operations. Regulatory investigations are another source of risk. This risk is hard to quantify because there is not clear statutory authority for all regulatory investigations begun or threatened. This creates uncertainty for regulated entities. The costs for non-compliance can be extensive, with fi nes in the millions of dollars and consent decrees authorizing audits for 20 years. These risks affect businesses even in the absence of a data breach incident. More businesses recognize this fact and are accounting for these risks in all aspects of their businesses. Businesses that attempt to deal with risk related to cybersecurity matters as an afterthought may be left behind. Many businesses are international in scope and must comply with cybersecurity rules and regulations in a variety of countries. This can create a highest-common- denominator situation: businesses end up attempting to comply with the strictest regime in which they operate. The dynamic nature of cybersecurity matters makes it impossible to completely enumerate every risk associated with such matters. This chapter provides a short survey of some of the most high-profi le risks that all businesses will face in our current economy.

115 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

■ Risks of disputes These provisions can include security Businesses have a growing awareness of standards and breach disclosure require- cybersecurity matters. As a result, cyberse- ments. For instance, Defense Federal curity matters will increasingly impact tradi- Acquisition Regulation Supplement tional business activities, such as contract (DFARS) 204.7300 requires “adequate negotiation. security” for all contractors and subcon- Plaintiffs also have an increasing aware- tractors with systems on which con- ness of cybersecurity-related causes of trolled technical information is resident action. Courts have been receptive to some on or transits. As with many of these of these causes of action and skeptical of oth- provisions, “adequate security” is not ers, but plaintiffs continue to make threats in defi ned with a checklist but as “protec- pursuit of a lucrative settlement. tive measures that are commensurate with the consequences and probability Dispute risks in business activities of loss, misuse, or unauthorized access Cybersecurity matters will impact every tra- to, or modifi cation of information.” ditional business activity, if they do not already. Two activities, contract negotiation These same provisions include report- and data processing, are already subject to ing requirements for both actual and dispute in many industries. potentially adverse effects on an information system, which is a more strin- 1. Contract negotiation. Contractual parties, gent requirement than many state especially government agencies, data breach requirements. are becoming more sophisticated about requesting provisions related Compliance with these provisions will to cybersecurity during contract be diffi cult, and the set language creat- negotiations. Frequently, these provisions ed by such provisions prevents busi- will place additional burdens on the nesses from negotiating more concrete counterparty, leading to disputes during terms, forcing businesses to accept negotiation. Many businesses are also uncertainty as a cost of entering into attempting to apply existing contract such a contract. provisions to cybersecurity matters. When this reinterpretation is put forward b) Liability/indemnity. Cybersecurity creates in the wake of a security breach, the risk, and more businesses are looking reinterpretation can lead to costly litigation. to affi rmatively allocate that risk a) Flow-down provisions. Federal agencies, through contractual terms. Actuaries especially the Department of Defense, are still developing tables related are including more flow-down to cybersecurity risk (Congress is provisions related to cybersecurity in discussing legislating on this issue), so their contracts with suppliers. Often, the allocation of risk in a contract may the agency requires its contractors not be based on methods as rigorous to include these provisions in their as those in other risk allocations. This contracts with subcontractors and will create tension between parties other contractual counterparties. As who value the risk differently. these fl ow-down provisions expand through the supply chain, businesses Cybersecurity incidents and the atten- with no direct connection with the dant response can be very expensive, federal agency will see requests—or with some sources placing the average demands—that they comply with fi nancial cost of a data breach in the provisions drafted without their input. millions of dollars. The allocation of

■ 116 RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERS

such cost, combined with an increas- press, which can create tension with ing chance of an incident triggering notifi cation provisions. these clauses, is an area likely to be subject to dispute both during con- 2. Data ownership/data processing. Most state tract negotiation and in the wake of breach notifi cation laws differentiate a breach. between data owners and data processors, but existing contracts do not always Many contracts already contain liabil- explicitly define these roles. Some ity allocation provisions, but those businesses have attempted to understand provisions do not explicitly address these issues and have asserted ownership cybersecurity matters. In the wake of a (or, in some cases, denied ownership) of cybersecurity incident, interpreting data in the absence of a specifi c ownership the liability allocation provisions will allocation. This can lead to disputes in be a matter of some dispute. long-standing business relationships. One business may seek to sell information it is c) Data security and notifi cation. Laws, collecting while a contractual counterparty regulations, and political and is attempting to safeguard the same data. consumer pressure have increased Not all businesses seek to clarify this businesses’ focus on the security of relationship prior to selling data, which consumer data. At the same time, can lead to signifi cant disputes when such consumer data have become a more sales come to light. valuable commodity. For instance, AT&T and Apple both contested Radio In the context of a data breach Shack’s ability to sell consumer data Data breaches expose businesses to many during Radio Shack’s bankruptcy. additional disputes. At times, these disputes can be more problematic than the intrusion Recognizing these trends, businesses itself. Contractual counterparties, customers, are placing more provisions in contracts and other impacted businesses may all seek that dictate security requirements. some compensation in the wake of a data Because the underlying consumer data breach. Insurance companies may seek to are valuable, these provisions may be avoid payment under policies that arguably subject to signifi cant disputes during apply, leading to additional litigation. negotiations. Other businesses are attempting to read existing provisions 1. Contractual counterparties. Most contracts as covering security requirements and have provisions that are either directly privacy responsibility. or indirectly implicated by a data breach. Some of these provisions are triggered Many businesses that entrust sensitive by a breach, such as obligations to data to counterparties are including notify consumers whose information breach notifi cation provisions in con- is exposed. A counterparty may allege tracts. These provisions vary greatly, that other provisions are broken by even within a single industry, and cre- an intrusion, such as a requirement to ate various thresholds for notifi cation. have adequate or reasonable security. For instance, some provisions require Businesses often struggle with whether a notifi cation in the event of a breach. particular provision requires notifi cation, Others require notifi cation if there is either because the provision itself is not an indication of a breach. Many vic- clear or because the business believes tims of a security breach seek to keep that the intrusion does not rise to the the existence of a breach out of the level contemplated in the contract.

117 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Counterparties may disagree with this press, but business customers have also interpretation, leading to disputes if the pressed for indemnifi cation in the wake intrusion does come to light. of an intrusion.

Notifi cation provisions often have an Disputes with business partners over data abbreviated time frame for notifi cation. breaches can disrupt normal operations, Attempting to identify and comply with above and beyond the disruption caused notifi cation provisions of impacted coun- by the data breach itself. The need to terparties can create additional stress resume normal operations can pressure beyond the already signifi cant stress the victim to quickly agree to a settlement. related to a data breach. Reviewing and attempting to interpret these provisions Customers will often fi le class actions in after an intrusion also creates risk of con- the wake of a data breach. Plaintiffs’ law- tractual breach, as a business may not yers are growing more sophisticated in discover the notifi cation provision until how and where they fi le these actions. after the required time frame has passed. Both individual consumers and fi nancial institutions have fi led class actions, and, In the wake of a breach, a victim’s securi- in some cases, these class actions are con- ty will come under scrutiny, and a consolidated into complicated multidistrict tractual counterparty may argue that the litigation with multiple tracks for the dif- security was inadequate under the con- fering plaintiffs. This creates expensive tract. For instance, in the DFARS provi- and cumbersome litigation. sion discussed previously, “adequate security” is ripe for protracted litigation 3. Other impacted businesses. Contractual in the wake of a cybersecurity incident. It counterparties are not the only businesses is diffi cult to defi ne such terms adequate- that may sue in the wake of a data breach. ly and still provide fl exibility in the face Banks that issued cards implicated in of changing threats. Target’s data breach are suing Target, even if they lack any traditional relationship to In some industries, such as those that deal Target. Our more interconnected society has with payment cards, many security spread the effects of cybersecurity problems, requirements are codifi ed and subject to and affected parties are developing more audit. The victim of a data breach may be creative methods to fi le suit against the subject to a more intrusive audit to con- original victim of the intrusion. fi rm its security. 4. Insurance. More and more insurance companies are offering cyber policies, Many contracts that involve confi dential and more businesses are attempting to data have a provision for certifying that make claims for intrusions under general the confi dential data have been destroyed. policies. Insurance companies are, in A counterparty may rightly inquire how turn, attempting to limit the scope of such a certifi cation was made in the wake coverage. Some insurance companies are of a cybersecurity incident. denying claims, while others are carefully reviewing invoices for services related to 2. Customers. Many intrusions lead to data breaches. The cost to respond to a lawsuits by customers, whether they be breach can be expensive, and insurers will individual consumers or large businesses. continue to dispute claims and charges. Recent card breaches have resulted in In some cases, this will lead to additional signifi cant class-action litigation, and litigation after the data breach response is these cases have received much of the complete.

■ 118 RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERS

■ Risks of regulatory investigations The FTC has been aggressive in fi ling Certain regulators have explicit statutory administrative complaints against busi- jurisdiction over cybersecurity matters. nesses that, in the eyes of the FTC, do not Other regulatory agencies do not, but they adequately protect sensitive consumer attempt to regulate such matters under information. The FTC requires, among their existing, general jurisdiction. As pub- other things, “reasonable security” but pro- lic and congressional scrutiny of cybersecu- vides no formal defi nition. This creates rity measures increases, regulators will be uncertainty for businesses seeking to more aggressive in asserting jurisdiction understand their obligations. The FTC is over their regulated entities’ cybersecurity involved in litigation in federal court matters. concerning both its jurisdiction over data security and the standards it applies to Federal regulators businesses. Congress is considering a bill to 1. Industry regulators. Traditional regulators formalize FTC jurisdiction over data secu- have already applied or are planning to rity, which may further empower the FTC. apply standards related to cybersecurity matters to their regulated entities. The FCC’s Cybersecurity and The Federal Financial Institutions Communications Reliability Division Examination Council (FFIEC), the Federal works to maintain the reliability of commu- Trade Commission (FTC), the Federal nications infrastructure in the face of vari- Communications Commission (FCC), ous cyberthreats. In 2014 the FCC began the Department of Health and Human imposing substantial fi nes on wireless carri- Services (HHS), and the Department ers for insuffi cient secured sensitive con- of Homeland Security (DHS) are some sumer information. of the regulators that have sought to regulate cybersecurity matters among HHS regulates cybersecurity matters their regulated entities. In addition, under the Health Insurance Portability the National Institute of Standards and and Accountability Act of 1996 (HIPAA). Technology (NIST) publishes documents Under this authority, HHS has imposed that plaintiffs and regulators apply in multimillion-dollar fi nes for insuffi cient analyzing a business’s cybersecurity. data security.

The FFIEC has been one of the leading DHS is involved in coordinating informa- regulators with regard to cybersecurity. tion sharing, securing critical infrastruc- The FFIEC has had an IT examination ture, and protecting federal cybersecurity handbook for several years and is devel- assets. Currently, its programs for most oping a tool to help fi nancial institutions private businesses are voluntary, but as assess risk. In addition, the FFIEC requires Congress continues to focus on informa- fi nancial institutions to require certain tion sharing as a key component of reduc- cybersecurity measures of the institu- ing cybersecurity incidents, plaintiffs and tions’ third-party service providers, effec- courts will see these programs less as tively expanding the FFIEC’s jurisdiction. voluntary and more as the minimum The FFIEC has experience in investigating standard of care. data breaches and imposing punishments based on insuffi cient security. Other regu- NIST publishes an array of standards lators look to the FFIEC’s examination related to cybersecurity. Although none of handbook to inform their own regula- these standards are binding on private tions and investigations. entities (at least as of publication), they

119 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

are often cited as what is reasonable secu- State regulators rity or as industry standard. In addition, State regulators and attorneys general are plaintiffs and regulators look to NIST also involved in cybersecurity matters; standards to inform allegations made in indeed, state attorneys general have been complaints and investigations. active in investigating data breaches. Each state has a different legal environment con- 2. Securities and Exchange Commission. The cerning data breaches. These attorneys gen- Securities and Exchange Commission eral typically assert jurisdiction when the (SEC), under pressure from Congress, has state’s citizens are impacted, potentially focused on public statements concerning exposing a business to an investigation even data breaches. This focus encompasses if the business does not typically operate in both disclosures made after breaches and the state. risk factors made in market reports. To California has generally been the fi rst date, the SEC has stated that the materiality state to impose data breach notifi cation analysis for data breaches is the same as for requirements. California passed its data other risk factors, but there is little formal breach notifi cation law in 2003. In the time notice or adjudication on these statements, since, California has expanded what data are creating uncertainty and risk. covered by the statute, including most recently usernames and passwords. Most The SEC released guidance on cybersecu- other states have similar statutes. rity risks in 2011. According to the SEC, Several other states, including Vermont, registrants “should disclose the risk of New York, and Michigan, have been par- cyber incidents if these issues are among ticularly active in investigations. For certain the most signifi cant factors that make larger breaches, some state attorneys gen- an investment in the company specula- eral will work together in a coordinated tive or risky.” investigation.

The SEC, in conjunction with the Financial ■ Conclusion Industry Regulatory Authority, has Cybersecurity matters create extensive risks engaged in enforcement actions against for business. Foremost among these are risks the entities they regulate for insuffi cient related to disputes and regulatory investiga- security for both customer data and tions. These risks are not fully defi ned and market data. likely never will be.

■ 120 SecurityRoundtable.org Legal considerations for cybersecurity insurance K&L Gates LLP – Roberta D. Anderson, Partner

■ Legal, regulatory, and additional concerns driving the purchase of cybersecurity insurance Legal liability, regulatory and other exposures surrounding cybersecurity and data privacy-related incidents In addition to a seemingly endless stream of data breaches and other serious cybersecurity and data protection- related incidents, the past several years have seen signifi - cantly amplifi ed legal liability surrounding cybersecurity and data privacy, a remarkable proliferation and expansion of cybersecurity and privacy-related laws, and increasingly heightened regulatory scrutiny. In the wake of a data breach of any consequence, an organization is likely to face myriad different forms of legal and regulatory exposure, including class action litigation, shareholder derivative litigation, regulatory investigation, the costs associated with forensic investigation, notifi cation to persons whose information may have been compromised, credit monitoring, call center services, public relations expenses, and other event management activities. Beyond third-party liability and event management activities, organizations face substantial fi rst-party losses associated with reputational injury and damage to brand in the wake of a serious breach event. They also face substantial business income loss if an event disrupts normal day- to-day business operations. Even if an organization’s own system is not compromised, the organization may suffer signifi cant losses if an incident affects a key vendor, cloud provider, or any key third party in the organization’s product and service supply chain. Also at stake is the organization’s digital assets, the value of which in some cases may eclipse the value of the organization’s other property. Cybersecurity insurance can play a vital role in an organization’s overall strategy to address, mitigate, and maximize protection against the legal and other exposures fl owing from data breaches and other serious cybersecurity, privacy, and data protection-related incidents.

121 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

SEC’s cybersecurity risk factor disclosure guidance and to carefully evaluate their current insurance cybersecurity insurance program and consider purchasing cyberse- In October 2011, in the wake of what it curity insurance. phrased “more frequent and severe cyber incidents,” the Securities and Exchange ■ The exclusion of cybersecurity and data Commission’s (SEC’s) Division of Corporation privacy-related coverage from traditional Finance issued disclosure guidance on cyber- insurance policies security, which advises that companies In response to decisions upholding coverage “should review, on an ongoing basis, the for cybersecurity and data privacy-related adequacy of their disclosure relating to risks under traditional lines of insurance cov- cybersecurity risks and cyber incidents.” The erage, such as Commercial General Liability guidance advises that “appropriate disclo- (CGL) coverage, the insurance industry has sures may include,” among other things, a added various limitations and exclusions to “[d]escription of relevant insurance cover- traditional lines of coverage. age” that the company has in place to address By way of example, Insurance Services cybersecurity risk. Offi ce (ISO), the insurance industry organi- SEC comments in this area have regularly zation that develops standard insurance pol- requested information regarding “whether icy language, recently introduced a new [the company] ha[s] obtained relevant insur- series of cybersecurity and data breach exclu- ance coverage,” as well as “the amount of [the sionary endorsements to its standard-form company]’s cyber liability insurance.” More CGL policies, which became effective in May recently, the SEC is asking not only whether 2014. One of the endorsements, entitled the company has cybersecurity insurance and “Exclusion - Access Or Disclosure Of how much the company has but also how Confi dential Or Personal Information And solid the company’s coverage is: Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following “We note that your network-security insur- exclusion to the primary CGL policy: ance coverage is subject to a $10 million deductible. Please tell us whether this This insurance does not apply to: coverage has any other signifi cant limitations. In addition, please describe for us the p. Access Or Disclosure Of Confi dential Or ‘certain other coverage’ that may reduce Personal Information And Data-related your exposure to Data Breach losses.” Liability (Emphasis added.) “We note your disclosure that an unau- Damages arising out of: thorized party was able to gain access to your computer network ‘in a prior fi scal (1) Any access to or disclosure of any year.’ So that an investor is better able to person’s or organization’s confi dential understand the materiality of this cyber- or personal information, including security incident, please revise your dis- patents, trade secrets, processing closure to identify when the cyber inci- methods, customer lists, fi nancial dent occurred and describe any material information, credit card information, costs or consequences to you as a result of health information or any other type the incident. Please also further describe of non public information; or your cyber security insurance policy, (2) The loss of, loss of use of, damage to, including any material limits on cover- corruption of, inability to access, or age.” (Emphasis added.) inability to manipulate electronic data.

The SEC’s guidance provides another com- This exclusion applies even if damages pelling reason for publicly traded companies are claimed for notifi cation costs, credit

■ 122 LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE

monitoring expenses, forensic expenses, ■ Types of cybersecurity insurance public relations expenses or any other Established coverages loss, cost or expense incurred by you or There are a number of established third- others arising out of that which is party coverages (i.e., covering an organiza- described in Paragraph (1) or (2) above. tion’s potential liability to third parties) and fi rst-party coverages (e.g., covering the In connection with its fi ling of the endorse- organization’s own digital assets and income ments, ISO stated that “when this endorse- loss) as summarized in Table 1: ment is attached, it will result in a reduction of coverage. . . .” Emerging markets Although there may be signifi cant poten- In addition to the established coverages, tial coverage for cybersecurity and data three signifi cant emerging markets provide privacy-related incidents under an organiza- coverage for the following: tion’s traditional insurance policies, includ ing its Directors’ and Officers’ Liability, fi rst-party losses involving physical asset Professional Liability, Fiduciary Liability, damage after an electronic data-related Crime, CGL, and Commercial Property poli- incident cies, the new exclusions provide another third-party bodily injury and property reason for organizations to carefully consider damage that may result from an electronic specialty cybersecurity insurance products. data-related incident

TABLE THIRD-PARTY COVERAGES

Type Description Privacy liability Generally covers third-party liability, including defense and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect protected and confi dential information Network security Generally covers third-party liability, including defense and liability judgments or settlements, arising from security threats to networks, e.g., inability to access the insured’s network because of a DDoS attack or transmission of malicious code to a third-party network Regulatory liability Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fi nes and penalties PCI DSS liability Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fi les and penalties, for alleged noncompliance with PCI Data Security Standards Media liability Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising Continued

123 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

TABLE FIRST-PARTY COVERAGES

Type Description Crisis management Generally covers “crisis management” expenses that typically follow in the wake of a breach incident, e.g., breach notifi cation costs, credit monitoring, call center services, forensic investigations, and public relations efforts Network Generally covers the organization’s income loss associated interruption with the interruption of the its business caused by the failure of computer systems/networks Contingent Generally covers the organization’s income loss associated with network the interruption of the its business caused by the failure of a interruption third-party’s computer systems/networks Digital assets Generally covers the organization’s costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data Extortion Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident

reputational injury resulting from an Although placing coverage in this dynam- incident that adversely affects the public ic space presents a challenge, it also presents perception of the insured organization or substantial opportunity. The cyber insurance its brand. market is extremely competitive, and cyber insurance policies are highly negotiable. Because privacy and electronic data-related This means that the terms of the insurers’ exclusions continue to make their way into off-the-shelf policy forms often can be sig- traditional property and liability insurance nifi cantly enhanced and customized to policies, and given that an organization’s respond to the insured’s particular circum- largest exposures may fl ow from reputational stances. Frequently, very signifi cant enhance- injury and brand tarnishment, these emerg- ments can be achieved for no increase in ing coverages will be increasingly valuable. premium. The following are fi ve strategic tips for ■ Strategic tips for purchasing cybersecurity purchasing cyber insurance: insurance Cybersecurity insurance coverage can be Adopt a team approach. extremely valuable, but choosing the right Successful placement of cybersecurity insur- insurance product presents signifi cant chal- ance coverage is a collaborative undertak- lenges. A diverse and growing array of prod- ing. Because of the nature of the product and ucts is in the marketplace, each with its own the risks that it is intended to cover, success- insurer-drafted terms and conditions that ful placement requires the involvement and vary dramatically from insurer to insurer— input not only of a capable risk management and even between policies underwritten by department and a knowledgeable insurance the same insurer. In addition, the specifi c broker but also of in-house legal counsel and needs of different industry sectors, and dif- IT professionals, resources, and compliance ferent organizations within those sectors, are personnel—and experienced insurance cov- far-reaching and diverse. erage counsel.

■ 124 LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE

Understand risk profi le and tolerance. Many other factors may warrant considera- A successful insurance placement is facili- tion. When an organization has a grasp on its tated by having a thorough understanding risk profi le, potential exposure, and risk tol- of an organization’s risk profi le, including erance, it is well positioned to consider the the following: type and amount of insurance coverage that it needs to adequately respond to identifi ed the scope and type of data maintained by risks and exposure. the company and the location and manner in which, and by whom, such data are Ask the right questions. used, transmitted, handled, and stored It is important to carefully evaluate the cov- the organization’s network infrastructure erage under consideration. Table 2 shows ten the organization’s cybersecurity, privacy, of the important questions to ask when con- and data protection practices sidering third-party and fi rst-party cyber the organization’s state of compliance insurance. with regulatory and industry standards The list is not exhaustive, and many other the use of unencrypted mobile and other questions should be considered, including, portable devices. for example, the extent to which the policy

TABLE

Third-Party First-Party Does the policy: Does the policy: cover the acts, errors, and omissions of cover business income loss resulting from third parties, e.g., vendors, for which system failures in addition to failures of the organization may be liable? network security, e.g., any unplanned outages? cover data in the care, custody, or cover business income loss resulting from control of third parties, e.g., cloud cloud failure? providers? cover new and expanding privacy laws cover contingent business income loss resulting and regulations? from the failure of a third-party network? cover personally identifi able information cover data restoration costs? in any form, e.g., paper records? cover confi dential corporate data, e.g., cover business income loss after a network third-party trade secrets? is up and running, but before business returns to full pre-incident operation? cover wrongful or unauthorized contain hourly sublimits? collection of data? cover regulatory fi nes and penalties? contain an hourly “waiting period”? cover PCI DSS-related liability? contain a sublimit applicable to the contingent business income coverage? exclude the acts of “rogue” employees? exclude loss for power failure or blackout/ brownout? exclude unencrypted devices? exclude software programs that are unsupported or in a testing stage?

125 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

covers, or excludes, cyberterrorism. In all an organization’s cybersecurity and data cases, the organization should request a ret- protection practices, seeking detailed informa- roactive date of at least 1 year prior to the tion surrounding technical, complex subject policy inception, given that advanced attacks matter. These questions are often answered by go undetected for a median of 229 days. technical specialists who may not appreciate the nuances and idiosyncrasies of insurance Beware the fi ne print. coverage law. For these reasons, it is advisable Like any other insurance policy, cybersecuri- to have insurance coverage counsel involved ty insurance policies contain exclusions that in the application process. may signifi cantly curtail and undermine the purpose of the coverage. Some insurers, for ■ Tips for prevailing in cyber insurance example, may insert exclusions based on coverage litigation purported shortcomings in the insured’s As CNA’s recently fi led coverage action in the security measures. One case recently fi led in Columbia Casualty case illustrates, cybersecu- the California federal court on May 7, 2015, rity insurance coverage disputes and litigation highlights the problems with these types of are coming. In the wake of a data breach or exclusions. The case is Columbia Casualty other privacy, cybersecurity, or data protection- Company v. Cottage Health System, in which related incident, organizations should antici- Columbia Casualty, CNA’s non-admitted pate that their insurer may deny coverage for insurer, seeks to avoid coverage under a a resulting claim against the policy. cybersecurity insurance policy for the defense Before a claim arises, organizations are and settlement of a data breach class action encouraged to proactively negotiate and lawsuit and related regulatory investigation. place the best possible coverage to decrease CNA relies principally upon an exclusion, the likelihood of a coverage denial. In con- entitled “Failure to Follow Minimum trast to many types of commercial insurance Required Practices,” which purports to void policies, cybersecurity policies are extremely coverage if the insured fails to “continuously negotiable, and the insurer’s off-the-shelf implement” certain aspects of computer forms can usually be signifi cantly negotiated security. These types of broadly worded, and improved for no increase in premium. A open-ended exclusions can be acutely prob- well-drafted policy will reduce the likeli- lematic and impracticable. If enforced liter- hood that an insurer will be able to success- ally, they may vaporize the coverage that the fully avoid or limit insurance coverage in the policy is intended to provide. The good news event of a claim. is that, although certain types of exclusions Even where a solid form is in place, how- are unrealistic given the nature of the risk an ever, and there is a solid claim for coverage insured is attempting to insure against, under the policy language and applicable cybersecurity insurance policies are highly law, insurers can and do deny coverage. negotiable. It is possible to cripple inappro- When facing coverage litigation, organi- priate exclusions by appropriately curtailing zations are advised to consider the following them or to entirely eliminate them—and fi ve strategies to prevail: often this does not cost additional premium. Tell a concise, compelling story. Pay attention to the application. In complex insurance coverage litigation, CNA in the Columbia Casualty case also seeks there are many moving parts and the issues to deny coverage based upon alleged misrep- are typically nuanced and complex. It is criti- resentations contained in the insured’s insur- cal, however, that these nuanced, complex ance application relating to the risk controls. issues come across to a judge, jury, or arbitra- The important takeaway is that cybersecurity tor as simple and straightforward. Getting insurance applications can, and usually overly caught up in the weeds of policy inter- do, contain a myriad of questions concerning pretive and legal issues, particularly at the

■ 126 LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE

outset, risks losing the organization’s critical CNA represented in its marketing materials audience and obfuscating a winningly con- that the policy at issue in Columbia Casualty cise, compelling story that is easy to under- offers “exceptional fi rst-and third-party cyber stand, follow, and sympathize with. Boiled liability coverage to address a broad range of down to its essence, the story may be—and in exposures,” including “security breaches” this context often is—something as simple as and “mistakes”: the following: Cyber liability and CNA NetProtect “They promised to protect us from a cyber products breach if we paid the insurance premium. We paid the premium. They broke their promise.” CNA NetProtect fills the gaps by offering exceptional fi rst- and third- Place the story in the right context. party cyber liability coverage to address a It is critical to place the story in the proper broad range of exposures. CNA context because, unfortunately, many insur- NetProtect covers insureds for exposures ers in this space, whether by negligent defi cit that include security breaches, mistakes, or deliberate design, are selling products that and unauthorized employee acts, virus do not refl ect the reality of e-commerce and attacks, hacking, identity theft or private its risks. Many off-the-shelf cybersecurity information loss, and infringing or dis- insurance policies, for example, limit the paraging content. CNA NetProtect cover- scope of coverage to only the insured’s own age is worldwide, claims-made with acts and omissions, or only to incidents that limits up to $10 million. affect the insured’s network. Others contain broadly worded, open-ended exclusions such It is important to use the discovery phase as the one at issue in the Columbia Casualty to fully fl esh out the context of the insur- case, which, if enforced literally, would large- ance and the entire insurance transaction in ly if not entirely vaporize the coverage osten- addition to the meaning, intent, and inter- sibly provided under the policy. These types pretation of the policy terms and condi- of exclusions can be acutely problematic and tions, claims handling, and other matters impracticable. A myriad of other traps in depending on the particular circumstances cyber insurance policies—even more in those of the coverage action. that are not carefully negotiated—may allow insurers to avoid coverage if the language Secure the best potential venue and choice of law. were applied literally. One of the fi rst and most critical decisions If the context is carefully framed and that an organization contemplating insur- explained, however, judges, juries, and arbi- ance coverage litigation must make is the trators should be inhospitable to the various appropriate forum for the litigation. This “gotcha” traps in these policies. Taking the decision, which may be affected by whether Columbia Casualty case as an example, the the policy contains a forum selection clause, insurer, CNA, relies principally upon an can be critical to potential success, among exclusion, entitled “Failure to Follow other reasons because the choice of forum Minimum Required Practices,” which pur- may have a signifi cant impact on the related ports to void coverage if the insured fails to choice-of-law issue, which in some cases is “continuously implement” certain aspects of outcome-determinative. Insurance contracts computer security. In this context, however, are interpreted according to state law and comprising the extremely complex areas of the various state courts diverge widely on cybersecurity and data protection, any insured issues surrounding insurance coverage. can reasonably be expected to make mistakes Until the governing law applicable to an in implementing security. This reality is, in insurance contract is established, the policy fact, a principal reason for purchasing cyber can be, in a fi gurative and yet a very real liability coverage in the fi rst place. In addition, sense, a blank piece of paper. The different

127 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

interpretations given the same language Importantly, it will give the organization from one state to the next can mean the dif- unique access to compelling arguments based ference between a coverage victory and a upon the context, history, evolution, and loss. It is therefore critical to undertake a intent of this line of insurance product. careful choice of law analysis before initiat- Likewise, during the discovery phase, covering coverage litigation or selecting a venue age counsel with unique knowledge and or, where the insurer fi les fi rst, before taking experience is positioned to ask for and obtain a choice of law position or deciding whether the particular information and evidence that to challenge the insurer’s selected forum. can make or break the case—and will be able to do so in a relatively effi cient, streamlined Consider bringing in other carriers. manner. In addition to creating solid ammu- Often when there is a cybersecurity, privacy, nition for trial, effective discovery often leads or data protection-related issue, more than to successful summary judgment rulings, one insurance policy may be triggered. For thereby, at a minimum, streamlining the case example, a data breach like the Target breach in a cost-effective manner and limiting the may implicate an organization’s cybersecu- issues that ultimately go to a jury. Likewise, rity insurance, CGL insurance, and Directors’ counsel familiar with all of the many different and Offi cers’ Liability insurance. To the insurer-drafted forms as they have evolved extent that insurers on different lines of cov- over time will give the organization key erage have denied coverage, it may be ben- access to arguments based upon obvious and efi cial for the organization to have those subtle differences between and among the insurance carriers pointing the fi nger at each many different policy wordings, including other throughout the insurance coverage the particular language in the organization’s proceedings. Again considering the context, policy. Often in coverage disputes, the multi- a judge, arbitrator, or jury may fi nd it offen- million dollar result comes down to a few sive if an organization’s CGL insurer is argu- words, the sequence of a few words, or even ing, on the one hand, that a data breach is the position of a comma or other punctuation. not covered because of a new exclusion, and the organization’s cybersecurity insurer also ■ Conclusion is arguing that the breach is not covered Cyber insurance coverage can be extremely under the cyber policy that was purchased valuable. Although placing coverage in this to fi ll the “gap” in coverage created by the dynamic space presents challenges, it also CGL policy exclusion. Relatedly, it is impor- presents substantial opportunities. Before a tant to carefully consider the best strategy claim arises, organizations are encouraged to for pursuing coverage in a manner that will proactively negotiate and place the best pos- most effectively and effi ciently maximize the sible coverage in order to decrease the likeli- potentially available coverage across the hood of a coverage denial and litigation. In insured’s entire insurance portfolio. contrast to many other types of commercial insurance policies, cyber insurance policies Retain counsel with cybersecurity insurance expertise. are extremely negotiable, and the insurers’ Cybersecurity insurance is unlike any other off-the-shelf forms typically can be signifi - line of coverage. There is no standardization. cantly negotiated and improved for no Each of the hundreds of products in the mar- increase in premium. A well-drafted policy ketplace has its own insurer-drafted terms will reduce the likelihood that an insurer and conditions that vary dramatically from will be able to successfully avoid or limit insurer to insurer—and even between poli- insurance coverage in the event of a claim. If cies underwritten by the same insurer. a claim arises, following sound litigation Obtaining coverage litigation counsel with strategies and refusing to take “no” for an substantial cybersecurity insurance expertise answer will greatly increase the odds of assists an organization on a number of fronts. securing valuable coverage.

■ 128 SecurityRoundtable.org Consumer protection: What is it? Wilson Elser Moskowitz Edelman & Dicker LLP – Melissa Ventrone, Partner and Lindsay Nickle, Partner

From a legal perspective, consumer protection is the application of rules and regulations to agencies, businesses, and organizations that require them to protect their customers from intentional and unintentional harm. Instead of caveat emptor, or buyer beware, the business entity has a mandate to protect its customers from the bad things that may befall them. In essence, the government has decided it is the business’s responsibility to protect the least sophisticated consumers from themselves and what may happen to them. The intersection of consumer protection and cybersecurity imposes a responsibility on businesses to protect their consumers’ information. Unlike many areas of business, when an organization is the victim of a criminal attack, such as being hacked, the business is not considered a victim. Instead, the customers are considered the victims, and the business becomes a potential scapegoat—the target of inquiries, investigations, irate customers, reputational harm, and lost business, even though it was the business that suffered the criminal activity. Leading experts agree that no organization is immune from cyberattacks and that impenetrable data security is not possible. Nevertheless the media and the public continue to vilify and hold businesses responsible for failing to do what experts agree cannot be done. Consumers demand that organizations safeguard their privacy and protect their information from data breaches; however, those same consumers are impatient and intolerant when security measures slow services or degrade usability. Some may terminate their relationships as a result, jumping ship to underfunded start-ups simply because consumers want what they want, and they want it now.

129 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Adding to the diffi culty of trying to bal- What does this mean? Well, according to an ance data privacy and security with innova- FTC report, this means that an organization’s tion and usability, organizations must con- data security measures must be “reasonable currently maintain compliance with the and appropriate in light of the sensitivity and myriad of state and federal data privacy volume of consumer information it holds, the and security laws, regulations, and guide- size and complexity of its data operations, and lines. It would take several books to outline the cost of available tools to improve security all the laws, regulations, and guidelines and reduce vulnerabilities.” In other words, that affect consumer protection and cyber- the FTC can choose to investigate an organiza- security. This chapter is designed to pro- tion simply because the FTC believes the vide organizations with an understanding organization is doing a poor job protecting of those laws that have the most signifi cant consumers’ information. Confused? You are impact on privacy and security from a con- not alone. Frankly, it appears that the FTC sumer protection perspective. There is no views poor cybersecurity practices a bit like better place to start this discussion than by courts view pornography—they know it examining the recent activities of the when they see it. Federal Trade Commission (FTC). Organizations looking for guidance from the FTC on appropriate security ■ Cybersecurity, consumer protection, measures to protect consumer information and the FTC may fi nd themselves twisting in the wind The FTC has deemed itself the enforcer of like the last leaf on a tree. The FTC has not data privacy and security, the ultimate issued any detailed guidelines on what authority responsible for protecting con- constitutes “reasonable security measures.” sumer privacy and promoting data security To be fair, the FTC most likely struggles, as in the private sector. In fact, the FTC com- do many agencies, with establishing guide- monly is considered the most active agency lines that are fl exible enough to apply to a in the world in this area. Although the wide range of organizations in a variety of debate continues on whether the FTC has industries, yet structured enough to set a authority to police data privacy and security standard. under section 5 of the FTC Act, organizations The FTC addressed this argument by must be aware that the FTC and other regu- instructing companies to review its previous lators are monitoring practices and investi- consent decrees to identify “reasonable”— gating and enforcing various laws under the or more appropriately, what it considered to guise of privacy and cybersecurity as a con- be unreasonable—security standards. Thus, sumer protection issue. The FTC regulates this space under sec- in the midst of day-to-day operations, the tion 5 of the FTC Act, which prohibits unfair FTC apparently expects an organization to or deceptive practices. The FTC may choose carefully review a multitude of previous to investigate an organization if it believes consent decrees to identify what it should be that the organization has made materially doing to reasonably protect consumers’ misleading statements or omissions regard- information. ing the security provided for consumers’ Organizations can also review a 15-page personal data. Further, according to a pre- guide the FTC published in 2011, Protecting pared statement by the FTC, “a company Personal Information: A Guide for Business. engages in unfair acts or practices if its data This guide informs organizations that a security practices cause or are likely to cause “sound business plan” is based on fi ve substantial injury to consumers that is nei- principles: ther reasonably avoidable by the consumer nor outweighed by countervailing benefi ts Know what information you have and to consumers or to competition.” who has access to the information.

■ 130 CONSUMER PROTECTION: WHAT IS IT?

Keep only that information needed to priority is the strengthening of cybersecurity conduct business. in the marketplace, particularly as it pertains Protect the information in your control. to the fi nancial industry and those businesses Properly dispose of information that is no and organizations that provide services in the longer needed. fi nancial sector. To that end, in the summer of Prepare a plan for responding to security 2014, the FFIEC completed a cybersecurity incidents. assessment involving more than 500 community fi nancial institutions with the goal of Although this may have been an accurate list determining how prepared those institutions in 2011, any company that limits its cyberse- were to mitigate cyber risks. The results are curity program to these fi ve principles will instructive as potential standards for the quickly discover its inadequacies. The FTC efforts an organization should take when its claims to recognize that there is no one-size- operations interact with or are tangential to fi ts-all data security program, no program is the fi nancial industry, or simply when a busi- perfect, and the mere fact that a breach ness collects, stores, or shares consumers’ occurs does not mean a company has vio- private information. lated the law. Cyber preparedness—which is the crux Organizations must be aware of the of consumer protection—encompasses the FTC’s heightened activity in this space. following: Right now, data privacy and protection of consumer information has the public’s Risk management and oversight: attention and is sometimes used as a politi- Organizations should proactively train cal platform. Organizations must have an employees, allocate resources, and exercise in-depth understanding of their cybersecu- control and supervision of cybersecurity rity posture, identify key vulnerabilities, operations. This includes involving upper- and have a plan to either mitigate or remedi- level management and boards. ate problems. Failure to place consumer Threat intelligence: A business should protection and cybersecurity at the top of its undertake processes to educate, identify, priority list may land an organization in the and track cyber activities, vulnerabilities, FTC’s crosshairs. and threats. Cybersecurity controls: Businesses ■ Cybersecurity, consumer protection, should implement controls to prevent and the fi nancial industry unauthorized access or exposure of As in other industries, cybersecurity and information, to detect attacks or attempts consumer protection in the fi nancial sector to compromise systems, and to correct are a patchwork of federal statutes, regula- known and identifi ed vulnerabilities. tions, agencies, and enforcers. There are fi ve As the industry begins to more fully federal banking regulatory agencies: the recognize the futility of keeping malicious Offi ce of the Comptroller of the Currency attackers outside the network perimeter, (OCC), the Board of Governors of the Federal companies also should implement Reserve System (FRB), the Federal Deposit controls that more quickly identify when Insurance Corporation (FDIC), the National malicious activity takes place inside the Credit Union Administration (NCUA), and network. the Consumer Financial Protection Bureau External dependency management: (CFPB). A representative from each of them Organizations should have processes in sits on the Federal Financial Institutions place to manage vendors and third-party Examination Council (FFIEC), which is service providers and help ensure that empowered to set out principles, standards, connections to systems are secure, as well and forms for the uniformity of the supervi- as processes to audit and evaluate the sion of fi nancial institutions. A top FFIEC third-party’s cybersecurity protections.

131 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Cyber incident management and regulatory agencies and state insurance resilience: Organizations should have authorities. procedures and processes to detect incidents, Those entities governed by the SEC respond to those incidents, mitigate the (Securities and Exchange Commission) and impact of the incidents, document and FINRA (Financial Industry Regulatory report on the incidents, and provide for Authority) are expressly required to devel- recovery and business continuity. op written identity theft prevention programs and, in the face of a breach, will Within the fi nancial sector, and regarding likely face questions regarding cybersecu- businesses that interact with the fi nancial rity policies and efforts. Further, the regula- sector, these can reasonably be considered tions imposing these requirements mandate the components of due diligence. Efforts to that upper-level management signs off on protect consumers from the dangers of the any written program and participates in its exposure of personal information entrusted administration. As the goal of these require- to a business involve guiding the organiza- ments is to protect customer information, tion through these steps on a scale appropri- an organization should be mindful to ate to the size of the business and the scope design programs that consider the nature of of the information involved. the organization’s operations, as well as its Adding to the complexity of compliance, size and complexity, so that the plan can be there are multiple statutes and regulations effectively implemented to achieve its that expressly require businesses to under- desired goals. take security measures and notify consumers The OCC recommends all banks and regarding privacy and information-sharing fi nancial institutions implement incident practices. The Gramm-Leach-Bliley Act response and business continuity plans (GLBA) and the corresponding regulations and test those plans regularly. It also sets adopted to implement its requirements are supervisory expectations about how fi nan- aimed at protecting consumer interests. cial institutions and third-party service Similar to other regulations, businesses are providers in the fi nancial sector can and required by the GLBA Safeguard Rule to should safeguard sensitive information. use “reasonable security measures” to pro- The OCC conducts on-site audits of fi nan- tect consumer information that they collect cial institutions and certain third-party ser- and store. In the fi nancial services industry, vice providers to confi rm compliance. The this often includes highly sensitive infor- OCC also gets involved in the aftermath of mation, such as Social Security numbers, cyberattacks to assess the corrective actions fi nancial account numbers, and income and that fi nancial institutions take in response. credit histories. The OCC is vested with the authority to Fortunately, the GLBA outlines, at least in require the banks subject to their regulation some fashion, what constitutes “reasonable and the banks’ service providers to take security measures.” For instance, the GLBA steps to protect systems, prevent loss or Safeguard Rule requires the development theft of sensitive information, and mitigate and implementation of a written informa- identity theft. tion security plan. In addition, the Rule In 2007, under the terms of the Fair and requires companies to provide an annual Accurate Credit Transactions Act, the OCC, written privacy notice to its customers that FRB, FDIC, NCUA, and FTC issued regula- clearly, conspicuously, and accurately tions requiring creditors and fi nancial insti- explains its information-sharing practices tutions to develop and implement formal and provides customers the right to opt out written programs aimed at identifying and of the organization’s sharing practices. Both preventing identity theft (the Red Flags of these consumer protections are enforced Rule). Large banks have resident OCC by the FTC along with several other federal investigators trained to assess cybersecurity

■ 132 CONSUMER PROTECTION: WHAT IS IT?

issues. Smaller banks face on-site visits other organizations that may receive health every 12 to 18 months. In 2013, the OCC information from covered entities while updated its Third-Party Relationship Risk performing various services. HIPAA is Management Guidance to set out expecta- enforced primarily by the U.S. Department tions for risk assessment and management of Health and Human Services Offi ce of of third-party relationships. The senior Civil Rights (OCR). State attorneys general management and boards of banks retain also have the authority to enforce HIPAA. responsibility for cybersecurity even when OCR’s authority to enforce HIPAA third parties are involved. As a result, the encompasses covered entities regardless of OCC mandates comprehensive oversight size and their “business associates,” a term and management of third-party relation- that includes fi rst-tier vendors that contract ships throughout the life of each relation- directly with covered entities and all down- ship. This requires extensive due diligence stream entities that receive PHI in the course prior to establishing a relationship, execu- of their business. Perhaps the most helpful tion of written contracts that should include aspect of HIPAA is that it specifi es privacy the right to audit the third party, ongoing requirements that covered entities must fol- monitoring, documentation, and reporting low, as well as identifi es security elements regarding risk management processes, and for covered entities to consider. independent review of processes. Further, The HIPAA Privacy Rule outlines stand- the OCC requires that third-party contracts ards for the use and disclosure of all forms stipulate that the OCC has the authority to of PHI and categorizes PHI into three major examine and regulate the services provided “usage” categories: treatment, payment, to the bank by the third party. and health care operations and sets up rules The fi nancial industry is highly regulat- associated with each use. Uses that fall out- ed, and its consumer protection and cyber- side of these categories or that do not security aspects are no exception. Identity qualify as any of the exceptions described in theft, at its heart, is a consumer protection the rule require an authorization from the issue. Enforceable security guidelines set affected individual. Meanwhile, the HIPAA out by regulators and aimed at the protec- Security Rule establishes standards for pre- tion of consumer information trickle down serving the confi dentiality, integrity, and to service providers, as the fi nancial institu- availability of electronic PHI. Specifi cally, tions are affi rmatively charged with manag- the Security Rule requires covered entities ing risks associated with vendors and to have appropriate administrative, physi- service providers. The recommendations cal, and technical safeguards in place to and requirements of the fi nancial regulators protect PHI and contains detailed security make clear that extensive due diligence, requirements for protecting PHI. For monitoring, planning, and management are instance, covered entities must conduct an required in the quest to take reasonable assessment of the risks to and vulnerabili- security measures. ties of the protected health information. These guidelines provide organizations ■ Health care, cybersecurity, and consumer with concrete examples of steps needed to protection protect PHI and hence the consumer infor- Any discussion of consumer protection and mation in their systems. However, organiza- cybersecurity must include a discussion of tions should be aware that compliance with the health care industry. The Health HIPAA is a minimum standard. As technol- Insurance Portability and Accountability ogy continues to change and develop, cir- Act of 1996 (HIPAA) governs protected cumstances may require organizations to health information (PHI) maintained by exceed the minimum HIPAA compliance various organizations that fall under the requirements to effectively protect consumer jurisdiction of HIPAA (covered entities) and information.

133 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

This is an important point, because in Content and timeliness of breach addition to OCR, the FTC considers itself notifi cation (the Breach Notifi cation Rule). empowered to regulate organizations that are covered by HIPAA. According to the Phase 2 audits will likely not be as compre- FTC, HIPAA does not preempt the FTC’s hensive as the audits in Phase 1 and will authority to also regulate covered entities. focus on key high-risk areas OCR learned of Furthermore, in 2010 the FTC issued the in its Phase 1 audits. Health Breach Notifi cation Rule, which man- Health care information is commonly con- dates that entities not covered by HIPAA sidered the most sensitive and personal that experience a breach of a “personal information a consumer has, and it therefore health record” provide notifi cation to the deserves increased security controls. This is affected consumer. perhaps recognized by the authority of the Covered entities and their business asso- state attorneys general to enforce HIPAA, a ciates must do more than merely “check the provision not found in all federal statutes. box” on cybersecurity compliance. If an Numerous states have passed laws specifi - organization faces an OCR investigation, it cally intended to protect personal health will be required to provide information information, regardless of whether the related to its entire data privacy and security organization holding such information is program, not just information related to the considered a “covered entity” under HIPAA. “incident” that triggered the investigation. As health care breaches continue to increase Often, organizations are required to provide in number, organizations should expect evidence of policies and procedures going greater regulatory scrutiny and activity relat- back several years. ed to their efforts to protect consumer health As part of its efforts to enforce compli- information. ance with HIPAA, OCR conducted security audits of covered entities in 2011 and 2012, ■ State laws and regulations commonly referred to as Phase 1. Although In addition to the federal landscape, busi- Phase 2 was delayed until OCR imple- nesses should be aware that state laws and ments a web portal that enables covered regulations affect consumer protection obli- entities to submit information, in May 2015 gations. Various states have laws that affect OCR began sending the fi rst surveys of specifi c industries and general consumer Phase 2 audits, so covered entities and their protection laws that may be implicated in business associates should be prepared for business practices. This is a growing concern this next phase. Similar to other agencies, with the increase in e-commerce. Businesses OCR intends to audit the cybersecurity that in the past would have limited their practices of the organizations that fall footprint to the jurisdiction of a single state under its jurisdiction. OCR previously now are more likely to encounter customers announced that it would conduct a pre- across state lines. Because the applicability audit survey of 800 covered entities and of state laws affecting consumers and 400 business associates, and from that pool because cybersecurity is often triggered by select 350 covered entities and 50 business the residence of the consumer, even small associates for a full audit. businesses can fi nd that they face unexpect- The audits will take place over three years ed multijurisdictional questions. and will focus on: ■ Recommendations and conclusion Risk analysis and risk management (the Given the wide range of laws, regulations, Security Rule) and guidelines—only a few of which could Notice of privacy practices and access be covered here—how do organizations rights (the Privacy Rule) begin to navigate these treacherous waters?

■ 134 CONSUMER PROTECTION: WHAT IS IT?

Organizations must build privacy and secu- as well, and an organization’s efforts to pro- rity into their systems, processes, and ser- tect consumer information must similarly vices from the ground up and from the top adapt. It is better to have considered a tool down. Education and training for all employ- and rejected it because it substantially ees should start on day one and be continu- degrades the service offered than to ignore ous. The time and effort required to assess the vulnerability entirely. Organizations cyber risk and understand data is minimal must face cybersecurity risks as an enter- compared with the potential implications of prise and leverage industry experts to guide failing to do so. Technology is constantly them through this quagmire of laws, regula- evolving, which means cybersecurity does tions, and threats.

SecurityRoundtable.org 135 ■

Protecting trade secrets in the age of cyberespionage Fish & Richardson P.C. – Gus P. Coldebella, Principal

The cybertheft of intellectual property (IP) from U.S. companies has, in the words of former NSA director and Cyber Command chief General Keith Alexander, resulted in the “greatest transfer of wealth in human history.” And the data bear that out: by some estimates, the value of IP stolen from U.S. businesses over the Internet alone is $300 billion per year—a whopping 6% of our $5 trillion total intellectual property assets. For certain nations, cyber espionage is a central component of their growth strategies: for example, the Report of the Commission on the Theft of U.S. Intellectual Property (the IP Commission Report) found that “national industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” Cyber espionage of IP assets allows companies and countries to circumvent the expense and hard work of basic research and product development—which could take years or even decades—and instead quickly pursue their economic agendas based on stolen IP, all to the detriment of U.S. businesses, jobs, and economic growth. On May 1, 2014, a federal grand jury brought criminal charges of hacking, economic espionage, and trade secrets theft against fi ve offi cers of China’s military. The hackers are alleged to have penetrated the networks of important American companies to acquire proprietary and confi dential technical and design specifi cations, manufacturing metrics, attorney-client discussions about upcoming trade litigation, economic strategies, and other forms of sensitive, nonpublic information. What was the object of this indictment? Certainly not to get a conviction: the likelihood of China extraditing the defendants to the U.S. is negligible. Instead, the U.S. used the indictment to transmit two strong signals. First, it sent a message to China: that we are aware of this aberrant behavior—in which a nation-state aims its espionage apparatus not at another country, but at another country’s companies—and that the

137 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

U.S. will expose this misconduct to the patent, the registration of a trademark, and the world. Second, the indictment sent a mes- creation/publication of copyrighted material. sage to U.S. companies that, although past Cyberthieves generally set their sights on breaches and legal and reputational risk may a company’s trade secrets—the one type of have convinced boards and management to IP that is not readily available for the world shore up defenses against cyberattacks to see. involving ‘personally identifi able informa- Some companies keep their trade secrets tion,’ or PII, the most sophisticated attackers offl ine. Legend has it that one of the most sto- are interested in other, more mission-critical ried trade secrets, the formula for Coca-Cola, data on companies’ networks—intellectual is on a handwritten piece of paper in a safe in property. The loss of trade secrets could Coke’s Atlanta headquarters. But air-gapped cause more harm to a company’s reputation, trade secrets are rare in the Internet age. Given value, and future prospects than a PII breach this, it is crucial for a company to identify and ever could. The U.S. government is signaling locate the trade secrets on its networks, and that companies should focus on taking those that are being deposited there in the immediate, reasonable steps to defend their ordinary course of business. Every company intellectual property assets. has such mission-critical secrets: design speci- In a world where countries persistently fi cations, chemical formulas, computer code, attack companies and compromise of a com- fi nancial algorithms, customer lists, and busi- pany’s networks seems inevitable, manage- ness plans, to name a few. Finding them is a ment may be tempted to throw up their hands key, and sometimes overlooked, part of a top- and concede defeat. There are, however, to-bottom network vulnerability analysis. important legal and practical reasons to fi ght. Unless a company knows what trade secrets it In this chapter, we explore reasonable steps has and where they are located, it cannot companies can take to prevent the cybertheft begin to secure them. of their IP assets, to mitigate the harm of such Once a company catalogs its online trade thefts if they occur, and to challenge competi- secrets, it should ask several high-level stra- tors that use stolen IP assets to unfairly gain tegic questions: How are they currently safe- an advantage in the marketplace. guarded? Who may access them? What systems are in place to alert the company that ■ Conducting a trade secrets risk analysis the trade secrets have been exfi ltrated or So what types of IP are cyber spies after? altered? These questions and the protective Intellectual property has four broad catego- measures developed in response are not only ries: patents, trademarks, copyrights, and important to thwart cyber attackers—but trade secrets. A trade secret—according to the also help to prevent all types of attempted Uniform Trade Secrets Act, or UTSA, adopted trade secret theft, whether conducted via the in some form by 48 states and the District of Internet or the old-fashioned way. They also Columbia—is information that gains its actual help to best position the company if it brings or potential economic value from being not litigation seeking damages, injunctive relief, generally known and reasonably protected or other recompense for the theft. Although from disclosure. Of the four IP types, only the cybertheft of trade secrets has not yet trade secrets maintain their value, and their yielded many judicial decisions, law books legal protection as trade secrets, through non- are rife with cases of companies seeking disclosure. If a trade secret is not disclosed, the damages resulting from current or former economic benefi t it provides and the legal employees spiriting off trade secrets to their protection it enjoys can theoretically last next employer or to a competitor. One of forever. If it is disclosed, those advantages can the central questions in any such litigation be destroyed. Trade secrets stand apart from is: did the company make reasonable efforts other IP, which gains and maintains its legal under the circumstances to protect the protection through disclosure: the fi ling of a secrecy of its confi dential information? The

■ 138 PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE

reasonable measures identifi ed in these deci- the full set of information needed to replicate sions—such as training employees on trade a targeted invention, product, or service.” A secret protection, requiring employee confi - company can achieve segmentation in two dentiality agreements prior to granting ways detailed by Villasenor: fi rst, by divid- access, and revoking access upon termina- ing a trade secret into modules, distributing tion from the company—apply with equal the modules across multiple networks, and force in the cyber context, and companies ensuring that there is no easy path from one should employ them. Below, we discuss network to the next; and second, once the additional cyber-specifi c protective meas- trade secrets are broken up into modules, ures that companies can consider taking. by allowing employees access only to the modules that are relevant to them. Some ■ Planning for the worst modules can be separated physically and Certain adversaries—especially nation- allow nearly no user access. For example, states and state-sponsored groups targeting ‘negative information’—valuable secrets U.S. trade secrets—are highly skilled, tech- about what does not work and is often the nologically savvy, and persistent. They are result of meticulous collection of data through not trolling for just any IP, and they will not extensive, costly research—is not frequently be put off by even best-in-class technical accessed in a company’s day-to-day opera- defenses and move onto the next target tions and therefore can be segmented and when their mission is to steal your compa- stored in an extremely limited set of locations. ny’s secrets. Even with reasonable defenses Implementing robust access control alongside in place, companies should assume that an segmentation makes it more diffi cult for an attack will eventually be successful, and that adversary to steal a company’s crown jewel a company’s IP and trade secrets may be trade secrets in a single attack, and to ‘spear- compromised as a result. One way compa- phish’ its way into accessing some or all of a nies can protect themselves is to consider company’s crown jewel data under the guise ways, such as the following suggestions, to of an authorized user. reduce the likelihood that even a successful intrusion leads to IP theft. Monitor data fl ow, not just authorization Instead of monitoring only for unauthorized Access controls and segmentation access, companies should fl ag and investi- Companies should implement access con- gate instances and activity of high-volume or trols on crown jewel data. Although almost suspicious data transfers, whether or not the every employee requires access to certain transferor is ‘authorized.’ Systems that look parts of the company’s network, not all of only for suspicious behavior by unauthor- them need access to fi les containing trade ized users can blind the company to critical secrets. Not even all employees that require and common cyberattacks. History shows access to some trade secrets need access to all. that trade secret theft frequently is carried A smart access control system makes it clear out by authorized users—think about a dis- that secrets actually are treated as secrets— gruntled employee downloading the master i.e., only those with a need to know (as customer list, or the trading algorithm, right opposed to everyone with a network pass- before he or she quits to work for a competi- word) are given access to the data. tor. In another common scenario, when Another related layer of protection is hackers obtain privileged user credentials to ‘trade secret segmentation,’ which, accord- infi ltrate a company’s network, activity that ing to John Villasenor in his article Corporate appears attributable to ‘Mike in Accounting’ Cybersecurity Realism (Aug. 28, 2014), is dis- may actually be malicious. Systems should tributing information “so that no single be designed to monitor the fl ow of key data, cybersecurity breach exposes enough of a whether or not it is being accomplished by trade secret to allow the attacker to obtain someone with apparent trust.

139 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Mark and tag secrets exercised it. Under such a plan, the fi rst call Even in the bygone days of trade secrets should be to experienced outside counsel, on paper, companies knew to clearly mark who can hire the forensics and crisis PR their secrets with a legend. This accom- teams to investigate and respond to what plished two things: employees would happened, and who give the results of the know to handle those secrets consistent investigation the greatest chance of being with the company’s trade secrets policies, considered privileged, which is important as and if they were stolen, they could be iden- the legal and regulatory consequences of tifi ed as the company’s property. Just like breaches continue to grow. It is also impor- cartographers of old intentionally included tant—especially with potential trade secret fake shortcuts, streets, and even towns to theft—to preserve all information surround- immediately recognize misappropriated ing the incident in a forensically sound way. copies of their maps, tagging digital assets For example, collecting and analyzing log provides a way to defi nitively prove that information may allow a company to deter- the IP was originally yours. Today, with an mine what data were lifted and where they array of technological means at hand, com- were sent, which could be critical in investi- panies can do more, including tagging gations by law enforcement and in post- digital IP with code that could, say, render breach litigation. stolen fi les inoperable. The IP Commission Report correctly recommended that “pro- ■ Taking on the IP thieves and their tection...be undertaken for the fi les them- benefi ciaries selves and not just the network, which Adversaries want to steal your trade secrets always has the ability to be compromised.” for a simple reason: to use, sell, and profi t It suggested that: from them. Every IP theft contains the seeds of unfair competition based upon the Companies should consider marking stolen secrets. Assume the worst has hap- their electronic fi les through techniques pened, and you begin to see the company’s such as “meta-tagging,” “beaconing,” hard work or research emerge in the mar- and “watermarking.” Such tools allow for ketplace, embedded in a competitor’s awareness of whether protected informa- product or across the negotiating table. tion has left an authorized network and What options do you have? We discuss can potentially identify the location of fi ve here: fi les in the event that they are stolen. Additionally, software can be written that Misappropriation of trade secrets. The victim will allow only authorized users to open of trade secret theft may bring an action fi les containing valuable information. If under state law to enjoin the benefi ciary an unauthorized person accesses the of the theft and recover damages. (There information, a range of actions might then currently is no federal private right of occur. For example, the fi le could be ren- action for misappropriation of trade dered inaccessible and the unauthorized secrets.) As already discussed, most states user’s computer could be locked down, have adopted a version of the Uniform with instructions on how to contact law Trade Secrets Act, or UTSA. UTSA pre- enforcement to get the password needed vents using a trade secret of another with- to unlock the account. (IP Commission out consent if the defendant employed Report at 81.) improper means to appropriate the secret, or “knew or had reason to know that Collect forensic leads as part of incident response his knowledge of the trade secret was Of course, executives must make sure that derived from or through a person who the company has created a robust incident had utilized improper means to acquire response plan and has practiced and it.” UTSA §§ 1(2)(ii)(A); 1(2)(i). UTSA,

■ 140 PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE

therefore, allows an action against the bureaucratic, that was in the context of hacker and the company seeking to ben- arguing for a quicker method for U.S. efi t from the stolen trade secrets, if the companies to seek exclusion. Our experi- plaintiff can show that the competitor had ence is that § 337 actions tend to be much reason to believe that the data it was quicker than currently available alterna- using were stolen from someone else’s tives, including state and federal court network. The remedies available under litigation. The ITC process offers U.S. UTSA are powerful and encompass dam- companies a powerful weapon against ages and injunctive relief. UTSA author- importation of goods containing stolen izes a court to award damages for actual trade secrets. loss and unjust enrichment, including multiple damages if the misappropriation Computer Fraud and Abuse Act (CFAA). was “willful and malicious.” UTSA §§ Under certain circumstances, the CFAA 3(a); 3(b). A court also may enjoin actual provides a private right of action for com- or threatened misappropriation or may panies to bring suit against a party who condition the competitor’s future use of knowingly and intentionally accesses a the trade secret on payment of a reasona- protected computer without authoriza- ble royalty. UTSA §§ 2(a); 2(b). tion, obtains information, and causes harm. 18 U.S.C. § 1030(g). The victim may Section 337 of the Tariff Act of 1930. To sty- be able to seek damages from not only the mie competitors that import their prod- individual who accessed the computer ucts into the U.S., a potent option is to and stole the information but also the initiate a process at the International Trade company profi ting from the stolen trade Commission (ITC) under Section 337 of secret so long as the victim can plead and the Tariff Act of 1930. A company may prove that the competitor “conspire[d] to petition the ITC to investigate whether commit” such an offense (18 U.S.C. § imported goods are the result of “unfair 1030[b]). methods of competition”—which includes incorporating stolen trade secrets—so Call the feds. A company may refer the long as the unfairness has the potential theft to federal criminal authorities, which to injure or destroy a domestic industry. can bring charges under 18 U.S.C. §§ 1831- 19 U.S.C. § 337. Because § 337 investiga- 32 for theft of trade secrets and economic tions are brought against goods, not par- espionage. The economic espionage and ties, there is no need to prove that the trade secret theft statutes reach not only specifi c company profi ting from the stolen parties who steal the trade secret but also data was actually behind the cyberattack, anyone who “receives, buys, or possesses only that the product was made or devel- a trade secret, knowing the same to have oped using misappropriated trade secrets. been stolen or appropriated, obtained, Even though the ITC cannot award dam- or converted without authorization.” ages under § 337, the remedy it can issue 18 U.S.C. §§ 1831(a)(3); 1832(a)(3). In addi- is potent against any company seeking to tion to imposing hefty fi nes ($5 million for import misappropriated products in the organizations, unless the theft was intend- U.S.: it can issue an order, enforceable ed to benefi t a foreign government, in by Customs and Border Protection, pre- which case it is $10 million), the law also venting goods from entering the country allows judges to force the criminals to and enjoining sale of such products forfeit “any property, or proceeds derived already here. from the stolen or misappropriated trade secrets, as well as any property used or Although the IP Commission has criti- intended to be used to help steal trade cized the § 337 process as too lengthy and secrets.” 18 U.S.C. §§ 1834, 2323(b).

141 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Of course, there are always pros and cons to U.S. assets and imposing sanctions. OFAC be weighed before bringing civil litigation will add foreign individuals identifi ed as or involving federal law enforcement being responsible for, contributing to, authorities. For example, law enforcement complicit in, or profi ting from signifi cant has a greater array of tools to compel pro- malicious cyber-enabled activities to its duction of evidence quickly, unlike in a civil list of Specially Designated Nationals suit, although a parallel criminal action (SDNs). To earn a spot on the SDN list, the may affect the company’s ability to seek associated attack has to be “reasonably civil discovery if the defendants seek a stay likely to result in, or have materially con- or exercise their Fifth Amendment right not tributed to, a signifi cant threat to the to testify. There are also practical and busi- national security, foreign policy, or eco- ness considerations that may argue for or nomic health or fi nancial stability of the against such a suit, including its potential to United States.” Although OFAC cannot affect existing or future commercial rela- assist a company with recovering lost tionships and continued access to foreign information or barring products from markets. entering the market, reporting the perpetrators of particularly serious cyberat- Future action: Report cyberspies and their tacks to OFAC can serve as a powerful benefi ciaries under Executive Order 13694. deterrent. It is important to note that E.O. In response to high-profi le cyberattacks, 13694 is, at the writing of this chapter, so the President and the federal government new that OFAC has yet to promulgate recognized that cyber espionage is a seri- fi nal regulations governing the SDN- ous threat to the nation’s economy and designation process, so companies should national security but acknowledged that consult with counsel to understand their it is not always possible to take criminal options once fi nal rules are in place. or civil action against perpetrators because they are often outside the juris- ■ Conclusion dictional reach of U.S. courts. For that Trade secrets are high on the list of assets reason, the U.S. has devised another that cyber spies are interested in stealing. method for reaching these malefactors, Careful planning will help your company do punishing them for their actions, and its best to prevent the theft of these valuable deterring future attacks. On April 1, 2015, assets and to thwart a competitor’s attempt the President signed Executive Order to profi t from its crimes if an attack is suc- 13694, authorizing the Offi ce of Foreign cessful. If the worst-case scenario material- Assets Control, or OFAC, within the izes and you discover that your company’s Treasury Department, to (i) identify for- IP has been stolen, take immediate steps to eign hackers, the parties who aid them, engage experienced outside counsel to assess and the parties who benefi t from their your best options to investigate the breach, activity by using their stolen information recover damages, enjoin unfair competition, to profi t and (ii) respond by freezing their and seek justice.

■ 142 SecurityRoundtable.org Cybersecurity due diligence in M&A transactions: Tips for conducting a robust and meaningful process Latham & Watkins LLP – Jennifer Archie, Partner

To begin with a tautology, when you buy a company, you buy their data—and the attendant risks to that data. Cybersecurity risks are not limited to consumer-facing businesses, whose recent losses of cardholder or patient data grab news headlines. Indeed, few businesses today have assets and liabilities that are not in some sense data driven. For most business combinations—whether M&A, joint venture, or leveraged buyout—cybersecurity should be a risk category in its own right. Buyers should review not just historic breaches but also cybersecurity risk management. Even though these risks are hard to quantify, the analysis will inform deal terms, deal value, and post-deal indemnity claims.

■ First step: Get an early read on cyber readiness at the engagement stage Buyers should begin all cybersecurity risk assessments early in the engagement process, with the goal of clearly articulating as early as possible the target company’s most important information assets, systems, and business processes. Every target business should be able to readily identify which information technology (IT) systems and data sets are most valuable to the business and explain at a high level how the company protects and exploits them. Even at the earliest stages, the seller should be prepared to identify and discuss the following at a high level:

What types of information or computer systems and operations are most important to your business? What sensitive types of data do you handle or hold relating to natural persons (which data elements in particular)? Where is sensitive information stored? How is it protected in transit, at rest, and in motion? What are the most concerning threats to information, networks, or systems?

143 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Have there been prior incidents? government investigations from the Federal What is the cybersecurity budget? Trade Commission (FTC) or other agencies What are your recovery plans if may be poorly understood. Federal investi- critical information or systems become gations tarnish brands, especially if enforce- unavailable? ment results. Investigations are expensive and distracting, and may lead to a sweeping If the front line deal-facing personnel 10- or 20-year permanent injunction dictat- respond, “I don’t know, I’d have to ask,” this ing how future information security will be is a telling and interesting sign that the target managed and monitored. Compliance with company’s security management program is such a decree is expensive and limits a com- likely not well integrated into the senior pany’s independence and fl exibility in sig- leadership ranks. Sellers thus should be pre- nifi cant ways. After a breach, management is pared in early discussions to showcase a often surprised to learn how persistent and sophisticated understanding of data security aggressive the FTC or state attorneys general risks and how those risks may materially can be, even if the company sees itself as a affect the company’s operations, reputation, victim of harm, not a perpetrator of con- and legal risks (or not). A buyer’s key dili- sumer injury. If the target’s legal or business gence objective should be to probe and test representatives are not knowledgeable about whether the target company has imple- the regulatory and enforcement environ- mented a mature risk management organiza- ments, buyers should not place much weight tion to evaluate the accuracy of management on a seller’s lulling statements or assurances assurances about lack of historical breaches, that there have been no incidents or that risk payment card industry (PCI) compliance, of a cyber event is low. protections against competitor or insider theft, and business continuity. Too often in ■ Check for integrated cyber risk awareness hindsight, a target’s statements made in dili- and mitigation and a comprehensive security gence turn out to have been good faith management program impressions, or even merely aspirational or Another sign of a mature security program refl ective of paper policy, but not operational is a management team with cross-function- reality. al awareness on these points at the CEO and board levels, as refl ected in board min- ■ Tailor diligence to what types of information utes or other documentation. A security are handled and how important is program will not be effective if it is a silo information security to the bottom line inside the IT or information security func- Beyond these general questions, the buyer tions. All substantial stakeholder depart- should directly probe whether the target ments should be involved in cybersecurity management has a sophisticated under- risk management, including business unit standing of potential cyber-related liabilities leaders, legal, internal audit and compli- and the regulatory environment. Unlike ance, fi nance, human resources, IT, and risk environmental or traditional fi re or natural management. disaster scenarios, cyberattack-related liabil- Diligence questionnaires should ask the ities are multi-faceted and unique. In some target company to generally summarize the industries—such as energy, transportation, administrative, technical, and physical infor- fi nancial institutions, health care, defense mation security controls currently in place to contracting, education, and telecommunica- safeguard the most critical business data sets. tions—government oversight can be active Such controls include technical measures and intrusive, and the target’s subject matter (such as boundary and malware defense, expertise will likely reside within the legal, data encryption, intrusion detection systems, compliance, and/or IT functions. In other anomalous event monitoring, and access industries, however, exposure to costly controls), administrative measures, and

■ 144 CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS

physical security. The company should have been adopted, budgeted and scheduled, or a current documented crisis management/ already implemented. incident response plan in place, including For companies whose vendors hold compre-staging of legal and forensic experts and pany-sensitive data or access systems, the a public relations strategy, all approved by company should have implemented—prior senior management. A seller should specifi - to engaging in a business relationship—a cally inquire about and assess what fi nancial formal vendor management program that resources are applied to data security, in the specifi cally assesses risk and identifi es context of the target’s overall approach to potential security or data privacy concerns risk containment and specifi c to its industry. and appropriate remediation next steps. Also, sellers should ask the following to After a decision to engage, the company gather detailed information about how the should mitigate data security risks through company has organized the management of written agreements and supervision. These cybersecurity and risk: third parties should have data security insurance coverage and/or the agreements Is there a single designated person with should require such a party to defend and overall responsibility? To whom does he indemnify the target company for legal lia- or she report? (Risk Offi cer? CTO? CIO? bility arising from any release or disclosure CEO?) of the information resulting from the negli- Describe board oversight. Have directors gence of the vendor or other third party. and senior managers participated in data Third-party agreements involving data security training/been involved in the exchange or access also should articulate development of data security protocols? breach notifi cation procedures, cooperation Does the company have legal counsel levels, information sharing, and expressly regularly advising on data security assign incident control and reporting compliance? Is counsel internal or responsibilities. external, and if external, who? Cloud-based or other software-as-a- How does the company educate and train solution (SAAS) solutions as well as mobile employees and vendors about company devices present their own cybersecurity risks policies, information security risks, and and should not be overlooked in diligence. necessary measures to mitigate risk? Does the company permit employees to use How can employees or members of the cloud-based fi le-sharing services? Does it public (such as independent security rely on SAAS solutions for critical or other researchers) report potential vulnerabilities/ business needs such as contact relationship breaches, including irregular activity or management or HR? Email? How are the transactions? security and compliance risks presented What is the plan to recover should critical being managed? Companies that issue or or other necessary systems become support mobile devices should have policies unavailable? What are the recovery point and procedures in place designed to protect and recovery time objectives? How have sensitive information in those environments. these and other elements of the plan been correlated to business needs? ■ Use subject matter experts to assess cyber readiness and liabilities If the company has in the last year or two Given the importance of the above ques- completed an internal or external audit or tions, the buyer should pay careful atten- assessment to determine compliance with tion to who asks these questions on behalf company security policies and/or external of the buyer or underwriters, in what set- security standards, this should be requested, tings, and with what time allowances. Put or at a minimum the target company should simply, deal teams ideally should embed report whether all recommendations have subject matter experts on the business side,

145 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

the technical side, and even the legal side network. The attacker then acquired elevat- early on—to do the following: ed rights that allowed it to navigate portions of the company’s systems and to deploy Pose questions orally unique, custom-built malware on self-check- Follow up with document requests out systems to access the payment card Assess the documentation information of up to 56 million customers Conduct on-site testing and analysis who shopped at U.S. and Canadian stores where appropriate between April 2014 and September 2014. In Assess and advise on the maturity fi scal 2014, alone, Home Depot recorded $63 and suitability of the program to the million in pretax expenses related to the data underlying data risks breach, partially offset by $30 million of Review and advise on deal terms or costs expected insurance proceeds for costs to remediate gaps in compliance or risk believed to be reimbursable and probable of management. recovery under insurance coverage, resulting in pretax net expenses of $33 million. Very importantly, the deal team also must be What this sort of fi nancial and reputa- nimble and focused upon the specifi c indus- tional exposure means for M&A diligence try, because cybersecurity risks are highly within the retail sector is that buyers should variable across industry sectors; threats, devote expert and highly substantive atten- liabilities, and government expectations for tion to how cardholder data are collected, adequate security are evolving constantly. stored, handled, and secured. Payment pro- For example, if hackers acquire and then re- cessing services are material to all retail sell large databases of cardholder data to businesses, and all payment processing identity thieves—as happened to Target and agreements have PCI compliance as a mate- Home Depot—the types of expenses and rial term. So just as the SEC always wants to liabilities a buyer could expect are well doc- know about where that relationship stands umented in SEC fi lings. Expenditures in its review of risk factors, buyers too want include the following: to pay special attention in this area. If PCI compliance is lacking, the seller should at Costs to investigate, contain, and remediate least be able to disclose a specifi c remedia- damaged networks and payment systems tion timeline and a budgeted plan that is and to upgrade security hopefully supervised and accepted by the Liability to banks, card associations, or payment processor. payment processors for fi nes, penalties, PCI compliance handled correctly is costly or fraudulent charges and involves constant adaptation and opti- Card reissuance expenses mization to new threats and new standards. Expense of outside legal, technical, and It is not an annual “check-a-box” process. communications advisors. Within the data security space—as was true for Home Depot, Target, and many others— ■ For retail sector, diligence surrounding good business practice assumes that a com- PCI compliance should seek more than promised merchant will have a recent, a “yes” or “no” response valid, self-certifi cation or even third-party Buyers of companies who accept, process, certifi cation of PCI compliance. However, a store, or handle cardholder payment data buyer should not rely simply on the inclusion streams of course will want to pay particular of such a report or certifi cate in a virtual data attention to compliance with current PCI room. Many a breached retailer has held a standards. At Home Depot, for example, an current PCI certifi cation. Accordingly, the attacker used a vendor’s username and buyer should always test the security of password to gain access to Home Depot’s cardholder data independently, at a process

■ 146 CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS

level if necessary. The same security consult- email and no way to process employee ants who arrive post-breach to assess root benefi ts or time cards (Source: http://www. cause and damage can examine card-related cbsnews.com/news/north-korean-cyberat- data security very meaningfully in the M&A tack-on-sony-60-minutes/). To add insult to setting, even with only a few days of on-site injury, much of the exfi ltrated material is interviews and document collection. If PCI now readily available (and free text search- compliance concerns arise in diligence, deal able) on WikiLeaks. terms can be arranged that mandate and The potential for outright theft of intellectu- appropriate funding for third-party inde- al property by competitors should not be over- pendent assessments and implementation of looked. In DuPont v. Kolon (United States v. recommendations. Moreover, many retailers Kolon Industries, Inc. et al.), for example, the now are migrating to new payment systems, manufacturer of Heracron, a competitor prod- and this is a unique technology risk because uct to DuPont’s Kevlar, misappropriated of the likelihood of delay, interruptions, and DuPont’s confi dential information by hiring budgetary over-runs. former DuPont employees as consultants and pressuring them to reveal Kevlar-related trade ■ Understand and assess awareness secrets. DuPont sued the competitor, Kolon, in and mitigation of risks of trade secret 2009, and in 2012 the Department of Justice theft, nation-state espionage, and denial brought criminal trade secret misappropriation of service attacks charges against Kolon and fi ve of its executives Beyond payment card security risks, theft of pursuant to 18 U.S.C. § 1832. In light of the trade secrets by competitors and insiders, parallel charges, Kolon settled, paying $360 state-sponsored espionage that is exploited million in damages—$85 million in fi nes and for economic advantage, and cyberattacks $275 million in restitution. (Source: Department that disable or cripple corporate networks of Justice Offi ce of Public Affairs, http://www. are less publicized but can be equally dam- justice.gov/opa/pr/top-executives-kolon- aging to a target business. For example, the industries-indicted-stealing-dupont-s-kevlar- high-profi le, studio-wide cyberattack at trade-secrets). To assess these sorts of risks, Sony Pictures in November 2014 at the acquirers should ask: hands of a group calling itself #GOP, aka the Guardians of Peace, starkly illustrates Are there former employees who had the potential to cripple a business. The access to critical intellectual property or attack, which the FBI attributed to North other company confi dential information Korea, resulted in the theft of terabytes of who have recently left for competitors? company internal email and documents, What agreements are in place to protect release of unreleased movies to fi le-sharing the proprietary information they have? networks, deletion of documents from Sony computers, threatening messages to the U.S.-based businesses, academic institutions, company and individual employees, theft cleared defense contractors, and government and apparent exploitation of sensitive agencies increasingly are targeted for eco- human resources data, and a near complete nomic espionage and theft of trade secrets by and prolonged disruption of the company’s foreign competitors with state sponsorship ability to transact business and communi- and backing. In the last fi scal year alone, cate electronically over its networks and economic espionage and theft of trade systems. In an interview with CBS News, secrets cost the American economy more Sony’s outside cyber investigator, Kevin than $19 billion. According to the FBI, Mandia, disclosed that 3,000 computers and between 2009 and 2013, the number of 800 servers were wiped, and 6,000 employ- arrests related to economic espionage and ees were “given a taste of living offl ine”—no theft of trade secrets—which the FBI’s

147 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

Economic Espionage Unit oversees—at least What is known about the attackers and doubled, indictments more than tripled, and the attack vector? convictions increased sixfold. These num- What data do you suspect or know were bers grossly understate the frequency of taken? such attacks or losses. Last year, the United How long between the fi rst known States Department of Justice indicted fi ve intrusion and discovery of the incident? Chinese military hackers on charges includ- Do you suspect or know whether the thief ing computer hacking, identity theft, eco- or intruder attempted or made fraudulent nomic espionage, and trade secret theft or competitive use of exfi ltrated data? from 2006 to 2014. The alleged actions During the past three years, have you affected six U.S.-based nuclear power, experienced an interruption or suspension metal, and solar product companies. The of your computer system for any reason indictment, fi led May 1, 2014, alleges that (not including downtime for planned the defendants obtained unauthorized maintenance) that exceeded four hours? access to trade secrets and internal communications of the affected companies for the A buyer should assess a target’s measures to benefi t of Chinese companies, including prevent and detect insider threats, including state-owned enterprises. Some defendants whether basic protections are in place to allegedly hacked directly—stealing sensi- identify and mitigate insider threats, such as tive, nonpublic, and deliberative emails the following: belonging to senior decision makers, as well as technical specifi cations, fi nancial Pre-employment screening via dynamic information, network credentials, and stra- interviews, background checks, and tegic information in corporate documents reference checking and emails—while others offered support Workforce education on warning signs through infrastructure management. Charges Internal network security measures such were brought under 18 U.S.C. §§1028, 1030, as website monitoring, blocking access 1831, and 1832. (Source: Department of Justice to free (unauthorized) cloud-storage sites Offi ce of Public Affairs, http://www.justice. such as Dropbox, turning off USB drives gov/opa/pr/us-charges-five-chinese- Automated monitoring of Web, deep military-hackers-cyber-espionage-against-us- Web, or peer-to-peer network searching corporations-and-labor). for leaked data. Many companies choose not to publicly disclose or discuss these sorts of attacks or Private and state actors have made use of disruptions, which may go undiscovered for denial of service attacks to disrupt the busi- many months and often years. Even when ness of a company that meets with their disap- attacks are discovered, breaches may not be proval (or as an extortion scheme). Material reported to law enforcement or even to impact on ecommerce, on-line entertainment, affected commercial partners. Questions email, and other critical systems are the result. about historical incidents during due dili- An acquirer might reasonably ask: gence therefore should be open-ended but also very direct: Has the target company evaluated its exposure to such attacks? Have you suffered thefts of confi dential What measures does it have in place to data (wherever stored)? defend itself? Has your network suffered an intrusion? How would it know if such an attack was Did you retain outside experts to occurring? investigate? Have any such attacks occurred?

■ 148 CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS

■ Assessing cyber insurance buyers should closely examine policies for Finally, buyers should evaluate the extent what is covered, deductibles, coverage peri- to which cyber risks are mitigated by ods, and limits. Diligence experts should insurance coverage, including whether also evaluate post-closing opportunities to enhancements to the cyber program may be enhance the insurance program if signifi - available post-closing. Most cyber insur- cant unmitigated risks of third-party liabili- ance policies today cover the data breach ties or direct expense from an attack have and privacy crisis management expenses been identifi ed. associated with complying with data breach notifi cation laws. Those costs include the ■ Conclusion costs of expert legal, communications, and If there was ever an era when minimizing forensic advisors, benefi ts such as credit or commoditizing assessment of cybersecu- repair or monitoring to affected individu- rity risks in the M&A space was sensible, als, and even costs of responding to govern- that time has surely passed. Expertise in ment investigations or paying fi nes. Cyber assessing data-driven risks should be coverage is also widely available for extor- embedded on the front end of every transaction events, defacement of website, infringe- tion and tracked throughout the deal, so ment, and network security events, even that deal terms, deal value, and post-closing arising from theft of data on third-party opportunities to strengthen security can systems or malicious acts by employees. be considered against a fully developed Because of the volatility and variability of factual picture of the target company’s the cyber insurance market at this time, cyber readiness and exposure.

SecurityRoundtable.org 149 ■

International infl ection point— companies, governments, and rules of the road Kaye Scholer LLP – Adam Golodner, Partner

In the attorney general’s conference room at the United States Department of Justice is a mural on the ceiling—on one end a heavenly depiction of justice granted, and on the other a depressing tableau of justice denied. These images help remind us that principles matter, choices matter, and in many situations divergent outcomes are possible. We are at this kind of infl ection point in global cyber. Technology, software, hardware, and physical and social networks are embedded everywhere today. Into the future the Internet of Things and the Industrial Internet will bring the next wave of global hyper connectedness and drive business innovation, new markets, effi ciency, and consumer benefi ts globally. Every business today is a technology business, and every society increasingly a technology society. We all benefi t from it. It is good. The world has changed, but it has also stayed the same. In some sense, cyber issues are not new. They are the same issues countries and societies have been dealing with for centuries—theft, fraud, vandalism, espionage, and war. Over time, societies have created rules to deal with these domestically and globally. But cyber presents new facts. Activities and incidents happen at machine speed, and distance hardly matters. Masking who you are is easier. Some seemingly anonymous person can reach out and touch you instantaneously from anywhere. The kind of information we collect is quantitatively and quali- tatively different than the past. We must appreciate and understand these facts and what they mean. With a future of embedded everything and hyper connectivity, we have to create acceptable ‘rules of the road’ that ensure we get the promise of the future, not a world where governments or individuals turn that promise on its head and abuse the very same connectedness. Countries and companies have to defi ne acceptable ‘rules of the road’ for behavior in cyberspace—what’s okay and not okay for governments to do to each other, companies, and

151 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

individuals in cyberspace. Analogies can strategies, and next generation innovation and should be made to longstanding princi- from U.S. companies, with that very same ples relating to theft, fraud, vandalism, espi- stolen intellectual property being given by onage, and war—and how countries deal the governments that stole it to favored with each other on these issues. After all, domestic champions for the purpose of com- technology is a tool; we have had tools in the peting against that very same victim of the past, and we have applied age-old principles theft. Companies share these concerns. No to new tools throughout history. However, company wants to have its operations, the pace of change is accelerating. That brand, or competitive advantage under- means we need to move fast to apply new mined or destroyed. Despite these concerns, facts to old principles now and help shape nation-state, non-nation-state, hacktivist, the future. Like the mural on the ceiling on and criminal activity continues. In fact by all the attorney general’s conference room, dif- accounts it’s increasing in all categories ferent future outcomes are possible. What across the governmental and commercial principles and rules will secure goodness sectors. into the global technology future? What are Although some policy makers have begun the roles of companies, boards of directors, to talk about cyber ‘norms,’ there has not and CEOs in shaping that future? We discuss been sustained multi-lateral head-of-state to these questions in this chapter. head-of-state work to set rules of the road. There are three areas in which companies However, it has to begin. The issues are big and their leaders can help: rules of the road, enough and complex and signifi cant enough cyber laws globally, and security and privacy. that we have to set the right path now. We can build rules that the majority of the fam- ■ Rules of the road ily of nations can agree to and then bring the Cyber is a top issue for the U.S., E.U. Member outliers along. Most commentators are of the States, China, India, Russia, Brazil, Australia, view that a formal treaty is premature, if it and Japan, and the heads of state in each of ever makes sense. This sounds right to me. these countries spend signifi cant time on the However, the time is right to up-lever the issue. For the last three years the U.S. has conversation to the head of state level and said that cyber is the number one national convene the heads of state of some core security threat to the U.S.—not nuclear, bio- countries (such as U.S., U.K., Germany, France, logic, or chemical, but cyberthreat. All these Sweden, Estonia, India, Brazil, Japan, Korea, countries view cyber as a national security Australia, Canada) to start to build out and economic security issue. In national secu- offensive, defensive, law enforcement, and rity, cyber is both an offensive and a defensive commercial rules of acceptable behavior. Of issue. On the offensive side, cyber tools and course, other countries, such as China, could techniques can be a means of espionage, war, join in short order if it turns out they are in or deterring a threat. On the defensive side, fast agreement, but the work of building out conversely, countries are concerned that the core should move ahead without waiting companies in critical infrastructure sectors for everyone to be on board. An additional (fi nancial, communications, defense, electric, benefi t of doing this is that it reduces the energy, transportation, health care, chemical, impulse of countries to complain about the public services) can have their operations activities of other countries when the activity affected, data compromised or destroyed, at issue is one that all countries fi nd to be or public safety threatened—in effect, bring- acceptable, and in the converse, gives weight ing important segments of the economy to complaints about activities outside of the to a halt. acceptable. U.S. policy leaders also are highly con- Why should companies care? Why should cerned about other nation-states stealing they be integral to these discussions? First, core intellectual property, business and deal companies own the enterprise networks and

■ 152 INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD

databases in which cyber activity takes security? What tools in the toolbox are place—domestic companies and global com- acceptable to curb behavior—prosecution, panies. Companies own the software, hard- sanctions, trade, covert action? Is it OK for ware, the information, and the upstream and national security services to steal intellectual downstream relationships where this contest property of companies? Is it OK for intelli- takes place. Think of the Internet—every lit- gence services to give it to competitors? tle bit of it is owned by somebody, and the What collection of information of or about vast majority is owned by public companies individual citizens of another country is globally. Although cyber is the fi fth fi ghting acceptable or unacceptable? What is the domain (along with land, sea, air, and space), standard? What collection on other govern- it is the only one owned essentially by pri- ments and their leaders is acceptable? vate companies. Second, information tech- Most of these questions have some nology and communications services and grounding in existing principles and laws, products are created and sold by the private but the cyber facts have to be understood sector. If a government acts on those services and applied to start to enunciate these or products, it acts on services and products rules of the road. Although work has cer- with a private sector brand. The same brand tainly begun on cyber ‘norms,’ the time is used by other companies. Third, the future right for taking the work to the next level. of the global interoperable, open, secure, Furthermore, because the playing fi eld is network is at stake. Will companies be able made up of private networks and elements to continue to drive innovative business of technology services and products, the models, or will they be stifl ed by the rules outcomes should by defi nition be of inter- and activities of governments, hacktivists, est to companies, CEOs, and boards of and criminals playing in their playing fi eld? directors. Good rules of the road should Here are some ‘rules of the road’ that help build trust in networks and technolo- should be in play. What cyber activity is an gy globally. So, companies should engage act of war? What cyber activity is acceptable in helping set the global rules of the road espionage? What is cyber vandalism, and today. It affects their future. what is the appropriate response? What activity by a nation-state is acceptable on a ■ Cyber laws globally bank, stock exchange, energy, transporta- Given that cyber runs the gamut from tion, electric, or life sciences company? What national security concerns to consumer pro- if it’s a non-nation-state activity? What action tection, and countries around the world is acceptable to proactively stop a planned have different values and interpretation of cyber activity? What principles should ani- what laws protect their country and citizens, mate the decision to use a cyber tool of war it should come as no surprise that companies on a target connected to the Internet? Is it doing business globally will face a myriad of OK to deliver cyber means through private sometimes divergent laws on a range of networks or technologies? What is an accept- cyber topics. able response to another country’s cyber or An in-depth review of these laws is kinetic act? What are the principles for dis- beyond the scope of this chapter, but it is closing or stockpiling zero-day vulnerabili- important to note the categories in which a ties or interdicting a supply chain? How can company, CEO, general counsel, and per- we make global assurance methodologies haps even the board must understand that such as the Common Criteria for Information their activity may trigger a compliance issue Technology Security Evaluation (Common or affect their ability to provide a product or Criteria) for products even more useful? service. Should there be requirements for govern- With regard to compliance and security, ments to share cyberthreat information with there is a saying that ‘compliance does not other countries and companies to improve equal security.’ There is no doubt that driving

153 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

to ‘real security’ is the goal, and one that will data localization (Russia), U.S.-E.U. Safe likely get you where you need to be for com- Harbor (allowing for transfer of E.U. pliance as well. privacy information to U.S.) Here is a list of categories of laws to be speech and content: protection (U.S. concerned about and a few specifi c-use Constitution), limits (France, Germany, cases: Russia, China) consumer protection: unfair or deceptive infrastructure security: voluntary public- security practices (U.S. FTC) private partnerships (U.S., U.K.), regulation criminal law: laws against hacking of critical infrastructure (China, pending (U.S. CFAA, Budapest Convention on in E.U., pending in Germany), sector- Cyber Crime, many countries), mutual specifi c regulation (India telecoms, U.S. legal assistance (MLATs) (U.S. and many chemical, Russia strategic industries) countries for cross-border investigation incident notifi cation: data breach (U.S. and extradition) in 47 states, E.U. telecoms, pending new multilateral agreements: Wassenaar E.U. Privacy Directive), SEC disclose arrangement (obligation to limit export material adverse events (U.S. SEC) of dual-use technologies, including tort, contract, product liability: in the security), mutual defense treaties (e.g., absence of specifi c regulation, a company NATO and Article 5 cyber obligations), must use ‘reasonable care’ to secure WTO and technical barriers to trade their and third-party data, continue to agreement (obligation of WTO members provide service, build secure products, to use international standards, including and protect IP (U.S., E.U., India and for technology), WTO government procurement contract, globally) agreements (many countries, rules opening board of directors corporate: the board government procurement markets for must use its ‘business judgment’ to secure foreign tech products). the assets of the company and provide reasonable security (U.S.) Over the past decade there have been many acquisition of information by nation- skirmishes to try to limit the impact of pro- states: lawful intercept telecoms (most posed laws that would splinter the global countries), requests from non-telecoms by market for technology products and servic- judicial or administrative process (most es and protect the ability of companies to countries), collection outside of home continue to drive innovation in products country (most countries) and services. Particularly in the post- technology controls, national security Snowden world, where trust of countries reviews, and certifications: export and technologies has been strained, compa- control commercial technologies (U.S.), nies must pay particular attention to legis- export control of military technologies lative and regulatory proposals that would ITAR (U.S.), certifi cation of IT product undermine the global interoperability or (26 countries Common Criteria evaluation, security of the network, or use security as a China own requirements, Russia own stalking horse to protect or promote domes- requirements, Korea pending), import tic manufacturers. restriction on encryption (China, Russia), in-country use of encryption (China, ■ Security and privacy Russia), national security reviews for As technology and economics continues to M&A (U.S. CFIUS & FCC, China). drive connectivity, cloud, mobility, data ana- privacy: economy-wide limits on lytics, the Internet of Things, and the collection and transfer of information Industrial Internet, we must deal effectively about individuals (E.U.), sector specifi c with security and privacy. It’s not just the (U.S. health care HIPAA, fi nancial GLB), Snowden effect. People are still working

■ 154 INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD

through what they think about security and questions companies can and should ask privacy. Most want both. Some regions have when providing service, domestically, but differing views. In the U.S., we limit what the particularly globally. There no doubt is com- government can do through Constitutional petitive advantage in providing solutions Fourth Amendment restrictions on unrea- that don’t raise privacy concerns. sonable searches and seizures, but we freely give personal information to commercial ■ Conclusion companies in exchange for free content and Cyber is by defi nition a global issue for any other services we like. In Europe, it’s the company, CEO, and board. The company’s opposite. The E.U. presumptively limits networks are global, products are global, what information relating to individuals the and adversaries are global. Furthermore, the private sector can collect and share but often company must have relationships with gov- has minimal legal procedures regulating ernments globally. Many companies are government activities to collect information ‘global citizens’ and have a majority of their about its citizens. China has its own view on sales outside their home country. Where the national security and information, as does cyber issue is in the top of the mind in each Russia. In any event, companies have an of the major markets these companies serve important role to play in the future of the and where governments have not yet sorted intersection of security and privacy. out acceptable global ‘rules of the road,’ it is Most people talk in terms of balancing incumbent on company leadership to help security and privacy. This may be a false fi gure out what the future is going to look dichotomy. I think the better approach is to like. Without common ground about what’s drive to security and privacy. Try to get both OK and not OK for governments to do with right. Do what you need to secure a system regard to each other, companies, and citi- or crown jewels or an enterprise, and use zens, we will face an uncertain technology techniques and technologies that help future. I am optimistic about the future and ensure privacy. I think this is the challenge about the ability to master the cyber issue. for the future and likely an area that will However, it will take moving through the spur great innovation. How can we work problem set. We are at an infl ection point— effectively with anonymized data? How can as we continue to embed devices, software, we implement machine-to-machine anoma- and hardware into everything, we need to ly detection without identifying the indi- have a view, a path, a structure that gives us vidual or that a device belongs to a particu- confi dence. Therefore, when we sit down in lar individual? How can we manipulate an offi ce such as the attorney general’s or a encrypted data at scale? Can we know board of directors and ponder the better and enough from encrypted data streams across lesser proclivities of mankind, we must be the enterprise or network to understand and confi dent we are driving rules-based deci- stop an exfi ltration or an attack? How can sions to the happier side of the ledger—one we share cyberthreat information that is that ensures we reap the benefi ts of this anonymous and actionable? These are the terrifi c, accelerating, age of technology.

SecurityRoundtable.org 155 ■

Managing third-party liability using the SAFETY Act Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner

One of the most pressing questions directors and offi cers of publicly listed companies is how to manage third-party liability in the post 9/11 era. In particular, directors and offi cers continually struggle with the issue of whether ‘enough’ security measures have been deployed to protect not only corporate assets and employees but also innocent bystanders. Before 9/11, courts typically would not hold makers of items such as ammonium nitrate fertilizer liable for the misuse of their product by terrorists (fi nding that such terrorist acts were ‘unforeseeable’ and that the fertilizer manufacturers did not have a duty to protect the unfortunate victims of the attacks). Unfortunately, a series of decisions completely changed the legal landscape post 9/11. In one case stemming from the 1993 World Trade Center attack, New York state courts initially held the Port Authority of New York and New Jersey partially liable for the losses suffered by the victims of the 9/11 attacks. In that particular case, the Port Authority was held to a standard in which if it knew or should have been aware of the possibility of a terrorist attack, then it was obligated to take all reasonable measures necessary to mitigate the possibility of said attacks. Even considering that the decision was ultimately overturned on a technicality (the Port Authority was found to have a unique form of ‘sovereign immunity’ and therefore could not be held liable under any circumstances), the initial decision set forth a blueprint that other courts are sure to follow in future cases involving terrorist or cyberattacks. Similarly, claims fi led against the manufacturers of airplanes used in the 9/11 attacks were also allowed to proceed, leading to signifi cant costs for those companies. In that instance, a federal court in New York allowed claims alleging that the cockpit doors on planes made by Boeing were negligently designed—thereby allowing

157 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

terrorists to gain control of the planes— receive liability protections under the were allowed to proceed. The court’s ration- SAFETY Act. ale in that case was that a jury could fi nd In addition, entities that purchase or that Boeing should have foreseen that a ter- deploy SAFETY Act approved security prod- rorist would want to breach the cockpit and ucts and/or services also will have the ben- hijack the plane, and thus its cockpit doors efi t of immediate dismissal of third-party should have been more strongly designed. liability claims arising out of, related to, or Because those claims were allowed to resulting from a declared ‘act of terrorism’ 1 proceed, Boeing on average paid 2 ⁄2 times in (a term that encompasses physical or cyber- settlement fees what the plaintiffs (here the attacks, regardless of whether there is any families of persons killed in the 9/11 attacks) motive or intent that could be deemed ‘polit- would have received if they had elected to ical’ in nature). participate in the 9/11 Victims Compensation The reader should remember that at the Fund. time of the drafting of this article, no litiga- In light of the above, it is obvious that tion specifi cally involving the SAFETY Act directors and offi cers of publicly listed com- has occurred, and so there is no established panies must be very concerned about post- legal precedent interpreting the statute itself. attack litigation. Even if a court or jury ulti- However, the fundamental principles of the mately fi nds that there is no culpability on SAFETY Act are based on the “government the part of a director, offi cer, or the company contractor defense,” a well-established com- itself, the stark reality is that the legal fi ght to mon law affi rmative defense to third-party reach that decision will be expensive and litigation that has been reviewed and upheld protracted. by the U.S. Supreme Court. So, the key question that directors and Accordingly, this article is based on inter- offi cers of publicly listed companies must pretations of the SAFETY Act, the Final Rule ask themselves is, ‘How do we manage/ implementing the SAFETY Act, and the minimize third-party liability in a post 9/11 underlying theory of the government con- world?’ Insurance is certainly an option, but tractor defense. obtaining a comprehensive policy can be very expensive, and further coverage is ■ Background of the SAFETY Act uncertain. Again using 9/11 as an example, The SAFETY Act provides extensive liability many companies paid immense amounts in protections to entities that are awarded either legal fees to force their insurance carriers to a ‘Designation’ or a ‘Certifi cation’ as a honor terrorism-related claims under the Qualifi ed Anti-Terrorism Technology (QATT). policies they issued. Under a ‘Designation’ award, successful Understanding the limits of insurance, SAFETY Act QATT applications are entitled the question then becomes what other risk to a variety of liability protections, including mitigation tools exist that could limit by stat- the following: ute or eliminate third-party claims? Based on a review of existing statutes, regulations, All terrorism-related liability claims must and alternative options such as insurance be litigated in federal court. coverage, the best opportunity for limiting Punitive damages and pre-judgment liability is the Support Anti-Terrorism By interest awards are barred. Fostering Effective Technologies Act Compensatory damages are capped at (‘SAFETY Act’). Under the SAFETY Act, an amount agreed to by the Department ‘sellers’ of security products or services of Homeland Security (DHS) and the (a term that also includes companies that applicant. develop their own physical or cybersecurity That damage cap will be equal to a set plans and procedures and then uses them amount of insurance the applicant must only for internal purposes) are eligible to carry, and once that insurance cap is

■ 158 MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT

reached no further damages may be loss to citizens or institutions of the United awarded in a given year. States. A bar on joint and several liability Damages awarded to plaintiffs will be The Secretary has broad discretion to declare offset by any collateral recoveries they that an event is an “act of terrorism,” and receive (e.g., victims compensation funds, once that has been declared, the SAFETY Act life insurance). statutory protections will be available to the seller of the QATT and others. Should the applicant be awarded a A cursory review of this defi nition reveals ‘Certifi cation’ under the SAFETY Act for their that there is no need to divine a motivation QATT, all of the liability protections awarded for the attack and that the language used can under a ‘Designation’ are available. In addi- be interpreted to include physical attacks as tion, the seller of a QATT will be entitled to an well as cyberattacks. The only ‘intent’ that immediate presumption of dismissal of all must be demonstrated under the SAFETY third-party liability claims arising out of, or Act then is that the attack is intended to related to, the act of terrorism. cause destruction, injury, or other loss to the This presumption of immunity can be U.S. or its interests. This is important to overcome in two ways: (1) by demonstrat- remember because it means that cyberat- ing that the application was submitted with tacks also trigger the protections of the incorrect information and that that informa- SAFETY Act. tion was provided though fraud or willful misconduct or (2) by showing that the ■ SAFETY Act protections available claims asserted by the plaintiff related to a to customers and other entities product or service are not encompassed by One of the most signifi cant additional bene- the QATT defi nition as written by the fi ts of the SAFETY Act is that the liability Department of Homeland Security. Absent protections awarded to the seller of the a showing of element, the attack-related QATT fl ow down to customers, suppliers, claims against the defendant will be imme- subcontractors, vendors, and others who diately dismissed. were involved in the development or deploy- For the SAFETY Act protections to be trig- ment of the QATT. In other words, when a gered, the Secretary of Homeland Security company buys or otherwise uses a QATT must declare that an “act of terrorism” has that has been either SAFETY Act ‘Designated’ occurred. The defi nition of an “act of terror- or ‘Certifi ed,’ that customer is entitled to ism” is extremely broad, and includes any immediate dismissal of claims associated act that: with the use of the approved technology or service and arising out of, related to, or (i) is unlawful; resulting from a declared act of terrorism. The bases for these expanded protections (ii) causes harm to a person, property, or are clearly set forth in the SAFETY Act stat- entity, in the United States, or in the case of a ute and in the Final Rule implementing the domestic United States air carrier or a United SAFETY Act. Both are detailed below: States-fl ag vessel (or a vessel based principally in the United States on which United States With respect to the protections offered to income tax is paid and whose insurance cover- entities other than the Seller of the QATT, age is subject to regulation in the United the SAFETY Act statute states as follows: States), in or outside the United States; and IN GENERAL.—There shall exist a (iii) uses or attempts to use instrumentalities, Federal cause of action for claims arising weapons or other methods designed or intend- out of, relating to, or resulting from an act ed to cause mass destruction, injury or other of terrorism when qualifi ed anti-terrorism

159 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

technologies have been deployed in DHS, as set forth in the preamble to the defense against or response or recovery SAFETY Act Final Rule, agrees with this from such act and such claims result or interpretation, stating: may result in loss to the Seller. The substantive law for decision in any such Further, it is clear that the Seller is the only action shall be derived from the law, appropriate defendant in this exclusive including choice of law principles, of the Federal cause of action. First and foremost, the State in which such acts of terrorism Act unequivocally states that a “cause of occurred, unless such law is inconsistent action shall be brought only for claims for with or preempted by Federal law. Such injuries that are proximately caused by sellers Federal cause of action shall be brought only that provide qualifi ed anti-terrorism technol- for claims for injuries that are proximately ogy.” Second, if the Seller of the Qualifi ed caused by sellers that provide qualifi ed anti- Anti-Terrorism Technology at issue were not terrorism technology to Federal and non- the only defendant, would-be plaintiffs could, Federal government customers. in an effort to circumvent the statute, bring claims (arising out of or relating to the perfor- The SAFETY Act statute also reads: mance or non-performance of the Seller’s Qualifi ed Anti-Terrorism Technology) against JURISDICTION.—Such appropriate district arguably less culpable persons or entities, court of the United States shall have original including but not limited to contractors, sub- and exclusive jurisdiction over all actions for contractors, suppliers, vendors, and custom- any claim for loss of property, personal injury, ers of the Seller of the technology. or death arising out of, relating to, or resulting from an act of terrorism when qualifi ed Because the claims in the cause of action anti-terrorism technologies have been deployed would be predicated on the performance or in defense against or response or recovery non-performance of the Seller’s Qualifi ed from such act and such claims result or may Anti-Terrorism Technology, those persons or result in loss to the Seller. entities, in turn, would fi le a third-party action against the Seller. In such situations, The key language, which comes from 6 the claims against non-Sellers thus “may U.S.C. Section 442(a)(1), states that the claims result in loss to the Seller” under 863(a)(2). arising out of, relating to, or resulting from The Department believes Congress did not an act of terrorism “shall be brought only for intend through the Act to increase rather than claims for injuries that are proximately decrease the amount of litigation arising out caused by sellers that provide qualifi ed anti- of or related to the deployment of Qualifi ed terrorism technology to Federal and non- Anti-Terrorism Technology. Rather, Congress Federal government customers.” balanced the need to provide recovery to plain- Furthermore, in Section 442(a)(2), the tiffs against the need to ensure adequate SAFETY Act states that U.S. district courts deployment of anti-terrorism technologies by shall have original and exclusive jurisdiction creating a cause of action that provides a cer- for claims that “result or may result in loss to tain level of recovery against Sellers, while at the seller.” the same time protecting others in the supply The language in 6 U.S.C. Section 442(a)(1) chain. and (a)(2) reads such that terrorism-related claims that have or could have resulted in a Within the Final Rule itself, the Department loss to the seller may only be brought in U.S. also stated: district courts against the seller. Nothing in the statute would give rise to claims against There shall exist only one cause of action for other parties who use or otherwise partici- loss of property, personal injury, or death for pate in the delivery and use of the QATT. performance or non-performance of the

■ 160 MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT

Seller’s Qualifi ed Anti-Terrorism Technology Further, based on the extensive analysis con- in relation to an Act of Terrorism. Such ducted above regarding the applicability of cause of action may be brought only against the SAFETY Act statute and Final Rule, buy- the Seller of the Qualifi ed Anti-Terrorism ers of security QATTs will be considered Technology and may not be brought against ‘customers’ for SAFETY Act purposes, and the buyers, the buyers’ contractors, or down- therefore entitled to immediate dismissal of stream users of the Technology, the Seller’s claims related to an approved security tech- suppliers or contractors, or any other person nology or service. Thus, the SAFETY Act can or entity. and should serve as an excellent tool to mitigate or eliminate said liability. Thus, the SAFETY Act statute and the Final Accordingly, sellers and customers of Rule implementing the law make it clear that ‘QATTs’ are entitled to all appropriate pro- when there is litigation involving a SAFETY tections offered by the SAFETY Act, whether Act QATT (whether Designated or Certifi ed) those offered by Designation, the presump- alleging that the QATT was the cause, direct- tion of dismissal offered by Certifi cation, or ly or indirectly, of any alleged losses, the the fl ow-down protections offered to cus- only proper defendant in such litigation is tomers and others. QATT customers and the Seller of the QATT. Customers and oth- sellers could still face security-related litiga- ers are not proper defendants and are enti- tion should the Homeland Security Secretary tled to immediate dismissal, because allow- not declare the attack to be an “act of terror- ing litigation to proceed against customers ism” or if the claims do not relate to the would be contrary to the SAFETY Act statute QATT as defi ned by DHS. and Congressional intent. ■ Conclusion ■ Practical application of SAFETY Act Entities that are potentially at risk for third- protections to limit third-party claims party liability claims after an attack can be Considering the above, companies that sell materially protected through the SAFETY or deploy security QATTs, as well as their Act. Users of SAFETY Act-approved security customers, are entitled to extensive benefi ts. products or services will also receive direct Sellers of cybersecurity QATTs are entitled to and tangible benefi ts. the broad protections from third-party liabil- The SAFETY Act provides strong liability ity claims offered under a ‘Designation’ and protections that will fl ow down to such cus- a ‘Certifi cation.’ tomers per the language of the SAFETY Act As explicitly set forth in the SAFETY Act statute and Final Rule. A wide variety of statute and the SAFETY Act Final Rule, the attacks, products, and services, including only proper defendant in litigation following cyberattacks and cybersecurity products and an act of terrorism allegedly involving a services, are covered by the language of the SAFETY Act Designated and/or Certifi ed SAFETY Act, and thus, such products and QATT is the seller itself. In this case, the services are also eligible to provide dramati- ‘Seller’ would be the security vendor or cally limited litigation and for such litigation company that deploys its own internally to be limited to ‘sellers,’ not ‘customers.’ developed security policies, procedures, or Certainly not every attack will result in technologies with the QATT being said liability for security vendors or their custom- Certifi ed or Designated security policies, ers, particularly with respect to third-party procedures, or even technologies. liability. Should such liability occur, howev- The basis for this analysis rests upon the er, it can be mitigated or eliminated using fact that sellers of security QATTs will have the SAFETY Act. received the QATT Designation or Perhaps most importantly for directors Certifi cation, thus conferring upon them and offi cers of publicly listed companies, the specific statutory liability protections. SAFETY Act should always be considered

161 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

when examining risk mitigation strategies Given the relative paucity of case law associated with the company’s internal secu- defi ning what constitutes ‘adequate’ or ‘rea- rity programs (physical and/or cyber) as sonable’ security, directors and offi cers well as security goods and services pur- should look to the SAFETY Act as a way to chased from outside vendors. The SAFETY help determine whether their company’s Act offers powerful liability protections and security plans and programs could be con- can doubly serve as evidence that the com- sidered to have achieved those benchmarks. pany exercised ‘due diligence’ and ‘reason- Doing so will not only help improve security able care’ when designing and implement- but also almost assuredly decrease the coming its security programs. pany’s risk exposure.

■ 162 SecurityRoundtable.org Combating the insider threat: Reducing security risks from malicious and negligent employees Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

“Edward Snowden,” the affair that bears his name demonstrates the extreme damage that a privileged insider can cause, even to an organization with the most sophisticated security technology and one of the largest cybersecurity budgets. Although Snowden may have been a contractor, survey after survey demonstrates that employees, whether through negligence or malice, are the most common cause of security incidents. According to the Vormetric Insider Threat Report 2015, 89% of respondents globally stated that their organization was more at risk than ever from the insider threat, and 55% identifi ed employees as the #1 internal threat. PwC’s Global State of Information Security 2015 found that current employees are the most frequently cited cause of security incidents, well ahead of contractors, hackers, organized crime, and nation-states. These studies confi rm that there has been no abatement in the insider threat in recent years. Just as PwC’s study found in 2015, a 2013 Ponemon Institute study, entitled the “Post-Breach Boom,” also reported that negligent and malicious insiders were the cause of 61% of security breaches experienced by respondents, substantially exceeding other causes, such as external attacks and system error or malfunctions. Employers can take a wide range of relatively low-cost, low-tech steps to reduce the risk of insider threats. These steps track the stages of the employment lifecycle, ranging from pre-employment screening at the outset of the employment relationship to exit interviews when that relationship ends. Between those endpoints, employers can reduce the insider threat by implementing and managing access controls, securing mobile devices (whether employer-owned or personal) used for work, carefully managing remote work, providing effective training, and following a myriad other steps discussed in more detail below.

163 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

■ Pre-employment screening and post-hire check adequately protects their organiza- risk alerts tion. Currently, the vast majority of employ- Effective background screening can eliminate ers do not conduct background checks after the insider threat before it ever occurs by the job application process has been com- identifying job applicants who pose a pleted. However, several service providers threat to the employer’s information assets. now offer “risk alerts,” either directly to Employees responsible for evaluating back- employers or indirectly through the employ- ground reports should be looking not only er’s background check vendor. These risk for prior convictions for identity theft but alerts notify the employer and/or the back- also for other crimes involving dishonesty, ground check vendor of post-hire risk fac- such as fraud and forgery, which indicate an tors available through public records applicant’s propensity to misuse informa- sources, such as pending criminal charges, tion. Employers that rely on staffi ng compa- criminal convictions, and bankruptcies. nies should consider not hiring temporary Employers may consider using such “con- workers for positions involving access to tinuous monitoring” services to help iden- sensitive employee, customer, or business tify employees who become security risks data, such as positions in the human resourc- over time. es or R&D departments or those responsible for processing credit card payments. If such ■ Employee-oriented safeguards for sensitive hiring is imperative, the employer should corporate data impose on the staffi ng company, by contract, Even employees who have been thoroughly background check criteria for temporary screened and have proven their trustworthi- placements that are at least as stringent as the ness can expose an organization’s sensitive employer’s own background check criteria. data to loss or theft. Organizations and the Employers should beware that pre- employees themselves can take the basic employment screening can itself expose an precautions described below to mitigate employer to signifi cant risks. In the past few these risks. years, the plaintiffs’ class action bar has aggressively pursued employers for alleged A. Safeguarding electronic data violations of the federal Fair Credit Reporting 1. Access control lists: Restricting access Act (FCRA), which regulates the procure- to information, particularly sensitive ment of background checks from third-party customer, employee, and business consumer reporting agencies. As of mid- information, on a need-to-know basis is 2015, nearly 20 jurisdictions—states, coun- a fundamental principle of information ties, and municipalities—have enacted “ban- security. Employees in the accounts the-box” legislation to restrict private payable department, for example, employers’ inquiries into criminal history. At should be barred from accessing the same time, the U.S. Equal Employment human resources information. In Opportunity Commission (EEOC) has fi led addition, access to information by several lawsuits against large employers, employees with a need to know should alleging that their pre-employment screen- be limited to the minimum necessary ing practices have a disparate impact on to perform their job responsibilities. African American and Hispanic job appli- Organizations should implement cants. Consequently, organizations should a process for establishing the access carefully review their pre-employment rights of new hires based on their screening practices for compliance with the job responsibilities, for modifying many federal, state, and local laws aimed at access rights when job responsibilities helping ex-offenders secure employment. change, and for promptly terminating Employers also should consider whether access rights when the employment a one-time, pre-employment background relationship ends.

■ 164 COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEES

2. Protecting log-in credentials: password protection, automatic log- Employees should be regularly out after a short period of inactivity, reminded of the importance of automatic log-out after a small number protecting their log-in credentials. of unsuccessful log-in attempts, and They should be instructed not to share remote wipe capability. In addition, their log-in credentials with anyone. employees should be routinely Hackers may pose as IT professionals reminded of the need to physically on the phone or send phishing emails safeguard their mobile device, for purporting to originate with the example, by not sharing the device employer’s IT Department, to trick with others and by securing the device (“social engineer”) employees into (for example, in a hotel safe) when the revealing log-in credentials. Employees device is left unattended. In addition, also should be instructed not to write employees should be instructed to down their log-in credentials and immediately report the loss or theft to immediately change their log- of the device to a person or group in credentials when they suspect the designated to respond to such reports. credentials have been compromised. 5. Remote work security: Corporate spies Finally, each employee should be can tap into unsecured WiFi connections required to acknowledge that only he to steal sensitive data. To reduce this or she is the authorized person to access risk, employees should be required to and view the organization’s information use a secure/encrypted connection, through his or her log-in credentials and such as a virtual private network is personally responsible for all activity (VPN), to access the corporate network using those log-in credentials. when working remotely. In addition, 3. Screen security: Employees can reveal employees should generally be required sensitive data to “shoulder surfers” to use that secure remote connection to in airplanes, at coffee shops, and conduct business involving sensitive even at work by failing to adequately data rather than storing the sensitive protect their computer monitor or data on a portable storage medium, screen. Employees should be reminded such as a thumb drive or a laptop’s to position their monitor or screen hard drive. Where local storage is a to reduce the risk of viewing by business imperative (e.g., when work unauthorized individuals. In locations, must get done during a long fl ight), such as airplanes, where that may employees should be required to use an not be possible, employees should encrypted portable storage medium to use a privacy screen to prevent store sensitive data. unauthorized viewing. Regardless of 6. No storage in personal online location, employees should activate a accounts: Once an organization’s password-protected screen saver when sensitive data move to an employee’s they leave their screen unattended. personal email or cloud storage 4. Mobile device security: One of the account, the organization effectively most common causes of security loses control of the information. breaches is the exposure of sensitive Absent the employee’s prior written data through the loss or theft of authorization, the email or cloud employees’ mobile devices. To reduce service provider generally cannot this risk, organizations should push lawfully disclose the organization’s security controls to all mobile devices— data to the organization. At the same whether employer-issued or personally time, employees often will hesitate owned—that are used for work. These to sign such an authorization out of controls should include encryption, concern that the employer will gain

165 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

access to private information stored secure remote connection. When there in the account, and employees almost is a business need, employees should be always will fl atly refuse to sign if required to keep the paper documents they are disgruntled or after they have with them at all times or to secure the left the organization. Consequently, documents when unattended, just as employers should unambiguously employees should do with a mobile communicate to their workforce that device. storage of the organization’s sensitive 4. Require secure disposal of paper data in a personal online account is documents: Pharmacies and other prohibited. health care providers around the B. Safeguarding sensitive data in paper and country have been the subject of oral form scathing publicity and government 1. Clean desk policy/secure storage: investigations after journalists- Whether employees are working at the cum-dumpster-divers discovered employer’s offi ce or their home offi ce, unshredded patient records discarded paper documents containing sensitive in bulk behind the facility. Whether data can easily be viewed or stolen working from the offi ce or from by those not authorized to access the home, employees should be required information, such as maintenance to shred paper documents containing personnel at the offi ce or those making sensitive data or to discard them in repairs at the home. Employees secure disposal bins. should be reminded to secure paper 5. Private conversations are meant for documents containing sensitive data private places: In today’s world of in locked offi ces, desk drawers, fi ling mobile telephony, employees often cabinets, or storage areas and to can end up discussing sensitive remove papers containing sensitive information while walking down the data from their physical desktop when street, riding in public transportation, it is unattended. or sitting in a crowded restaurant. Even 2. Beware of printers, scanners, and when working at the corporate offi ce fax machines: Office equipment or the home offi ce, employees must located in unrestricted areas poses a be aware that they are not discussing risk to sensitive data in paper form. sensitive data over the phone where Employees should be instructed to unauthorized individuals can promptly remove print jobs, scans, overhear them. and faxes from these machines so that sensitive data cannot be viewed by ■ Employee monitoring unauthorized individuals. Monitoring technology has become increas- 3. Avoid off-site use of paper documents: ingly sophisticated and can now help employ- Massachusetts General Hospital agreed ers root out the insider threat. For example, to pay $1 million to settle alleged recently developed email and Internet moni- HIPAA violations after one of its toring software uses “Big Data” techniques to employees left the medical records of identify patterns of conduct for the workforce 192 HIV patients on the Boston subway. as a whole, for particular groups, or for par- Organizations can avoid incidents like ticular individuals to establish a norm for this by prohibiting employees from expected online conduct. When an employee taking paper documents with sensitive deviates from the norm—for example, by data off-site unless there is a strong downloading an unusually large number of and legitimate business need to do so. fi les to an external storage device or by send- Typically, employees will be able to ing an unusual number of emails to a per- access the same information through a sonal e-mail account—the software alerts the

■ 166 COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS FROM MALICIOUS AND NEGLIGENT EMPLOYEES

employer of the deviation from the norm, so Millennials admitted to compromising their the employer can investigate further. organization’s IT security as compared to Employers concerned about the insider threat 5% of Baby Boomers. Given this “culture of should consider investing in monitoring soft- noncompliance,” employers should consid- ware that can perform this type of “user- er three methods for reminding employees based analytics.” of their responsibilities as stewards of the Employers also should consider installing employer’s sensitive data. data loss prevention (DLP) software on their First, employers should consider requir- networks. This software fl ags communica- ing that all new hires whose responsibilities tions, such as outbound emails containing will involve access to sensitive data execute sensitive data, for further action. For exam- a confi dentiality agreement. In addition to ple, DLP software may identify strings of identifying those categories of information digits resembling Social Security numbers in that employees must keep confi dential, the an outbound email, quarantine the email agreement should summarize some of the before it leaves the organization’s network, key steps employees are required to take to and alert the employer’s IT department of a preserve confi dentiality, require return of the potential data theft. employer’s sensitive data upon termination Although network surveillance software of the employment relationship, and confer can substantially enhance other information on the employer enforcement rights in the security measures, implementation can pose event the employee breaches the agreement. risks for the organization. Although case Employers should note that several federal law applying the Federal Wiretap Act to regulators, including the Securities & real-time email interception is somewhat Exchange Commission (SEC), the National sparse, the cases suggest that employers Labor Relations Board (NLRB), and the who capture email content in real time with- EEOC, have been fi nding unlawful overly out robust, prior notice to employees may broad confi dentiality agreements that effec- be exposed to civil lawsuits and even crimi- tively restrict employees’ rights to engage in nal prosecution. Multinational employers legally protected conduct, such as whistle- face broader, potential exposure for violat- blowing or discussing the terms and condi- ing local data protection laws, particularly tions of employment with co-workers. in the European Union. Consequently, Consequently, any confi dentiality agreement employers should conduct a thorough legal should be scrutinized by legal counsel before review before implementing new monitor- it is distributed to new hires for signature. ing technology. Second, educating employees on information security is critical. Training should ■ Confi dentiality agreements, employee address a range of topics, including (a) the training, and exit interviews employer’s legal obligations to safeguard Although many of the safeguards described sensitive data, (b) the types of information above may appear to be common sense, falling within the scope of this legal duty, they likely will appear to be inconveniences (c) the consequences for the employer’s bot- to many employees, especially to the Gen-Y tom line of failing to fulfi ll those legal obliga- members and Millennials in the workforce tions, (d) the steps employees can take to for whom the broad disclosure of sensitive help the employer fulfi ll its legal obligations, information through social media has and critically (e) the situations that consti- become natural. Cisco’s 2012 Annual tute a security incident and to whom the Security Report bears this out, reporting incident should be reported. Training should that 71% of Gen-Y respondents “do not obey be recurring and supplemented with peri- policies” set by corporate IT. Similarly, odic security awareness reminders. These Absolute Software’s 2015 U.S. Mobile reminders could take the form of email, Device Security Report found that 25% of posts on an internal blog, or text messages

167 ■ CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

and can include critical alerts, such as notifi - the one hand, and the groups responsible for cation of a recent phishing email sent to information security—the IT Department, the members of the employer’s workforce or Chief Information Security Offi cer, and/or warnings against clicking on links or open- the Chief Privacy Offi cer—on the other. The ing attachments that could result in the former group views information security as downloading of malicious code. the sole responsibility of the latter, and the Third, employers should consider modi- latter group views employees (and employee fying their exit interview process to specifi - data) as the sole responsibility of the former. cally address information security. At the However, HR professionals and in- exit interview, the employer can accomplish house employment counsel can play a criti- the following: cal role in enhancing an organization’s information security. They typically are provide the employee with a copy of his responsible for evaluating whether to reject or her executed confi dentiality agreement applicants based on information reported and remind the employee of his or her by the employer’s pre-employment screen- ongoing obligation not to disclose the ing vendor. They routinely train new hires employer’s sensitive data to unauthorized and current employees on a wide range of third parties; topics and could easily partner with infor- obtain the return of all employer-owned mation security professionals to conduct computers, mobile devices, and portable information security training. They often storage media on which sensitive data negotiate contracts with service providers may be stored; who receive substantial quantities of arrange for the remote wiping, or other employees’ sensitive data. They regularly removal, of the employer’s sensitive data receive and investigate complaints of sus- from any of the employee’s personal pected employee misconduct, which may mobile devices allowed to access corporate include reports generated by DLP software information systems; or other online surveillance software or confi rm that the employee has not stored about employees’ otherwise mishandling any of the employer’s sensitive data in sensitive data. They also typically are personal email accounts, personal cloud involved in disciplinary decisions, includ- storage accounts, personal external ing those based on employees’ mishan- storage media, or anywhere else. dling of sensitive data. In sum, by making human resources pro- ■ HR and in-house employment counsel need fessionals and in-house employment counsel a seat at the “information security table” valued members of the organization’s infor- In many, if not most, organizations, there is a mation security team, organizations can sig- chasm between the Human Resources depart- nifi cantly enhance the effectiveness of their ment and in-house employment counsel, on overall information security program.

■ 168 SecurityRoundtable.org Comprehensive approach to cybersecurity

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Developing a cybersecurity strategy: Thrive in an evolving threat environment Booz Allen Hamilton – Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate

The Internet and ‘always on’ connectivity is transforming how we live, work, and do business. Game-changing technology, powered by our increasingly connected society, offers more effi cient workers, new revenue streams, and stronger customer relationships. Technology is not optional; it is a core business enabler. That means it must be protected. Cybersecurity was once widely considered just another item in a long list of back-offi ce functions. Vulnerability patching? Device confi guration? These were IT problems for the IT team to worry about. However, that has changed. A series of high-profi le cybersecurity attacks— from Stuxnet to Target—demonstrate that cybersecurity represents a business risk of the highest order. The C-suite and board are taking notice. However, as cybersecurity makes its way onto the executive agenda, it is simultaneously time to rethink our strategies. The ‘Internet of Things’ is more than a fad. Suddenly, and increasingly, everything is connected. Business leaders get it: to fend off emerging players and ensure market competitiveness, companies are re- architecting their business models around this concept. It will drive success. It also requires new cybersecurity strategies that take a broader view of risk. Developing strategies that recognize risk beyond back-end IT systems is critical, to include products, customer interfaces, and third-party vendors. Above all, the new challenges in cybersecurity demand an organizational-wide approach to protecting, and ultimately enabling, the business. It is time to cast the net wider, and more effectively, than ever before.

171 ■ COMPREHENSIVE APPROACH TO CYBERSECURITY

■ The value of getting cybersecurity right 3. Product/service development: the research, An effective cybersecurity strategy must design, testing, and manufacturing start with placing it in the context of the environments for your products and business—what your company uniquely services provides as products or services really deter- 4. Customer experience: the operational mines how to approach the challenge. For realms where customers use and interact old-school IT security hands, this is a differ- with your products or services ent way of thinking. It means getting out of 5. External infl uencers: all external entities the IT back offi ce and learning the nuances that affect how you guide your business of what makes the business go. Take the to include regulators, law enforcement, view of the CEO and board. It isn’t just that media, competitors, and customers. it is the right thing to do or because compliance matters. There are more meaningful A cybersecurity strategy at this scale requires answers to uncover. enterprise-wide collaboration. It will take The right cybersecurity strategy is guided the whole organization to manage cyber by two related considerations: (1) ‘How does risk, so it is imperative to cast a wide net cybersecurity enable the business?’ and and include representatives from across (2) ‘How does cyber risk affect the business?’ business units in strategy formulation dis- From this perspective, cybersecurity breaks cussions. It requires a multidisciplinary out of its technical box and IT jargon. It team effort to develop a security strategy focuses on competitive advantage, and it that refl ects the scale and complexity of the positions cybersecurity as an enabler and business challenge. guarantor of the core business, whatever business you’re in. If done right, cybersecu- ■ Elements of cyber strategy at scale rity helps drive a consistent, high-quality Building a cybersecurity strategy can seem customer experience. overwhelming, but it doesn’t have to be. Start with a vision, understand the risk, ■ It takes an enterprise identify controls, and build organizational A cybersecurity strategy grounded in your capacity. Every element builds on each other. unique business ecosystem will quickly reveal what must be protected. Enterprise IT 1. Set a vision: It all starts with a creative still matters; it moves, analyzes, and stores vision. It’s critical to paint a high-level so much of your business-critical data. landscape of the future that portrays However, a cybersecurity strategy must now how cybersecurity is intertwined with go further. Your industry should shape the the most critical parts of your business. fi ne-tuning of the scope here, but we can boil Think about the how value is created the components of your ecosystem ‘map’ within your company. Is it a cutting-edge down into several key features: product? Is it by delivering world-class customer service? Craft a short story on 1. Enterprise IT: the back-end technology how cyber protects and enables that. infrastructure that facilitates company- 2. Sharpen your priorities: You have wide communications; processes, stores limited resources, just like every other corporate, and transfers data; and enables company. You can’t protect everything, so workforce mobility you better be certain you’re focusing on 2. Supply chain: the fl ow of materials the most critical business assets. The fi rst and components (hardware and step is to fi gure out what your company software) through inbound channels determines to be its ‘crown jewels.’ Once to the enterprise, where they are you’ve defi ned what truly matters, it’s then operationalized or used in the time you evaluate how exposed—or development of products and services at-risk—these assets are. That will give

■ 172 DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENT

you a basis for right-sizing your security undesirable will most certainly happen. program around these assets. Incident response is more than just having 3. Build the right team: Once you defi ne the right technology capabilities in place, what matters and how much security such as forensics and malware analysis. In makes sense, think about the people. What fact, real success in cyber incident response does your direct and extended workforce usually comes down to the people aspect. have to look like to be uniquely successfully How plugged in are you with your at your company? These days, you can’t company’s legal, privacy, communications, get by with your security program being and customer sales units? They are all fi lled with technologist majority. Time to critical to success; and with this expanded weave in an accompanying set of skill scope of players, you can imagine how a sets that will help you propel you to cyber matter can quickly rise to become a success, to include organizational change top-line business matter. management, crisis management, third- 7. Transform the culture: The best party risk management, and strategic organizations out there today do this communications. well. Because people are the core of your 4. Enhance your controls: This is largely business, it comes down to them ‘buying about scope. With your company’s in’ to cybersecurity as something that they quickly expanding ‘map,’ you’ll need to care about. From your dedicated cyber adopt new methods for treating risk. workforce, to business unit leaders, to For example, if you deliver a ‘connected’ those that manage your company’s supply product to consumers, you’ll have to chain, you’ll need all hands on deck, each ensure strong embedded device security, doing their part in advocating for and as well as protections over the airwaves. implementing cybersecurity measures. A Without this, your brand could be at security organization can make this easier stake. Fortunately there’s a great deal by fi nding ways to make cyber relevant of momentum in the world today, with for each part of the business by sharing new methodologies, technologies, and innovations that excite and enable the skill sets continuously being developed to business. meet the challenge of today’s expanding cyberattack surface. 5. Monitor the threat: Unfortunately, ■ Bringing the strategy to life cybersecurity isn’t only about reducing Perhaps the best measure of an effective risk behind your fi rewalls. It must also cybersecurity strategy is its ability to be include maintaining awareness of the implemented and make a visible change in threat landscape—external and internal. how the business is operated. With a strate- Because the threat is always changing gy in hand, the next move is to build momen- and always determined, you have to take tum with ‘quick wins’ while investing in on that same adaptive mindset. Whether long-term capability development. that’s employing strong monitoring and The fi rst step is to use your strategy’s risk detection capabilities, consuming threat framework to assess where you must apply intelligence feeds, or participating in new or enhanced controls. Look broadly. The an industry-level information sharing biggest cybersecurity challenges may not be forum, there many avenues that you where your organization usually expects to should strongly consider using. see them. There are multiple ways to assess 6. Plan for contingencies: No one can ever how well the organization is performing, be 100% secure, so it’s vital to have a including workshops, external assessments, strong incident response capability in tabletop exercises, or war games. place to manage the ensuing events when To appropriately assess the organization, something happens, because something you need to know what ‘good’ looks like.

173 ■ COMPREHENSIVE APPROACH TO CYBERSECURITY

This is different for each organization and core message, and it will feel alive. That tone industry, but relying on industry bench- will be set from the top, with senior executives marks and existing standards/frameworks explaining how cyber will drive the future suc- (e.g., NIST Cyber Framework) is a good cess of the business. place to get a quick read on your maturity. However, don’t adopt these standards It’s at the beginning of every new story. blindly; fi gure out what’s applicable to Whether you’re designing a new product or your needs and what’s relevant for your launching into a fresh multinational joint organization. venture, cyber is a conversation that will Once you’ve assessed your priorities and always take place. Requirements are built in set a maturity target, the next move is to from the beginning and brought to life as the build a roadmap that pairs ‘quick wins’ with venture evolves. Remember, it’s always easier more strategic and enduring capabilities. and cheaper to implement cyber earlier rather Right away, you’ll want to ensure that you than later in the lifecycle. are doing the basic blocking and tackling of cybersecurity. Many call this instilling prop- Cyber is communicated in simple busi- er ‘cyber hygiene,’ or putting a foundational ness language. Don’t be paralyzed by those layer of protections and capabilities in place. who only want to ‘speak geek.’ Simple, easy- Once you’ve gained a solid foothold, time to to-understand logic should prevail when com- take the next step, such as establishing pre- municating how cybersecurity is enabling dictive intelligence mechanisms that help your business. you anticipate the next threat, instead of reacting to it when it hits. You’ve established a predictive edge. If Perhaps the best way—and the biggest you’ve evolved your strategy in a disciplined challenge—to bringing your strategy to life manner, some really amazing things start to is to remember it isn’t policy or technology come to life. One powerful aspect is that that matters most, but people. Once you’ve you’re using multiple sources of intelligence embraced this idea and put the person at the to understand the world around you, and you center of all of your decisions, you can really are able to anticipate the adversary’s next start to envision what it’ll take for cybersecu- move. Sometimes this can feel like playing a rity ‘change’ to happen in your organization. fun video game, but it could really mean sav- ing the lifeblood of your business. ■ What getting it right looks like It is easier to write about the concepts of a The puzzle pieces come together. With all good cyber strategy than it is to deliver one that you’ve invested in cybersecurity, the real for your organization. However, getting payoff comes when you see the component ele- cybersecurity right for the organization has ments work in harmony as a system. A unifi ed benefi ts far beyond IT. A strong cyber strategy construct that links constituent technologies, drives security capability development and processes, and people together will prove ultimately has the power to transform the highly effective in monitoring and responding business into a more successful one. An effec- to events and engaging the broader business tive cyber strategy looks different depending ecosystem to get things done. on the industry and individual business, but they all share some key features. You play a role in the community. Cybersecurity is not something you should It’s driven from the top. First, a strong cyber attempt alone as an organization. The com- strategy won’t be locked away in a fi le cabinet, plexity of vulnerability and the highly buried in a hard drive, or lost in the cloud. resourced threats today are simply over- Instead, it will be part of your organization’s whelming for any one entity. Cybersecurity

■ 174 DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENT

requires the power of community, new ideas, the ‘map’ of your business, and you now and security capabilities coming to life. When understand all the points where cybersecuri- successful, your organization is an active part ty must play a part. Success at this point of key dialogues with industry and govern- means that you’ve carefully and deliberately ment. Threat intelligence and best practices initiated dialogue and worked with different are shared two ways, but more importantly, elements of the business to embed security in you integrate into the fabric of a very impor- places beyond Enterprise IT and extended it tant and very valuable community. into broader touchpoints across the external world. ‘Change agents’ are swarming. You’ll need these thought leaders to move across all ele- Your enterprise embraces it. From senior ments of the business to shift mindsets and leadership to customer-facing sales teams, anchor new behaviors. These advocates help cybersecurity is integrated as part of your spread the cybersecurity vision broadly and cultural DNA. You hear about it all the time, provide ‘on the ground’ feedback to make your and you see how it’s factored into all major security strategy stronger. business decisions. Your organization has evolved to the point where your organization Security is now embedded across your is now living the principles of good cybersecu- ecosystem. You’ve taken a long, hard look at rity without even thinking about it.

SecurityRoundtable.org 175 ■

Designing a Cyber Fusion Center: A unifi ed approach with diverse capabilities Booz Allen Hamilton – Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; Ernie Anderson, Principal; and Christian Paredes, Associate

Since the early 2000s, organizations have focused cybersecurity efforts around a preventative, “defense-in-depth” approach. The multiple layers of security are intended to thwart attackers; this trend has become known as the “moat-and-castle” defense: higher walls, a deeper moat, and other fortifi cations to deter or prevent the enemy from breaching the castle grounds. Within the past several years, high-profi le breaches across the fi nancial, government, retail, health-care, defense, and technology sectors have spotlighted the need for a better incident response (IR) capability to detect, contain, and remediate threats. These breaches are evidence that prevention alone is no longer a suffi cient approach. However, many organizations lack a mature IR capability and end up spending millions of dollars to outsource IR services. Furthermore, once the incident is remediated, organizations are still left wondering how to effectively secure themselves for the highest return on investment (ROI). Prevention remains a critical component of an effective security program. And organizations are increasingly investing in native detection and response capabilities, or a Security Operations Center (SOC). But the people, processes, and technologies that are the backbone of SOC must be integrated within one Cyber Fusion Center (CFC) that also combines functions such as Cyber Threat Intelligence (CTI), Red Teaming, and Attack Surface Reduction (ASR). The Cyber Fusion Center. The CFC is a comprehensive, integrated approach to security. The CFC mission is to protect the business—its assets, people, clients, and reputation—so that it can thrive and operate without costly disruptions.

177 ■ COMPREHENSIVE APPROACH TO CYBERSECURITY

The CFC approach does not guarantee centralize threat knowledge and analysis, that there will be no security incidents; this is unify the organization’s security strategy, an impossible feat. Rather, it ensures that all and ultimately maximize the value of invest- security efforts are coordinated effi ciently by ments in cybersecurity. leveraging the benefi ts of proximity (either Although the security functions that physical or logical) and easy communication make up the CFC are not new, the CFC between security teams. approach represents a complex interaction The CFC is designed to integrate key between the security teams with multiple security functions into a single unit without “touch points,” parallel workfl ows, and con- stovepipes or prohibitive bureaucracy: stant feedback mechanisms. With the right design and implementation considerations Security Operations Center (SOC): the organizations can: heart of the CFC and the fi rst line of an organization’s defense responsible for increase operational effectiveness by detecting, responding to, containing, and orchestrating the security functions and remediating threats, as well as proactively information fl ow from threat intelligence, identifying malicious activity. The SOC is through security and IT operations also home to Threat Defense Operations improve security readiness by enabling (TDO), the dedicated “hunting” arm stronger detection mechanisms and of security and intelligence operations awareness of threats responsible for actioning intelligence, accelerate security maturation by conducting in-depth malware analysis, reducing the costs associated with and continually building and improving coordinating complex security functions prevention and detection methods. across multiple teams. Cyber Threat Intelligence (CTI): the “forward observers” responsible for The CFC is distinguished not by its individ- identifying threats to the organization ual parts but by the integration and interde- and disseminating timely, relevant, and pendencies across its functions. More than actionable reporting to the SOC, C-Suite, just a security approach, the CFC is a secu- and other stakeholders. rity mind-set that organizations can imple- Red Team: the “attackers” who simulate ment to better secure themselves, protect the tactics, techniques, and procedures their customers, and reduce costly business (TTP) of threats relevant to your disruptions. organization. The Red Team will continually “stress test” your SOC, driving ■ Building a robust SOC to detect and respond improvements in detection, response, and to threats SOC analyst threat understanding. Organizations are quickly recognizing the Attack Surface Reduction (ASR): the need to detect and respond to a variety of proactive defense group responsible threats; simply blocking threats isn’t for identifying and mitigating enough. The Security Operations Center vulnerabilities, unnecessary assets, and (SOC) is the organization’s fi rst line of nonessential services. More than just defense against all forms of threats and is patch management, optimized ASR the heart of the CFC. The SOC will handle teams focus on continually improving an any suspected malicious activity and work organization’s hardening and deployment closely with the other teams in the CFC. A procedures to eliminate vulnerabilities well-designed and maintained SOC will before systems go live. focus on gaining effi ciencies though continuous analyst training and mentoring, and By integrating these functions, the CFC aims constant evaluation of the organization’s to break down communication barriers, security technologies.

■ 178 DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES

A tiered SOC structure. The SOC can be malware analysis that yields valuable techni- designed around a simple detect, identify, cal intelligence (TECHINT) that can be used in and mitigate model. Analysts at various tiers detection logic and further enriched by CTI. investigate malicious activity (aka alerts or Managing all the security alerts (aka “alert events) with these three stages in mind: Tier fatigue”). This process—building detection 1 analysts are charged with classifying the solutions and then identifying and mitigat- severity of the event and correlating the ing threats—is where many organizations event with any historical activity. If neces- struggle. Oftentimes, implementation of effi - sary, Tier 1 analysts will escalate incidents to cient and effective SOC processes are stifl ed Tier 2 and 3 analysts, who will conduct in- by an overwhelming number of consoles, depth investigations and perform root-cause alerts, threat feeds, and tools that prohibit analysis to determine what happened. seamless workfl ows for analysts. While Threat Defense Operations (TDO). security managers should continually iden- Additionally, specialized analysts within the tify potential feeds and technologies to SOC—Threat Defense Operations (TDO) invest in, their impact on the SOC analyst analysts—are responsible for creating detec- should always be a primary consideration: tion logic in the form of signatures, rules, and custom queries based on CTI-provided How many new alerts will this technology threat intelligence. TDO engineers deploy or new data feed produce? the detection logic to a range of devices, Who will tune the technology to limit the appliances, tools, and sensors that make up number of false positives it produces? an organization’s security stack. The rules, Is the technology fi lling a gap in detection signatures, and queries create a threat-based capabilities or adding on to existing preventative sensor network that generates capabilities? network and host-based alerts that Tier 1–3 How does the introduction of this new analysts in the SOC respond to. technology affect the SOC workfl ow? TDO analysts will then fi ne-tune their detection logic based on SOC feedback, cre- The main point to remember is that more ating an effi cient CFC that won’t waste time technology, tools, and threat feeds do not investigating false alarms. The TDO team is necessarily enable your SOC to operate more also responsible for providing in-depth effi ciently. Designs that emphasize smooth

SOC 24/7 Organizational Framework Capabilities Description “Operationlize” threat intelligence to enable automated detection and Enable Detection manual analysis within and across prevention and detection technology

First-level responder responsible for detecting and assessing cybersecurity Identify Threats threats and incidents across the environment Conducts in-depth analyses of security incidents with speciﬁc ability to Mitigate Threats identify Indicators of Compromise, perform root-cause analysis, and execute containment strategies

Case Management Approach

Manage Standardize Measure • Formal Shift Change Process • Case Mgt. Dashboard • Shift Leader Oversight • Process and Procedures • Monitor, Detect, and • Case Mgt. Tracking Tool Documentation Contain Metrics • 24/7 Structure • Business Process Reengineering • Real-Time Improvements

179 ■ COMPREHENSIVE APPROACH TO CYBERSECURITY

workfl ows and “painless” methods of data Instead of looking to new technology fi rst, collection (e.g., analysts do not need to con- successful organizations will constantly tact other teams to access certain data) are evaluate their security posture and frequent- more likely to succeed than those that prior- ly train their analysts on how to react to new itize technology. Organizations should focus threats. Organizations must carefully con- on technology that enables SOC investiga- sider how new technology and tools will tors to spend less time collecting data and impact the analysts’ workfl ow and their abil- more time investigating the root cause of the ity to detect and respond to threats while activity they’ve been alerted to. focusing on processes and procedures. Implementing 24/7 operations and managing investigations. Design and implementation ■ Using Cyber Threat Intelligence to anticipate should focus on standardizing daily opera- threats tions, case management, and methods of Cyber Threat Intelligence (CTI) has become “measuring success.” Modern-day threats the security buzzword of 2015. Many prod- necessitate that SOCs operate 24/7, 365 days ucts and services claim to provide threat a year, requiring well-thought-out shift intelligence and promise to prevent a major schedules and defi ned roles. Leaders with incident. As this term has saturated the mar- managerial and technical experience can aid ket and security circles, the true meaning in workfl ow management and provide ana- and value of threat intelligence has become lyst training. clouded. As a result, the usefulness of threat Having a well-integrated, easy-to-use intelligence is, in some cases, dismissed. case-management system that doesn’t get However, true threat intelligence is incred- in the way of investigations and seamlessly ibly powerful—it can serve as a force-multi- interacts with other SOC tools is key. This plier for your CFC, helping to improve aware- tool ideally provides metrics on how effec- ness of threats and offering the means by tively your SOC monitors, detects, and which these threats could be prevented or contains cases and will allow an organiza- detected. tion to identify gaps in people, processes, So what is threat intelligence? First, and and technologies. most important, only humans can produce Standardizing your standard operating pro- threat intelligence through focused research, cedures. Successful implementation also a synthesis of multiple sources (aka “all- demands accurate and up-to-date docu- source analysis”), and clear, concise commu- mentation. This includes documentation on nication that explains the relevance of threats network architecture, standardized operat- to your organization. Generally, threat intelli- ing procedures (SOPs), and point-of-contact gence feeds will not provide much intelli- lists. If the SOC is considered the “heart” gence value unless they are thoroughly vetted of the CFC, then SOPs act as its beat, guid- by human analysts fi rst; feeds are more likely ing analysts in situations ranging from col- to generate false alarms than to indicate mali- lecting forensic evidence to stopping data cious activity. Additionally, good threat intel- exfi ltration. ligence will be implemented in a way that These procedures change as new technol- demonstrates the following characteristics: ogy and organizational structures are imple- Cyber Threat Intelligence is timely. Cyber mented. Many organizations fail to update, intelligence addresses an impending threat train, and test their staff and leaders on to the business environment. Receiving that SOPs, hurting their response times and con- intelligence before the threat is realized is tainment metrics. crucial to the organization. Dissemination of The bottom line. The SOC provides core strategic and tactical intelligence, including security functions within the CFC and can indicators of compromise (IOCs), can take achieve effi ciencies through close integration the form of indications and warning (warn- with other teams such as CTI and TDO. ing of an imminent threat), daily or weekly

■ 180 DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES

reports (highlights on relevant threats), and Oftentimes, business decisions have to be executive briefs (assessments on major and made without all the information. An under- specifi c cyber issues for C-suite stakehold- standing of the threat landscape can help to ers). Depending on the audience, other tech- make these business decisions, however. For nical or nontechnical reports can also be example, attacks on organizations in related produced. industries can serve as an indication that Cyber Threat Intelligence is relevant. For your business might soon be targeted (or has many organizations thresholds for relevan- already been targeted). cy are tricky to defi ne, especially when Although the SOC team is your organiza- media reports constantly warn about a tion’s fi rst line of defense, it can operate more range of threats. A cyber breach in a distant effectively and effi ciently with the support of industry—even a major one—may not con- CTI. Your security team will handle a wide cern you as much as a breach within your array of potential threats and must be able to own sector; a vulnerability in a technology quickly triage events, determine the threat platform you don’t use is obviously less level, and mitigate incidents. CTI can help important than a potential zero-day vulner- SOC analysts to prioritize these alerts, can aid ability in your enterprise-enabling plat- in investigations, and can help SOC analysts form. Relevant threat intelligence produces attribute malicious activity to specifi c threats valuable insights on not only issues occur- or threat groups. Over time, by leveraging ring in the global business environment but technical intelligence the SOC will develop a also on specifi c issues within your industry stronger understanding of the threats they and related to your IT environment. Even face, enabling them to act more quickly. The further, it strives to give you unique insight TDO component of SOC will also closely into specifi c adversaries targeting your coordinate with CTI to conduct analysis and organization or peers, by assessing their develop creative detection mechanisms. intentions and capabilities. The bottom line. Real, human-developed Cyber Threat Intelligence is actionable. Cyber Threat Intelligence will enable your Actionable threat intelligence is created organization to pre-empt threats, assess when analysts fi lter through large volumes risk, and take appropriate defensive actions. of data and information (from human sourc- Benefi ts such as avoiding the cost of poste- es, technical feeds, criminal forums, etc.), vent recovery and remediation, and pre- analyze why specifi c pieces of information venting the theft, destruction, and public are relevant to your organization, and com- release of critical data, make Cyber Threat municate how that information can be used Intelligence critical to your organization. by various stakeholders. C-suite executives need strategic “big picture” intelligence to ■ Conducting Red Team exercises to “stress- inform business decisions such as risks asso- test” and strengthen your Cyber Fusion ciated with an increasingly global IT foot- Center print. On the other hand, your SOC, TDO, A fundamental question for every business and ASR teams need tactical and technical is: Will your cybersecurity organization be intelligence to support current investiga- ready when an attack comes? An important tions, create detection logic, and prepare for means of assessing and “stress-testing” your potential attacks. Technical intelligence will CFC is to actively attack it. Through coordi- also be used to determine if certain mali- nated Red Team exercises, your CFC per- cious actions or indicators have already been sonnel can learn to detect and respond to a present on your network. variety of threats. Strategic and tactical threat intelligence. Simulate threat actors’ TTP. Red Team oper- Today’s corporate leaders face a serious ations will ideally be designed to simulate challenge in that it is not always possible to the tactics, techniques, and procedures of accurately predict a cyberattack or its effects. threats that your CTI team has assessed to be

181 ■ COMPREHENSIVE APPROACH TO CYBERSECURITY

a risk to your organization. Your SOC could strained—no SOC likes to lose, and often- also be a valuable source of input as you times the Red Team has the advantage. This determine how to implement your Red Team can make after-action review of an incident operations. What types of threats does your stressful for both teams. However, a healthy, SOC regularly observe? More important, competitive relationship between the SOC what types of threats does your SOC typi- and Red Team can foster improvements in cally not see? Does your SOC fi nd that there the CFC, particularly in detection and are gaps in detection? What does your SOC response capabilities. Although the SOC and think they detect/mitigate well and is worth Red Team functions contrast, their missions testing? Where does your SOC have limited are the same: to protect the organization and detect/mitigate capabilities? improve its security capabilities. It is the Red Team’s responsibility to test Implementation of Red Team operations these questions and the limits of your SOC should therefore emphasize the interde- and broader CFC. For example, if it is known pendency between the SOC and Red Team that the SOC rarely encounters web shells— mission. The Red Team should assist the a type of malware installed on web servers— SOC during remediation efforts to ensure your Red Team may choose to directly attack any uncovered vulnerabilities are no longer a web server. susceptible to exploitation. An important aspect of a Red Team The bottom line. Fundamentally, Red Team operation is that only select leaders are design and implementation takes a human- aware of operations (often referred to as centric approach. The benefi ts of placing your the “white team”), adding to the realism of “attackers” in close (physical or logical) prox- the event. This implementation allows imity to your SOC analysts cannot be under- those who are aware to observe the event stated. SOC analysts learn to develop an as it unfolds, particularly how teams inter- appreciation for the fact that they are fi ghting act with each other, how information is people who make decisions to achieve an passed along, how stakeholders are objective—it’s not just about the malware. engaged, and how the teams handle a variety of attack scenarios. These leaders can ■ Reducing your organization’s attack surface also help to scope Red Team activities to Efforts to protect your organization will be ensure no critical data or operations are signifi cantly diminished if your IT systems actually compromised or exposed. have easily exploitable vulnerabilities, unnec- (Remember to loop in the legal department essary services, and nonessential assets. On prior to the exercise as well.) the other hand, shutting down all protocols, After-action improvements. The end result services, and data resources is not a viable of a Red Team activity should be valuable option. Thus, the goal of Attack Surface insight your security team can use to Reduction (ASR) is to close all but the required improve its capabilities. For example, during doors to your technical infrastructure and a web server attack exercise, the CFC will limit access to those doors through monitor- need to evaluate how it handled the inci- ing, vulnerability assessment/mitigation, dent. At what point did the SOC detect the and access control. attack? Are there changes that could be The ASR team is dedicated to identifying, made in how security tools are confi gured to reducing, and managing critical vulnerabili- improve future detection of this type of ties, services, and assets, while also focusing attack? These sample questions frame the on preventing the introduction of vulnera- improvements that can be implemented bilities via improved hardening procedures. within the cybersecurity organization. Understanding and prioritizing your “attack The nature of the Red Team’s operations surface.” Implementing ASR is all about iden- means that communication between the tifying and understanding your most critical SOC and Red Team can sometimes be business applications and services—the

■ 182 DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES

“crown jewels”—including their functions, Organizations require continuous scans and supporting infrastructure, scope, and inherent costly-to-maintain confi guration manage- vulnerabilities. This process entails a series of ment databases (CMDB) to track and ensure vulnerability scans, security documentation the attack surface hasn’t expanded beyond review, architecture assessments, host discov- the organization’s acceptable risk level. And, ery scans, nonintrusive penetration tests, and new exposures often emerge throughout the targeted interviews with IT personnel. course of normal business as new IT systems Next, the ASR team should prioritize each are introduced or upgraded. asset, considering their critical value to oper- While there are many technologies avail- ations and the ability for the most relevant able to aid organizations in managing vul- threat actors—as assessed by your CTI nerabilities and assets, human analysts can team—to leverage these assets in an intru- leverage contextual understanding of vul- sion. In addition, the impact of these attacks nerabilities and the attack surface in ways must be considered. The assets that are most that scanning software cannot provide. likely to be the victim of a high-impact attack Experienced ASR security professionals— or leveraged in a high-impact attack (such as who possess a deep understanding of network Adobe Flash) should receive the highest pri- engineering, IT concepts, and security—are ority, most robust security controls, and able to synthesize disparate pieces of informa- attention from the CFC. tion that can point to a previously undetected More than just patch management. While or contextually important attack vector. vulnerability and patch management is a core The bottom line. Attack Surface Reduction ASR function, achieving a vulnerability-free enables organizations to proactively reduce organization is not a realistic goal. security vulnerability-related risk prior to Vulnerabilities must be identifi ed and man- implementation and to mitigate existing and aged appropriately—keeping a focus on pre- other inevitable risks. Importantly, the ASR venting and quickly responding to the most function is designed so that humans comple- critical. Continually improving deployment ment the technology to minimize the attack and hardening procedures, especially for surface to an optimized level that balances publicly facing services and services that may security risks and day-to-day realities of permit attackers to access high-trust zones, is enterprise business operations. a critical ASR process for facilitating preventive measure and effective mitigation timing. ■ Cyber Fusion Center attention As such, the ASR function should be The seemingly endless string of breaches ongoing. ASR closely collaborates with other across major U.S. sectors—fi nance, technol- CFC functions, especially CTI and TDO, ogy, manufacturing, and others—leaves which can develop rules to detect exploita- C-suite executives wondering, “Will we be tion of new vulnerabilities. For example, CTI next?” or even, “Have we already been may become aware of new vulnerabilities breached?” New tools, technologies, and that threat actors are leveraging. ASR will data sources may help in preventing an work with CTI to prioritize the most relevant attack, but threat actors are clearly capable of vulnerabilities based on reports of their scaling the castle walls, or forging the castle exploitation “in the wild.” moat. Yet by developing a Cyber Fusion A highly technical function that demands Center, organizations develop the speed, col- strong human analysis. Maintaining complete laboration, coordination, information fl ows, asset awareness is increasingly diffi cult in and C-suite awareness necessary to not only today’s dynamic business environment. survive but thrive.

SecurityRoundtable.org 183 ■

Design best practices

Electronic version of this guide and additional content available at: SecurityRoundtable.org

What are they after? A threat-based approach to cybersecurity risk management Intercontinental Exchange & New York Stock Exchange – Jerry Perullo, CISO

Given fi nite resources and the ongoing threat of the “next big hack,” cybersecurity is not the place to let a thousand fl owers bloom. How does a governance body that is balancing this complex topic with so many other complex risks pick the right questions to ask? The spectrum of popular guidance ranges from an end-to-end program that generates hundreds of inspection points to a kneejerk reaction to the latest headlines. Distilling the truly critical areas of focus requires a balanced approach that is well served by beginning with the end in mind and asking, “What are they really after?” Traditional guidance has centered security program construction and audit on comprehensive standards-based frameworks. Although the popularity of specifi c standards has waxed and waned, general principles have revolved around identifying assets, establishing a risk management program around those assets, and establishing preventative, detective, and corrective controls to protect those assets. There is nothing wrong with this recipe at the tactical level. In fact, boards should expect a continuous program cadence around this type of strategy and expect to see third-party auditors, customers, vendors, and regulators use this approach in examination. Controls should be mapped to an established framework and any gaps or vulnerabilities identifi ed. The challenge, however, is that this produces a massive corpus of focus areas and controls that cannot be digested in a single targeted governance session. And fi nally, it does not produce a ready answer to the top board concern: “How could we be hacked?” Likewise, reacting to headlines and rushing to establish the controls and technology cited in the latest news story will divert all resources to someone else’s vulnerability, whereas yours may be very different. Simply asking, “Could what happened last week happen to us?” may at best result in a false sense of confi dence or a mad dash to

187 ■ DESIGN BEST PRACTICES

address a gap that isn’t relevant to your allow identity theft. Capturing 100 or 1000 is organization. Vendors cannot be faulted for not, however, alluring enough. Do you have preying on this tendency, and the result is a bulk card or PII data? Card processors, retail barrage of solutions to the last headline’s institutions, and health-care providers are problems: “You desperately need encryp- clear targets for this type of penetration. If tion.” “You need behavioral technology to this is your world, the major breaches of the baseline administrator activity and to alert day serve as case studies. Lessons learned in unusual access times or locations.“ “You these areas lead to an emphasis on the follow- need to give up on securing everything and ing questions: only focus on the critical assets.” “You need stronger passwords.” All of these solutions Do we know all the places where these have their place, but if they are not respon- sensitive data live, and have we limited sive to the threats facing your business, they it to the smallest set of systems possible may cause more distraction than protection (ring-fencing)? based on your unique requirements. Is access to the systems housing this data Identifying a relevant and reasonable tightly controlled, audited, and alarmed, agenda for a governance session requires a including via asset-based controls? targeted and balanced approach. Let us Is this data encrypted in a manner that group the major cyber headlines of the last would thwart some of the specifi c tactics decade into several large categories. With a observed in major breaches? fi nite grouping of threats, we can begin to model what each threat would look like to If you do not hold easily monetized data, your organization, which leads to an assess- these questions may not be the right place to ment of likelihood and impact. With this start. Again, this does not mean that data picture of viable threats, the board can hone theft is acceptable in any organization. in on specifi c questions that will produce the Confi dential email, intellectual property, most value. By all means, all of the threats customer login credentials, and trade secrets listed below should receive treatment in are some of the many examples of data we some capacity in any cybersecurity plan, but must protect. Close examination often shows prioritizing which are most relevant to your that ring-fencing, asset-focused controls, organization will expose the most valuable encryption, and other concentrations born of areas to explore with limited time. Further, the rash of recent card and PII breaches may identifying business practices that expose not be appropriate for more common and you to a particular threat category may lead less frequently targeted data, however. If you to reconsider them in light of new costs the data you are protecting are much more that were not included in previous assess- valuable to you than to an assailant, tradi- ments. The calculus around maintaining a tional controls such as company-wide access lower profi le or outsourcing targeted data control, permission reviews, and identity may change when you factor in cybersecu- management are probably the right empha- rity risk. sis and should not be neglected in pursuit of stopping a phantom menace. ■ Threat category 1: Data theft Do you manage assets that can be easily mon- ■ Threat category 2: Activism etized? Credit numbers and social security Is your organization the target of frequent numbers—in bulk—are the drivers behind protest or activism? Perhaps the issue is cli- many newsworthy breaches. Criminals have mate change. Perhaps it is labor relations. established the proper fencing operations and Perhaps you are caught up in the storm of can justify enormous risk and effort to cap- anti-capitalism, anti-pharma, anti-farming, ture millions of card numbers or pieces of or simply high profi le. You may or may not personally identifi able information (PII) that know if there are groups with an ideological

■ 188 WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY RISK MANAGEMENT

motivation to put a black eye on your busi- If this type of threat is not applicable to your ness. Cyber opens up a whole new realm of organization, focusing controls and review ways for people to accomplish this, and on mitigating such attacks may not be the often with anonymity. When attacks fall into best allocation of resources. this category, the most likely impact is an action that can be touted in public. This usu- ■ Threat category 3: Sabotage ally means one of two things: Denial of Are you a provider of critical infrastructure? Service (DoS) or defacement. The former Do you or your key executives issue politi- category will attempt to demonstrate your cally charged statements publicly? Would powerlessness by rendering a component of the interruption of your business further an your business unavailable to your customers extremist objective? Although these threats or the general public. Although attacking require more sophisticated tactics and more customer access or more internalized sys- time to perpetrate, they often bring highly tems may be more damaging in reality, motivated and coordinated threat actors. remember that the goal is to make a splash Adversary objectives in this area usually go on a big stage with minimal effort or expo- well beyond website attacks. Physical con- sure. More often than not, that means attack- trol systems, data integrity, or even the func- ing your public website. The same target tionality of employee workstations may be (plus social media accounts) is most com- the target in this type of attack. Although mon for defacement attacks. The only thing there are many vectors for this type of attack more satisfying to an activist than rendering and several are often used in conjunction, a your service unavailable is replacing it with common theme quickly becomes targeting a pointed message. High-profi le attacks in employees individually. Social engineering this category include the near-incessant and phishing preys on common habits and Distributed Denial of Service (DDoS) attacks assumptions to dupe people into disclosing against major banks, particularly those with a password, clicking a malicious web link, names evoking western countries. Targets of or opening an attachment. These attacks can defacement include Twitter and Facebook be the most diffi cult to defend against, but profi les of targeted companies and govern- their reliance on persistent access and a ment entities. If this type of threat is likely to longer lifecycle to build towards the fi nal be pointed at your organization, good ques- goal makes detective and corrective controls tions to ask include the following: more valuable and decreases reliance on absolute prevention. Additionally, the actors Can we sustain a DDoS attack on the involved and potential impact to national order of magnitude recently observed in interests likely make mitigation assistance the wild? available to you if you focus on detection If we have a DDoS mitigation plan, how and have the right contacts in place. Good long would it take to activate during an questions to ask if you are at risk of this attack? Is an outage for this duration category of attack include the following acceptable, or would it be considered a (and employees includes contractors and failure in the public eye? vendors): Are we continuously scanning our primary website(s) for common vulnerabilities Do individual employees recognize the that may allow unauthorized changes? importance of their role in securing the If our website were defaced, how long organization and what an attack may would it take to restore? look like? Are credentials to offi cial company social Are employees routinely reporting media accounts tightly controlled by a suspicious activity? group outside marketing that is more Are employees educated and incentivized security conscious? to act responsibly with regard to cyber?

189 ■ DESIGN BEST PRACTICES

Are systems detecting suspicious employee advanced threats. At a minimum, automated behavior that may indicate credentials attacks look to procure access to your IT envi- under the control of an outsider? ronment so that your computing resources Has contact been established with incident can be made available for more nefarious response fi rms and law enforcement, and aims. Even if you do not host critical infra- could they quickly be mobilized if a structure or easily monetized data, commod- compromise is detected? ity threats look to compromise your computers so that they can be used as agents of more ■ Threat category 4: Fraud sophisticated attacks. Malware looks to enlist Do you operate a system that makes or pro- your computing, storage, and bandwidth to cesses payments? Although any pay-for- help criminals blast out junk email, store service you offer may be the target of some- pirated media, or contribute to a Denial of one looking for a free ride, nothing attracts Service attack. Attackers in this category do the sophisticated criminal element like cash. not care (or often know) if your computers If you offer the ability to move money, you belong to a fi nancial services fi rm, manufac- should have a focus here. Although fraud is turer, university, home network, or hospital. certainly not a new challenge, Internet con- Protecting your organization from these nectivity has certainly brought it to new common attacks requires being less exposed levels. If this is relevant to your organiza- than the next target. Ask yourself: tion, you have likely been dealing with the ramifi cations long before cyber considera- Have we identifi ed a role in our tions were added. The following questions, organization that is responsible for however, may be helpful to ensure cyberse- cybersecurity? curity efforts are aligned with traditional Are only absolutely required services fraud protections: exposed to the Internet? Are PCs and email servers protected Have we deployed and enforced two- from common viruses and malware in an factor authentication such as text automated fashion? messages, mobile phone apps, or physical Does our corporate email employ controls tokens to require our customers to have to fi lter out the most common virus and more than a username or password to spam campaigns? authenticate? Does our corporate Internet access Are we using adaptive authentication incorporate controls to block access to to identify suspicious locations, access malicious websites? times, or transaction patterns in addition to classic credentials? One special form of opportunistic attack Are we tracking and trending the sources, involves ransom. Some malware encrypts frequency, and value of losses? the content of infected computers so that it Are we working closely with peer becomes unavailable until a payment is institutions and competitors to share made. This type of attack can be crippling. In threat intelligence and identify common addition to the preventative controls out- patterns we should detect and/or block? lined above, you should ask the following:

■ Threat category 5: Commoditized hacking Are our fi le servers backed up and tested Although specialized threats are associated regularly, and could we recover quickly if with specifi c targets, all organizations have all current data were unavailable? exposure to the most common family of com- Have we, via policy and practice, moditized threats. These threats are oppor- established the principle that PCs and tunistic and warrant different controls than laptops are disposable, that data on these

■ 190 WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY RISK MANAGEMENT

devices should not be relied upon, and around mission critical infrastructure and that network storage should be used to data. Attention to governance has ramped up house any critical data? dramatically in a short period, and it can be diffi cult to sift through the advice of experts. ■ Conclusion Investing time in analyzing threats and iden- Although cybersecurity is a relatively new tifying what assets adversaries are truly after fi eld, it has already grown into an expansive is a critical fi rst step in establishing an effec- area requiring monitoring and controls tive governance policy around cybersecurity.

SecurityRoundtable.org 191 ■

Breaking the status quo: Designing for breach prevention Palo Alto Networks Inc.

■ Today’s reality and commoditization of threats The statistics regarding the success of advanced cyberthreats paint a very grim picture. The increasing speed at which new security threats appear, and the growing sophistication of criminal hackers’ techniques, make fi ghting cybercrime a constant challenge. A recent study by Cyber Edge found that 71 percent of the security professionals polled said their networks had experienced a breach, up signifi cantly from the previous year (62 percent). And half of those respondents felt that a successful cyberattack against their network was likely in the next 12 months, compared to just 39 percent in 2013. Unfortunately, there isn’t a week that goes by these days when we aren’t learning about some new data breach. To say that keeping up with attackers’ evolving techniques and advanced threats is diffi cult is an under- statement. These attacks come from multiple angles, through the edge of the network and directly at the users of our digital infrastructure. Not only are they more targeted in nature, the mechanisms that attackers use increasingly utilize a growing pool of software vulnerabilities. Some vulnerabilities are known only to the attacker, referred to as zero-days. Others are known to the general public but have yet to be fi xed by the software vendor. A fact attackers are very much aware of. Additionally, new attack methods and malware are shared readily on the black market, each more sophisticated than the last. The cat-and-mouse game between attackers and defending organizations is no longer a competition. Attackers have not only pulled ahead, they’ve gained so much distance that most security teams have given up on the notion that they can prevent an attack and are instead pouring investment into trying to quickly detect attacks, and defi ning incident response plans rather than trying to stop them. Why? Because legacy security offerings consist

193 ■ DESIGN BEST PRACTICES

of a set of highly disjointed technologies that blocking the different techniques attackers only allow detection of attacks once they are might use to evade detection and establish already on the network or endpoint. command-and-control channels Organizations cannot hire their way out preventing installation of malware— of this problem by throwing more people at including unknown and polymorphic navigating a legacy architecture or making malware up for the inherent gaps between the siloed blocking the different techniques that technologies. Instead, organizations should attackers must follow in order to exploit be considering next-generation technology a software vulnerability that natively integrates security to deliver closely monitoring and controlling data automated results, preventing attackers traffi c within the organization to protect from achieving their ultimate objectives. against the unabated lateral movement Given the sheer volume and complexity of when legitimate identities are hijacked. threats, it’s important to use automation to accelerate detection and prevention with- ■ Cyberattack lifecycle out the reliance on a security middleman. Despite the headlines, successful cyberat- Despite the growing cybersecurity chal- tacks are not inevitable, nor do they happen lenge we are all facing, we cannot give up on by magic. Often it is a ‘window’ that is left our digital infrastructure. Customers are open or a ‘bag’ that is not screened that lets becoming more and more reliant on the an attacker slip into a network undetected. Internet and our networks to do business After they are inside a network, attackers and access commercial services. They use will sit and wait, patiently planning their these systems because of the trust they place next move, until they are sure they can in them. This trust underpins everything reach their objective. Much like a game of they do online and extends to an organiza- chess, it is only at the end of a long and tion’s brand and place in the market. Legacy logical series of steps that they will try to security approaches that focus only on detec- act. Knowing the playbook of a cyberattack tion and remediation, or rely on a series can help us disrupt and prevent not just of disjointed tools, abandon this trust and well-understood attacks but also highly can introduce signifi cant risk by failing to sophisticated new attacks used by advanced consider how to prevent cyberattacks in the actors. fi rst place. Despite different tools, tactics, and proce- A new approach is needed in order to dures used by an attacker, there are certain prevent modern cyberattacks. This new high-level steps in the attack lifecycle approach must account for the realities that that most cyberattacks have in common. today’s attacks are not only multidimensional Traditional approaches to security focus on in nature but also use an increasingly sophis- installing a feature to disrupt only one point ticated set of techniques that are constantly in along this lifecycle. This approach often a state of change. As these techniques evolve, comes from the fact that different parts of an the risk of breach increases, and, as we all IT security team have different objectives: know, an organization is only as strong as its network administrators care about connec- weakest entry point. Therefore, an effective tivity and the fi rewall, info security analysts strategy must work to disrupt an attack at care about analytics, and so forth. They multiple points, including: seldom have to really work together in a coordinated manner because this approach developing a Zero Trust security posture was previously useful at stopping low-level that focuses on only allowing legitimate threats that involved opportunistic target- users and applications, as opposed to ing, such as the infamous email scam from a trying to block everyone and everything foreign prince needing to transfer $1 million that is bad to the U.S.

■ 194 BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION

However, today’s attacks have become intellectual property and fi nancial informa- more and more sophisticated as advanced tion, disrupt digital systems, or cause embar- tools have proliferated and as effective attack rassment. It is against these patient and strategies have been developed and shared persistent advanced adversaries that tradi- among criminal and nation-state adversaries. tional single-point approaches fail. However, These attacks are often called advanced per- by targeting every step of an attacker’s play- sistent threats (APTs), so named because they book, it is possible to architect a solution that use advanced tools and persistently target an offers much greater odds at stopping the organization again and again until they get attacks before they can reach their objective. in. They are patient and stealthy, preferring At the very least, putting preventative meas- to forego a quick boom and bust for a longer ures in place that take the complete lifecycle payoff of high-value information. into consideration will raise the cost for the While APTs used to be the domain of attacker, potentially forcing him to look else- nation-state espionage, today organizations where for an easier victim. Let’s take a look large and small face these high-level threats at the steps an attacker goes through to get from actors seeking to steal sensitive into and out of a network.

Advice along the cyberattack lifecycle Reconnaissance. Just like burglars and thieves, advanced attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee’s public online profi le or from corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit. Even job websites can be a gold mine of information. If you are looking to hire a new engineer who is familiar with a certain security product, an attacker can deduce what you are using to protect your network and will know where common gaps are in your security. You can’t stop all reconnaissance activity, but you certainly shouldn’t make it any easier for the attacker! People and processes are just as important to security as technology. Good training and strong security practices will help limit reconnaissance and harden your security profi le. You should be aware of what your adversary can learn from your corporate website and ensure that members of your organization with high-level access receive training to be security conscious. Finally, there are many services that offer advanced ‘red-team’ exercises to help you identify weaknesses in your security posture. These simple steps can also put in place policy ‘trip wires’ that can alert you to unusual activity that may indicate an advanced actor is interested in you. Weaponization and delivery. As we move to the next stage of the cyberattack lifecycle, technology becomes even more critical to preventing advanced threats. The hacker must choose his method for gaining access onto your network. This access can be digital, or even physical, but is primarily intended to gain a foothold from which to plan the assault and achieve the attacker’s objectives. Spear phishing With the information gained from their reconnaissance, the attackers have to determine which methods they must use to penetrate your network. They often choose to embed intruder code within seemingly innocuous fi les like a PDF document or email message. They may also seek to use highly targeted attacks to catch specifi c interests of an individual.

Continued

195 ■ DESIGN BEST PRACTICES

Advice along the cyberattack lifecycle—cont'd Spear phishing is by far the most commonly used tactic because it’s simple and effective. An attacker will use information gathered during the reconnaissance phase to craft an email with a malicious attachment for a specifi c user he believes has access to sensitive credentials or information. Many organizations have begun training their employees to spot these attacks by sending test emails that can track who opens them. Over time they can see which departments continually fall for these attacks and target training there. However, we are all conditioned to read emails and open attachments if they seem relevant to our positions. Even with the best training, a well-crafted spear phishing email that appears to come from a family member, friend, or boss can trick the most seasoned security veteran. It’s vital to ensure that you have technical security measures as well to mitigate any malicious malware that might ride email into your networks. Watering hole Another approach to gaining access is known as watering hole attacks. In this method the attacker will set up a fake website that downloads malicious code to any visitor, then direct their victims to it. When a user visits the website, a software exploitation kit installs malware on the victim’s computer, which then reports back to the attacker so he knows who he’s infected and can access their system to steal data. Watering hole attacks are harder to pull off because they require compromising a separate web server, but they can be very effective if a company is watching for malicious fi les in email. Traditional security products do not always prevent their users from visiting malicious websites. However, advanced approaches will fi lter known malicious addresses to keep users from becoming a victims of a ‘drive-by download.’ Exploitation. Once attackers gain access ‘inside’ an organization, they can activate attack code on the victim’s computer (also known as a ‘host’) and ultimately take full control. To gain full control over a victim, specialized programs exploit vulnerabilities in existing software to install themselves as legitimate users. Vulnerabilities are usually old bugs that were not caught during the original writing of the code. Sometimes they are known bugs that have not been repaired, or ‘patched’; sometimes they are as of yet unknown to anyone except the attacker. These unknown vulnerabilities are called zero-days because they are not found by the victim until the fi rst day he realizes he has been penetrated by an attacker. As noted earlier, zero-days are the most nefarious of threats. Luckily, true zero- days are also the most rare. When they are used, however, it generally means that no one else is protected from them. Because no one is patched for it, if an attacker moves quickly, he can take advantage of the same vulnerability on many, many systems. If you can’t catch an unknown threat, you can at least prevent an attacker from using that vulnerability to cause damage. Because attackers have similar goals, such as stealing or damaging important fi les, there are only so many techniques they can use after they have penetrated a system to achieve their end goals. Advanced security software will hunt for malware that uses zero-days by searching for and stopping common techniques attackers use after they have gained access to your network.

■ 196 BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION

Advice along the cyberattack lifecycle—cont'd Common vulnerabilities are being found and fi xed every day. Your organization should also have a process in place to regularly update and patch all your software and hardware. However, sometimes these new versions and updates can cause existing systems to malfunction. This will often leave IT teams hesitant to update systems until a new patch can be tested and can cause delays that leave you with vulnerabilities known to the entire world. While you should always lean toward patching and updating as soon as possible, the balance of security and operability must be viewed through your own business risk management practices. Installation. As a fi rst order of business, advanced attackers will seek to establish themselves as securely and quietly as possible across your network. They do this by taking advantage of the trust of the digital systems they are working in. Often an attacker will make himself an administrator on a computer and then try to infect other users in order to steal their digital identities. He will play this game of laterally escalating access privileges to gain a higher and higher level of control of your systems. Along the way the attacker will also open backdoors that allow him to connect back into your network even if he is eventually caught and shut out. This is why it can be especially diffi cult to fully remove an advanced actor from a network. It seems strange, but many of the tools attackers use can be found freely online or for sale on the Internet. Tools are viewed just like a hammer and nails, where on the one hand security professionals use them to test systems and build stronger security, but on the other hand they can be used as weapons. These ‘off-the-shelf’ security tools, while highly capable, can often be found by traditional security methods such as antivirus software. However, more advanced actors will build their own custom tools, such as remote access tools (RATs), that are undetectable by antivirus software. In fact, some tools commonly shut off antivirus software as one of the fi rst steps of installation. These tools require a larger investment from the attacker and will primarily be designed to gain a foothold as a seemingly legitimate user on the network. From there the attacker can act like a normal employee and use authorized applications such as fi le-sharing software or internal email to cause mischief. Command and control. Gaining a foothold in a network is of no use to attackers if they can’t control their attack. An advanced actor knows that he is likely to be discovered at some point and must be ready to improvise by hiding and running from security teams or software. To do this, an attacker establishes a command-and-control channel back through the Internet to a specifi c server so he can communicate and pass data back and forth between infected devices and his server. The most commonly used channel for attackers to communicate to their tools is through regular Internet traffi c (using hypertext transfer protocol, or HTTP). Usually their communications will pass through defenses of traditional security tools as they blend in with the large volume of traffi c from legitimate users. The attacker’s tools will periodically phone home, typically referred to as beaconing, to obtain the next set of commands. Beacons can also contain reconnaissance information from the compromised target, such as the operating system confi guration, software versions, and the identity of users who are logged on to the network. In very complicated networks, this information can allow an attacker to quietly burrow deeper and deeper. Clever malware also moves beyond simple requests for command and control and tries to emulate human behavior by using email or social networking applications to receive its attacker commands.

Continued

197 ■ DESIGN BEST PRACTICES

Advice along the cyberattack lifecycle—cont'd If you treat your network with zero trust, as though it might already be breached, you can start to lock down unnecessary pathways for attackers to communicate and move around. Segmenting networks and building internal controls on applications can act like a fi rebreak, keeping an attacker from spreading to other parts of your network. Actions on the objective. Attackers may have many different motivations for breaching your network, and it’s not always for profi t. Their reasons could be data exfi ltration, defacement of web property, or even destruction of critical infrastructure. The most common goals of attackers often involve fi nding and exfi ltrating your data without getting caught. During this late stage, the work is usually done by an active person issuing commands to his tools on your network. He has a goal and a script that is followed in a complex process that may last days, weeks, or months, but ends with all your sensitive data slipping through a backdoor in your network. This is one of the most diffi cult steps to stop, as an active person can improvise and adapt to your security response efforts. While it may seem counterintuitive, it’s important to respond with patience when trying to stop an active intruder. A common tactic of advanced attackers when they are caught is to ‘smash and grab’; this means they will forget about remaining quiet and do whatever they can to achieve their objectives, potentially damaging your systems in the process. They can also choose to slip deeper into your systems, burrowing in and waiting to reuse one of their backdoors to gain entry after you believe you have patched all your vulnerabilities. For these reasons, it is critical to have a response plan in place ahead of time so that the adversary doesn’t detect signs of panic and get tipped off. If you can discover the attacker before he realizes he is caught, you can work to clean up his tools, while closing doors and windows he may have used to get in. A strong response plan will also help you prepare in advance for any mitigation efforts needed, including the vital step of external relations if it becomes public that you have had an incident. Depending on the data that was accessed or stolen, you may have regulatory or legal reporting requirements that you will need to be prepared to deal with. Even if the attacker is not successful at actually taking data, these requirements may still be in place as in many cases you may not be able to determine if data was stolen, exposed, or remained untouched.

Trying to stop an advanced adversary at been assembled like a manufacturing pro- only one point in this lifecycle is an exercise duction line, where a series of security events in futility. Just like a network has vulnerabil- roll down a conveyor belt of individual ities and weaknesses, so too does the attacker. point products, while different staff mem- He will reuse tactics, techniques, and proce- bers perform their individual duties. This dures on multiple victims, establishing pat- has been the traditional approach to security, terns that can be recognized, studied, and and historically we’ve been able to use it to exploited. But to gain this leverage, a new fend off low-level threats. However, these approach to security is needed. architectures are beginning to show their weaknesses as attackers have learned to slip ■ Why legacy approaches fail between silos. Today we see how costly leg- Most security architectures today resemble a acy systems can be both in their inability to set of siloed organizations, processes, and prevent targeted attacks and in their unnec- technical infrastructure. They have largely essary expense to the organization.

■ 198 BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION

One of the primary strategic failures of This essentially allows adversaries to distrib- traditional security architectures is their ute malware and steal intellectual property reactive approach. Following the assembly- through basic applications into which they line model, security teams work to read data have little or no visibility. We must break logs about events that happened to their away from the traditional approach to secu- network in the past. Since most of these rity that has proven ineffective at stopping teams operate in a siloed manner, these log advanced attacks time and time again. fi les are routinely examined in isolation from Over the last several years in particular, other critical teams and thus lack important there has been a dramatic evolution in both context that can be used to quickly detect the attackers and the techniques they use. By and prevent an attack. Relying on a human many estimates cybercrime is now a nearly in the middle of a network’s defenses is too half-trillion-dollar industry, and like any slow to be effective against advanced, auto- industry, opportunity fuels more investment mated hacking tools and creative attackers. and innovation. The best way to get an A secondary strategic failure is a lack of industry to collapse in on itself is to take attention toward ‘proactive prevention.’ away that potential for profi t. Therefore, we Organizations often don’t do enough to must make it so unbelievably hard for cyber reduce their attack surface, allowing certain criminals to achieve their objectives that classes of applications that are unnecessary their only option is to invest more and more for their business and leaving doors open on resources to stage a successful attack, to the their network by using port-based policies. point that it becomes unprofi table.

Tenets of a traditional security architecture Limited visibility. You can’t secure what you can’t see. Traditional sensors only seek out what they know to be bad, rather than inspect all traffi c to only allow what is good. Your security architecture must eliminate blind spots by having the ability to see all applications, users, and content across all ports and protocols (the doors and windows of your network) even if they are encrypted. It must also have the ability to see and prevent new, targeted attacks that are utilizing threats that have never been seen before, such as malware and zero-day vulnerability exploits. Lacking correlation. If attacks are multidimensional, your defense must be as well. Today’s attackers shift techniques while they are working their way into a network in order to step over traps laid by them for traditional defenses. In order to fi nd the clues they leave behind, your architecture must act like a system of systems where individual technologies work in concert to identify and then automatically prevent attacks. Correlating sensors and protection makes each element within the system smarter. For example, if a thief has hit multiple houses using the same techniques, you will need to adjust your burglar alarm for those techniques. In cyberspace, however, this process can be automated to increase the speed of detection and prevention. Manual response. With attacks evolving at a rapid pace, it’s critical that we wean ourselves from relying on the ‘man in the middle.’ Systems focused on detection often throw up mountains of alerts and warnings for low-threat items, overwhelming your IT security team. An advanced security architecture must employ a system of automation that’s constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion automatically, handling 99 percent of low-level threats so you can focus your team’s attention on the 1 percent of the highest priority incidents.

199 ■ DESIGN BEST PRACTICES

Stopping today’s advanced threats lies in enabler. By preventing damage to networks turning the economics of our reality on its and theft of sensitive information, vital IT head by preventing threats in multiple places resources, people, and time are freed up to at each step of the cyberattack lifecycle. This tackle core business functions. In order to requires creating an architecture that can shift from a ‘detect and remediate’ stature detect attacks at every point around and to preventing attacks, business leaders need within a network, closing any gaps and pre- to consider three cybersecurity imperatives: venting them from successfully launching in the fi rst place. 1. Process: organize to reduce your attack surface. ■ Prevention architecture Modern networks can be a rat’s nest No organization today is immune to cyber- of systems and users cobbled together attacks. Cyber criminals are ramping up from mergers, legacy architectures, activity across the globe and utilizing new and prior acquisitions. This confusion methods to evade traditional security meas- leaves many points of entry for ures. An effective security architecture must attackers to slip in unnoticed and not only prevent threats from entering and reside on your network for months damaging the network but also take full or even years. A critical step to advantage of knowledge about threats in preventing advanced cyberattacks is other security communities. Traditional to know your network better than the solutions typically focus on a single threat attacker does. To do this you must vector across a specifi c section of the organi- work at simplifying your architecture zation. This lack of visibility is leaving down to manageable pieces that can multiple areas vulnerable to attack. In addi- be controlled, watched, and defended. tion, these legacy solutions are made up of a A key step in reducing your attack ‘patchwork’ of point products that make it surface is to only allow network very diffi cult to coordinate and share intel- traffi c and communications that are ligence among the various devices. required to operate your business by As a result, security teams are forced to utilizing technology that understands invest more and more time and money in the applications, users, and content detection and remediation efforts, under the transiting your network. This seems to assumption that prevention is a lost battle. be common sense that any unknown These efforts require a time-consuming traffi c could also be hiding malicious process of piecing together evidence from activity, but often when organizations different devices, combing through them to take a deep look at their traffi c, they discover unknown threats, and then manu- fi nd high-risk applications that they ally creating and deploying protections. By had no idea were running on their the time this happens—often days or weeks network. Legacy approaches often only later—it’s too late because minutes or hours search to block what is bad, rather are all an attacker needs to accomplish his or than allowing only what is good. This her end goal. This Band-Aid approach approach is also known as ‘white doesn’t fi x the fundamental problem of listing’ and will immediately reduce accounting for the new threat landscape. the scope of your security challenge by While nothing will stop every attack, eliminating opportunities for malware designing a security architecture with a pre- to get into your network. vention mindset (and following some of the Another step to reducing your attack risk management best practices outlined in surface is to segment important our chapter, “The CEO’s guide to driving components of your networks, such better security by asking the right ques- as data centers. As described earlier, tions”) can make cybersecurity a business advanced actors often seek to break

■ 200 BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION

into a less secure part of the network risk. However, by using an integrated and then move laterally into more cybersecurity platform that protects sensitive areas. By segmenting the across your entire enterprise, your most vital parts of a network from defenses can work together to identify email or customer-facing systems, you and close gaps that would be exploited will be building in fi rebreaks that can by an attacker. Communication is key prevent the spread of a breach. to any strong defense. If your products You also can’t neglect to secure the can’t share information on what they endpoint or individual user. This is are seeing, there is no chance to pick the fi nal battlefi eld. Originally, anti- up clues that might aid in preventing virus software contained signatures for an advanced attack. malicious software and could, thus, catch The next step is automating prevention most major infections from common measures. Humans have proven time threats because it knew what to look for. and again that we are the weakest link However, as we learned earlier, today’s in security. Advanced actors are faster, attacks can include unknown malware more persistent, and stealthier than or exploits that are essentially invisible manual response efforts. It just takes to antivirus software. This has led to a one overlooked log fi le or one missed massive decline in the effectiveness of security alert to bring down an entire traditional antivirus products and a rise organization. However, if you have an in a new way of thinking about endpoint integrated platform that communicates protection. Rather than looking for visibility across your defenses, it can something that can’t be seen, you can also automatically act on new threats, reduce the endpoint attack surface by preventing what is malicious and preventing the type of actions taken by Indeterminate what is unknown. exploits and malware. Stopping the type Integration should also enable your of malicious activity associated with organization’s agility and innovation. an attack is much more effective than Business doesn’t stop at the elevator, hunting for an attack that, by nature, is as employees take laptops to work stealthy and hidden. from home or use their personal mobile Finally, it seems simplistic, but as you devices to access your corporate cloud make investments to re-architect your on the road. As your data moves to network and reduce your attack surface, enable your workforce, security should you have to use all those investments to go with it. Choose a platform compatible their fullest. Purchasing next-generation with newer technologies such as mobile, technology is useless if you don’t cloud, and network virtualization. turn it on and confi gure it properly. 3. People: participate in a community that Establishing a process for staying up to shares cyberthreat information. date on your security investments is one End users cannot be relied upon to of the most critical habits to form. identify every malicious URL or phishing 2. Technology: integrate and automate attack. Organizations must educate their controls to disrupt the cyberattack lifecycle. constituents about what they can do on Don’t use yesterday’s technology their part to stop cyberattacks. However, to address today’s and tomorrow’s beyond education, to protect against security challenges. As noted earlier, today’s truly advanced cyberthreats, legacy security approaches offer we must utilize the global community individual products to be bolted on to combine threat intelligence from a for single-feature solutions. This leaves variety of sources to help ‘connect the gaps that can be broken by new methods dots.’ Real-time, global intelligence feeds of attack, leaving your organization at help security teams keep pace with

201 ■ DESIGN BEST PRACTICES

threat actors and easily identify new regulatory requirements or mandatory certifi - security events. cations. IT security personnel are often drafted As attackers move from target to target, from projects that support core business opera- they leave digital fi ngerprints in the tions to work in the ‘dark corners’ of network form of their tactics, techniques, and security with a gloomy future of scanning procedures. By analyzing this evidence thousands of false alarms, updating old soft- and then sharing it, threat intelligence ware, and, of course, getting blamed for the from other organizations can quickly inevitable cyber incidents that are usually inoculate you from new attacks as caused by larger organizational problems. This bad guys seek to move between sad tale is a reality for a shocking number of organizations and even industries. organizations; it not only guarantees failure, it Combined with an integrated platform ensures lost opportunity for innovation that that can act automatically on this comes from having a strong security posture. intelligence, you can rapidly distribute Adopting a prevention philosophy helps warnings and make it impossible for create strategies for better security and attackers to strike twice. The network maximizes the value of an organization’s effect from vendors with large actions and resources. Viewing cybersecu- customer bases is extremely powerful rity as a business enabler helps drive appro- as it builds a security ecosystem, which priate resource allocation by returning can organically respond to new threats. value to the business based on new oppor- Many organizations are even coming tunities that would not have been available together to share threats as an entire without the level of trust afforded by a sector. Recent policy from the U.S. prevention architecture. Government has made it easier to Take the case of the IT security team. collaborate and share cyberthreat When an organization decides to take their information between companies and security more seriously, usually after a cyber work together to identify and stop incident, one of the fi rst things they do is advanced cyber actors. dump more people into IT security positions. While trained security experts are a boon for The most signifi cant way to fi ll in all the any organization, the architecture they are gaps and truly protect an organization from working in can have them needlessly chasing advanced and targeted threats is to imple- cycles of work, wasting budget by hunting ment an integrated and extensible security for cyber needles in digital haystacks of platform that can prevent even the most alarms, and manually remediating countless challenging unknown threats across the vulnerabilities. Employing a prevention entire attack lifecycle. An IT architecture architecture that automates protection capa- must remain secure while also providing bilities and shares threat intelligence using an business fl exibility and enabling applica- integrated platform means that security tions needed to run day-to-day operations. teams can operate much more effi ciently and Stopping even the most advanced attacks is effectively. Their time is an organization’s possible, but we have to begin with a pre- money, and it’s imperative to ensure that vention mindset. personnel working on core IT functions that keep business operations running are not ■ Conclusion: Cybersecurity as a business being wasted on outdated security practices. enabler Strong cybersecurity can also open new Traditionally, IT security has been seen by opportunities by making organizations most organizations as a cost center, requiring more fl exible and resilient. Today’s work- continued expenses but not bringing in any force is constantly connected to the Internet revenue. The attention and resources devoted at home, on the road, and at their desk. to it are often the bare minimum to meet Users move between applications and

■ 202 BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION

devices seamlessly and expect that their If organizations continue to view investments actions will translate between these differ- in cybersecurity simply as cost centers to be ent environments. However, this tradition- solved by bolting on legacy technology, we ally has not been the case. Threats from will all continue to suffer the consequences. third-party applications, unsecured cloud Our most valuable data and the keys to vital environments, and infected personal mobile pieces of infrastructure will walk out the door devices have become so prevalent that many in the hands of cyber criminals, while the traditional security products will either trust we have built between our customers block them completely or just assume that and our systems continues to degrade. This they cannot be protected. This old way of will happen time and time again until we are doing business doesn’t match the reality of forced to change and narrow the way we use today’s workers, who are expected to be digital systems in our everyday lives. This more agile and mobile than ever before. must not become the reality for the entire Architecting a network to wrap these devic- community that receives such unimaginable es and third-party services into an existing benefi ts from the Internet. By adopting a pre- security platform ensures that data will vention mindset it is possible to change the remain secure as workers go out to meet status quo and take back the control and trust with customers in the fi eld and expand busi- in systems that enable critical business opera- ness beyond its offi ce walls. tions. Planning for disaster is always a smart The security fi eld is stuck today with few move, but preparing for failure will accom- answers to increasingly challenging problems. plish just that.

Cybersecurity glossary Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and signifi cant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). http://niccs.us-cert.gov/glossary Attack surface: An information system’s characteristics that permit an adversary to probe, attack, or maintain presence in the information system. http://niccs.us-cert.gov/glossary Antivirus software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code. http://niccs.us-cert.gov/glossary Command-and-control channel: Data link for an attacker to communicate with his malicious software installed on a victim’s system. Data exfi ltration: After an attacker has found sensitive data that he is targeting, he will attempt to package this data and remove it silently from a victim’s system. Endpoint: Specifi c parts of an IT infrastructure that users interact with directly, such as workstations or mobile devices. Exploit: A technique to breach the security of a network or information system in violation of security policy. http://niccs.us-cert.gov/glossary Hypertext transfer protocol (HTTP): Technical rules for transferring data over the Internet. Web browsers use HTTP, and the encrypted variant HTTPS, to allow users to interact directly with websites in a secure manner. Malware: Software that compromises the operation of a system by performing an unauthorized function or process. http://niccs.us-cert.gov/glossary Network: Joined pieces of an IT infrastructure that transfer and route data to and from endpoints and other networks. Polymorphic malware: Malicious software that is designed to continuously change its appear- ance, allowing it to evade legacy security detection technology such as antivirus software.

Continued

203 ■ DESIGN BEST PRACTICES

Cybersecurity glossary—cont'd Port-based security: Stateful inspection fi rewalls block any Internet traffi c coming into or out of a network on a specifi c line of communication, called a port. However, modern applications use different ports, and malicious software can change the port it uses. Remote access tools (RATs): Malicious software that allows an attacker to control a system where he is not physically present. These functions in IT systems also exist for legitimate uses, such as support functions. Zero-day: A software vulnerability that is unknown to the public but is used by an attacker to gain access and control of a network or system.

■ 204 SecurityRoundtable.org Cybersecurity beyond your network

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Supply chain as an attack chain Booz Allen Hamilton – Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate

The supply chain ecosystem reaches farther and wider than ever before. The growing range of suppliers provides signifi cant competitive advantages for companies that strategically and securely source from this global network. Yet this complex footprint comes with an equally complex range of cyberthreats, and the majority of organizations do not realize the breadth and depth of these challenges. However, hackers are well aware of existing supply chain vulnerabilities and are moving aggressively to take advantage of these exposures. Threat actors typically target organizations’ supply chains through two vectors: the fi rst type of attack is known as “adversarial supply chain operations to,” or “ASCO To,” and the second is known “adversarial supply chain operations through,” or “ASCO Through” (Figure 1). In an ASCO To attack, your organization is the direct target. In the latter, the adversary uses your supply chain as a means to target one of your customers. Although the intent is different, both have the potential for devastating impact to your revenue, reputation, and end consumer. To compound this issue, today’s attackers are often well funded and extremely organized. These attackers have the resources, skills, and patience to conduct sophisticated attacks on your supply chain. For example, a supply chain cyber adversary may clandestinely intercept delivery of your products and switch cyber sensitive components with a malware-infused copycat. These attacks are often so sophisticated that the end users may not realize that they did not receive the original version. Nation-states, hacktivists, organized criminal groups, and lone wolves are constantly scanning supply chains

207 ■ CYBERSECURITY BEYOND YOUR NETWORK

FIGURE

Attack methods on the supply chain

Adversaries Lifecycle Process • Nation–State Actors Sustainment Design Build Fulﬁllment Distribution Disposal • Competitors (esp. Source & Nation–State- Operations owned) ASCO To Example Methods: Potential Effects: • Criminals • Interdiction/Compromise • Halt or slow prodution • Hacktivists • Theft/Re-route • Prevent sustainment operations • Break/Fix subversion • Loss of intellectual property ASCO Through

Example Methods: Potential Effects: • Malware shotgun infection • National security risk • Malicious component insertion • Customer compromise Customer Operations • Repair part compromise • Impaired customer operations • Trojan insertion/Design to fail • Brand/Legal/Market impact • Fraud • Loss of customer intellectual property for weak points, and the impact of this atten- Supply chain traditionally has been seen tion has the potential to reverberate well as part of internal operations; it is some- beyond your supply chain. You inherit the thing that happens behind the scenes for risks of your suppliers. If one of your suppli- your customers. In the past, customers did ers lacks security controls, you may absorb not care where you made your products or their vulnerabilities. This is particularly true how you sourced them as long as you deliv- if you do not comprehensively test their ered them on time, at the appropriate cost, components during your acceptance pro- and in good condition. However, this is all cess; once you accept their product, you changing. Companies and governments accept the risks of being attacked or passing around the world are realizing that the sup- along an attack to your customers. In the ply chain is an ideal way for attackers to event that a cyberattack occurs, you own the quietly infi ltrate their networks and infect a impacts as well. This includes brand dam- system well before customers place an order. age, operational stoppage, legal exposure, Companies, large and small, have to begin canceled sales, and government sanctions. looking at supply chain security as part of their overall supply chain risk management ■ Dangerous combination of hidden risks and process. higher expectations By prioritizing supply chain cybersecurity, Tackling cybersecurity risk in supply chain you are well on your way to tackling this may feel like you are trapped between a vir- complex issue. You have an opportunity to tual rock and a hard place. As companies mitigate cyber risk and transform your sup- drive to increase supply chain fl exibility at ply chain risk management capability into the lowest overall cost, sourcing decisions a competitive advantage to inform your expose them to the vulnerabilities of suppli- broader business. ers and all of their successive networks of suppliers. This ever-evolving cybersecurity ■ Increasing expectations threat in the multi-layered supply chain pre- The U.S. government has been a force for driv- sents a number of challenges when managing higher-level visibility and controls across ing cybersecurity. See Figure 2. the supply chain. As the future progresses,

■ 208 SUPPLY CHAIN AS AN ATTACK CHAIN

FIGURE

Cybersecurity challenges in the supply chain

Lack of Visibility

Limited visibility across the supply chain regarding exposure and controls

Dynamic Threat

The evolving capabilities of well-resourced and determined adversaries means that “point in time” solutions are insufﬁcient.

External Dependencies

Companies cannot ensure part integrity on their own—they will need participation from suppliers and other business partners.

Cross-Functional Challenge

Requires change and collaboration from various internal business functions to collectively manage cyber risk throughout the supply chain

Decision Making

Increased information requires new strategic and tactical decision- making processes.

insurance companies will be an even larger and your customers that you have a strong driver for increasing supply chain standards. supply chain cyber cybersecurity capability. Business continuity policies are in place to It is not just the U.S. federal government address threats that disrupt the supply chain. that is raising the stakes. Many clients also Companies with weak supply chain cyber are demanding to know more about the security policies and procedures could fi nd supply chain. Private sector clients are real- their insurers raising their premiums or izing that securing high assurance services excluding claims in case of a breach. The next on an untrusted hardware platform is the wave of standards could take shape with same as building a fort on a foundation of requiring you to maintain a list of all cyber shifting sand. They want to know the depth sensitive supply chain components as well as of visibility into the components and ser- develop comprehensive risk frameworks to vices of products, and they want to be reas- classify, prioritize, and proactively manage sured that there are controls in place to the sourcing of each of those components. manage a robust supply chain cybersecurity You need to proactively get ahead of these program. As with the government, many of standards. Prove to the government, insurers, these requests and requirements are at an

209 ■ CYBERSECURITY BEYOND YOUR NETWORK

all-time high and will become more sophis- could necessitate that your approach be dif- ticated and comprehensive only during the ferent than that of a competitor. Using a next several years. If you are their supplier, maturity model also allows you to answer they know that you are only as trustworthy the questions that are not yet asked by com- as your supply chain. pliance while aligning your supply chain to your business strategy. It allows you to focus ■ How to create both a secure and compliant capability on increasing your overall security and to Complying with standards and guidelines is stay ahead of the curve. not enough for securing all of the factors you need to comprehensively increase your secu- ■ Where do I start? rity posture. Although standards strive to Developing a robust supply chain cyberse- create consistency among cybersecurity pro- curity program is complex, but that doesn’t grams, the fundamental truth is that there is mean your approach has to be. It requires a no formula for security. Standards and risk-based prioritization approach to changes frameworks can help identify the landscape in policy, supplier contracts, resource alloca- of potential areas to address and may let you tion, and investment. Most companies do not set a minimum level of performance, but have the appetite or the budget for wholesale, that’s it. You must move beyond merely drastic changes. If you are like most organiza- striving to be compliant rather than noncom- tions, you face the dilemma of not knowing pliant. Supply chain cybersecurity is more where to begin. than an IT problem. If not used in the appro- So the best place to start is to get your priate context, standards can be a generic arms around what has to be done. solution to a highly individualized problem set. Supply chain risk is tied intimately to 1. Conduct a maturity assessment and build your business strategy and operations, and it a roadmap. must be tailored to your organization. Your organization needs a plan for the path Rather than focusing on a standard, look at forward in securing your supply chain. Before your program with a maturity lens. Understand you transition to developing a roadmap, you the various degrees of risk you face. Then, must begin with a maturity assessment. within a well-established structure, decide Supply chain cybersecurity program maturity where you need to invest and develop. It is assessments are simply gap analyses between up to you to prioritize the control areas to how well your program operates today com- address. Focus on your current maturity in pared with how it should operate in a target state. To evaluate this, you must identify the those areas and what you must do to increase key controls that apply to supply chain risk your maturity. Focusing on your maturity management—either controls you already use provides you with an opportunity to identify as part of your corporate cybersecurity pro- where your program stands today, where it gram or controls that may be more unique to must be in the future, and how to get there. A supply chain. Even if you use existing con- maturity approach is not “one size fi ts all.” trols, you should modify them to apply to your Special considerations for your organization supply chain operations.

Maturity Assessment Tip The set of controls you select for your maturity assessment should incorporate the compliance standards that customers might use as part of their Request for Proposal requirements (e.g., NIST SP 800-161). You likely will cover more controls than these standards, but mapping them will allow you to kill two birds with one stone.

■ 210 SUPPLY CHAIN AS AN ATTACK CHAIN

Five Common Early Wins Below are fi ve common ways you can gain early traction with your supply chain cybersecurity program: ᭿ Integrate/enhance component tracking ᭿ Include cyber in your supply chain risk management framework ᭿ Enhance acceptance testing ᭿ Conduct supply chain vulnerability penetration testing ᭿ Enhance monitoring of supplier network access points

Next, identify key objectives for each control physical deliveries of products, place malware in you plan to evaluate. Threat intelligence, for cyber sensitive components, and allow the ship- example, may have data collection, analysis, ments to continue to end customers. As you and distribution as key control objectives. For identify risks for each phase, you have to assess each objective, defi ne a scale as well as the key the likelihood and impact of each risk. This prior- characteristics for each step in that scale. Taking itized list becomes your risk agenda and helps the threat intelligence example, a low maturity determine what to address fi rst to enhance your rating for data collection could be the ad hoc supply chain cybersecurity program. collection of threat data via unstructured sources, such as email. A higher maturity implementa- Supply chain tion of data collection would be a comprehensive Lifecycle ingestion of multiple formal data feeds that can be analyzed automatically and effi ciently. Design

Next, conduct a baseline assessment of your Source current state—an honest assessment, backed by examples. This will help you surface risks asso- Build ciated with each control. After the baseline, defi ne the target state for each control. The tar- Fulﬁll get state should be a balance between high effectiveness and practical costs, keeping in Distribute mind that not all controls need the highest level of maturity. Comparing the target state with the Sustain & Operate baseline provides you the gap you need to address. Dispose

The outcome of your maturity assessment will be a robust roadmap designed to transform your supply chain cybersecurity program. This equates to quick wins and key priorities for your 3. Decompose your key product lines. organization. It should also help address the key To assess the visibility, control, and risks in your requirements your customers demand. supply chain, select a few key product lines and decompose them into their cyber sensitive com- 2. Identify key risks throughout your supply ponents. Then see how much information you chain lifecycle. can collect on their manufacturing sources, Breaking down your supply chain lifecycle into acceptance testing, suppliers, and intended cus- discrete phases can help you identify key risks for tomers. You will likely fi nd that your internal each phase. Each phase presents its own vulner- systems and policies are prohibiting you from abilities and risks. For example, during the dis- this level of visibility; however, it is this level of tribution phase, threat actors can intercept visibility that customers will be demanding in

211 ■ CYBERSECURITY BEYOND YOUR NETWORK

the future, if not already. Once you can obtain advantage in the market. Understanding how this kind of visibility, you can then assess the to identify risk and then effectively manage processes, controls, and risks associated with those risks will allow you to be in greater those cyber sensitive components. control of your supply chain. A robust supply chain cyber risk management program will ■ Supply chain cybersecurity as a differentiator allow you to close vulnerabilities, making The risks and expectations of your supply you less of a target for attackers while helping chain cybersecurity are increasing as threats you meet and even shape your customer become more sophisticated and customers’ expectations. The trust in your brand and the expectations rise. As you inherit the vulner- quality of your product depend on the abilities from your suppliers and the risks of strength of your supply chain cybersecurity. your customers, you have to be more aware Creating the right balance of security of how your supply chain can become an and resilience in your supply chain will attack chain. Compliance is not enough; you allow you to build a foundationally strong- must develop a robust maturity model to er supply chain cybersecurity program. help identify your vulnerabilities and devel- This not only will differentiate you from op a roadmap to reduce your risks. your competitors but also will allow you to Companies that are able to effectively better understand the opportunities and manage their supply chain risks will have the advantages that are key to your success.

■ 212 SecurityRoundtable.org Managing risk associated with third-party outsourcing Covington & Burling LLP – David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate

■ Third-party outsourcing and cybersecurity risk Businesses increasingly work with third parties in ways that can render otherwise well-guarded data vulnerable to attack or accidental disclosure. These third parties can include technology service providers; other major business function vendors, such as payroll, insurance, and benefi ts companies; and accounting and fi nance, advertising, delivery and lettershop, legal, and other consulting services. Many of these commercial relationships require sensitive information—whether the business’ own confi dential business information or the personal information of its employees or customers—to be shared with, or stored by, the third parties. Such relationships also may entail third- party access to a company’s networks. There is, in turn, an inherent risk in the third-party services: they can create new avenues of attack against a company’s data or its systems and networks—and those avenues require appropriate mitigation. Perhaps no data security breach highlighted this risk more than the incident incurred by Target. That incident began not with a direct attack on the Target network but with a phishing attack on a Pennsylvania HVAC contractor that had access to Target’s external billing and project management portals. The HVAC contractor depended on a free version of consumer anti-malware software that allegedly failed to provide real-time protection. Once the phishing campaign succeeded in installing key-logging malware, the hackers obtained the HVAC contractor’s credentials to Target’s external billing and project management systems and from there infi ltrated Target’s internal network, eventually reaching Target’s customer databases and point-of-sale systems.

213 ■ CYBERSECURITY BEYOND YOUR NETWORK

The results of the Target breach are well contractual provisions to manage third- known: the personal information of up to party risk, and, in some cases, to monitor 70 million customers was compromised, and service providers on an ongoing basis about 40 million customers had their credit (e.g., 12 C.F.R. Pt. 225, App. F at III.D. or debit card information stolen. By the end [2012]) of 2014, the costs to Target from the breach the HIPAA Privacy Rule, requiring had exceeded $150 million. These costs specifi c contractual provisions in dealing include the litigation and settlement expens- with business associates who handle es resulting from lawsuits brought by con- protected health information, 45 C.F.R. sumers and credit card issuers. Further, in the §164.502(e) (2014) quarter in which the data breach occurred, state regulations, such as the Target’s year-over-year earnings plummeted Massachusetts Standards for the 46 percent. Ultimately, in the aftermath of the Protection of Personal Information, breach, Target’s CEO resigned. requiring reasonable steps in selecting The Target breach was not an isolated third parties and the use of contractual incident. In 2014, a Ponemon Institute sur- provisions to require their compliance vey found that in 20 percent of data breach- with Massachusetts law, 201 Mass Code es, a failure to properly vet a third party Regs. 17.03(2)(f). contributed to the breach. Even more troubling, 40 percent of the respondents to In addition, the Federal Trade Commission another Ponemon survey named third-party has applied its authority under Section 5 of access to or management of sensitive data as the FTC Act, 15 U.S.C. §45 (governing unfair one of the top two barriers to improving acts and deceptive trade practices) to apply cybersecurity. Further, the Ponemon to cybersecurity and data security, and has Institute’s 2015 U.S. Cost of Data Breach taken action against companies that fail to Study reports that third-party involvement take “reasonable steps to select and retain in a data breach increased the per capita cost service providers capable of appropriately of data breaches more than any other factor. safeguarding personal information” a de However, despite the cybersecurity risks facto regulatory requirement. See, for exam- posed by third-party service providers, ple, GMR Transcription Servs., Inc., F.T.C. many companies fail to systematically Docket No. C–4482, File No. 122–3095, 2014 address such risks. Only 52 percent of com- WL 4252393 (Aug. 14, 2014). panies surveyed in a 2014 Ponemon Institute report have a program in place to systemati- ■ Sources of third-party cybersecurity risk cally manage third-party cybersecurity risk. The cybersecurity and privacy risks generated by third-party engagements include the ■ Legal risks following: Although there are many commercial and other reasons to adopt strong third-party risk breaches of personal data—whether the management processes, a variety of legal personal data of customers or employees— frameworks require the management of third- and the attendant regulatory obligations party risk. Examples of such statutory or regu- (e.g., notifi cation requirements), as well as latory requirements include the following: legal liability, as in the Target breach breaches of a business’s proprietary data, the Interagency Guidelines Establishing including the following: Information Security Standards that competitively sensitive data, privileged implement Section 501 of the Gramm- information, attorney work product, Leach-Bliley Act and require fi nancial and trade secrets institutions to engage in due diligence in business partner data resulting in the selection of service providers, to use obligations to notify business partners

■ 214 MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING

as well as potential contractual liability the sophistication of the vendor and the to them nature of the IT systems and data at issue. data that result in fi nancial harm to Nonetheless, three elements are common to the company, such as bank account all third-party risk management: information other confi dential, market moving 1. due diligence prior to entering an insider information in the hands engagement of third parties such as investment 2. contractual commitments and legal risk bankers, consultants, and lawyers, such management as information regarding nonpublic 3. ongoing monitoring and oversight. M&A activity, clinical trial results, or regulatory approvals ■ Pre-engagement due diligence the introduction into internal networks A critical element of managing third-party of viruses or other malicious code, as risk is the assessment of the third party’s in the Dairy Queen attack, in which own security practices and posture before vendor credentials were used to any contract is signed. Such diligence is cru- gain access to internal networks and cial for the identifi cation and evaluation of eventually install malware targeting risks, and, in turn, can ensure that such risks point-of-sale systems are mitigated before the engagement, the introduction of other vulnerabilities including through the use of contractual to IT systems, for instance, by the use provisions. The actual evaluation may be of vulnerable third-party applications more ad hoc (i.e., conversations with key or code, as occurred in the Heartbleed business or technology stakeholders) or for- OpenSSL exploit that potentially mal (i.e., through a questionnaire or even exposed the data transmitted to and on-site assessment), and the extent of an from secure web servers evaluation may depend on various factors misuse and secondary use of company in the prospective relationship, including, data such as for direct marketing or data for example, whether the service provider mining for the benefi t of the vendor will have access to the company’s IT sys- “fourth-party” risk, that is, the third- tems, the nature of the information that it party cybersecurity risks introduced may access, and whether it will store such by a vendor’s relationships with its information. own third-party service providers and Depending on the extent of the relation- vendors ship and information that may be accessed potential director or management liability by the vendor, the following areas of inquiry for breach of fi duciary duty in the exercise may be necessary to inform a cybersecurity of cybersecurity oversight. diligence assessment:

To help manage this array of risks effectively, whether and how often the vendor companies may consider whether they have has experienced cybersecurity appropriate procedures in place to evaluate incidents in the past, the severity of and monitor individual vendors, as well as a those incidents, and the quality of the program to manage and monitor third-party vendor’s response relationships. whether the vendor maintains cybersecurity policies, such as whether ■ Engagement-level management of third-party the vendor has a written security policy cybersecurity risk or plan The appropriate measures needed to scruti- organizational considerations, such as nize and monitor third-party service pro- whether the vendor maintains suffi cient viders will depend to a large extent upon and appropriately trained personnel to

215 ■ CYBERSECURITY BEYOND YOUR NETWORK

protect the data and/or service at issue ■ Contractual risk and negotiation and respond to incidents In addition to evaluating third parties on the human resources practices, particularly basis of their cybersecurity practices, anoth- background screening of employees, er important risk mitigation tool is the actual cybersecurity training, and the handling contractual language. As with other areas, of terminations contractual requirements can be an effective access controls, particularly whether way to allocate risk and responsibility for controls are in place that restrict access potential breaches of cybersecurity, includ- to information and uniquely identify ing the investigation and remediation of users such that access attempts can be such incidents. Commonly negotiated terms monitored and reviewed include the following: encryption practices, including whether information is encrypted at rest, whether a requirement that the vendor have a information transmitted to or from written information security program the vendor is properly encrypted, and that complies with applicable law or whether cryptographic keys are properly other regulatory or industry standards managed limits and conditions on the use of evaluation of in what country any data subcontractors and other third-party will be stored service providers the vendor’s policies regarding the restrictions on secondary use of data, secondary use of customer data, and including making clear that the customer whether IT systems are created in remains the owner of any data transmitted such a way as to respect limitations on to the vendor and any derivatives of that secondary use data physical security, including resilience mandatory and timely notifi cation in case and disaster recovery functions and of a security incident the use of personnel and technology to rights to audit or otherwise monitor the prevent unauthorized physical access to vendor’s compliance with the terms of facilities the contract back-up and recovery practices in case of a breach, a requirement that the change control management, including vendor take on reasonable measures to protocols on the installation of and correct its security processes and take any execution of software necessary remediation steps system acquisition, development, and provisions ensuring an orderly transition maintenance to manage risk from software to in-house systems or another third development or the deployment of new party in case of the termination of the software or hardware relationship. risk management of the vendor’s own third-party vendors In addition to such terms, indemnifi cation incident response plans, including clauses can be used to shift the risk of data whether evidence of an incident breach onto the third party and to incentiv- is collected and retained so as to be ize healthy security practices. To accompany presentable to a court and whether the an indemnifi cation clause, it sometimes can vendor periodically tests its response be desirable to draft clauses that defi ne capabilities when the entity is or is not liable, on which whether the vendor conducts regular, party the burden of proof falls, and how independent audits of its privacy and root-cause analysis should be conducted. To information security practices ensure capacity to take on the fi nancial costs

■ 216 MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING

of a breach, third parties are frequently Although relatively uncommon outside required to obtain a cybersecurity insurance of certain regulated industries, such as the policy. fi nancial and health-care industries, provi- From the business’s perspective a third- sions in vendor contracts for regular secu- party vendor should be fully responsible for rity audits by an independent third party any liability for data breaches that occur provide a robust but intrusive form of while the data are under the vendor’s con- periodic monitoring. However, it is not trol. However, vendors often push for caps always possible to obtain audit rights from on their cybersecurity liability. To guide a vendor. Alternatively, the vendor could negotiations as to appropriate caps on liabil- be required to provide up-to-date certifi ca- ity, consider the type of data processed or tions of compliance with industry stand- accessed by the third party (e.g., how sensi- ards or regular, third-party audit reports. tive is it, does it relate to employees, con- In addition, to manage fourth-party risk, sumers, or is it not personally identifying vendors could be required to perform ini- information), the volume of records to be tial and periodic assessments of their own handled by the third party, the ability for the service providers and vendors if they will customer to implement security controls be handling sensitive information. If, in such as encryption, the nature and extent of the course of an audit, vulnerabilities are the third-party promises on cybersecurity, identifi ed or practices are found that are and the brand and reputation of the third not in compliance with industry practices party with respect to data security. Based on or regulatory requirements, the vendor those inputs, a company can then consider may be required to notify the customer the potential losses and sources of third- and correct any outstanding issues in a party liability to evaluate what constitutes timely fashion. an acceptable level of risk in terms of exclu- As part of ongoing monitoring of vendor sions for indemnifi cations and caps on liabil- cybersecurity, it is useful if the contract with ity. A business also may consider offsetting a third-party service provider also includes any contractual concessions with corre- notifi cation and remediation provisions if sponding increases in their own cybersecu- the vendor becomes aware of defi ciencies in rity insurance coverage. its cybersecurity posture. In addition, as part of the remedies, the outsourcing party may ■ Ongoing monitoring and oversight seek the right to terminate the agreement Ongoing monitoring and oversight of third- immediately and to receive a pro rata refund party service providers is essential given the of any fees paid or payable. In addition to rapidly changing landscape of cybersecurity contractual provisions dealing with the ter- threats. Whereas due diligence provides a mination, contingency plans to facilitate an snapshot of a third party’s cybersecurity orderly end to the third-party relationship stance at a specifi c point in time, continual and a smooth transition to an in-house solu- monitoring and the right to such monitoring tion or another a third-party provider may are necessary to help ensure that the third prove useful. party responds and adapts to secure its systems against new threats. Over the life of the ■ Conclusion relationship, periodic checks, including on- The measures described above—diligence, site reviews of vendor, can be important contractual terms, and continued monitor- oversight mechanisms. Other monitoring ing and oversight—are critical elements of a requirements include access to timely and comprehensive cybersecurity program that accurate records and reports of the third- includes managing third-party relationships. party provider’s cybersecurity posture. To effectuate these elements, in turn, it often

217 ■ CYBERSECURITY BEYOND YOUR NETWORK

is helpful to have standardized processes that scales due diligence, contractual obliga- and documentation. tions, and oversight processes according to Examples include standardized diligence the nature and extent of the cybersecurity checklists and questionnaires, template con- risks presented by the vendor relationship. tract addendums addressing cybersecurity In all events, it is important that organiza- issues, and standardized schedules for tions periodically review their processes for audits and other forms of monitoring. evaluating and overseeing third-party rela- Because there is no one-size-fi ts-all approach tionships to ensure that such processes are that is appropriate for every vendor, it is periodically updated and appropriately tai- appropriate to implement a tiered approach lored to address new and emerging threats.

■ 218 SecurityRoundtable.org A new look at an old threat in cyberspace: The insider Delta Risk LLC – Thomas Fuhrman, President

The fi rst thing that business leaders should do about the “insider threat is to take it seriously.“ People are, without doubt, the most consequential part of cybersecurity. They design the hardware, write the software, build the systems, confi gure and manage the boxes, install the software patches, and, obviously, use the computers. At every point in cyberspace, people create vulnerabilities. Whether they realize it, people are a major security risk. The insider threat, however, is not just a product of conscientious but fallible humans: the dark side of human nature is also in play. The idea of the ‘enemy within’ is as old as the hills, and its cyber equivalent is too. The insider threat to computer systems and networks has been a recognized reality for decades. It was a topic in 1970 in the landmark report by the RAND Corporation, Security Controls for Computer Systems, and its roots go back even further. However, since 2013 when defense computer systems contractor Edward Snowden—an insider—carried out one of the largest and most signifi - cant unauthorized disclosures of classifi ed government information in U.S. history, the issue was brought home to business executives. They realized, “If that can happen to the National Security Agency, it can happen to me.”

■ What’s new with the insider threat? In this, the post-Snowden era, the potential impact of the insider has become a much more tangible issue to companies and organizations of every kind. However, although this heightened awareness is new, there are also other recent developments that make the current insider threat challenge more diffi cult than ever. Key among such developments are the following:

the vast amount of vital business and personal data that is online

219 ■ CYBERSECURITY BEYOND YOUR NETWORK

the migration of data outside the security to effi ciently screen potential employees, man- perimeter of the enterprise through age access rights, enforce obligations, detect the widespread adoption of cloud- malicious tendencies and behaviors, and based services, increased outsourcing, implement security controls are needed. increasingly Internet-enabled supply The insider threat is usually thought of as chain operations, and the ubiquity of having two types: the malicious insider and mobile communications and computing the unwitting insider. Although these two devices in the ‘bring your own device’ types of insider are very different in motiva- (BYOD) environment tions and objectives, they can have similar the increase in the marketability of ruinous effects on the organization. sensitive, personal, proprietary, or confi dential data through global cyber The malicious insider. The malicious insider crime syndicates and hacker networks. is the ‘spy’ or ‘traitor’ who represents the insider cyberthreat at its most basic. These developments in combination invest This rogue employee, at most a small more power—and risk—in the individual percentage of the workforce (Spectorsoft insider and make ‘keeping a secret while selec- reports that an estimated 10 percent of tively sharing it’ a harder problem than ever. employees account for 95 percent of From a cyber perspective, the insider is incidents), uses her or his legitimate access the person who the enterprise has entrusted to a company’s information resources to to access and operate with the company’s deliberately harm the organization. data and information resources in the routine course of business. Anyone who has Malicious insiders know about the organi- legitimate (or ‘authorized’) access to the zation’s information, its systems, its struc- information and the business systems, data- ture and people, and its internal opera- bases, email, or other information resources tions. They have access to the enterprise of the enterprise is an insider. network from inside the perimeter defens- In many companies today, a large number es. They can do damage such as stealing of legitimate insiders are not actually data, disabling systems, and installing employees. This group includes former viruses or malware. Those with privileged employees, contractors, business partners, access can do even more, such as disabling vendors, suppliers, and others such as cloud accounts, destroying backups, changing service providers and business application confi guration fi les, and more. Those with- hosting services that have been granted out privileged access can sometimes get access to corporate enterprise networks. it through insider trickery, bypassing Evidence indicates that the access privileges authentication processes or gaining access of such non-employee insiders are diffi cult through the credentials of others. Snowden to manage and thus more easily exploited. In himself reportedly persuaded colleagues the large data breach at The Home Depot in to share passwords with him to get access 2014, for example, the hackers entered the beyond what he was already allowed. corporate network through a vendor’s legitimate access credentials. A fundamental and important point to Can employees and other insiders be recognize is that the insider as a malicious trusted? The answer, of course, is mostly yes. threat is not limited to the cyber and infor- It has to be. Business runs on human capital. mation systems realm. Other targets and Without trustworthy insiders, the organiza- methods are possible, including physical tion cannot function. However, the residual theft, destruction, or violence, coercion ‘no’ is a cause for serious concern. Seen in and extortion, or other non-cyber actions. this light the question is more about setting This fact has a direct bearing on the the limits of trust at the right level. Better ways approaches available to prevent, detect,

■ 220 A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER

and act against malicious or potentially become unconcerned about the associated malicious insiders. security and privacy risks. Users sometimes bring such personal Internet habits into the The psychology of the malicious insider is workplace, often paradoxically because of a defi ned fi eld of study. In short, an insider their zeal to do their jobs. They may insert a can become a threat for many reasons— thumb drive into a corporate machine to including for example, anger as a result of transfer a fi le. (“I needed to work on the workplace confl icts or disputes, fear of fi le—what was I supposed to do?”) They termination, dissatisfaction with work- could sync a personal smartphone to a cor- place policies, ideology, or fi nancial need. porate computer. (“What’s wrong with that?”) They may drop a proprietary docu- The unwitting insider. Almost anyone can ment into a public cloud. (“I need to work fall into the category of unwitting insider on it while I travel.”) The list continues. All threat agent, including senior executives. of these actions and many others like them As a threat actor, the unwitting insider by the unwitting insider create serious unintentionally and unknowingly enterprise security risks. makes security blunders that expose the enterprise to serious cyber risks. The single most common security weakness of most people is a susceptibility to Because the pool of potential unwitting phishing attacks. Phishing is a form of actors is so large and their behaviors are ‘social engineering’ that has the goal of unintentional and hard to predict, the getting information such as usernames, unwitting insider is one of the most dan- passwords, or credit card numbers. gerous weak points in the entire enterprise. Phishing usually starts with a fraudulent email message (although other mecha- One group of insiders who can pose a nisms are also used) that appears to be major threat are those who have a lax atti- from a legitimate or known source. The tude about security. These attitudes are not message may contain an attachment that, always obvious. Security awareness cam- if opened, installs malware on the victim’s paigns are so commonplace now that just computer, or the message may direct the about everyone exercises at least some cau- user to a website that is also designed to tion in online activities. At the same time, look legitimate, even familiar, to the target though, we can also observe that a certain victim. This bogus website prompts the insouciance about the risks in cyberspace user to enter information such as log-in has crept into the behavior of many people. credentials or account numbers. If the The same person who would refrain from user’s suspicions have not been aroused, using the word ‘password’ as a password she or he may enter the requested data— or from writing it on a sticky note to place and gotcha!—the hacker has succeeded in on the computer monitor may think noth- capturing information that can be used for ing of other poor security practices. access later. Alternatively or in addition, the bogus website may push out a virus, Today’s culture, for example, seems to remote access software, key-logging soft- encourage the melding of personal and ware, or other malware. Very often phish- professional pursuits. People have become ing is the start of a chain of exploits that so accustomed to online life—being always leads to a very serious breach. The Verizon connected, using multiple computing plat- 2015 Data Breach Investigations Report forms, putting their ‘whole life’ (as they (DBIR) states that more than 75% of mal- say) on their smartphones, or posting pho- ware installs were the result of unwitting tos and personal information on social users clicking on attachments or web links websites—that it appears many have contained in emails.

221 ■ CYBERSECURITY BEYOND YOUR NETWORK

Phishing also is used in a more focused in shares of the Brooklyn Bridge, the way that targets specific people— unwitting person can easily be taken in by frequently senior executives or people in a well-designed phishing ploy. However, the organization who have privileged whether the result of inadvertent or delib- access to information resources. The erate acts, the impact to the organization hacker will mine the Internet for personal can be the same—fi nancial loss, compro- information on the target, information mise of intellectual property, theft of cus- that only the target would know, names tomer personal information and credit and contact information of colleagues, card data, and reputational harm or loss of web browsing and purchase history, competitive position. non-business activities and community involvement, even writing styles to zoom This highlights a third and more sinister in on that specifi c person. When such type of ‘insider’ that must also be information is used in a phishing email, considered—the malicious outsider the look and feel, the text, and the context posing as an insider. Such actors explic- of the message can appear unexceptional itly seek to exploit insiders by appropri- and entirely authentic. If this were a game ating their credentials and moving it would be unfair. The target frequently unnoticed within the network. falls for the scheme. Figure 1 illustrates the categories of the Like the poor soul who sends money to the insider threat, along with typical motiva- Nigerian prince or the person who invests tions and potential impacts.

FIGURE

Insider threat actors and their effects

Threat Actors Motivations Methods Results

• Efficiency and • Move sensitive internal data to a convenience public cloud Cyber • Customer service • Lose a laptop Incident Unwitting insider • `Getting the job done´ • Use a memory stick to import or export data • Mix company data with personal Examples data on moblie devices • Theft of sensitive information (e.g., personally identifiable information, intellectual • Financial gain • Use legitimate access for property, proprietary • Do harm to the company illegitimate purposes information) Malicious insider • Advance an ideology or • Financial fraud or theft other personal agenda • Insertion of malware and/or establishing a long-term presence in the network for repeat • Financial gain—obtain • Exploit the access of a action sensistive data that can legitimate user • Damaged or destroyed be monetized • Bypass security controls on information resources Malicious outsider • Fraud or theft of money privilege escalation and lateral • Sabotaged product (the All insider threats can have the same outcomes posing as an movement throughout the merchandise produced • Do harm to the company insider network to get to key systems by the enterprise) • Advance an ideology or for exfiltration and/or • Reputation harm and other personal agenda insertion of malware customer alienation; loss of revenue

■ 222 A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER

The outsider posing as an insider. This cybercrime is exhibited in the tradecraft type of insider is not an insider in the that is applied once the initial breach is true sense, but rather an imposter who achieved. uses the legitimate credentials of others to access the network in ways the real The outsider-posing-as-insider is not user would not. This actor seeks to get interested in impersonating a particular legitimate credentials using a variety of person other than to use the person’s net- tactics and techniques. He then uses these work or system credentials. Through acquired credentials to access password password cracking and other techniques, fi les, directories and access control lists, a hacker can exploit the credentials of and other network resources—which is more than one authorized user or admin- made easier if the credentials are already istrator in the course of an attack. Unlike those of a system administrator or other the true insider, the only observables that privileged user. the outsider leaves are those network footprints and fi ngerprints that may show As described above, the unwitting insider up in system logs or the actual malware is very commonly exploited by sophisti- code or other digital fragments they cated hackers as a soft point of entry for leave behind. advanced attacks. Elaborate penetration techniques are hardly needed when a rel- ■ The dimensions of the insider threat atively simple phishing email is likely to The insider threat is easy to understand in serve the purpose. Upon achieving initial concept but very hard to quantify in prac- access, the hacker may try to move later- tice. How big of a threat is it? Hard data and ally within the network or to escalate statistics on the frequency of occurrence and access privileges to implant advanced the impact of insider threats have histori- malware deeply in the network fabric. cally been elusive and remain so. Lack of Phishing is the dominant mechanism detection and discovery of insider events, used today to penetrate networks by even and an unwillingness to share or report the most sophisticated hackers because it them, are two of the primary reasons for the has a high success rate for very low cost. paucity of data. Nevertheless, recent insider threat surveys and breach data analyses are Other social engineering tactics include consistent in their main fi ndings, including in-person deceit, such as impersonating the following: someone in authority, pretending to represent the Help Desk, asking someone for There has been an increase in insider assistance, or claiming to have left an threat events in the last few years. access badge inside the restricted area of a Most organizations do not have adequate facility. It can be a particularly effective controls in place to prevent or thwart tactic because people usually try to be insider attacks. courteous and helpful. Insider attacks are believed to be more diffi cult to detect than external attacks. Hackers have tricks other than social engi- Third parties and other non-employee neering to obtain the access they desire. insiders represent a major risk, and Most of the time, though, social engineer- insuffi cient attention is devoted to ing can be found somewhere along the managing them. Most contracts and attack chain because it is a powerful and service level agreements with external effi cient way of getting past perimeter vendors, suppliers, and business partners defenses. The sophistication we hear do not include robust security provisions. about in reports of state-sponsored espio- Insider policy violations and inappropriate nage, hacker networks, and organized activity are often discovered only during

223 ■ CYBERSECURITY BEYOND YOUR NETWORK

examination of user devices after Provide regular insider threat awareness individuals have left the organization. training as well as realistic phishing Most incidents are handled internally training exercises. An organized with no legal nor law enforcement action. phishing awareness exercise program can raise the company’s standard of ■ What to do performance in this critical area. The fi rst thing that business leaders should Establish a set of institutional values do about the insider threat is to take it seri- refl ecting the desired culture, select ously. Although there is widespread recogni- leaders based on their adherence tion that the threat is very serious, in most to these values, and include sectors there is insuffi cient follow-through to demonstration of these values as build the threat-specifi c plans, organization- an item on employee performance al structures, and controls to deal with it. assessments. What is needed is a comprehensive approach Building a multi-disciplinary program. that addresses and leverages the unique Establish an executive committee to aspects of the insider threat. Technology by manage an integrated multidisciplinary itself is not the answer; the critical human program designed to deter, prevent, dimension of the insider threat must also be detect, and respond to insider threats addressed. and to limit their impact. The program A comprehensive approach would should have the active participation of include the following: the functional organizations across the business such as Risk, IT, Cybersecurity, Establishing a threat-aware culture of Physical Security, Human Resources, institutional integrity and personal reliability. Fraud, and General Counsel, as Company culture is a product of many well as company-specific verticals factors, but one of the most decisive (manufacturing, operations, etc.). is the behavior of senior leadership and the values they model. A culture The program should include the following: of institutional integrity and personal creation and oversight of policies reliability is conducive to success in almost related to the management of insider any enterprise. Factors for achieving this risk include the following: regularized workfl ow, processes, and Create an environment in which self- meetings to actively and collectively directed employee actions refl ect a review threat intelligence, the internal high degree of institutional integrity threat landscape, internal indicators of and personal reliability. risk, insider events, sponsored activities, Articulate clear expectations in an and trends from each subdiscipline enterprise Acceptable Use Policy implementation and oversight of governing IT resources. This should personnel reliability processes from be a formal signed agreement between pre-employment background checks the company and each employee and to off-boarding procedures to assess external party who has access to the and act upon personnel security enterprise IT resources or facilities. risks, behavioral risk indicators, Create a safe environment in which and individual vulnerability to to self-report accidental actions compromise that jeopardize security. Removing decision-making authority pertaining the stigma of having inadvertently to the integration of programs within committed a security violation can help each vertical, the aggregation of insider minimize impact and help everyone risk data across the verticals, and the learn. corporate response to insider events

■ 224 A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER

defi nition of requirements for employee (SIEM) systems, pinpoint potentially training and awareness of insider illicit activities by identifying threats and prevention measures. anomalies in a person’s IT resource Building and operating security controls. and data access patterns. Many of the security controls that already Non-technical. Unique to the insider exist (or should exist) within the enterprise threat is the availability of a large can be effective in detecting, preventing, amount of relevant non-technical or mitigating the results of insider threat behavioral observables. Integrating activity. Key technical controls include the operational intelligence information at following: the intersection of cybersecurity, fraud access controls, particularly for detection, and physical security can privileged users (those with yield critical insights about potential administrative authority) insider threats. data protection, including encryption, Examples of non-technical cyber data data loss prevention technology, data include the following: backups, and exfi ltration monitoring email behavior: volume, content, confi guration management and secure and addressees; presence and type confi gurations of attachments vulnerability and patch management workday activities: patterns of on/ internal network segmentation. off duty time, including weekdays, Monitoring and detecting insider behavior. weekends, and holidays; location The program should seek to prevent job performance: performance insider attacks by capturing observable reviews, productivity, and time indicators of potential activity before accountability insiders act. Intelligence on the insider indicators of affi liation: degree threat generally comes from within the of participation in company- enterprise through either technical data sponsored activities; indications of or behavioral indicators: discontent through online behavior Technical. The most signifi cant sources and social media usage. of cyber-related technical intelligence are the real-time alerts and outputs Analysis of this type of data through auto- of security appliances, network- mated and manual processes can identify and host-based sensors, and data patterns of behavior that indicate at-risk loss prevention tools, as well as the employees or imminent insider attacks. network- and system-level logs that There may also be value in integrating are generated automatically (if so external threat intelligence for factors that confi gured) throughout the enterprise. could infl uence at-risk insiders. In most enterprises these sources provide so much data that managing It is important that the company’s legal and effectively integrating it with counsel advise the executive committee operations become serious challenges. on informing employees of ongoing In addition, the volume of data drives monitoring and how the data will be a need for storage that can become used. Oversight by the executive com- acute depending on policy decisions mittee is essential to ensure it is operat- regarding what logs are maintained ed within the bounds of policy. and for how long. Insider threat-tracking tools in use Having a plan. The executive committee today, such as data loss prevention, should develop a detailed (though threat intelligence, and security confi dential) action plan for what to do information and event management in the event of actual or suspected insider

225 ■ CYBERSECURITY BEYOND YOUR NETWORK

misbehavior or law-breaking. The plan and conducting operations pertaining to should describe how and when to contact the insider threat. Proven approaches and law enforcement and other authorities practices for addressing this threat are regarding insider threats or actions. It available, allowing the company to build should provide a framework of possible on the learnings of other organizations. legal remedies to pursue in the event of (See inset box.) an insider attack. This action plan should be tested on a regular basis through ■ Summing up scenario-based exercises involving the Companies often declare that people are company offi cials who would actually be their greatest asset. Surely the human involved if a real event were to occur. resource is what propels a company for- Evolving the approach. The executive ward. However, the insider threat will committee should refi ne the program as always be present. Commitment, loyalty, the organization matures in the use of and general affi liation with the organization this capability within the specifi c business cannot be taken for granted. Personal ethics environment. and allegiance to the employer collide with Not ‘going it alone.’ The executive the chance for selfi sh gains in those who committee should take advantage of the have become security risks or who are many resources available for planning vulnerable to compromise. With legitimate

Resources The following resources can help enterprises deal with the insider threat. Each provides a wealth of information on proven approaches and practices that companies can build upon.

Insider Risk Evaluation and Audit Tool. This tool is designed to help the user gauge an organization’s relative vulnerability to insider threats and adverse behavior including espionage against the U.S., theft of intangible assets or intellectual property, sabotage or attacks against networks or information systems, theft or embezzlement, illegal export of critical technology, and domestic terrorism or collaboration with foreign terrorist groups. The tool can be used for a number of purposes, including self-audit of an organization’s current defenses against insider abuse, the development of a strategic risk mitigation plan, and employee training and awareness. http://www.dhra.mil/perserec/products.html#InsiderRisk

CERT Insider Threat Center. Since 2001, the CERT Insider Threat Center has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider cyberthreats. Partnering with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community, the CERT Insider Threat Center is positioned as a trusted broker that can provide short-term assistance to organizations and conduct ongoing research. https://www.cert.org/insider-threat/

Federal Bureau of Investigation. The Insider Threat: An introduction to detecting and deterring an insider spy. This brochure provides an introduction for managers and security personnel on how to detect an insider threat and provides tips on how to safeguard trade secrets. https://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

■ 226 A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER

authorization to access company and infor- occur. Insiders are also the target for care- mation resources, a rogue insider can do fully scripted phishing tactics; the insider tremendous harm to the company. The who innocently clicks a link in an email may effects of an insider attack can be felt as enable damage to the company well beyond fi nancial loss, erosion of competitive posi- her or his pay grade. tion, brand degradation, customer aliena- However, there is much that the organi- tion, and more. The Snowden disclosures of zation’s executive leadership can do to 2013 have, at least for now, sensitized busi- mitigate the insider threat, including estab- ness leaders to the grave risks posed by the lishing the right culture, implementing insider threat. security controls, conducting ongoing mon- The unwitting insider is the equal of the itoring and detection efforts, and being malicious insider in potential damaging ready to respond quickly if indicators point impact. A momentary and unintentional to a likely insider threat. The following box lapse in vigilance regarding security threats summarizes the actions that are recom- can be all it takes for a major compromise to mended here.

Summary of actions to address the insider threat 1. Establish a culture of threat awareness, institutional integrity, and personal reliability Provide regular insider threat awareness training as well as realistic phishing training exercises. Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources. Create a safe environment in which to self-report accidental actions that jeopardize security.

2. Build a multi-disciplinary program to deter, prevent, detect, and respond to insider threats and to limit their impact.

3. Build and operate security controls designed to mitigate the insider risk.

4. Monitor insider behavior: multiple interdisciplinary dimensions draw on outside resources look inside the network for observables of potential insider threat activity

5. Have a plan for what to do in the event of actual or suspected insider malfeasance Know how and when to contact law enforcement and other authorities regarding insider threats. Explore legal remedies.

6. Be ready to develop your approach as conditions continue to change.

7. Don’t ‘go at it alone.’ There are many resources available for planning and ongoing operations. Best practices can be implemented based on another organization’s learning curve.

SecurityRoundtable.org 227 ■

The Internet of Things The Chertoff Group – Mark Weatherford, Principal

In the time it takes you to read this sentence—about eight seconds—approximately 150 new devices will have been added to the Internet of Things (IoT). That’s 61,500 new devices per hour, 1.5 million per day. There are currently about 7.4 billion devices connected to the IoT, more than there are human beings on the planet. By 2020, according to Gartner, there will be 26 billion. Cisco puts the number at 50 billion, and Morgan Stanley says it will be 75 billion. By any estimation, it will be a lot more devices than are in existence today. People are beginning to notice this phenomenal rate of growth, and some companies are seeing incredible economic opportunities. However, the fact that the fi eld has grown so quickly and so dynamically means that some of the lessons we’ve learned in the past about security and privacy are not being employed—in the interest of fi rst-to- market opportunities—and the lack of oversight has many wondering about the unknown unknowns. These three defi nitions together provide a starting point for understanding the IoT and its implications for our future:

In the physical sense, the IoT is all of those billions of devices, installed on apparel, appliances, machines, vehicles, electronics—most of them incorporating sensors to gather bits of data and then sharing that information via the Internet through central servers. The concept of the IoT was introduced in 1999 and evolved from the Machine-to-Machine (M2M) technology that originated in the 1980s, in which computer processors communicated with each other over networks. The major difference is that most of the new devices cannot be considered processors but rather sensors and relays that simply facilitate the aggregation of data. Analogous to the shift to “cloud” computing, it may be useful to consider this new data-generating aspect as “the fog.”

229 ■ CYBERSECURITY BEYOND YOUR NETWORK

The two concepts—the IoT and M2M— is, in that existential meaning, the latest are now poised for complete integration, iteration of communication technology. in what is termed convergence, as we Of course, as soon as we developed the move into technology’s future. Keep in ability to send information over great mind that in that future, anything that can distances in just seconds, some people be connected will be connected. Christian began to look for ways to capture that Byrnes, a managing vice president information from sources other than at Gartner, says that “The Internet of their own. Early twentieth century Things brings a major addition to the wartime code breakers monitoring the responsibilities of cybersecurity: safety. IoT enemy’s radio communications often are includes the fi nal convergence of physical mentioned as the fi rst hackers. and information security practices. As such, CIOs and CISOs will face the The last aspect of the IoT should cause the possibility of their failures being the direct most concern. As technology has become cause of death. Confi dentiality, Integrity ever more sophisticated in its march toward and Availability will be remembered as providing greater capabilities for private ‘the good old days.’” enterprise, governments, and the people The IoT can also be thought of as just the they serve, so have the tools and strategies of collected data. With billions of connected the people who would access and use the devices, all contributing information information for more malicious purposes. around the clock, it’s more data about The lack of recognition about the seriousness more machines, operations, and people of this threat to companies and governments than has ever been collected before— leads to a lack of security suffi cient to defend more in the past year than perhaps has against attacks. been recorded in all of human history, and certainly more than was imagined possible ■ IoT benefi ts just a few years ago. The intelligent According to John Chambers, CEO of Cisco management and implementation of that Systems Inc., the Internet of Everything data make it possible to do such things (which includes the IoT plus the actual as navigate a driverless car through city networks that support and transmit the traffi c, monitor a person’s anatomical data these devices generate) could be worth signals and take action to manage his $14.4 trillion in revenue, plus another or her health, monitor the movement $4.6 trillion in savings to industry and and health of livestock, provide global government. That’s $19 trillion, greater tracking and communications, manage than the GDP of many countries. The ben- energy use in buildings, and even operate efi ts the IoT provides can be seen in every sophisticated industrial equipment from area that relies on technology, as well as remote locations. Our intelligence and many that traditionally have not. A few industrial abilities in the era of the IoT will examples: be limited only by our imaginations; we will have the data we need to accomplish The amount of municipal solid waste almost anything we can envision. generated around the world is expected In the philosophical sense, the IoT is also to reach 2.2 billion tons annually by 2025, part of a movement. It’s been evolving almost double the amount recorded in for more than a century, from our fi rst 2012. The cost of handling this waste will ability to communicate with each other be about $375.5 billion per year. However, instantaneously by radio. The early days by changing the traffi c patterns of garbage of the Information Age quickly showed trucks and installing sensors in garbage us how important data gathering could cans to identify when they are full and be to the success of an operation. The IoT should be picked up, U.S. cities alone can

■ 230 THE INTERNET OF THINGS

save $10 billion in waste management personal information) to data entered costs. actively during the site visit. In addition, Unscheduled maintenance events are most transactions a person conducts while responsible for about 10 percent of all fl ight out in the world have the potential to be cancellations and delays in commercial recorded and added to databases, and these aviation, costing $8 billion per year. transactions, when merged with other col- According to Marco Annunziata, chief lected information, can be interpreted using economist at General Electric, preventive computer algorithms. Even when the data maintenance systems can allow airplanes, are anonymized, many people believe their while in fl ight, to communicate with privacy is violated by such usage. In his technicians on the ground so that when book Future Crimes, Mark Goodman writes, the plane lands, the technicians already “Data brokers get their information from know what needs attention. These systems our Internet service providers, credit card are self-learning and can predict issues issuers, mobile phone companies, banks, that a human operator may never see, credit bureaus, pharmacies, departments of helping prevent more than 60,000 delays motor vehicles, grocery stores, and increas- and cancellations every year. ingly, our online activities. All the data we On the personal scale there’s Amazon’s give away on a daily basis for free to our Dash button. The idea is a perfect example social networks . . . are tagged, geo-coded, of how the IoT works at the micro and sorted for resale to advertisers and level. The buttons are simple wireless marketers.” devices with the logos of consumables manufacturers, about the size and shape For example, in a well-publicized case of a thumb drive. A Dash button for a from 2012, mega-retailer Target analyzed detergent could be attached to a washing purchasing records to predict when machine. When the supply of detergent women may be pregnant and even is low, the consumer need only press when they were due. The company then the button, and another bottle is ordered mailed pregnancy-related coupons to through Amazon Prime. Amazon and the women’s addresses. The program other developers are also working on IoT came to national attention when a high devices that sense when the supply of a school student received the coupons at consumable is low, and order the item her family’s home, alerting her father automatically, without the consumer even to her condition. Although embarrassing being aware of the act. for the young woman, Target’s use of the information gathered was legal under ■ IoT privacy issues the Fair Credit Reporting Act, which One of the keys to IoT advancements, of allows “fi rst parties” to perform in-house course, is the interconnectivity of informa- analytics on collected data. tion sources and their recipients. The infor- During the Women’s Mini Marathon held mation is often used in the commercial in Dublin, Ireland, last year, Symantec realm for monetization strategies, and by security researcher Candid Wueest stood the government to target security threats, on the street and stealthily monitored each of which leads inevitably to concerns data from the activity trackers worn by about privacy. In many cases when human hundreds of runners. The data included beings are the sources of this information, everything from their names and they do not even know they are acting as addresses to the type of device they were such. Virtually every site a person visits on wearing and the passwords for those the Internet in return gathers information devices. about that person, from data stored on the In a 2013 case, a British man discovered computer being used (such as location and that his LG smart TV was clandestinely

231 ■ CYBERSECURITY BEYOND YOUR NETWORK

transmitting viewing information back to our networks.” As connectivity grows expo- the South Korean manufacturer, as well nentially, so do the possibilities for security as reporting the contents of devices, such breaches. Any device in the IoT that stores as a USB drive, that were connected to information, whether it contains Internet or the TV. LG claimed the information was TV viewing preferences, credit card num- used, as in the Target case, “to deliver bers, health information, etc., can become a more relevant advertisements and to target. The proliferation of devices that are offer recommendations to viewers based part of the IoT means that the number of on what other LG smart TV owners access points to a system is limitless. are watching.” However, the man, an Don’t think that just because a device has IT consultant, discovered that the TV a limited function—such as a smart light- transmitted the information whether the bulb, a FitBit, a smart toilet, or a thermostat— system setting for “collection of watching that it holds no attractiveness for hackers. Put info” was set to on or off. enough of these connected devices together and cyber criminals can create a botnet, a According to a report on privacy and security network of processors that can be used to released by the Federal Trade Commission in facilitate large, repetitive tasks, such as gen- January of 2015, one company that makes an erating passcode possibilities. IoT home automation product indicated that Also of great concern is the potential to fewer than 10,000 households can “generate cause physical damage and harm to indi- 150 million discrete data points a day,” or viduals and property. The FTC report con- approximately one data point every six sec- tains claims by company researchers of the onds for each household. Another participant ability to hack into a self-driving automo- in the report noted that “existing smartphone bile’s built-in telematics unit and control the sensors can be used to infer a user’s mood; vehicle’s engine and braking. Another claim stress levels; personality type; bipolar disor- involves the ability to access computerized der; demographics (e.g., gender, marital health equipment and change the settings so status, job status, age); smoking habits; over- that they are harmful to the patient. Through all well-being; progression of Parkinson’s the medical device hijack attack vector disease; sleep patterns; happiness; levels of (MEDJACK), the TrapX Labs security team exercise; and types of physical activity or has identifi ed that in many cases, medical movement.” Such “sensitive behavior pat- devices themselves are the key entry points terns could be used in unauthorized ways or for health-care network attacks. Devices as by unauthorized individuals.” diverse as diagnostic equipment such as CT scanners and MRI machines, life support ■ IoT security issues equipment including medical ventilators The IoT is subject to the same security risks and dialysis machines, and even medical as traditional computer systems, but the lasers and LASIK surgical machines are typi- issues, unfortunately, don’t stop there. Like cally delivered to medical facilities wide any storage aspect of the Internet, security open for attacks that can compromise device vulnerabilities can be exploited to compro- readings and operations, not to mention put- mise sensitive information. Rick Dakin, CEO ting people’s health and lives at risk. of Coalfi re in Boulder, Colorado, says that A recent Hewlett-Packard report noted “while headlines about cybersecurity usually that 70 percent of IoT devices contain security focus on the changing threat landscape, a vulnerabilities. Some of these weaknesses greater concern is the evolving technology pertain to the current differences in commu- landscape. Most people rapidly connect nication standards, as developers seek to unsafe devices to their networks with no make their devices compatible with all types thought to security, and the Internet of of systems—an aspect of the convergence Things will accelerate the contamination of factor mentioned earlier. Although many

■ 232 THE INTERNET OF THINGS

companies are working on standardization goals because the payoffs, if they are success- protocols, the issue will not go away anytime ful, are huge—such as global economic or soon. Sensitive commercial, industrial, and even military dominance. Looking at the sit- government information is at risk, and that uation in this way helps validate the actual risk will likely grow as the IoT develops, threat these actors represent and can in turn before measures suffi cient to mitigate that stimulate companies and governments to risk propagate. As Rod Beckstrom, the former mount a more adequate defense. CEO of ICANN, said in his Beckstrom’s Law: ■ Addressing the issues If it’s connected to the Internet it’s hackable. The U.S. Congress, since 2012, has pro- Everything is being connected to the posed more than 100 pieces of legislation Internet. related to Internet security and privacy. Therefore, everything is hackable. Only a couple were actually signed into law, but continuing security incidents, such Putting all the security aspects together, as as the breach of Sony’s network and subse- some cyber criminals apparently already quent hostage-taking of one of its movies, have, and the risks that accompany the have created greater awareness of security growth of the IoT can seem frightening. issues that will surely prompt more Hackers have become so sophisticated in attempts at legislation and regulation. In their tactics that some are creating databases fact, as of this writing, at least 10 pieces of from the information gathered in previous legislation are being considered on Capitol attacks, which can enable them to defeat Hill. In its report, the FTC endorsed strong, common security measures. For example, in fl exible, and technology-neutral general the successful breach of more than 100,000 legislation but added that IoT-specifi c leg- taxpayer returns fi led electronically with the islation would be premature, as the fi eld is IRS in 2014, the attackers were able to cor- still in its early stages of development. rectly answer security questions that the They would prefer to see industry adopt taxpayers themselves had selected, simply self-regulatory practices. by cross-referencing information collected in At the corporate or company level, previous breaches of other organizations’ though, there is much decision makers can information. do now to address security and privacy con- Put a nation-state or other global entity cerns. Much of that involves adopting a behind such efforts, and the risks to sensitive forward-thinking attitude about the IoT and information in the IoT mount exponentially. its role. In commerce, as well as in politics and war, entities make decisions based on what they First is to understand that the IoT is not a believe is in their best interests. This is espe- possibility or a projection of the future—it cially true in the case of state and large non- is a reality. It is here now and will only state actors. It’s helpful to think of their continue to grow and affect every facet of efforts to infi ltrate technological and security our world. information not so much as instigated by an The IoT carries with it many risks and evil intent or ideology, but as motivated by challenges; it’s the companies and the survival and practical success of their organizations that address those issues entity—the concept of realpolitik updated for head on that will survive. Conventional the twenty-fi rst century. They have a vested approaches to network security will likely interest in hacking information systems that have to be rethought. goes far beyond simple greed. It means they Companies and organizations should stay are unfazed by potential punishments or up to date with evolving vulnerability repercussions and have the willingness to assessments and advancements in commit resources and effort towards their security solutions. This also applies to

233 ■ CYBERSECURITY BEYOND YOUR NETWORK

administrators and executives, who security measures and to guard against should become fl uent in the language that the unauthorized access of sensitive describes IoT capabilities, trends, and risks information. so that they can make more relevant and responsive decisions for their shareholders Remember that IoT security is not a battle and customers. Administrators should that can be won and left behind. It is a war attend conferences and industry events that will be fought for the foreseeable future— when possible as well. the proverbial marathon versus a sprint. Standardization of security protocols in Keep in mind also that the IoT challenges the IoT space must be made an industry- we face mean a tremendous opportunity for wide priority. fresh thinking. The future of the Internet, When breaches to networks do occur, it’s which carries with it the future of our world, is important to notify consumers quickly so ours for the making. If you’ve read Isaac that they can protect themselves from the Asimov, you know that he was visionary misuse of their data. about the future of technology. In his science Such breaches should also prompt fi ction composed in the 1940s, he wrote, “No industry-coordinated action to address sensible decision can be made any longer with- the vulnerabilities exposed and propagate out taking into account not only the world as it industry standards. is, but the world as it will be.” That realization Companies can give themselves some is more important now than ever before degree of protection also by entering into because someday soon we’ll almost certainly legal agreements with IoT vendors to ask why things aren’t connected to the Internet provide adequate, tested, and updated rather than why they are connected.

■ 234 SecurityRoundtable.org Incident response

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Working with law enforcement in cyber investigations U.S. Department of Justice – CCIPS Cybersecurity Unit

The decision to call law enforcement, or to respond to a law enforcement inquiry, during a cyber incident can be a harrowing moment for a company’s executives and board members. Fear of losing control of key systems, of the investigation’s course, or over sensitive company information are often given as reasons for caution or even to forego cooperation altogether. However, working with law enforcement need not be fearsome. With early planning, clear communications, and an understanding of law enforcement’s roles and responsibilities, law enforcement and private companies can partner successfully on cyber investigations.

■ Law enforcement’s role in cyber investigations Law enforcement’s roles and responsibilities in a cyber incident vary depending on the nature of the incident, the suspected perpetrators, and the desires of the victim. Although every investigation is different, law enforcement agencies working on cyber investigations are trained to understand company concerns and to incorporate their needs into the investigation’s goals. Although a primary law enforcement goal is to protect public safety and national security, agencies have evolved to do this in a way that does not cause further harm to the victims of a cyberattack.

■ Why work with law enforcement? The fi rst question that may come to mind in the hours after a cyber incident is why a company should work with law enforcement at all. After all, it introduces another source of management challenges to an already diffi cult working environment. However, working with law enforcement can have signifi cant benefi ts:

Agencies can compel third parties to disclose data (such as connection logs) necessary to understanding

237 ■ INCIDENT RESPONSE

how the incident took place, which can and work with companies on timing. Law help a company better protect itself. enforcement also has tools, including obtain- Investigators can work with foreign ing judicial protective orders, that can protect counterparts to obtain assistance that may sensitive information from disclosure during be otherwise impossible. investigations and prosecutions. Early reporting to and cooperation with If an investigation is successful and an law enforcement will likely be favorably indictment is contemplated, prosecutors will considered when a company’s response consider victims among other factors when is subsequently examined by regulators, making charging decisions. If a particular shareholders, the public, and other charge would place sensitive company infor- outside parties. mation at risk, for example, prosecutors may Law enforcement may be able to seek protections from the court or, if appro- secure brief delays in breach reporting priate, use alternative charges that can requirements so that they can pursue reduce that risk, while still serving the over- active leads. all interests of justice. A successful prosecution prevents the Sometimes, the best available course of criminal from causing further damage action in a cyber investigation may not be and may deter others from trying. pursuing an arrest of the perpetrator but Information shared with investigators rather disrupting the threat in some other may help protect other victims, or even way. For example, law enforcement has used other parts of the same organization, from combinations of civil and criminal tools to further loss and damage. disrupt attacks from ‘botnets’ designed to steal fi nancial information from companies Effective partnership with law enforcement and individuals. In other cases, pursuing the can be built into an overall response plan, fi nancial or technical infrastructure of a especially when companies understand law criminal organization will be the most effec- enforcement’s priorities and responsibilities. tive strategy. Other tools may be available to the government that work best in a particu- ■ Law enforcement’s priorities lar case. Whatever path is chosen, law and responsibilities enforcement’s aim is to consult regularly Law enforcement agencies, including the FBI with victims to ensure that the path chosen and the U.S. Secret Service, prioritize con- advances, rather than harms, the interests of ducting cyber investigations in ways that the victim as well as the public. limit disruptions to a victim company’s normal operations. They work cooperatively ■ Best practices for preparing for work and discreetly with victims, and they employ with law enforcement investigative measures that avoid computer Preparing to work with law enforcement is downtime or displacement of a company’s an essential part of incident planning. The employees. If they must use an investigative full scope of such preparation goes beyond measure likely to inconvenience a victim, what this chapter can cover. The CCIPS they try to minimize the duration and scope Cybersecurity Unit has published a short of the disruption. guide entitled Best Practices for Victim Law enforcement agencies also conduct Response and Reporting of Cyber Incidents, their investigations with discretion and work which covers this topic in greater detail. with a victim company to avoid unwarranted Some of the recommended preparations disclosure of information. They attempt to include the following: coordinate statements to the news media concerning the incident with a victim company Implement appropriate technology, services, to ensure that information harmful to a com- and authorizations. Investigations will be pany’s interests is not needlessly disclosed severely hampered if a business lacks key

■ 238 WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS

information needed for law enforcement cultivates information sharing that helps to develop and pursue leads early. victims and law enforcement. Ensure that intrusion detection systems Law enforcement agencies, including the and network logging tools are in place, FBI and U.S. Secret Service, have established as well as the banners and other legal regular outreach channels for companies authorizations necessary to use them. that may be victims of cyberattacks. These Identify the information, services, or systems include the following: that are most essential to your business operations. Knowing and communicating FBI Infragard chapters and Cyber Task this information to law enforcement Forces in each of their 56 fi eld offi ces early in an investigation will be crucial to U.S. Secret Service’s Electronic Crimes prioritizing early investigative steps. Task Forces Determine who will work with law Computer Hacking and Intellectual enforcement. Law enforcement may Property coordinators and National need essential information about your Security Cyber Specialists in every U.S. systems and what you have learned Attorney’s Offi ce about the attack to pursue ephemeral leads. Designating a person or group as a Incorporating these resources into your principal liaison to law enforcement will planning can pay dividends in the hours ease this process and allow others in your after you discover that you may be a victim company to focus on other immediate of an attack. priorities. This person or group should Victims may wonder which law enforce- be authorized to gather necessary ment agency is best to call when they face a information and communicate it to law cyberattack. Although agencies have differ- enforcement agents. ent areas of expertise, they work together to Ensure that legal counsel are familiar with ensure that there is ‘no wrong door’ for vic- key legal and technology issues. Cyber tims. As agencies follow leads and develop investigations often raise diffi cult legal information about the likely attacker, they issues relating to privacy and monitoring. understand and can bring together expertise Legal counsel who are familiar with your from across the government to ensure that systems and with legal principles in this the investigation is pursued aggressively area will be able to navigate these issues using all appropriate tools. with law enforcement counsel more quickly. These counsel can work with ■ What to expect when law enforcement your company’s law enforcement liaison knocks on your door to ensure that information is collected and Often, a company will not be the fi rst to transferred lawfully and appropriately. know that they have been the victim of an intrusion or attack. Law enforcement may ■ Calling authorities for assistance discover additional victims as they investi- Optimally, your fi rst contact with law gate an intrusion into a single entity. When enforcement will not be in the throes of a this happens, agencies typically reach out to crisis. Companies should establish relation- these additional victims directly. ships with their local federal law enforce- A primary goal in such contacts is to ment offi ces before they suffer a cyber ensure that additional victims get the infor- incident. Having a point-of-contact and a mation necessary to mitigate harms and pre-existing relationship with law enforce- secure their systems. At the same time, ment facilitates any subsequent interaction understanding the victim’s business, the that may occur if an organization needs to information that it processes, and its rela- enlist law enforcement’s assistance. It also tionship with other entities can help agen- helps establish the trusted relationship that cies better understand the relationship

239 ■ INCIDENT RESPONSE

among a series of thefts and the possible damage and response costs for loss and res- motivations for a given cyberthreat. titution purposes. Cyber intrusions are rarely isolated to a When contacting law enforcement or single victim, and law enforcement collects communicating within the company, compa- examples of common techniques and prac- nies should avoid using systems suspected tices from cyberthreats that can assist vic- in the compromise. Such actions may pro- tims in securing their systems. For example, vide a key tip to attackers that they have knowing that a particular group of criminals been discovered. To the extent possible, enters systems through a common vulnera- companies should use trusted accounts and bility but once inside patches the original systems for communication about the inci- vulnerability while introducing several more dent and be wary of attempts to gather infor- can be crucial information for victims. By the mation about the investigation via ‘social same token, knowing that a group is focused engineering.’ on a specifi c version of a common software package or is targeting a particular industry ■ Network forensics and tracing can help law enforcement narrow down a One way that law enforcement conducts list of possible perpetrators. investigations is through network forensics and tracing. Although it is occasionally pos- ■ Realities of cybercrime investigations sible to follow a “hot lead” when an attack is Not surprisingly, the realities of cyber ongoing, investigations more often depend investigations differ from their portrayals on a careful examination of network logs. in movies and television. Agents are rarely, Because company systems are often complex if ever, able to trace an intrusion in pro- and interrelated, investigators must consult gress instantly, nor do they often identify a with the system administrators who are perpetrator from halfway around the world experts on critical systems to identify where quickly. Instead, such investigations often information necessary to developing leads require painstaking assessment of histori- will be stored. Such consultations can prove cal log fi les, a long-term understanding of diffi cult if all system personnel are working key motivations of likely attackers, and intently on rebuilding security or restoring collection of evidence using exacting legal critical systems. processes. Companies can help with this by reserving a few experts whose job it is to work ■ Cooperation with law enforcement with law enforcement and to identify critical in the investigation logs and other information that can be used Robust cooperation with law enforcement in to identify leads for law enforcement. These the early hours and days of an investigation experts will be particularly important if the is essential to success. Agents likely will threat is believed to be an insider who has have many questions about the intrusions stolen trade secrets or other sensitive infor- and the overall confi guration of the system. mation, because the most important evi- Beginning from the time the intrusion is dis- dence is likely to be on internal systems. covered, companies should make an initial assessment of the scope of the damage, take ■ Working with outside counsel and private steps to minimize continuing damage, and forensic fi rms begin preserving existing logs and keeping Companies experiencing a severe cyber an ongoing written record of steps under- incident often turn to outside legal counsel taken. Such documentation is often essential and private forensic fi rms to assist them. to understanding the scope of the intrusion Such entities can provide substantial sup- at the inception; it can also be essential much port and expertise, based upon their experi- later in the prosecution, as companies assess ence assisting other victims, and can guide

■ 240 WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS

companies through diffi cult legal and tech- provide an internationally recognized nical issues relating to system monitoring, means for exchanging evidence. response options, and breach notifi cation. If a suspect is identifi ed overseas, law Having ready access to advice from lawyers enforcement has a range of options to obtain well acquainted with cyber incident justice for the victim. Extraditing the suspect response can speed decision-making and to face charges in the U.S. is a traditional help ensure that a victim organization’s means, but the process can be lengthy, and incident response activities remain on fi rm many countries refuse to extradite their own legal footing. nationals. In such cases, prosecutors in the An additional benefi t is that legal and U.S. may work with their counterparts forensic fi rms often have established connec- abroad to ensure an appropriate prosecution tions with law enforcement agencies and are in the suspect’s home country. Other options familiar with the information that they will may be available depending on the case. likely seek and understand the cyberthreats Because these choices often implicate victim that they are investigating. Far from a interests, prosecutors frequently consult replacement for law enforcement, these enti- with victims before undertaking major inter- ties are often a crucial link between law national investigative steps. enforcement and victims. ■ Victim rights and expectations ■ International issues Victims of cyber incidents—including corpo- Because of the unbounded nature of com- rate victims—have established rights under puter networks and hence of cyberthreats, federal law. The specifi c victim rights and cyber investigations often cross international the responsibilities of prosecutors and law borders. A prime advantage of working with enforcement are described in the Attorney law enforcement on a cyberthreat investiga- General Guidelines for Victim and Witness tion is that it has the tools and capabilities to Assistance (2012), which is available on the broaden an investigation to include foreign Department of Justice’s public website. partners and collect foreign evidence. Victim rights typically attach at the time that U.S. law enforcement agencies recognize charges are fi led, and include the following: the international opportunities and challenges and so have worked to build investi- the right to notice of public hearings in gative and prosecution capabilities around the prosecution the world. The U.S. and other countries have the right to be reasonably heard at such entered into international treaties, most hearings prominently the Budapest Convention on the reasonable right to confer with the Cybercrime, to ensure that there is an ade- attorney for the government quate legal foundation for investigations the right to full and timely restitution as into cyberthreats. Investigative agencies provided in law. have trained cyber agents who regularly work alongside their foreign counterparts on Beyond these mandatory rights, investiga- investigations. tors and prosecutors in cyber cases strive to Many times, direct police-to-police inter- ensure cooperation with and support to the national cooperation will be the fastest way victim, to pass key information back to vic- to get information necessary to advance an tims to support their security and recovery investigation. More formal processes, such efforts, and to work to ensure that the victim as Mutual Legal Assistance requests, are is not further harmed by the investigation used when evidence needs to be in a form and prosecution. usable in prosecutions. Although they are Although law enforcement cannot disclose often slower than direct assistance, they every aspect of an ongoing investigation,

241 ■ INCIDENT RESPONSE

especially when such sharing may implicate ■ Active defense, hacking back, and potential other victims, companies should expect that liabilities law enforcement will communicate with Companies undergoing a cyber attack may them regularly. Information fl ow should not be tempted to “hack back” and attempt to be a “one-way street” to law enforcement. access or impair another system that appears ■ to be involved in a cyber intrusion or attack. Legal considerations when working closely Although that temptation is certainly under- with law enforcement standable in the heat of an incident, doing so As useful as it can be to cooperate with law is often illegal under U.S. and foreign laws enforcement, it is also crucial that companies and could result in civil or even criminal understand and delineate their role in the liability. Many intrusions and attacks are investigation and exercise care before they launched from already compromised sys- take on roles that may effectively make them tems, precisely to confuse the identity of the agents of law enforcement. For example, true actor. Consequently, hacking back may companies are generally permitted under damage or impair another innocent victim’s U.S. law to monitor their own systems to system rather than that of the intruder. protect their rights and property. Usually, This does not mean, however, that com- that information can be shared with law panies cannot engage in “active defense” enforcement once they arrive on scene. If within their own systems. For example, law enforcement begins directing the reacting to cyberattacks by changing net- response, however, different authorities and work confi gurations or establishing “sand- limitations typically apply. boxes,” in which companies place realistic The law relating to law enforcement but false data to distract intruders from more monitoring is complex and goes beyond sensitive data are active steps that can be what can be discussed in this chapter. In taken to help defend systems. Law enforce- general, companies should carefully delin- ment agencies can help identify other proac- eate between actions undertaken by the tive steps that companies may be able to provider for its own purposes and those undertake to protect their systems. undertaken at law enforcement’s behest. If possible, companies should set out the facts and their understandings relating to ■ Conclusion such monitoring in writing shared with the Effective cybersecurity and cyber investiga- investigating agency. More information on tions are essential to protecting company this topic can be found in Chapter 4 of the assets and public safety in our increasingly Department of Justice’s manual Searching networked world. A close and respectful part- and Seizing Computers and Obtaining nership between companies and law enforce- Electronic Evidence in Criminal Investigations, ment when cyberattacks occur is an impor- which is available from the Department’s tant aspect of both. Planning for such coop- website. In addition, a sample letter relat- eration in advance and carefully delineating ing to company monitoring that can be the roles played by company representatives, used by company counsel is included as law enforcement, and outside experts greatly Appendix G of that manual. enhances the likelihood of success.

■ 242 SecurityRoundtable.org Planning, preparation, and testing for an enterprise-wide incident response Booz Allen Hamilton – Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate

Cyber incident management is happening at your organization right now. In fact, it’s happening every day, all day. Sometimes a cyber breach requires very little response; for example, it may be a benign attempt by a curious but harmless hacker to see if your network can be accessed. For large companies, this kind of attack can happen hundreds of times in a week. You probably never even hear about it from your IT department because those small incidents aren’t worth your attention. They are easily eradicated; usually, just deleting the malicious email is enough, so they hardly cause any irreparable harm. But what happens when it is a not-so-small breach? What happens when your intellectual property is stolen, or your employees’ personal records are exposed? What if your e-commerce website goes down for a day? Those incidents you will hear about, and that moment is not the time to fi gure out what to do. Of course, every situation has its own nuance, but at a foundational level, every organization, regardless of size, geographical location, or industry must have an incident management plan. One that includes participation from organizations and staff throughout the enterprise. Effective cyber incident management happens in phases; it is not just about a response. Planning and preparing, or “steady-state” activities are just as important, if not more important than responding to a breach. To truly be ready for any kind of cyber incident, organizations need C-level support for smooth incident management coordination. This is supported by a plan that is thorough, easy to understand, and widely tested.

243 ■ INCIDENT RESPONSE

Fill in the blank: During a major cyber breach, the fi rst thing I do is ______HINT: The answer is not to wait for instruction from the IT department. If you can’t answer, imagine whether your legal department could. How about HR department? Or corporate communications team or VP of sales? They all should; they’re all impacted by cyber incidents, so they have a role to play.

This chapter will focus on the following: The C-suite must understand and enforce organization-wide roles in cyber incident incident response responsibility for the management. Everyone—corporate commu- C-Suite and the business nications, legal, business unit leaders, and so key considerations for cyber incident on—has a role to play. They may not even management plans know it—so it is important for leadership to testing a plan stress their responsibility in these efforts. enabling plan adoption across the enterprise In addition to collaborating with the CISO and truly understanding the incident man- ■ Incident response for the C-Suite and beyond agement capability, stay on top of current Cyber incident response is often thought of cyber risks. They change all the time—phish- as an IT department function. This assump- ing becomes spear-phishing becomes pharm- tion could be a costly mistake. Businesses in ing, for example. Not only that, some are their entirety are connected to the Internet. exclusive to certain industries. Product secu- As such, a cyber breach can happen any- rity risks vary from retail. Retail varies from where within the business, ranging in sever- automotive. However, one thing is certain— ity, complexity, and impact. Relying on the all parts of the business have evolving cyber IT department alone to be ready for any risks. By staying on top of cyber risks, you manifestation of a cyber incident would be can incorporate them as part of your enter- an unfair if not impossible expectation. prise-wide risk management strategy. Which IT security, typically led by a chief infor- would do the most harm? Which are most mation security offi cer (CISO), needs to be likely? Anticipating and preparing for all empowered by the C-Suite so they can coor- kinds of cyberthreats doesn’t mean sitting on dinate cyber incident response activity among edge all the time. It requires simple demon- all the impacted organizations and staff—this stration of good steady-state behavior— requires the facilitation of good working rela- which is the fi rst phase of any incident man- tionships during non-crisis times. One way agement lifecycle, so a key section of an to do this is for the CISO and the CEO to con- incident management plan. nect on cybersecurity trends frequently. The CISO has responsibility for assembling the ■ Putting together the cyber incident right team, making sure the right technology management plan architecture is in place, and for reporting Cyber incident management is constant; it cybersecurity issues upward. In a show of happens in phases, and an actual incident partnership, C-level leadership should enable lifecycle is only one part of it. the CISO to improve the organization’s inci- Shown in Figure 1 is a full lifecycle for dent management capability. incident management.

If you are starting from scratch, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a good reference point. It was created in collaboration between public sector and private industry.

■ 244 PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSE

FIGURE

Threat Intelligence Crisis Communication

Prepare Communication & Stakeholder Prevent

Event Lifecycle Management

Detect

Respond

Remediate

There is a caveat, however: incident how people, process, and technology work management lifecycles do not fi t neatly together in harmony across the whole enter- into a calendar. They overlap, phases are prise. And, once the plan is created, it repeated, and truly, “Preparation” and requires consistent support from the C-level “Prevention,” or steady-state activities are to ensure adherence by the whole organiza- happening all the time, even in the midst of tion. The plans must be tested and updated an incident. frequently to make sure they keep up with When the steady-state activities are done changes in threats, tools, and resources. well, it makes an organization resilient and better able to bounce back after a breach occurs. ■ Testing the plan Short of being the victim of an actual intru- ■ Elements of planning sion, testing your incident response pro- A good cyber incident management plan gram is paramount to understanding how considers the whole enterprise, and it well your business would fair during a real considers more than just the technical incident. Many organizations pay for aspects of incident response. When plan- expensive tools, documentation, and con- ning for cyber incident management, sultation but are unable to replicate any of responsibilities and activities can be organ- their strategies because they are not pre- ized and integrated by three categories: pared to use them. Executives should people, process, and technology (Table 1). understand that an incident response pro- Each of these things should be consid- gram with an always vigilant, always ready ered in the context of your organizational team is the greatest defense to a cyber intru- philosophy to risk management. Policies sion and will reduce risk and increase con- that help mitigate risk—such as acceptable fi dence. use policies and data handling policies—can Assessing an organization’s incident be used as governing authority for cyber response program can provide a clear vision incident management planning. into their future, showing would happen if a Although an incident management plan cyberattack occurred and delivering insight starts with the CISO, the rest of the business into what works and what does not. There units should follow suit. Drafting an initial are several benefi ts to testing an organiza- plan requires substantial effort to integrate tion’s incident response plan:

245 ■ INCIDENT RESPONSE

TABLE

People Process Technology

In the main incident An incident Technology aids the management plan, management plan incident response consider how the should include process—from incident management a process and vulnerability intake team is structured procedure for every to understanding the and staffed. Is it phase of the incident security controls on composed of people management lifecycle. your electronic assets already in your IT to facilitating quick department or are communication. At a there some roles that basic level, there should need to be fi lled? Staff be automated process should have the mix for incident handling—if of skills necessary your organization is still to orchestrate the using manual incident strategic and technical tracking systems, you are sides of an incident overdue for a technology response. investment. Consider also the The plan should be Threat and vulnerability touchpoints from the supported by runbooks, detection technology can IT department into the which are tactical mitigate the impacts of rest of the organization. guides that address a cyber breach. Beyond Make sure you know specifi c incident basic, more sophisticated who will provide you scenarios most likely data analytics tools with the information to affect your business. provide complex, you need to make Make sure the processes customized statistics critical decisions in the are updated per a that can help measure midst of an incident. determined frequency the business impact of Finally, keep in mind to refl ect evolving a breach, among other the partnerships cyberthreats. capabilities. internal and external— such as vendors and media—to the organization that must be built prior to an incident that would enable the smooth coordination of incident response.

■ 246 PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE INCIDENT RESPONSE

Steady-state activities should be the heftiest part of your plan. Your IT department is always monitoring your network, but you’d be surprised how often organizational cybersecurity relies on the human eye and manual processes. Your IT team could use your support to enhance their capability, for example: Automated tool development Asset management Threat detection ability Trend analysis Wargaming and tabletop exercises

Keeping the program relevant and at the strategy can apply to an incident response forefront of cybersecurity: reducing risk program. Although many organizations have and increasing executive confi dence plenty of documentation surrounding their Understanding current knowledge and program, they sometimes rarely review or tool gaps update it. The cybersecurity landscape Increasing work performance and effi ciency changes every day, which leaves an under- to reduce cost and time spent resolving an reviewed program in an incomplete state, incident. becoming more irrelevant as time passes. Employing specialized third parties to review ■ Testing methods an organization’s program on a regular basis Testing entails far more than just making can assist in maintaining an up-to-date, risk- sure employees are trained on tools and averse program. procedures, they have to be able to detect, Strategic simulations, also known as war contain, and remediate active incidents— games, can simulate numerous possible situ- real or fi ctional—and the only way to do ations in which their program will be that is by managing realistic situations. applied. These scenarios ask participants to There are a variety of ways to provide sce- use their current technological and process narios that can test an organization’s inci- knowledge to solve situations ranging from dent response program. the exfi ltration of organizational intellectual Using a “red team,” or a group whose property to a large phishing campaign purpose is to simulate a cyber adversary, is requesting employee information, to an a way to covertly test the response to an enterprise-wide denial of service—halting actual adversary. Only employees with a productivity, sales, or transactions. War need to know will be aware of a red team’s games also help an organization to craft sce- activities, so to the organization’s incident narios in which teams that do not typically responders, the scenario is treated like an communicate with one another have to actual incident (without the loss of capital). cooperate to solve problems. This is espe- Results from these exercises can be shared cially helpful when senior leadership is with executives, providing an overview of involved—it helps illustrate major decision strengths and weaknesses to tweak the pro- points and clarifi es the business impact of gram and try again. various cyber breach scenarios. Engaging specialized third parties to Although developing, preparing, and review an incident response program can implementing the incident response plan is validate program elements. It’s often said that essential, making sure all of that work is a second set of eyes can fi nd fl aws in a docu- functional and as effi cient as possible is vital ment that the author overlooked. This same to having a successful incident response

247 ■ INCIDENT RESPONSE

program. By implementing tests such as red is why corporate communications can help team exercises, war games, and regular craft the appropriate messaging. reviews, an organization can understand In addition to internal messaging, make what may happen if they are an unfortunate sure cyber incidents are incorporated into victim of a cyberattack and, maybe, through the organization’s crisis communications solutions implemented through test fi nd- capability. Just as corporate communications ings, prevent a real incident. would be on hand to protect the brand’s image during an emergency, they should ■ Internal and external communications similarly have a crisis communications plan planning for a cyber incident. As a part of that, ensure Once the plans have been written and tested, that the right spokespersons are media it’s important to keep up momentum and trained prior to an incident. continued awareness about cyber risks. Just as the IT department is constantly engaged ■ The inevitable cyber breach in cyber incident management, so too must It’s hard to estimate the cost of a cyber inci- the staff throughout the organization—albeit dent. Undoubtedly, the longer that busi- with regard to their own personal role. ness operations are affected—production is Enlist the help of your corporate commu- stalled, websites are down, IP is stolen, and nications department to help with cyberse- so on—the cost climbs higher and higher. curity awareness messaging that is tailored Having a plan that is pervasive enterprise- for all staff. Messaging should help employ- wide that uses a tested, all-staff approach ees stay attuned to cyberthreats that could can help resolve cyber incidents quicker. affect them, as well as how they can play a Given that cyberthreats are present all the part in keeping the organization secure. time, an incident is all but inevitable. Keep in mind that “cyber” may not resonate Fortunately, incident response planning with staff outside the IT department, which can mitigate the impacts of such an event.

■ 248 SecurityRoundtable.org Detection, analysis, and understanding of threat vectors Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist

■ Rapidly evolving cyberthreat landscape Cybersecurity and cyberattacks are no longer emerging issues. Over the past three to fi ve years, the complexity of cyberthreats has increased dramatically, and the nature of cyberattacks has evolved from the theft of fi nancial data and intellectual property to include recent destructive attacks. Organizations now face increasingly sophisticated attacks from adversaries using multiple threat vectors and cunning strategies to penetrate the security perimeter. Although the 2008 TJX data breach has long been assumed to be the turning point in board of directors’ awareness of cybersecurity, it took the 2013 Target breach to have an impact on the boards’ agenda. Faced with the possibility of loss of data and intellectual property, decreased shareholder value, regulatory inquiries and litigations, and damaged reputations, boards are realizing that cybersecurity is no longer just an IT issue but one of strategic risk. Corporate directors understand that they must become more involved in addressing cyber risks; however, cybersecurity is a new and highly technical area that leaves many corporate boards uncertain as to how to proceed. Research from the Ponemon Institute reveals that 67 percent of board members have only some knowledge (41 percent) or minimal to no knowledge about cybersecurity (26 percent). Although board members realize that they need to invest in cybersecurity, such a lack of knowledge is affecting their ability to respond to cybersecurity risk and provide proper oversight.

■ Understand the adversaries Cybercrime is big business, and sophisticated cyber criminals are playing for high stakes. However, motivations among the groups may differ:

Hacktivists often seek to damage the reputation of an organization and cause disruptions.

249 ■ INCIDENT RESPONSE

Organized cyber criminals include couple of years, organizations are now fac- international crime syndicates targeting ing a new challenge. Cybercrime has organizations largely in the fi nancial advanced to include cyber warfare and cyber services and retail industries for fi nancial terrorism as nation-state actors have moved gain. Although there are a number of from disruptive to destructive attacks. players, this arena is dominated by Experts predict that cyberattacks will loosely knit teams of attackers located in intensify as cyber criminals accelerate their Eastern Europe. activities. Organizations face a world of State-sponsored espionage threat actors continuous compromise. It is no longer a deploy targeted malware in stealthy, question of whether the company will be multi-stage attacks, sometimes called breached, but when. Ponemon research, advanced persistent threats (APT), however, shows that board members gener- targeting intellectual property. At risk is ally lack knowledge about cybersecurity anything that may be of value, including breach activity within their organizations. business plans and contracts; trading One in fi ve, for example, was unaware if the algorithms; product designs and business organization had been breached in the processes; trade secrets; client data; lists recent past. of employees, customers, and suppliers; Although larger organizations are gener- and even employee log-on credentials. ally able to recover from a signifi cant breach, providing that negligence is not a factor and As attackers have sharpened their skills and excessive liability is avoided, sustaining expanded their techniques over the last operations over the course of two or more

Blurring lines of attack It used to be that the tactics employed by Eastern European cyber criminals were relatively unique compared with those used by hackers deploying state-sponsored APT attacks to target intellectual property. Cybercrime experts are now seeing a blurring of the lines of attack, which has caused some forensics teams to misidentify the adversary. For example, researchers from two forensics fi rms investigated an attack on a global credit card processor for two months without success, convinced that it was an APT attack. It wasn’t until the fi rm brought in a new forensics team that they were able to identify the attack as originating from Eastern Europe and stop the breach.

Corporate espionage leads to company downfall Cyberattacks aimed at stealing intellectual property can put a company out of business. A classic example involves Nortel, a telecommunications giant that was the victim of a decade- long low and slow attack wherein hackers used seven stolen passwords to extract research, business plans, technical papers, corporate emails, and other sensitive data. The attack was discovered by an employee who noticed unusual downloads that appeared to have been made by a senior executive. The company changed the compromised passwords but did little else beyond conducting a six-month investigation that yielded nothing. In the following years, the company reportedly ignored recommendations to improve network security. Analysts speculate that the extensive cyberattacks on the technology company ultimately contributed to its downfall. The company continued to lose ground to overseas competitors and ultimately declared bankruptcy.

■ 250 DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS

extended breaches would be considered a Internal employees present at least as big huge challenge. Clearly, cybersecurity has an exposure for companies as do external become an increasingly challenging risk that attacks. There is increasing recognition that demands both corporate management and the activity of employees with privileged board attention. To provide the proper risk access and administrative rights must be oversight, the C-level leaders and board monitored, controlled, and audited. Part of members are advised to work closely with IT the concern is not necessarily that the security leaders to examine the threat envi- employees go rogue and become insider ronment and how adversaries are attacking threats, which certainly has to be considered, peer organizations. but that hackers target the credentials of system administrators because they grant unfet- ■ Understand the threat vectors tered system access. To guard against the use The fast pace of cloud, mobile, virtualization, of compromised credentials, organizations and emerging technologies present opportu- should implement the concept of least privi- nities to gain operational effi ciencies, deploy lege for employee digital rights, especially innovative business models, and create new for those with administrative rights. markets. However, as companies increasing- Determined attackers use a variety of ly digitize valuable assets and move opera- approaches to exploit system vulnerabilities tions online, the risk of cyberthreats grows and penetrate virtually all of a company’s even greater. In today’s digital world, perimeter defense systems. Threat vectors employees are increasingly interconnected used to compromise an organization can and leverage a variety of mobile devices, include network intrusions, compromised applications, and cloud platforms to conduct websites and web applications, malware, business in the offi ce, at home, and “on-the- targeted “spear phishing” and other email go.” Mobile applications, email, WiFi net- attacks, Trojans, zero-day exploits, social works, and social media sites are just some of engineering tactics, and privilege misuse. the vulnerable access points that attackers This dynamic nature of the cyberthreats seek to exploit. presents ongoing challenges to companies Not only are employees increasingly inter- and boards as every possible threat vector connected, but organizations are as well. must be addressed. Boards and corporate management must consider the extended attack surface and the ■ Detect advanced threats potential security risks associated with third Like any business risk, cybersecurity risk parties such as suppliers, transaction proces- must be calculated and then mitigated sors, affi liates, and even customers. Not to be through the use of specifi c types of controls, overlooked are law fi rm partners, as they such as fi rewall, antivirus, intrusion detec- hold data relating to an organization’s confi - tion, and other similar solutions. However, dential operations and trade secrets. no network is so secure that hackers won’t

Questions to ask about risk Who are our most likely intruders? What is the biggest weakness in our IT systems? What are our most critical and valued data assets? Where are they located? Do we consider external and internal threats when planning cybersecurity programs? Do our vendor partners have adequate security measures? Do we have suffi cient contractual clauses regarding such security? What are best practices for cybersecurity? Where do our practices differ? Have we created an incident response plan?

251 ■ INCIDENT RESPONSE

fi nd their way in. Once in, they can go for on the automated threat-detection capabili- months, even years, without detection. ties of numerous disparate solutions. Because deeply embedded hackers can be However, this overreliance on technology extremely diffi cult to eradicate, the challenge alone to address security threats can cause is to detect these threats as soon as possible. organizations to lose sight of the bigger threat Unfortunately, organizations are hard picture. pressed to match resources with cyber crimi- Organizations also jeopardize their ability nals. Similar to a game of “whack-a-mole,” to detect advanced threats through a failure once organizations get on top of one type of to fully integrate the security solutions into attack, the cyber criminals simply evolve the entire network defense infrastructure. their tactics. Often security technologies are deployed A solid cybersecurity governance pro- with default settings, resulting in many false- gram is vital to getting ahead of cybercrime. positive alerts. Many times organizations Unfortunately, there is a gap in the percep- overlook the human element. Organizations tion of governance effectiveness between can’t depend on technology alone to defend board members and security professionals. networks. Detecting advanced threats Ponemon research indicates that 59 per- requires a risk management program that cent of board members believe the corpora- includes technology, people, and processes. tions’ cybersecurity governance practices Board members should ensure that security are very effective, whereas only 18 percent budgets include funding for security experts of security professionals believe so. This who can understand the risk, interpret the gap in perspective has to be closed if organ- alerts, and act on the intelligence. izations are to improve their ability to face increasingly stealthy and sophisticated ■ Anticipate attacks cyber risks. Today’s threat actors conduct detailed reconnaissance and develop custom malware in ■ Robust, constant monitoring is key to detection an effort to penetrate networks. It’s diffi cult The saying, “You don’t know what you don’t to know when an attack will happen. A know” is especially true in cybersecurity. dynamic threat intelligence capability helps Robust, constant network monitoring is vital to ensure that organizations can anticipate to uncovering threats. Any number of solu- breaches before they occur and adjust their tions are available that enable organizations defensive strategies. to monitor network activity. Because the vol- Widespread sharing of threat intelli- ume of network traffi c combined with gence among security professionals can increasingly complex networks defi es manual empower organizations to detect threats threat analysis, many organizations often rely more effi ciently and effectively and avoid

Dismissed security alerts lead to massive breach A large retailer became the victim of a major data breach. The retailer had invested hundreds of millions of dollars in data security, had a robust monitoring system in place, and had been certifi ed as PCI compliant. Despite the investment, the company failed to completely deploy and tune the monitoring system. The system could have been confi gured to remove malware automatically, but because the software was new and untested, the feature was deactivated. A small amount of hacker activity was surfaced to the security team, evaluated, and acted on; however, the team determined it didn’t warrant further investigation. Several subsequent alerts were either ignored or lost in the noise of hundreds of false-positive alerts. It wasn’t until the Department of Justice warned the company about suspicious activity that the retailer began investigating the activity.

■ 252 DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS

cyber attacks. At one end of the threat intel- on cybersecurity matters into the boardroom ligence spectrum are indicators of compro- include the following: mise (IOC). Integrated from several sources and typically shared through an automat- Periodic briefings from in-house ed, continuous, real-time threat intelligence specialists data stream, IOCs provide information on “Deep dive” briefi ngs from third-party malicious code and malicious web pages experts, including cybersecurity fi rms, that hackers are using. government agencies, and industry At the other end of the threat intelligence associations spectrum are threat advisories, which pro- Guidance from the board’s existing vide big picture analysis of current security external auditors and outside counsel, issues posing risks to enterprises. Such advi- who will have a multi-client and industry- sories typically feature an overview of the wide perspective on cyber risk trends threat, a risk assessment, indicators, and and how the organizations’ cyber defense mitigation strategies. program compares with others in the industry ■ Build board cyber literacy Director education programs, whether As boards become more involved in cyberse- provided in house or externally curity, they should address cybersecurity Periodic exercise of the incident response risk as they would other types of business plan to include board members. risk. To be effective in leading their organizations with the right knowledge, oversight, ■ Empower the chief information security and actions, boards need a base level of offi cer understanding of cybersecurity risks facing Boards have a responsibility to manage the organization. However, organizations cyber risks as thoroughly as possible. One are challenged with what is the best way to critical element in providing effective over- build this board cyber literacy. sight is to empower the chief information Many boards already have some form of security offi cer (CISO) to drive security oversight when it comes to cyber exposure, throughout the organization. In many organ- generally in the audit committee or risk izations the CISO’s role is subordinate to committees specifi cally tasked with enter- that of the chief information offi cer (CIO). prise IT security and emerging risks. To Directors should be mindful that the agenda gain a deeper understanding of the relevant of the CIO is sometimes in confl ict with that issues surrounding cyber risk, some organi- of the CISO. Whereas the CISO is focused on zations are adding cyber expertise directly data and network security, the CIO is focused to the board via the recruitment of new on supporting business processes with directors. However, because nominating applications and networks that have high and governance committees must balance availability. many factors in fi lling board vacancies, Recognizing that business strategies that there is a concern that it may take a long lack a security component increase vulner- time for boards to achieve the proper board abilities and place the organization at risk, composition. the CISO must have a strong, independent In addition to board composition, direc- voice within the organization. To accom- tors point to a lack of available time on the plish this, the board must ensure that the agenda to discuss cybersecurity as a road- CISO is reporting at the appropriate levels block in becoming cyber literate. Although within the organization. Although there is board members are not expected to be cyber- no single right answer, the trend has been security experts, they need access to exper- to migrate reporting lines to other offi cers, tise to help inform boardroom discussions. including the general counsel, the chief Ways to bring knowledgeable perspectives operating offi cer, the chief risk offi cer, or

253 ■ INCIDENT RESPONSE

Questions to ask about cyber literacy and CISO empowerment Are we considering cybersecurity aspects of our major business decisions, such as mergers and acquisitions, partnerships, and new product launches? Are we allocating enough time for cybersecurity on the board agenda? Are we continuously monitoring and regularly reporting on governance compliance, maturity level, progress of information security, and data privacy projects and activities, as well as the status of incidents, risks, and issues within the organization? Are they used for active oversight? Do we have clear lines of accountability and responsibility for cybersecurity? Is the information security management function organizationally positioned at the appropriate level to effectively implement policies? Is the cybersecurity budget adequate? Are we investing enough so that we are not an easy target for a determined hacker?

even the chief executive offi cer, depending cybersecurity as part of the organization’s on the industry, size, and scope of the com- strategy will leave their fi rms open to signifi - pany, and the organization’s dependency cant fi nancial, reputational, and competitive on technology. risk. The overwhelming number of cyber inci- ■ Conclusion dents has forced board members to become The threat landscape is rapidly evolving as more involved in cybersecurity, which is as it well-funded cyber criminals continue to should be. However, to be effective, much launch increasingly sophisticated attacks education is still needed. Board members through multiple threat vectors. Cybersecurity don’t need to be cyber experts, but they will continue to pose a serious risk that will should have a thorough knowledge of the demand corporate management and board risks their organization faces and provide attention and oversight. Boards that fail to the support needed to the IT security profes- actively measure and continuously monitor sionals to protect against those risks.

■ 254 SecurityRoundtable.org Forensic remediation Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services

When a data breach occurs, directors and C-level executives must be ready with an incident response and remediation plan to minimize the damage, limit the company’s liability and exposure, and help the company resume normal operations as quickly as possible. Incident response preparedness, however, varies greatly. Although some organizations are well prepared, sometimes even companies that have invested millions of dollars on preventive and detection systems fall short in responding to and remediating data breaches. Frequently, it’s because the organization hasn’t fully developed the relationships and processes necessary for rapid and coordinated response. Companies that have been compromised must act quickly to investigate and remediate the breach while preserving all electronic evidence. Ascertaining what data were lost, destroyed, or stolen is paramount because it enables companies to determine their risk exposure and potential liability. Beyond digital forensic preservation, investigation, and containment, the complexities of breach remediation require notifi cation of a broad range of third parties and engagement with law enforcement. By engaging breach resolution experts that provide forensics services, litigation support, and crisis communications, organizations can more effectively combat today’s sophisticated cyberthreats.

■ Assemble a cross-functional response team Effective investigation and remediation of a data breach requires an understanding of the cyber adversary and specialized forensic skills that most IT staffs lack. When a company that does not have its own internal security team experiences a cyberattack, it is vital that the fi rm hire experts who are experienced in digital forensics, incident

255 ■ INCIDENT RESPONSE

response, and remediation. Engaging an specialized skills and credentials that independent and impartial breach response internal teams lack fi rm: law enforcement liaison: serves as liaison with law enforcement, such as the Secret provides the technological expertise and Service, Federal Bureau of Investigation, industry knowledge to fully remediate and Department of Justice the incident attorney-client privilege: engaging ensures integrity in incident response and outside counsel secures the privilege creates a defensible record of investigation needed to protect internal communications and remediation from discovery by any opposing party enables the organization to maintain and during pretrial investigation and from secure attorney-client privilege for the being used as evidence in a trial; also, reports and other investigative documents. invoked privilege allows the forensic company to report breach results directly Breach response also requires that an organi- to the law fi rm zation have a well-prepared internal inci- leadership advice: leadership of any dent response team. Companies that suffer a organization falling victim to a data breach breach without having established such a instinctively seeks to minimize costs and team often waste valuable time trying to get take shortcuts in incident response; by organized and assign responsibilities, stall- quarterbacking the investigation and ing the breach remediation process. The remediation, outside counsel often proves team should include representatives from IT, invaluable in providing a strategy and security, legal, compliance, communications, helping C-level leadership and directors risk management, and affected business to hold themselves to the course of action. units. In addition, it is important to involve a member from the executive leadership ■ Control breach communications team to ensure that business considerations Ultimately, all communications about the are addressed and to maintain the remedia- breach have the potential to leave an organi- tion momentum by ensuring rapid approval zation open to legal liability. Outside breach on courses of action when needed. counsel should therefore oversee all breach communications. This includes facilitating ■ Engage outside legal counsel conversations between members of the inci- The legal ramifi cations of a data breach can dent response team and organizing external be devastating, ranging from litigation and communications. regulatory investigations to civil liabilities Internally, getting the right information to effects that may include shareholder and the right people at the right time can make or customer-driven lawsuits. Because inside break breach incident response efforts. When counsel lacks the specialized cyber exper- members of the response team are working tise that is needed for effective breach with incomplete, inaccurate, or different sets response, it’s vital that an organization of information, it can lead to costly ineffi - identify, vet, and retain outside counsel that ciencies, delays, and errors in breach has the ability to respond on a moment’s response. Outside counsel is well positioned notice. The benefi ts of outside counsel to know the types of conversations that must include the following: happen between incident response team members to keep efforts on track. Similarly, specialized skillsets: cyberattack breach counsel knows what hazards are investigations require a team of lawyers likely to arise with external communications. with regulatory, data-breach response, It is also vital that organizations engage a privacy, litigation, and eDiscovery crisis communications fi rm to handle all expertise; outside counsel brings the external communications. Because such

■ 256 FORENSIC REMEDIATION

Vetted investigation report vital to external communications When faced with a data breach, the instinct is often to go public as quickly as possible to get ahead of the situation. However, to avoid public announcements backfi ring and making an already bad situation worse, leadership would do well to wait for confi rmation of breach status from the incident response team. On occasion, they even get to give their client good news. Case-in-point is a large blood donor system involving multiple hospitals and universi- ties. The organization was maintaining a database of 90,000 donors when it noticed indications of hacker activity in the network. Already under media pressure for physical loss of sensitive data, leadership was under- standably concerned about reducing negative publicity by being proactive in its communications. They agreed to give the response team the time needed to conduct an investigation, and fortunately so. It was determined that the indicators were actually false-positive alerts. By synching the communication cycle with the progress of the investigation, the organization was able to avoid falsely alerting 90,000 donors that their data was at risk.

communications have either positive or neg- prepare and pre-coordinate a contingency ative lingering effects, it’s important that all announcement in case their hand is communications be carefully composed and forced. Crisis communications fi rms also carry the right tone. have the media relationships that can Just as important, there is nothing worse enable the rapid response necessary in than having to publically recant information. these situations. In deciding whether to release a statement, organizations should consider the following: ■ Partner with law enforcement and seek their assistance Is there accurate information to report? Seeking assistance from law enforcement Executives, feeling pressure to go public, can be extremely valuable in data breach may disclose key facts only to retract investigations because these agencies are the statement at a later date. Waiting continuously following the digital trail of until a report from an external forensic cybercrime. Law enforcement can play a response fi rm has been reviewed can vital role in providing indicators of compro- help organizations maintain accurate mise (IOCs) observed in similar breaches communications. that may be linked, thus providing the inci- Is disclosure within a specifi c timeframe dent response and forensic team with key required? Timing of disclosures often data to search for and fi ll in missing pieces in is dictated by statutory and regulatory the breach investigation. Attributing a single requirements. Several state breach laws, breach to a specifi c attacker or hacker organ- for example, require notifi cation upon ization is often diffi cult, but when you look discovery or without reasonable delay. at the IOCs provided by law enforcement Here, outside counsel often can be across multiple hacks, this task often invaluable in providing justifi cation to becomes much easier. delay an announcement until the facts Involving law enforcement is also prudent are solid. in that cyber criminals routinely hide behind Has the incident been leaked? However borders, and bringing them to justice remains it occurs, leaks by journalists or postings a challenge. The U.S. government is increas- in the blogosphere can accelerate ingly partnering with foreign governments a company’s disclosure timeline. It is and international law enforcement agencies critical that fi rms experiencing a breach in efforts to prosecute malware creators and

257 ■ INCIDENT RESPONSE

Collaboration with law enforcement takes down hacking ring Monday mornings can hit hard for many people, but for a major payments processor, one particular Monday morning packed a punch. In a brazen move, a global network of thieves had breached the processor’s network. As a result of the hack, the gang was able to generate debit cards and crack the ATM PIN codes. Once that was done, the gang withdrew millions of dollars over the weekend. By acting on information provided by the FBI, the forensic team was able to uncover additional details about the breach and advance the investigation to the point of identifying the culprits. Through cooperation from various law enforcement agencies worldwide, the investigation broke the sophisticated computer hacking ring and, for the fi rst time, resulted in a Russian court convicting hackers for cybercrimes committed in the United States via the Internet.

those who are engaged in cybercrime. If there terms of money, time, resources, and distrac- is any indication that the investigation may tions. Because regulators will have to be have an international aspect, federal law satisfi ed that the data breach has been com- enforcement may be able to expedite the pletely resolved, organizations should investigation. Law enforcement’s expertise in engage with regulators as early as possible gathering evidence and conducting forensic during the remediation process. analysis can be leveraged to ensure that the data can be used in future court proceedings. ■ Notify insurance providers Also, in some cases, organizations may be After a data breach, organizations can expect able to delay notifi cation requirements if it to see signifi cant costs arising from forensic would impede or interfere with a law enforce- investigations, outside counsel, crisis comment investigation. munications professionals, data breach notifi cation expenses, regulatory investigations ■ Alert industry regulators and fi nes, lawsuits, and remedial measures. Threat actors are neither attacking one insti- Such costs can quickly reach tens of millions tution at a time, nor are they quickly chang- of dollars in a few weeks. ing their methods. They often use the same Once an incident is determined to be a techniques on multiple institutions in multi- breach, it’s important to engage with the ple sectors. With the increasing number of fi rm’s insurance providers to evaluate the data breaches comes a renewed push for the insurance coverage and determine which sharing of cyber risk information between existing policies may cover the event; as the United States government and the pri- well as identify the necessary reporting vate sector to help individual organizations requirements. and industries as a whole better defend One of the challenges with cyber insur- against attacks. Because of their position in ance is the lack of standardization in terms the industry, regulators can be an important of coverage. From a broad standpoint most source of information on cyber threats, policies cover the initial incident response attacks, and trends. Information sharing and and investigation. Few, however, cover analysis organizations have made a resur- remediation. Because the policies vary gence and organizations can benefi t by seek- widely, general counsel and outside coun- ing their aid for insight on indicators of sel have to understand the details of the compromise during a data breach. policies to tailor an incident response Regulatory investigations have the poten- approach that maximizes the coverage. tial to represent a signifi cant challenge in Here, the outside forensics response team

■ 258 FORENSIC REMEDIATION

can also be invaluable in helping organiza- attack as hackers disperse their tools tions to articulate and justify cyber insur- throughout the network. This is especially ance claims. true in advanced persistent threat attacks, in which malware can remain dormant and ■ Conduct complete, focused digital forensics undetected for months. The remediation analysis phase is therefore critical to remove malware When a data breach occurs, organizations from infected hosts and prevent future reoc- need answers fast: Who was involved? How currences of the same or similar breaches. did they do it? What data was compromised? At one end of the remediation spectrum is What are the risks? Answers depend on the sequential eradication. Here, incident forensic analysis of digital evidence. Further, responders work to eliminate malware as the proper preservation of digital evidence is soon as it is discovered. This traditional crucial to demonstrate to regulators that rea- approach has the benefi t of lower costs and sonable security controls are in place or to reducing the risk of data loss. However, the prove wrongdoing in criminal prosecution. drawback is that the organization forfeits the However, organizations all too often are opportunity to learn about the hacker’s thrown into panic. Hasty decisions are made tactics and runs the risk of retaliation. Also, and evidence is lost. Here, directors should attackers may go quiet, making it more dif- look to outside counsel for guidance. Their fi cult to fi nd their tools and requiring that experience and focus on minimizing legal forensic investigators shift their efforts to liability make their advice about what should eradication. be considered evidence, and thus preserved, At the other end of the spectrum is invaluable. aggressive remediation, in which all reme- In the course of its forensics efforts, diation actions are executed simultaneously organizations typically encounter two across the entire network. If executed prop- challenges: erly, aggressive remediation precludes the hacker from detecting and reacting to the Limited scope of forensics. Many times remediation actions. This approach is called organizations fail to look beneath the for when an organization experiences surface in the hopes that a simple review repeated breaches by the same advanced will fi x the problem. Alternatively, they attackers or a breach has gone undetected may limit the scope of the investigation for weeks or months. Aggressive remedia- to mitigate the high cost of forensics. Such tion provides a better understanding of the actions may fail to uncover the true cause attacker’s tools, tactics, targets, and motiva- and extent of the breach. By exploring tions. Because this method fully removes all all potentially compromised systems, traces of the attacker’s tools, threats, and organizations can reduce the risk of vulnerabilities, including the attacker’s overlooking exposed system components. ability to re-enter the network, it minimizes Improper handling of evidence. retaliatory risk. A company’s internal IT staff may This approach allows the attacker to compromise the evidence even before remain active in the network during investi- forensic experts can preserve it. gation. Should they become aware of foren- Organizations must ensure that the sic activities, they could move quickly to a internal IT staff is mindful of proper destructive attack. Special forensic skills, evidence-handling protocol. extensive planning, and sophisticated execution therefore are required to avoid inter- ■ Focus on aggressive remediation fering with or alerting the attacker as to the When an organization experiences a data forensic efforts underway, as well as to breach, it is often diffi cult to determine the minimize the potential for damage and nature of the attack cycle and pathways of data loss.

259 ■ INCIDENT RESPONSE

Aggressive remediation outwits hacker mastermind “Please don’t lock the attacker out of the network.” Not the request that any CEO wants to hear, let alone the leadership of a major retailer that was under attack by a hacker mastermind who was stealing 45,000 credit cards every three days. Yet here was the Secret Service explaining that it was the best live investigation in three years, and that if kept alive, they would be able to track and identify the hacker—with a good chance of getting a conviction. Faced with the challenge of how to minimize the damage without alerting the attacker, the forensic team decided on the strategy of letting the attacker continue his efforts, but to change several digits of the credit card numbers the hacker was collecting. Other than actually trying to use the cards, the attacker would have no way of knowing he had stolen invalid card numbers. The ruse worked, allowing the team to keep the attacker alive in the network long enough to complete the forensic analysis and eradication. The attacker is now serving two 20-year jail terms.

■ The critical importance of network monitoring executing incident response activities, organ- If determined attackers want to get in, they izations are placing a priority on robust will fi nd a way. The real question is whether network monitoring to detect the extraordi- the organization will detect the breach. narily complicated threats hidden in the Unfortunately, the answer is, “Probably network. Once identifi ed, these threats not.” Advanced, targeted attacks focus on demand a host of remediation responses that quiet reconnaissance and infi ltration of their include forensic preservation, containment, victims’ network. Professional cyber crimi- expulsion, and remediation. Responding to a nals are so adept at cloaking their activities major breach correctly requires a team of that they routinely go unnoticed for months, outside forensic and legal experts partnered even years, without detection. with their internal incident response team. A Although defense-in-depth has long been well-defi ned incident response team includes hailed as a best practice, organizations are key staff functions and line of business man- now urged to improve their abilities to detect agers as well as C-level executives and cor- attacks that have succeeded. Robust network porate directors. monitoring is a strategically important ele- Experiencing a cyberattack is disruptive, ment in IT security and is crucial to deter- and combating the malware behind large mining if anything was stolen. By employing data breaches remains a constant challenge. robust network monitoring organizations Getting the right people involved and under- can maintain control, limit the damage, and standing the best way to effi ciently use them plan for an appropriate response. is essential to properly investigating and remediating the event while managing costs ■ Summary and extent of business impact. Board direc- Organizations have reached a pivot point, tors and C-level leadership must ensure that realizing that it is no longer a question of if their organizations are ready with a well the fi rm has been hacked, but an assump- thought out breach incident response plan to tion that it has. Faced with the new reality help minimize the organization’s liability of operating the business while potentially and exposure.

■ 260 SecurityRoundtable.org Lessons learned—containment and eradication Rackspace Inc. – Brian Kelly, Chief Security Offi cer

Cyberattacks continue to proliferate and show no signs of stopping. Information security is a business risk issue, and concerns over how to manage data breaches have moved beyond IT security teams to the C-suite and the board. Recognizing that attacks happen to the best of organizations, board directors are asking, “What can be done to minimize the damage?” Based on the experience of senior information security leadership servicing some of the largest data breaches to date, here are ten lessons that offer guidance in successfully containing and eradicating cyberattacks.

■ Cast incident response in the context of business risk Although the natural tendency has been to treat cyberattacks as a technical issue to be resolved by the security team, such attacks are serious business problems that can pose substantial risk to the business. Decisions made uni- laterally by the security team without an appreciation for strategic initiatives can have signifi cant implications for the corporation. To correctly characterize the risk and make the appropriate decisions to limit the liability to the company, cyberattacks and incident response must be put in the context of business risk. For this to happen, discussions with the board must be two-way conversations. CISOs have to translate the event or incident into business terms, at which point the board and leadership team can provide a point of view or strategic focus that may be vital to the incident. For example, the incident response team may be unaware of such considerations as M&A activity, clinical trials, and new R&D efforts. Through board-level conversations the response team can gain the necessary insight into the motives of an attacker and make a connection that may alter the investigation.

261 ■ INCIDENT RESPONSE

■ Seek unity of command The exercises also provide insights into the Unity of command is vital to respond to a following: cyberattack. However, not every incident requires the same command and control how and when to engage external structure. Careful planning should deter- partners mine in advance the level of management what can potentially go wrong during required based on the severity of the event the phases and identify those that require board atten- what types of communications are needed tion and corporate offi cer leadership. how to protect the incident response Similar to military operations, in which information fl ow that is for the response the general commands the day-to-day oper- team’s exclusive use ations of the military during peacetime, a how to bring other departments into the CISO oversees the day-to-day responsibili- investigation. ties and projects. During times of war, command shifts to the Joint Chiefs of Staff and Armed with such information, leadership designated war fi ghting commanders. The and board directors are better enabled to for- same holds true in a cyberattack. The inci- mulate questions and act on the information dent response leader takes control and to provide proper governance and oversight. leads the team through the steps necessary to respond to the incident. ■ Retain incident response teams and Effective command and control during outside counsel experienced in managing these times of crisis is critical. However, cybersecurity incidents when an incident is declared, people often When it comes to containment and eradica- come out of the woodwork to get involved. tion, it is vital that internal security teams Because time is critical, nothing can be understand their strengths and weaknesses. worse than senior executives trying to Often internal teams assume they can handle infl uence activity or wrestle control when the event and try to fi x the problems them- an attack is in progress. Slow response and selves, only to make matters worse by acci- uncoordinated containment activities can dentally destroying or tainting crucial evi- provide attackers with the time necessary dence. Organizations are therefore turning to move laterally in the network, creating to external counsel and forensic response an even more serious breach. It is therefore teams that can step in on a moment’s notice vital that command and control be clear, to respond to cyberattacks. understood, disciplined, and followed with Selecting the right counsel and forensic precision. team—especially those experienced in inter- To increase leadership’s understanding actions with law enforcement—can be the of the workings of command and control difference between success and failure. In and provide insight into the protocols and addition to benefi ting from their expertise, procedures of incident response, it is imper- involvement of an attorney allows organiza- ative that organizations rehearse the inci- tions to maintain attorney-client privilege. dent response plan at least annually. Because different phases of the incident Whether the activity is a mock tabletop response lifecycle require different capabili- exercise or a live-fi re drill, the rehearsal ties, such as evidence collection, forensic gives company leadership and directors a analysis, and malware reverse engineering, baseline understanding of the criteria used organizations should select teams that have to determine the severity of an event, the broad expertise. Established relationships lifecycle of an attack and incident response, with several teams is wise because the scope and the goals for each phase of the lifecycle. and magnitude of an incident may require

■ 262 LESSONS LEARNED—CONTAINMENT AND ERADICATION

more than one forensics team. Having rela- interact with internal personnel, query the tionships with several partners provides a forensic investigators, analyze the fi ndings, fallback. and provide the perspective that the board The worst time to fi nd a partner is during and senior management need for decision an incident. In addition to running the risk making. Many fi rms use outside counsel with of no fi rm being available, the breached experience in guiding incident response oper- company is faced with paying rates that are ations to perform this trusted advisor role. non-negotiable and entering into a diffi cult relationship that often leads to protracted ■ Employ good case management practices investigations. Selecting and vetting cyber No one ever fully knows how an investiga- response teams in advance allows the team tion will evolve. Even if it is unlikely that a an opportunity to learn about the fi rm’s security event will become public or that the operational practices and environment. The investigation will end up in a court of law, forensics team can come up to speed quickly directors should assume that it could and and hit the ground running. In addition to take the appropriate actions from day one. It the qualitative advantage, selecting partners is vital to follow good case management in advance provides a quantitative advan- practices and do everything possible to pre- tage in that you can pre-negotiate rates and serve forensics evidence—from the fi rst indi- terms that are acceptable to both parties and cation of the event through to the comple- begin the relationship on a positive note. tion of the investigation. Organizations also should look to engage a Evidence is perishable and can be tainted. trusted advisor to provide independent Organizations that are slow to engage the advice to directors and offi cers regarding the appropriate forensics partners run the risk of security incident. Faced with pressure to potentially destroying, tainting, or missing defl ect accusations or make things look better key evidence that could be crucial in the during an event, internal staff may report later stages of the investigation. By asking only what is necessary or skew information. the question, “Should this go to court; what An impartial trusted advisor knows how to do we need to do from the moment we start

Make sure you have the right forensic team Forensic services fi rms provide highly specialized resources that can cost tens of thousands of dollars. An inexperienced team, or one lacking the proper evidence collection, forensic analysis, and incident response skills, may not only cost an organization in terms of time and money but also jeopardize the success of mitigating the attack by inadvertently destroying or tainting evidence. It may be time to bring in a new team if the forensics team: is unable to put a big picture together that includes the scope of the breach as well as the sequence and path of movement has no clear plan for collection of evidence is unable to distinguish between evidence that is “need to have” and evidence that is “nice to have” takes a checklist approach to incident response is grasping at straws after the fi rst couple of weeks is unable to scale efforts if needed is unable to provide guidance and stand fi rm in communications with clients, regulators, and other stakeholders fails to understand or exercise proper chain of custody.

263 ■ INCIDENT RESPONSE

this investigation to present a solid case?” customers, answer to the press, respond to organizations can limit their liability down regulators, and defend the company’s con- the road and better position themselves for duct in parallel actions, such as a civil suit successful litigation. and a regulatory investigation. A company’s internal public relations ■ Adopt an outcome-based approach team knows much about the organization Some forensics organizations take a checklist but is not an expert in directing cyber breach approach to incident response. However, no communications. When multi-billion dollar two cyber events are the same, and incident payments and corporate reputations are at response is not a scripted process. Security risk, board directors and senior management teams operate under the fog of cyberwar, must take care to turn to independent, and decisions will be made under conditions impartial crisis communications experts. of stress, fatigue, and confusion in response Cyberattacks are distressing events. to seemingly random events. What is needed Those involved often have an emotional is an outcome-based approach to incident attachment or are too close to the incident to response, recognition that there are multiple be viewed as impartial in their communica- ways to achieve the outcome, and an under- tions. Independent experts provide the clear standing of what can go wrong. Normally, thinking and unbiased perspective that is outcomes are based on a specifi c list of ques- required to assist the company in all dia- tions that must be answered by the incident logues and announcements—from initial response team based on initial attack indica- notifi cation to worst-case communications. tions and regulatory responsibility. The team Further, the external team will be able to should be focused on answering these ques- ensure that once communications are initi- tions during the investigation. Investigators ated, such as notifying customers of a breach, who are experienced in outcome-based inci- follow-up communications occur on a timely dent response are better able to focus on schedule. Often overlooked is the need to what matters, form hypotheses, take action manage negative nonverbal communica- based on the type of attack and observable tions that may be sent to internal and exter- facts, and pivot should something go wrong. nal parties as a result of actions taken by the During the course of containment and response team. For example, shutting down eradication, it is expected that attackers will a website or requiring password changes take new action based on the security team’s sends a clear message that something has efforts. One model that can be used to pre- happened. The communications team must vent enemies from gaining the upper hand manage these types of communications as is the “O-O-D-A Loop”: Observe, Orient, well. Finally, in addition to being able to Decide, and Act. This model provides a articulate what is happening, it is vital that method for making informed decisions and the crisis communications team stands fi rm acting based on feedback from various in its mission to protect the company by sources. Recognizing that attackers are doing advancing the facts in the face of unjustifi ed the same, the key is to tighten and accelerate assertions or incorrect accusations. the OODA Loop, leveraging people, process, and technology to move faster than the ■ Be prepared for containment adversaries. to affect business activities Incident containment has two major compo- ■ Hire impartial, independent spokespersons nents: stopping the spread of the attack and for crisis communications preventing further damage to hosts. During The stakes for immediate and effective cri- the containment effort, organizations should sis communications throughout an investi- be prepared to shut down or block services, gation have never been higher. During a revoke privileges, increase controls, and cyber crisis, a company may need to notify place restrictions on network connectivity

■ 264 LESSONS LEARNED—CONTAINMENT AND ERADICATION

and Internet access. Such activities can affect people and processes into consideration, business processes dramatically by restrict- technology actually can create more coming organizational functions and work plexity, consume more resources than it fl ows; therefore, the decision to perform returns, and deliver only incremental value. such actions should never be one sided. In short, complexity is the enemy of security. Because business activities are dynamic, the Organizations must take a holistic decision to implement controls during con- approach to eradicating and closing the tainment always should include a two-way security gaps. This may necessitate new discussion with business process owners processes and policies, new services and and company leadership. It is vital that technologies, and additional personnel. organizations have strategies and proce- Skimping on cybersecurity may result in dures in place for making containment- much higher costs down the line. Board related decisions that refl ect the level of directors should be prepared to increase acceptable risk to the organization. security budgets and can be fi rm but fair in maintaining their fi duciary responsibility by ■ Focus on people, process, and technology requiring the right justifi cation from the during eradication security team. Malware detection and eradication can be an expensive and time-consuming process, as ■ Share information with others malware can lie dormant in a system for who can benefi t months and then activate again. Although it The fact that hackers have breached the com- is easy and tempting to apply a quick fi x in puter systems is the kind of news that no the heat of the incident, attention must be organization wants to reveal. Corporate given to fi nding and fi xing the true root leadership worries about attrition of custom- cause. Here, the natural tendency is to lead ers, negative press, and diffi culties with with a technology solution. With new secu- partners that may occur if news of an inci- rity tools comes the belief that the problem is dent leaks out. However, for the good of the solved. The reality is that, without taking industry, the sharing of incident details may

Attacker gains the upper hand—once When the cyberattack happened, it caught everyone by surprise, but it shouldn’t have. It was just a matter of time, because the organization had a high level of technology debt, the IT security lacked alignment with the business, the business unit failed to understand its level of risk and necessary controls, and the organization had given minimal attention to rehearsing incident response. It took the organization more than 48 hours to detect the breach. Then, several days passed before they realized the event was bigger than what could be handled internally. The delay in detection and slow action to call in security experts allowed the attackers to move quickly through the network, expand their footprint, and ultimately affect more than twenty customer environments. The investigation and recovery lasted for about four months, with costs totaling in the millions. Sensing easy prey, the attacker returned in several months. This time the organization was prepared. The technology debt had been paid, resulting in a stronger foundation and improved security monitoring. IT security was well aligned with the business, and the business unit understood and accepted its risk and controls. More important, the organization had rehearsed incident response scenarios. This time the attack was detected in minutes. The internal response team was able to shut the attack down in a matter of minutes with little cost and no risk to the business or customers.

265 ■ INCIDENT RESPONSE

be precisely what is needed. Cyberattacks Are the risk defi nitions correct? are the new normal and security breaches no Did we manage the command and control longer carry the stigma that they once did. effectively? What is important to recognize is that Did we bring the right people in at the cyber criminals use the same attacks over right time? and over again. By using the same code with Did we think about everything properly slight modifi cations, cyber criminals achieve from a risk perspective, business effi ciency in their efforts while driving their perspective, communications perspective, costs down. By sharing information with oth- and customer perspective? ers who can benefi t, such as other companies within the industry sector, the U.S. Computer ■ Summary Emergency Response Team, and cybersecu- No matter what precautions are taken, no rity researchers who may be able to assist, organization is immune to cyberattacks. organizations can help protect others while Organizations must have a comprehensive driving up the adversary’s costs. incident response team that includes external incident response and forensic analysis, ■ Debrief following an event to capture lessons outside and in-house counsels, and public learned relations fi rms in place prior to any breach What is worse than a big public breach? A event. These partners provide incident second big public breach. Because the han- response forensics, legal and crisis commu- dling of cyberattacks can be extremely expen- nications assistance; and will manage the sive, organizations may fi nd it helpful to incident in conjunction with the organiza- conduct a robust, non–fi nger-pointing assess- tion to mitigate the damage and return the ment of lessons learned after major cyberat- business to full operational capacity as tacks to prevent similar incidents from hap- quickly as possible. Unfortunately, the pening in the future. Capturing the lessons worst time to fi gure out how to respond is learned from the handling of such incidents during an actual incident. Making the plan should help an organization improve its inci- up on the fl y in the middle of a crisis only dent handling capability. Questions to ask leads to mistakes that aggravate the situa- include the following: tion. Lines of communication, roles, and identifi cation of decision makers must be Why did this happen? known before a breach occurs. Tabletop or What could have prevented it? similar exercises that include C-level man- Did we classify the event at the correct agement and board directors should be risk level? carried out to help organizations practice What were the indicators that drove the incident responses and stress-test their event classifi cation? plans.

■ 266 SecurityRoundtable.org Cyber incident response BakerHostetler – Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate

Most security experts acknowledge that a dedicated and well-resourced attacker will eventually fi nd a way to break into a company’s network. Sophisticated attackers are not the only threat—fi nancially or politically motivated individuals with less-than-average skills also have been able to compromise companies. Faced with an ever- increasing number of endpoints to guard, online access management issues related to cloud services and vendors, budgetary constraints, and the fact that systems are built and maintained by individuals (who are fallible), companies are recognizing at an increasing rate that a security incident involving the unauthorized access to its customer, employee, or sensitive business data is inevitable. How are companies responding? By taking a series of measures to become ‘compromise ready,’ including developing an incident response plan. Proper preparation for an incident enables a company to be better positioned to respond in a way that mitigates risk and pre- serves relationships. In addition, how a company responds infl uences whether the company experiences a drop in revenue or faces a regulatory investigation or consumer litigation. This response can signifi cantly affect a company’s reputation. Offi cers and directors are tasked with ensuring that their company’s incident response strategy is appropriate and adapts to the constantly changing threat landscape. They also have a role in overseeing the response to an incident. Incidents often arise just prior to an SEC reporting deadline, and companies that are caught unprepared may not be positioned well to withstand any subsequent scrutiny over their disclosure decision. In this chapter we discuss the underlying state and federal notifi cation obligations that are implicated by

267 ■ INCIDENT RESPONSE

potential incidents along with best practices to ensure that the various team members developed from our experience in helping understand their role and authority to companies respond to more than 1,000 make decisions. potential events. Although these laws are a Categorization. Provide a simple structure critical part of a response, responding to an for classifying events by severity (e.g., incident is not just a legal issue. Being low, medium, high) and risk to “level set” viewed as handling the incident well the team regarding urgency, escalation to involves also an effective communications the C-suite, and level of engagement of response. the representative groups on the incident response team. ■ Incident response best practices Response protocol. Provide a fl exible frame- A company’s incident response should be work for executing the eight key steps guided by a plan that has been tailored to the of incident response: (1) preparation, company’s industry and fi ne-tuned through (2) identification, (3) assessment, mock breach exercises. The response plan is (4) communication, (5) containment, a critical element of the crisis management (6) eradication, (7) recovery, and strategy—not because it provides a prescrip- (8) post-incident. tive, detailed list of action items, but because Third parties. Identify key third parties it has been refi ned and practiced through that will assist the company, including tabletop drills. A good plan outlines a fl exi- external privacy counsel, forensics, crisis ble framework of the general steps that must communications, mail and call center be taken to prepare for, respond to, and vendor, and credit monitoring. recover from a security incident. An incident response plan must be fl exible enough to Once the plan is created, test the plan for adapt to the particular security incident the gaps and provide training for the incident company is facing (e.g., network intrusion, response team. External privacy counsel denial of service, account takeovers, mal- often conducts these exercises, sometimes in ware, phishing, loss of paper, employee conjunction with the primary forensic fi rm data, security vulnerabilities detected by and crisis communications fi rm. Most com- third parties, or theft of assets). panies choose to use a hypothetical scenario that they would consider to be the most Identify the internal incident response likely catastrophic incident they may face team. Identify team members from (e.g., a payment card event for a retailer) fol- critical departments (e.g., IT, IS, legal, lowed by subsequent, periodic testing using communications, internal audit, HR, risk different scenarios (e.g., service disruption, management, business lines), describe employee data). their roles, and defi ne how and when No two incident scenarios are the same, they will be activated when a potential so there is not a one-size-fi ts-all, turnkey incident is identifi ed. solution to incident response. There are, Identify who will lead the incident response however, critical factors that drive a success- team. Companies approach this in different ful response. ways. For some, the IT and IS groups play a signifi cant role. At highly regulated Notify and assemble incident response team companies, legal and regulatory members members and begin the investigation. Don’t will be integral to the response. Because panic when a security incident arises. Be some issues go beyond the technical methodical, but swift, in your response. response, being a good project manager is Assemble the incident response team probably one of the key traits a company members and notify them of the security should look for when deciding who will incident. If a member of the C-suite is lead the group. Practice drills also help not on the team, there must be a direct

■ 268 CYBER INCIDENT RESPONSE

connection to the C-suite so that decisions such helpful information when fi ling a can be approved in a timely fashion and motion to dismiss. the response team can move forward with Determine any legal obligations and comply. the investigation. It is useful to appoint a Experienced outside privacy counsel that security incident manager; often this is is well versed in incident response can someone with strong project management help the company quickly and accurately skills who can move the process forward determine the state, federal, and in a productive way working alongside international privacy and security laws outside privacy counsel. Once the team and regulations that may be implicated is assembled, it should initiate an internal by the security incident. Complying with investigation into the security incident, these laws is sometimes a balancing act and depending on the potential severity that requires a company to consider other of the incident, daily progress calls should factors. Engaging outside privacy counsel be scheduled. who understands how the regulators Identify and fi x the issue. Conduct an initial view these laws, as well as the challenges analysis of the reported incident and companies face in responding to these focus on getting quickly to a point where types of incidents, is critical. Outside the internal and/or external computer privacy counsel must be a partner with security fi rm can develop and implement the company in the response. There is no an effective containment plan. If news of one-size-fi ts-all approach. the incident is going to become public, at Communicate with the public and report least the company will be in a position to the incident response team. During the to say that it identifi ed and blocked the course of the investigation and response, attack from continuing. The company can there should be constant communication then turn to identifying the full nature among incident response team members. and extent of the attack. Working with Periodic reporting meetings are useful. internal resources, at least initially, is very In addition, offi cers and directors should common; however, consider bringing in receive reports that provide essential facts external security fi rms when the company and plans for responding to the security is facing capability, credibility, or capacity incident. It is critical to have outside issues. counsel involved in the communications Gather the facts and let them drive the plan to preserve any privileges that decision-making. Resist the pressure to may attach to communications. Further, communicate about the incident too early develop a ‘holding statement’ for or to be overly reassuring. Focus on the executives to use when communicating investigation. Institute a plan early on with the media, affected individuals, and for collecting all available forensic data— shareholders. Also, consider creating hardware, devices, database activity, and a website and using a call center to system logs—and transfer it to a safe keep affected individuals apprised of location for subsequent analysis. Create developments. a timeline of events surrounding the Eradicate remnants of the security incident security incident and the actions taken and recover business operations. When by the company. Structure additional the security incident and any resulting investigation and response efforts damage have been contained, develop based on the information gathered a plan to eliminate the vestiges of the and the scope of the incident. Work to security incident, restore the company’s include any favorable fi ndings in public assets, and return your business to communications; notifi cation letters are normal operations. Ensure that the often attached to class action complaints threat created by the security incident is and therefore a company can rely on any eradicated.

269 ■ INCIDENT RESPONSE

■ Potential legal issues and obligations In addition, certain federal laws such as The issues caused by the ‘patchwork quilt’ the Health Insurance Portability and of state breach notifi cation laws in the Accountability Act (HIPAA) and the United States receive a lot of attention and Gramm-Leach Bliley Act (GLBA) require feed calls for a single federal law that pre- companies to notify affected individuals. empts any inconsistent state laws. However, Under HIPAA, notifi cation is required within most incidents, especially for incidents in 60 days and a failure to provide timely that affect individuals across the country, notice will likely result in an investigation differences across state breach notifi cation that may lead to a fi ne. Timely notifi cation laws rarely make a difference in how the enables consumers to exercise self-help in company responds. Complications do arise monitoring their payment card, bank when only a few state laws are implicated, accounts, and credit reports to prevent fraud. such as when one state does not have a By reducing the likelihood that consumers “risk of harm” trigger that allows a compa- will be subject to fraud, a company can also ny to determine that notifi cation is not reduce the likelihood of future suits based required but the other states do. There are on the data breach. no decisions from courts describing how to interpret and apply these laws. There are Reporting state attorneys general who have certain In addition to providing notifi cation of a interpretations regarding the timing of noti- data breach to affected individuals, a com- fi cation and others who have well-known pany also may be required to report a data ‘hot button’ issues, neither of which are breach to other individuals and entities evident from reading the text of the notifi - under certain state and federal laws and cation law. industry guidelines. Law enforcement: Law enforcement can Notifi cation be helpful during an investigation, but it Typically, a security incident becomes a data should be brought in at the appropriate time. breach when there is unauthorized access to Telecoms and fi nancial institutions have spe- unencrypted personally identifying infor- cifi c guidelines regarding reporting to law mation (PII), which is generally a person’s enforcement, but most industries do not name associated with his or her Social have similar regulations. Typically, compa- Security number, driver’s license number, nies engage either the Federal Bureau of health and medical information, and fi nan- Investigation (FBI) or the United States cial information, depending on the state or Secret Service (USSS), although local law federal law. When a data breach occurs, all enforcement can be helpful in certain situa- states (except Alabama, New Mexico, and tions. Your outside privacy counsel should South Dakota) require that a company notify have established relationships with law the affected individuals that their PII has enforcement and understand when they been compromised. The breach notifi cation should be contacted. Although law enforce- laws of each state and the type of data that ment can be helpful with the investigation are considered PII vary between states and and communications with regulators, keep can create multiple and sometimes inconsist- in mind that its goal is very different from ent obligations on the company required to the company’s: law enforcement wants to provide notice. Most state laws require catch the ‘bad guy’ and the company must notice as soon as reasonably possible, where- fi gure out the appropriate way to respond to as a few require notifi cation within 30 or the incident. 45 days of discovery. Providing notifi cation Federal regulators: Certain industry- within 30 days of initial discovery is often a specifi c laws also require reporting of a signifi cant challenge. breach to federal regulators. Under HIPAA,

■ 270 CYBER INCIDENT RESPONSE

a company must report any data breach to affected by the incident for their costs associ- the Secretary for the Department of Health ated with fraudulent charges and the reissu- and Human Services, although the timing ing of cards. The liability assessments can be of that reporting differs depending on one of the largest fi nancial consequences of whether the number of affected individuals an incident. exceeds 500. Under the GLBA, fi nancial In certain circumstances, a company may institutions must report a security incident be required to report a data breach to the to their primary federal regulator as soon media. Under state notifi cation laws, if the as possible. company does not have suffi cient contact State attorneys general and agencies: information to mail notifi cation letters to Some state laws require a company to report affected individuals, the company has to a data breach to the state attorney general, provide notice through substitute means, depending on the number of affected indi- which involves posting a link in a conspicu- viduals, which may range from 1,000 in ous location on the company’s website, issu- some states to only one person in others. ing a press release to major statewide media, Other states require notifi cation to state and sending an email to the individuals (if agencies, such as state consumer protection the company has their email addresses). agencies, departments of health, or cyberse- HIPAA requires a press release if a data curity agencies. The form of the notice may breach involves more than 500 affected indi- also vary. Some states require simply that a viduals. In other circumstances, a company copy of the breach notifi cation letter that was may have no legal obligation to report a sent to the affected individuals be fi led with security incident or data breach to the media the state attorney general. Other states may but may feel compelled to do so in an effort require more, such as written notice identify- to control the story and prevent inaccurate ing the nature of the breach, the number of or misleading information from being con- affected individuals, any steps taken to veyed to the public by the hacker, affected investigate and prevent future breaches, and individuals, or other sources. Accordingly, the content of the notice intended for the careful thought should be given to develop- affected individuals. Working with regula- ing a communications strategy as part of a tors can be one of the most critical pieces of company’s incident response—one that con- an incident response. Ensure that your outsiders not only the message but also the tim- side privacy counsel has a working relation- ing of the message and the medium in which ship with your regulators and can guide you it is distributed. on the timing and content of communica- Board of directors: Although reporting a tions. In most cases, if this piece is handled security incident to the board of directors is appropriately, there is a greater chance of not required by any specifi c state or federal very little fallout. law, a director’s duty to shareholders Other entities: When payment card data requires that the director be informed of are at risk, the response is governed by pay- important topics that signifi cantly affect the ment card network operating regulations overall business of the company. Consequently, that merchants have agreed to follow as part directors may (and should) require that an of the merchant services agreement with incident response team member (preferably their acquiring bank and payment processor. counsel) provide reports on any security The card network regulations defi ne a spe- incidents or data breach, and the progress of cifi c security standard that merchants must any incident response efforts. Some compa- comply with (PCI DSS). They also dictate the nies are establishing a special audit commit- investigatory process and provide for the tee for cyber incidents and even engaging a recovery of noncompliance fi nes and assess- “cyber advisor” to brief the board on these ments to reimburse banks that issued cards issues.

271 ■ INCIDENT RESPONSE

Lawsuits and/or regulatory action should apply to the communications A company’s response to a security incident with and fi ndings of the forensic fi rm or data breach can have signifi cant legal and and others engaged in assisting the law fi nancial consequences beyond those associ- fi rm. The external law fi rms also should ated with investigating and responding to provide guidance to other members of an incident. Some state and federal laws the incident response team on how to allow for consumers affected by a data preserve privileges, such as through the breach to assert a private right of action use of an ‘Attorney-Client Privileged against companies. When the incident affects Communication’ stamp in emails and a large number of individuals, it is fairly communications, for example. Outside common to see putative class actions fi led in counsel should collaborate with in-house the hours or days after the incident becomes counsel in determining whether there are public. Regulators, such as the FTC, any legal or contractual obligations to Department of Health and Human Services, notify or report, or potential liability as a and Federal Communications Commission result of a data breach. may initiate investigations that may result in Forensics fi rm. An outside forensics fi rm multimillion-dollar fi nes or the imposition of is sometimes needed to conduct an a consent order that imposes a lengthy obli- examination of the available forensic data gation to implement a privacy and security to determine whether there are signs of compliance program and have it audited by unauthorized access, and if so, determine a third party. Last, although not common, the nature and extent of the issue and directors and offi cers may be named in provide recommendations on short-term shareholder lawsuits. containment and longer-term measures to remediate and enhance security. ■ Role of external parties in a company’s Crisis communication firm. Although incident response public relations fi rms understand how An incident response typically requires the to get a company into the news, crisis involvement of several external parties who communications fi rms have to exercise serve important roles in identifying and a different skill set in guiding the assessing the cause, extent, and impact of a communication strategy for companies security incident as well as crafting and dis- facing security incidents. Those fi rms seminating a response to the affected indi- understand that there is often little, if viduals, the public, the media, law enforce- any, good news to report, so they focus ment, and regulatory authorities. One step on communications designed to make it that may save a few days during an incident clear that the company is responding in response is to engage and negotiate the mas- a quick and transparent manner that is ter services agreements with these compa- designed to protect affected individuals. nies before an incident so that only a new They can also provide media training for statement of work has to be prepared when the spokesperson and assist in responding an incident arises. to media inquiries in a consistent and measured manner. Privacy counsel. An external law fi rm often Breach response and notifi cation fi rm. Using a serves as the ‘quarterback’ of the incident dedicated external call center and mailing response. This role includes engaging other vendor to notify and handle inquiries third parties to assist the fi rm in providing from affected individuals can greatly legal advice to the company, such as a assist a company with the logistical forensics fi rm, which then serves as a challenges it faces during an incident foundation for establishing that attorney- response. The call center can answer calls client privilege. Work-product protection from an approved FAQ sheet.

■ 272 CYBER INCIDENT RESPONSE

Regardless of the external parties retained to derivative suits. This is particularly impor- assist in an incident response, it is important tant because communications to directors to ensure that they are retained by outside that are not made at the direction of, or by, counsel to enable the assertion of the attor- counsel may not be privileged and could be ney-client privilege and work-product doc- discoverable in subsequent litigation. trine to protect documents and communica- Should a security incident or data breach tions generated in the investigation and be made public, executives should be pre- during the response to a security incident. pared to comment on the incident. When necessary, a holding statement should be ■ Role of offi cers and directors in a company’s developed and vetted by counsel. incident response Communications by offi cers or directors The C-suite and boardroom play a small but with the public should be accurate, com- important part in a company’s actual inci- plete, and truthful, but also simple, so as not dent response: they mainly ensure that criti- to be misleading or admit liability. Any fi l- cal executive-level decisions concerning ings or disclosures with the federal regula- impact to the business and expenditures are tors, such as the Securities and Exchange made promptly. This is best facilitated by Commission, should be carefully vetted to having a C-suite representative serve as a ensure accuracy, which may prove diffi cult member of the incident response team. It is when the facts surrounding a security inci- also important for offi cers and directors to be dent are being determined. This can be par- engaged in the incident response process, ticularly problematic in quarterly (or peri- because in the event that another security odic) earnings calls with analysts that may incident occurs, the offi cers and directors occur while investigation and response could be held accountable by consumers, efforts are taking place. shareholders, and regulators for any lack of familiarity with the company’s cybersecurity ■ Conclusion program. In this ‘cyber climate,’ companies must be Given the potential liability and impact prepared for a security incident. Offi cers and to a company’s reputation posed by a data directors cannot sit on the sideline; they breach, directors should have procedures in must be aware of cyberthreats and engaged place to ensure that they receive timely in developing and implementing an incident updates on any incident response. response plan to limit the amount of damage Communications with the board regarding that can be caused by a data breach. An the incident response and the fi ndings of effective incident response can help preserve any investigation should be carefully craft- the company’s reputation and limit its expo- ed and limited to factual information if pos- sure, allowing it to continue and grow its sible, because of the prospect of shareholder business operations.

SecurityRoundtable.org 273 ■

Communicating after a cyber incident Sard Verbinnen & Co – Scott Lindlaw, Principal

Data security is the number one concern that keeps board members up at night, NYSE’s annual Law in the Boardroom survey found. It’s a rational nightmare for anyone running a company, given the explosion of data breaches and the havoc they can wreak. As recent shareholder derivative and securities lawsuits underscore, a director is not merely responsible for ensuring that a company’s cyber defenses are robust. Rather, lawsuits against directors of Target Corp., the TJX Companies, and Heartland Payment Systems, Inc. have taught us that directors must also ensure that the company is prepared to manage the aftermath of a breach. To contain the damage, effective communications with a host of internal and external audiences are essential. The two greatest harms infl icted by a breach are reputational damage and loss of customer loyalty, according to the Ponemon Institute, which compiles breach costs globally. To mitigate reputational damage, loss of customers, and related harms from a breach, it is critical that a company communicate clearly (and often simultaneously) with multiple audiences. The board’s oversight of this aspect of cybersecurity should not start in the fog of a cyber crisis. It should begin well before an incident.

■ The director’s duties and cybersecurity-related communications A data breach can substantially diminish stock value, as several academic studies have found. The most recent study, involving 174 breaches, found “the cumulative change in net earnings including extraordinary items in the four quarters after a breach announcement is a 22.54% decrease, indicating deteriorated earnings performance.” These fi ndings by Kholekile L. Grebu, Jing Wang, and Wenjuan Xie of the University of New Hampshire Peter T. Paul College of Business and Economics do not always hold true. A study of several prominent data breaches by

275 ■ INCIDENT RESPONSE

Sard Verbinnen & Co. found that share price increased customer acquisition activities, impact is hard to measure because of a mul- reputation losses, and diminished goodwill, titude of factors affecting stocks. Still, a com- cost the victimized companies an average of pany should anticipate that revenue and $3.72 million per incident. profi ts may take a hit after a breach. A pri- Companies have an opportunity to miti- mary goal of a post-breach communications gate each of these classes of loss through strategy should be to mitigate this impact as effective communications. This means fol- much as possible. lowing the law on all notifi cations required Because breaches can have a substantial to consumers and investors, of course. effect on the bottom line, preparing for and However, a company should not stop there. responding to such incidents fall squarely in Communicating about a cyber incident to the director’s fi duciary duties. As explained customers and investors as required by law in Chapter 8, directors owe their companies should be the bare minimum from a commu- certain obligations, such as the duties of care, nications standpoint. To preserve goodwill good faith, and loyalty. In the context of and stanch reputational losses, companies cybersecurity incidents, these duties require must move beyond mere compliance and directors to ensure the company develops a operate from a perspective of stewardship. reasonable crisis-management plan for use in They must demonstrate leadership, integrity, the event a breach occurs. This calls for board and responsibility through thoughtful com- members to have at least a high-level under- munications. To achieve that, these princi- standing of communications strategies and ples should guide any communications relat- tactics, for internal and external audiences. ing to a cyber incident: For example, almost all states have laws requiring companies to notify customers Preserve the company’s credibility with when a breach compromises sensitive per- all constituencies, including consumers, sonal data. Directors and companies have customers, partners, regulators, employees, been sued on the ground that they failed to investors, journalists, and analysts. take reasonable steps to notify consumers Maintain control of the communications that a company’s systems had been breached. process by establishing concise, agreed- When the law requires it, notifying customers upon messages so that the company speaks about a breach is fundamentally a legal func- with one voice. tion but also a communications function. Provide pertinent, confirmed facts Plaintiffs will try to hold directors accounta- without jeopardizing any internal or law ble for a perceived failure of notifi cation. enforcement investigations. Likewise, regularly disseminating accurate Coordinate all public communications information to shareholders may be a regula- with legal counsel to (1) ensure accuracy; tory requirement but also requires effective (2) avoid compromising any investigation communications. The Securities and Exchange or increasing legal exposure; and Commission has put companies on notice as (3) preserve attorney-client privilege. to the reputational harms of breaches and Prepare for potential negative legal, companies’ disclosure obligations regarding fi nancial, and customer scenarios. cyber incidents. “Reputational damage adversely affecting customer or investor con- These should be the tactical goals of com- fi dence” may cause an attacked company to munications responding to a cyber incident: sustain “substantial costs and suffer other negative consequences,” the Commission Reassure all constituencies that you are wrote in disclosure guidance in 2011. The taking steps to contain and fi x the issue. Ponemon Institute reported that in 2014, Manage how the breach is portrayed in breach-related lost business costs, including news and social media—where possible, the abnormal turnover of customers, position company as victim, not villain.

■ 276 COMMUNICATING AFTER A CYBER INCIDENT

Confi ne public comments to what you prepared to respond very quickly to any know. Do not speculate. cyber incident and to communicate the com- Avoid prolonging news media coverage pany’s position. As part of this, the board unnecessarily. should review the company’s budget for Do and say nothing to heighten the security risk management, ensuring the interest of regulators. availability of the funds necessary to hire Provide no fodder to plaintiffs’ attorneys. outside law fi rms, IT and forensics experts, Minimize damage in the eyes of remediation support services, and commu- consumers, customers, and investors. nications consultants. Protect share price. ■ Audiences to consider when responding Companies must integrate these communi- to a breach cations principles and goals into a coherent A company responding to a breach must incident-response plan before a breach communicate with myriad audiences. It strikes. An effective plan will position the must coordinate and calibrate its messaging victimized company to communicate quick- with each while recognizing that messages ly and effectively in the event of a data aimed at investors may end up in news sto- breach or other security incident. Important ries, that news stories will shape investors’ decisions will have to be made in real time, perceptions, and that everything the com- but the tools and guidelines in a cyber inci- pany says could end up on Twitter. dent response plan should ensure immediate engagement of the proper personnel, the Consumers, customers, and partners: In proper process for obtaining and reviewing addition to legally required notifi cations, information needed to determine the appro- the breached company must be prepared priate communications response, and align- to communicate what it is doing to ment on all appropriate steps to communi- contain an incident; provide assurances, cate to employees and external audiences. if applicable, regarding safety of A company’s incident-response plan customer information and recourse on should identify members of several sub- future fraudulent activity; give front- teams, including legal, IT, and communica- line customer service representatives tions. Anyone who will be directly involved guidance on how to communicate with in making communications decisions or in customers; provide a dedicated call the dissemination of internal and/or exter- center and/or website to handle nal communications must read and under- customer inquiries; and provide third- stand this plan. Press releases, key messages, party credit monitoring, if appropriate. question-and-answer documents, contact Journalists and social media lists, and letters to stakeholders such as communities: It will not be suffi cient investors and employees should be prepared to issue prepared public statements at in advance, leaving blank spaces to fi ll in as the company’s convenience. The victim facts emerge. The plan should contemplate company must be prepared to react the establishment of a dedicated website and to a deluge of media inquiries and be whether the company’s existing corporate prepared for leaks. The company may blogs and social media presence may be use- also have to proactively engage reporters, ful communications instruments after a including regional, national, and breach. The communications plan, and espe- cybersecurity beat reporters. This requires cially its contacts lists, should be treated as a developing a process for engaging the living document. It should be kept up to news media, including designating date and reviewed and tested regularly. media spokespersons, preparing key Directors must make clear to manage- executives for direct exposure to news ment that they expect the company to be media, correcting inaccurate reports,

277 ■ INCIDENT RESPONSE

and monitoring traditional and social typically comprise two main arguments. media on an ongoing basis. The company First, they allege directors failed to prevent must also prepare to use social media to the breach. Second, they contend directors distribute messages. covered it up and/or failed to notify inves- Investors and analysts: The breached tors and consumers. This latter class of argu- company must be prepared to answer ments essentially alleges failures of commu- questions about the impact of the incident nication. The cases against Target and on fi nancial outlook and about the costs Heartland show how the plaintiffs use deriv- of response and security upgrades. It ative and securities suits to blame directors can expect to face such questions on its and offi cers for these alleged sins of commu- fi rst earnings call after the incident, and nications, or lack thereof: thereafter. A Form 8-K may be required if shareholders would view the impact of Target Corp.: On December 18, 2013, the incident as material. the blog Krebs on Security broke the Internal audiences: Employees need to news of a major breach at the retailer. hear from the company about what has The next day the company confi rmed transpired, and what changes in security it was investigating a security breach policies and protocols are coming. They involving stolen credit card and debit must be alert to future attacks and avoid card information of 40 million customers talking publicly about the incident. who shopped in its stores. A few weeks Human resources should prepare to later, the company disclosed that the data involve itself if employees had a possible theft was signifi cantly more extensive role in causing the incident or failing to and affected millions more shoppers than detect it. it had initially reported. Four sets of shareholders filed In addition to the above audiences, the derivative lawsuits against Target breached company must carefully weigh offi cers and directors. Later these were and coordinate each statement with a sec- consolidated into one derivative action. ondary set of audiences in mind. Plaintiffs’ The plaintiffs alleged that directors attorneys will be circling and will race to the breached their fi duciary duties by failing courthouse to sue the company on behalf of to “timely notify customers of the theft of purportedly aggrieved customers and share- their personal and fi nancial information holders. Banks and credit card companies [and] to accurately notify customers who may have lost money on fraudulent regarding the scope and substance of the transactions will expect to be made whole. data breach.” The amended complaint Insurance companies will also be monitoring chronicled a series of statements in which public statements if the victimized company Target provided shifting information. As has a cyber incident or other relevant policy a matter of media relations, this had and moves to fi le a claim. the effect of continually adding fuel to the fi re: each time the company updated ■ Lawsuits against directors: communications the number of affected customers, the issues coverage spiked anew. As if the breaches themselves weren’t The plaintiffs also pre-emptively enough to keep directors up at night, board argued that the directors’ actions in members have an additional and unique set managing the response did not constitute of worries: shareholder derivative and secu- decisions under the business judgment rities lawsuits after an incident. Directors of rule, which would have protected them Target, the TJX Companies, and Heartland against such a lawsuit. “The Board caused Payment Systems, among others, have each Target to disseminate false and misleading seen these actions after breaches. These suits public statements concerning, among

■ 278 COMMUNICATING AFTER A CYBER INCIDENT

other things, the true nature and extent investors, the plaintiffs claimed, was that of the data breach at the Company,” the “Defendants’ misrepresentations and amended complaint stated. (A separate omissions obfuscated the Company’s true action brought by consumers similarly fi nancial condition and future business alleges that “Target failed to disclose and prospects, artifi cially infl ating the price of provide timely and accurate notice of the Heartland’s common stock.” data breach to the public...”) Heartland Payment Systems, Inc.: On ■ Conclusion December 26, 2007, hackers broke into Cybersecurity is the number one fear keep- Heartland’s corporate computer network ing directors up at night, but they can rest a and stole about 130 million credit and little easier by holding management account- debit card numbers and related card data. able and requiring a current, useful prepar- The SQL injection attack on its corporate edness plan before a crisis. Critical to any network resulted in malware being placed company’s breach-response plan must be on its payment processing system. communications. A breached company can- Plaintiffs brought a securities class not assume a defensive crouch and issue action against the company after the U.S. reactive statements at the times of its choos- Department of Justice indicted several ing. On the other hand, it should not say individuals for what was reportedly more than it is confi dent of, or more than is then the largest data security breach necessary to safeguard its interests and those in U.S. history. They accused CEO of its customers and investors. An effective and Chairman of the Board Robert O. communications plan helps protect the com- Carr and CFO Robert H.B. Baldwin of pany after a cyber incident by blunting the concealing the breach for more than a loss of reputation and customers and by year—of “lying about the very existence keeping plaintiffs at bay. of the breach.” They also contended Every breach starts with an event outside the defendants knowingly made false a company’s control, and the Target and and misleading statements about Sony Pictures attacks underscore how the breach in a 10-K annual report to unfolding events can further buffet a com- the SEC, during interviews with the pany. However, with a communications plan media, in press releases, and in other that is carefully conceived and rehearsed, a public presentations and speeches. The company can meet its legal obligations to plaintiffs alleged that Carr and Baldwin communicate and help limit the secondary concealed the incident and made a harms of a cyber incident, such as loss of series of materially false and misleading reputation and customers. It is incumbent on statements on an earnings call, “outright directors to ensure that the plan’s communi- den[ying] that a security breach had even cations components are ready to activate occurred at Heartland.” The harm to when the cyber crisis strikes.

SecurityRoundtable.org 279 ■

Cyber risk management investment decisions

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Optimizing investment to minimize cyber exposure Axio Global, LLC – Scott Kannry, CEO and David White, Chief Knowledge Offi cer

We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from “the past, and yet we are surprised to fi nd ourselves living in an era of chaos and violence.” Amit Yoran, President of RSA; 2015 RSA Conference Keynote

Why begin a chapter about minimizing cyber exposure with a recent quote criticizing the security industry and raising a question about whether it is even possible to succeed? It underscores the importance of understanding the current climate, how it has evolved to the current state, and its inherent challenges. Ideally, one can then grasp that a new way of thinking about cybersecurity is critical to succeed and look to defi ne a process and methodology that gives security leaders a better foundation to achieve that goal. Let’s start with where we’ve been. Our hope is that few, if any, security leaders still believe that impenetrability is achievable. We’ve been subject to a barrage of verbiage such as, “There are only two kinds of companies—those that know they have been hacked and those that don’t yet know it,” and hacked executives publicly expressing surprise that their organization was successfully victimized, despite investing in the best possible defense. However, that belief was prevalent for many years, and investment decisions during this “castle-wall” era were fairly easy to make: focus on buying technological controls to fortify the perimeter. Thankfully, we have evolved from that era into one that we’ll call the “defense-in-depth” era. The original premise was fairly simple: put up more castle walls, or perimeters, and hopefully the multiple layers will act in concert to create impenetrability, or at least something as close to it as possible. A more evolved premise is based on a mantra such as, “Operate as if the bad guys are already

283 ■ CYBER RISK MANAGEMENT INVESTMENT DECISIONS

inside,” which starts to balance perimeter weather the storm. This point supports the controls with those that focus on behavioral relevance of the insurance industry, not only monitoring, segmentation, and simulated as a provider of fi nancial certainty but also internal environments. This trend is defi - as an industry that can provide insight and nitely one that is taking hold. Many fi rms data to support thoughtful cybersecurity still spend the majority of their security investments. We’ll now explain all of these budgets on perimeter-focused controls, but elements and how this approach stands the spending is now being shared with internal greatest chance of minimizing exposure to and reactive controls. the organization. However, despite the improved strategy, The approach is best evidenced by Figure 1, events over the past year and those that which depicts the relationship between undoubtedly have happened since this chap- cyber risk and cybersecurity capability. ter was written should easily debunk any Organizations that have minimal cybersecu- notion that the defense-in-depth era has rity capability face an extraordinary degree been substantially more successful than the of risk. For these organizations, investments castle-wall era. Arguably, it has gotten worse, in basic controls will produce meaningful in large part because of improvements and downward movement on the risk curve. It’s industrialization of the tools and techniques also the reality that organizations on the far used by adversaries. This has led not only to left side of the curve will be given harsh treat- calls for a rethinking of how security is ment by the insurance industry—premiums approached but also to the practical reality will be extraordinarily high or coverage may that security leaders’ jobs are more diffi cult not be available at all—which is a signal that than ever: their rate of success at protecting the organization must bolster its capability the enterprise seems to be precipitously through traditional controls. At a certain declining, along with their job longevity. point, however, the curve begins to fl atten Plus, the castle-wall and defense-in-depth and the relative reduction in risk per dollar eras exacerbated a problem central to secu- invested pales in comparison to that which rity leader decision making; they facilitated was previously achieved. Beyond this point a monumental buildup in the availability fi rms would be wise to invest more substan- and use of technological controls. Evidence tially in insurance because of its dispropor- of this is apparent at the RSA conference, tionate effect on the risk curve. Unlike a tra- where a landscape of thousands of security ditional control, insurance actually reduces providers displays their wares, each claim- (or eliminates) the cost of an event and ing to be the ultimate solution or silver bul- therefore shifts the entire risk curve down- let. Security leaders ask where to start. What ward. An organization that adopts this should I spend my next dollar on? How can approach is one that is more thoughtfully I justify this investment and intended return protected and better able to withstand the to the board? How can I keep my job when impact of that inevitable event. an event inevitably occurs? Welcome to the To better understand the elements, let’s modern reality for security leaders. look at the risk calculus, which can be We propose that it is time to evolve into explained with the following equation: what we’ll call the cybersecurity enlighten- Business Impact ϫ Likelihood ment era. It’s an era that focuses on risk Risk = Capability management, not risk elimination, and where cybersecurity strategy is acknowl- where business impact is a measure of edged as an investment challenge. It’s also impact to the enterprise from a cyber event, an era that highly values impact minimiza- likelihood is an estimate of an event actually tion because cyber events are inevitable and occurring, and capability is a measure of the ultimately, the organization’s resilience organization’s ability to detect, protect, depends on having the fi nancial resources to respond, and recover from an event.

■ 284 OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE

FIGURE

Invest in Cyber Sustain Capability & Capabilities Invest in Insurance

Risk

Cybersecurity Capability

Insurance lowers the risk impact curve overall

It is important to understand that organi- to detect events. Many of these controls will be zations may have very little control over the technological or administrative, but the numerator in this equation, as these elements human element is also critical and can’t be are largely infl uenced by the constantly overlooked, nor can the protocols surround- evolving threat climate, the capability and ing third-party vendors, outsourced parties, desire of adversaries to carry out an attack, and subcontractors. The denominator is also and the ever-increasing complexity of the where the positive impact of insurance takes technologies controlling operations, which hold, because successfully responding to and can fail unexpectedly in ways that result in recovering from an event depends not only on damage. For example, various recent reports technical capabilities but also on the fi nancial pegged the cause of a cargo plane crash on a ability to cover the costs and losses involved. failure in software confi guration, evidencing How does an organization put actual the reality that cyber events aren’t only those numbers into the equation? Our recommen- with malicious connotations. It’s also impor- dation is to start with developing and ana- tant to recognize that neither business impact lyzing organization-specifi c cyber loss sce- nor likelihood can ever equal zero, even for narios. Gather a group of individuals that the most capable organizations. represent key functions and insights into the Organizations can infl uence the denomina- organization—information technology and tor by implementing, sustaining, and matur- operational technology security, safety, risk ing a capable cybersecurity program. This management, treasury, and legal— and brain- measure refl ects the controls that an organiza- storm about the likelihood and impact of tion has in place to protect its cyber assets and cyber events across the critical functions of the

285 ■ CYBER RISK MANAGEMENT INVESTMENT DECISIONS

organization. It’s important to capture as much Benchmarking is also a critical and strongly of the loss spectrum as possible—fi rst- and recommended element of the capability third-party fi nancial damages and fi rst- and factor. We recognize that many security third-party tangible damages, the latter half leaders may be wary of supplying cyber being critically important for organizations program information for benchmarking pur- that use industrial control systems. poses as to not create additional vulnerabili- In our experience, this type of exercise ties by giving away the proverbial keys to proves to be very fruitful. We’ve found that the back door, but resources that do so in an most of the informational insight actually entirely de-identifi ed manner can provide resides within the organization—it’s simply powerful comparative insight that is other- a matter of getting the right stakeholders at wise unavailable. From a security leader’s the table. In some instances, organizations perspective, this information may actually are surprised at how much they already be the most powerful, because it can provide know and can bake into the calculations. For justifi cation for additional investment in example, we’ve worked with energy fi rms controls and, in the worse case event of a that had already commissioned numerous breach, exculpability. loss engineering studies based on traditional This is an appropriate place to introduce perils such as earthquake, fi re, or mechanical the fi nal detail and insight for the denomina- breakdown, each with fully developed tor and right side of the risk curve—the impact estimates. All it took in this instance importance of insurance coverage and rele- was confi rmation from operational and vance of the insurance industry to deploying cybersecurity leaders that a cyber event an enlightened cybersecurity strategy. One could produce many of the same outcomes, of the roles that the industry can serve, and coupled with a technical discussion about will increasingly serve, is a resource for the likelihood of such an event to very effi - benchmarking intelligence via the under- ciently compile enough data for the numera- writing and premium pricing process. This tor in the equation. capability is candidly in its infancy for a few Using the loss scenario approach also reasons: the scope of coverage is evolving helps inform the numbers in the denomina- and therefore the depth of information tor, because the technical part of the discus- required to underwrite is not truly compre- sion helps determine the organization’s hensive, many insurers are happy to deploy capability to protect its operations from, a nonintrusive approach as a competitive detect signs of, and effectively respond to a lever, and correlation information lacks in particular scenario. For example, if we are areas where claims or losses have not yet working with a retailer and a scenario involv- occurred. Despite this evolving capability, ing the theft of credit card information, we fi rms can fi nd meaningful value in the pro- may start with the fi nancial impact if the cess, because even an extraordinarily high event occurs and then work backward to dis- premium or a denial of coverage does have cuss where the information resides and how informative value. Additionally, for areas in it is processed, and most critically, how each which cyber coverage is relatively more access point is or could be protected from mature, top insurers do have enough data to known and conceivable threats. Here, it is provide a “risk engineering” benefi t similar useful to compare an organization’s current to other well-established areas of insured capabilities against any applicable standards risk, and the industry is continually evolving or regulatory frameworks, ensure that appro- to provide greater capabilities in this respect. priate threat intelligence for that particular Another area of insurance industry rele- area of risk is being used, and continually vance requires a more nuanced dive into monitor the performance of the organiza- coverage, but one that is important for its tion’s protective mechanisms in its own envi- informative value and relevance to security ronment and the environment at large. investment decisions. Security leaders

■ 286 OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE

should familiarize themselves with their Beyond the continually evolving risk engi- own fi rm’s insurance portfolio as well as neering capabilities of the insurance industry industry trends relating to coverage availa- and the insight provided by simply under- bility and pricing. The exercise should not be standing the complete insurance landscape limited to cyber insurance, because despite for cyber exposures, the biggest benefi t pro- what many in the insurance industry would vided by insurance is the aforementioned profess, there is currently no such thing as an ability to meaningfully reduce the risk curve. all-encompassing, all-risk cyber insurance Here too it is critically important to under- policy. Cyber insurance, as it is commonly stand the entire insurance landscape, because known, covers many fi rst-party fi nancial fi rms that purchase a single cyber insurance losses and resultant fi nancial liabilities from policy may be disappointed in how it per- a cyber event, but not tangible losses such as forms. This point is not intended as criticism property damage and bodily injury. Therefore, of the insurance industry—the industry does fi rms also must be attentive to property, casu- offer coverage for the vast majority of the alty, environmental, terrorism, and any other cyber exposure spectrum—it’s a point recog- type of insurance that could provide coverage nizing that comprehensive coverage for com- for losses resulting from a cyber event. plex cyber events can involve multiple types What type of actionable insight does this of policies. provide? On one hand, simply knowing Ultimately, our hope is that this process what cyber exposures the insurance industry and balanced approach provides a higher is willing to cover can help security leaders likelihood of minimizing cyber risk, espe- make investment decisions. For example, the cially in comparison to any of the legacy insurance industry currently does not offer strategies deployed to date. If nothing else, it much, if any, coverage for losses attributable helps to more effectively minimize cyber risk to the theft of intellectual property such as through the effective deployment of insur- trade secrets and R&D. Knowing this may ance as a complementary control, but the prompt overweight investment into controls process overall does produce defendable and protocols protecting trade secrets, insight and a means by which security lead- whereas investment into other areas of risk ers can optimize investment while minimiz- where coverage is readily available can be ing risk, thus allowing cybersecurity to start more balanced. to evolve out of the dark ages.

SecurityRoundtable.org 287 ■

Investment in cyber insurance Lockton Companies Inc. – Ben Beeson, Senior Vice President, Cybersecurity Practice

A number of high-profi le corporate data breaches, mainly in the US retail sector over the last two years, have led rapidly to a major change in enterprise cybersecurity strategy. Many chief information security offi cers (CISOs) now view risk avoidance as extremely challenging, if not impossible, and a traditional approach that builds layered defenses around the network perimeter as increasingly insuffi cient. Accepting risk means adopting an approach that seeks to mitigate and build enterprise resilience. This approach now also must weigh the benefi ts of transferring residual severity risk from the balance sheet through cyber insurance. Here are 10 reasons to consider making the investment.

1. Advanced persistent threats (APTs) Targeted attacks, known as APTs, have become increasingly diffi cult to detect, let alone stop. The emergence of the nation-state as an adversary leaves the majority of organizations vulnerable regardless of the resources committed to defense. 2. Governance and an enterprise-wide risk management strategy The emergence of cybersecurity as a governance issue that must be addressed by the board of directors is redefi ning the role of cyber insurance as purely a fi nancial instrument to transfer risk. Cybersecurity involves the entire enterprise, with numerous stakeholders, no longer only the domain of the IT department. Driving a culture of collaboration between these stakeholders is challenging for many organizations, but cyber insurance and, more importantly, the underwriting process can be the catalyst. 3. Increasing regulatory risk Liability to boards of directors is expected to increase and give added weight to a focus on governance. SEC guidance published in 2011 highlights how regulators see cyber insurance as part of a strong enterprise risk

289 ■ CYBER RISK MANAGEMENT INVESTMENT DECISIONS

management strategy. Many in the legal attack by a third party. This will not community see the launch in February extend to an act involving the board of 2014 of a federal cybersecurity framework directors or executive team. (known as the NIST framework) as 7. Security is not about compliance creating a standard of care to be used by Treating security as a compliance plaintiff attorneys to allege negligence or exercise only will result in failure. For worse. example, many organizations that are 4. A fi nancial incentive compliant with payment card industry Legislators are giving greater prominence data security standards have been to the role of cyber insurance. The failure breached. to pass laws to drive stronger enterprise 8. Monetizing the cost of cybersecurity security has demonstrated the challenges One of the biggest challenges to the in trying to enforce minimum standards. CISO is to quantify cybersecurity risk in There is growing support for market-based dollar terms to the executive team. The incentives such as insurance that can premium charged by an insurance reward strong cybersecurity through company can help solve this problem. discounted premium or broader coverage. 9. Merger and acquisition activity However, the insurance market for cyber The difficulty in evaluating the risks is young, if not embryonic in some cybersecurity posture in any acquisition respects, and faces signifi cant challenges target leaves the acquirer vulnerable. if it is to continue to grow. Reversing the 10. Operational technology lack of actuarial data to model risk and Industry sectors dependent on an underwriting process that must operational technology and industrial change to meet ever-evolving threats sit control systems are particularly at the top of the insurance industry’s vulnerable. Built primarily to be available priorities. 24/7 and to operate in isolation, these 5. Vicarious risk to vendors and business devices are increasingly being connected associates to the corporate information technology Adversaries are focusing increasingly on network and the Internet. third parties that have access to sensitive information and other critical assets of the ■ The cyber insurance marketplace today target enterprise. Professional service It is estimated that more than 50 insurers fi rms or cloud-based solution providers domiciled mainly in the U.S. and London are examples of business associates whose insurance market provide dedicated cyber security may be weaker than that of their products and solutions today. Buyers are client and consequently provide an easier concentrated overwhelmingly in the U.S. back door for the attacker. Liability for with little take up to date internationally, a breach of personally identifi able with low demand in the rest of the world. information (PII) or protected health Annual premium spending at the end of 2014 information (PHI) typically still rests with was estimated to be in excess of $2 billion. the enterprise data owner, even though Total capacity (the maximum amount of a breach may have occurred to the insurance available to any single buyer) is vendor’s network. Cyber insurance currently at about $300,000,000, although this addresses costs of responding to a breach is now contracting substantially in certain and possible privacy regulatory action or sectors such as retail and health care. Cyber civil litigation. insurance fi rst emerged at the end of the 6. Insider threat 1990s, primarily seeking to address loss of Attacks from the inside continue to be revenue and data restoration costs from hard to prevent. Cyber insurance covers attacks to corporate networks. However, the employee as perpetrator as well as an the underwriting process was seen as too

■ 290 INVESTMENT IN CYBER INSURANCE

intrusive and the cost prohibitively expen- Certain insurers will also extend coverage sive. It was not until 2003, and the passage to downtime of vendors on whom a of the world’s fi rst data breach notifi cation policyholder is reliant. This is commonly law in California, that demand started known as “contingent business to grow. interruption.” Costs to restore compromised data What does cyber insurance cover? Reimbursement for costs associated with Insurers do not address all enterprise assets an extortion threat at risk. The majority of premium spent by Operational technology buyers was intended to address increasing A few insurers have begun to extend liability from handling personally identifi a- coverage for the information technology ble information (PII) or protected health network to also include operational information (PHI) and the costs from either technology such as industrial control unauthorized disclosure (a data breach) or a systems. violation of the data subject’s privacy. Physical assets Insurable costs range from data breach Cybersecurity is no longer just about risks response expenses such as notifi cation, to information assets. A cyberattack can forensics, and credit monitoring to defense now cause property damage that also costs, civil fi nes, and damages from a pri- could lead to fi nancial loss from business vacy regulatory action or civil litigation. interruption as well as liability from Insurers also continue to address certain bodily injury or pollution, for example. fi rst party risks, including the impact on Understanding where coverage lies in a revenue from attacks on corporate net- corporate insurance policy portfolio is works, extortion demands, and the costs to challenging and at times ambiguous. An restore compromised data. assumption that coverage should rest Insurable assets include the following: within a property or terrorism policy may not be accurate. Exclusionary language PII and/or PHI of employees or consumers has begun to emerge and is expected to Data breach response costs to include the accelerate across the marketplace as losses following: occur. Dedicated products also have Notifi cation started to appear. Credit monitoring Reputation and brand IT forensics Insuring reputational risk from some Public relations form of cyber event remains out of the Defense costs and civil fi nes from a scope of the majority of insurers. At the privacy regulatory action time of writing, the London market has Defense costs and damages from civil begun to innovate to address the fi nancial litigation loss after adverse media publicity. Corporate confi dential information However, capacity remains constrained at Addresses defenses costs and damages $100,000,000 at best. incurred for a breach of third-party corporate confidential information. What does cyber insurance not cover? Certain insurers will extend to address Intellectual property assets misappropriation of a third party’s trade Theft of one’s own corporate intellectual secret, but fi rst-party loss of intellectual property (IP) still remains uninsurable property remains uninsurable. today as insurers struggle to understand its Corporate information technology intrinsic loss value once compromised. The network increasing diffi culty in simply detecting an Addresses the loss of income as a attack and, unlike a breach of PII or PHI, the consequence of network downtime. frequent lack of a legal obligation to

291 ■ CYBER RISK MANAGEMENT INVESTMENT DECISIONS

disclose, suggest that a solution is not in the assets. However, the ever-evolving nature of immediate future. the threat, particularly the emergence of APTs, undermines the reliability of these statistics. ■ Leveraging cyber insurance as a risk Pricing risk to physical assets is a bigger prob- management tool lem because this has begun to emerge only Since 2009 the marketplace has evolved to since 2010, and actuarial data are extremely also provide services to help buyers manage thin on the ground. risk. Focused mainly on post-event response, Fundamentally insurers continue to look turnkey products have emerged, which pro- for a strong security culture within the fi rm vide a panel of legal, forensics, and public as a fi rst step in risk triage. Additional fac- relations specialists. Popular with smaller tors such as industry, revenue size, and enterprises that lack the resources or rela- actual assets at risk also contribute to how tionships, this innovation has been a key risk is priced. component in increasing the relevance of cyber insurance and consequently its growth. ■ How to engage the insurance market Larger fi rms typically seek products based Once a decision has been made to explore a on breadth of coverage and the fl exibility to suitable solution, the fi rst step is to choose a use their own vendor network. broker. The lack of consistency in policy lan- Services that help mitigate risk before an guage from one insurer to the next means event occurs have started to emerge. Insurers that a broker with dedicated expertise is vital likely will begin to incentivize buyers to for a successful outcome. First class brokers adopt these services with rewards such as work with their clients to understand the discounted premiums. assets at risk and how best to address them either under the existing insurance program ■ How do insurers underwrite cyber risks? or through a new dedicated product. An Historically, underwriters have sought to existing Directors and Offi cer’s policy form understand the controls that enterprises lev- (D&O) addressing management liability erage around their people, processes, and from a cyber event probably offers suffi cient technology. However, the majority of assess- coverage. However, more often than not, lia- ments are “static,” meaning a snapshot at a bility to the enterprise requires a new dedi- certain point in time through the completion cated product. of a written questionnaire, a phone call inter- A broker should understand that insur- view, or a presentation. A consensus is grow- ers seek to understand the security culture ing that this approach is increasingly redun- of a fi rm and will work to position their dant and that insurers will seek to partner clients as best as possible. For many larger with the security industry to use tools that organizations this does not involve com- can help predict and monitor the threat as pleting a written questionnaire and staying part of the underwriting process to adopt a divorced from the process. Rather, an inves- more threat intelligence led capability as tor-style presentation to the marketplace by part of the underwriting process. In fact, this key stakeholders in IT, legal, and risk man- already has started to happen, as certain agement in particular, which involves ques- insurers have started to use technology to tions and answers, ensures the best possible underwrite vendor and M&A activity risks. outcome. Top-tier underwriters appreciate that cybersecurity is not a tick-box exercise. ■ How do insurers price risk? They understand that the risk is dynamic Pricing cybersecurity risk remains a challenge. and will not necessarily penalize a buyer An insurance market that is only 15 years old today for shortcomings if a roadmap is has begun to build up a profi le for frequency spelled out as to how these shortcomings and severity of loss with regard to PII and PHI will be addressed in the next 12 months.

■ 292 INVESTMENT IN CYBER INSURANCE

A broker must then negotiate competi- upon up front. Forensics are not tive terms and conditions with competing inexpensive and can form a signifi cant insurers with a fi nal recommendation as to part of the overall cost. whom their client should choose. 7. Law enforcement 10 key coverage items to negotiate: Law enforcement typically is involved in a major security breach. In fact, many 1. Full prior acts coverage times the FBI, the agency leading Insurers try to limit coverage to acts from cybersecurity corporate defense, notifi es the fi rst day that the policy begins, known the enterprise before it becomes aware of as the retroactive date. However, in the the breach. A claim should not be context of the challenges in detecting an excluded by an insurer for failure to attack, buyers should seek to remove this disclose as soon as practicable if law exclusion and avoid the risk of a claim enforcement had advised nondisclosure denial. during the investigation. 2. Restrict knowledge and notice of a 8. War and terrorism circumstance to the executive team Many insurance policies exclude acts of Again, an insurer should not be allowed war and terrorism which must be deleted to impute liability to the whole enterprise with the emergence of the nation-state because detection has proven to be such a adversary in particular. challenge. 9. Intentional act 3. Security warranty Ensure that coverage addresses the Remove any language that tries to warrant employee or insider as perpetrator that security is maintained to the same acting in isolation of the executive team. level as represented in the underwriting 10. Continuity of coverage submission. The dynamic nature of the When renewing the insurance policy risk leaves this too open to insurer with the same insurer, avoid signing a interpretation in the event of a loss. warranty regarding a circumstance or 4. Operational technology claim. The majority of insurance policies provide coverage only to the corporate IT network. ■ Conclusion If relevant, ensure that language is Cyber insurance has a broader role to play broadened to also address operational than simply reimbursing costs associated technology such as industrial control with a loss. Fundamentally, engaging in an systems. underwriting process that forces collabora- 5. Outside counsel tion from stakeholders across the enter- Choice of counsel must be agreed upon prise can drive stronger cybersecurity up front. In the event of a security breach, resilience. Increasing regulator and share- a dedicated legal expert must take holder scrutiny means that the case for the response lead not least for attorney investment will continue to grow. In addi- client privilege. Negotiating with an tion, insurers will start to provide premi- insurer during the event would be um- and coverage-based incentives for counterproductive. adopting best practices such as the NIST 6. IT forensics framework and leveraging preferred tech- In a similar vein to choice of counsel, the nology tools. preferred forensics fi rm must be agreed

SecurityRoundtable.org 293 ■

Cyber risk and workforce development

Electronic version of this guide and additional content available at: SecurityRoundtable.org

Cyber education: A job never fi nished NYSE Governance Services – Adam Sodowick, President

Whether it stems from a lack of education, a sense of ambivalence, or, in some cases, malice, nearly all cyber vulnerabilities begin and end with some degree of human error. In today’s data-driven environment, companies must establish a culture of responsibility so that all levels of employees work together to maintain vigilant practices that mitigate cyber risk. Despite vast amounts of resources spent on countless fi rewalls, security systems, and algorithms to ferret out breaches, these complex efforts barely scratch the surface of the problem.

■ Overview Cybercrime is one of the most prevalent economic crimes today according to PwC’s Global Economic Crime Survey. The damages continue to grow with 24% of the more than 5,000 organizations represented in the 2014 PwC study reporting being a victim of cybercrime. A recent study by Verizon Enterprise Solutions points to another signifi cant issue, noting that 66% of cybercrimes are not detected for at least six months. The trajectory of costs continues to rise. According to the Ponemon’s Cost of Cybercrime 2014 report, cyberattacks cost the average U.S. company more than $12.7 million. With some companies experiencing more than $61 million in losses, this average is an increase of more than 9% from the prior year. Attacking the problem means understanding the source. As one of the top fi ve most reported crimes against businesses, cybercrime is not merely a technology problem anymore. “It is a strategy problem, a human problem, and a process problem,” according to the PwC report. The Online Trust Alliance’s (OTA) 2015 Data Protection & Breach Readiness Guide reports that employees caused 29% of data breaches between January and June of 2014, proving that internal weaknesses are a signifi cant area of vulnerability for every organization. The

297 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

OTA guide further reports that data leaks by A vast number of cases are actually a result employees who lost documents or used of error, employee ineptitude, or apathy. social engineering or fraud to access and These situations can cause severe holes in the leak information were caused by a lack of system and are cases for organizations to internal controls. Therefore, educating and change behavior so that employees become a cultivating true employee buy-in to a culture defensive tool against cyber risk. of responsibility is crucial to mitigating pos- The computer manufacturer Dell Inc., for sible damaging breaches. example, boasts a “culture of security” that is fostered by the following four fundamen- ■ Types of insider threats tal principles: security awareness training, The genesis of insider threats is not always proper access management, mobile security, malicious; however, the malicious or politi- and securing and monitoring the organiza- cally driven acts tend to be the ones that tion’s networks, according to the company’s make headlines. Media did not ignore white paper, The Human Side of IT Security. instances such as Home Depot’s former secu- Kevin Hanes, executive director, Security rity architect who sabotaged his previous and Risk Consulting, Dell SecureWorks, employer’s computer network and the April describes how Dell’s information security 2015 case in which the Department of Justice unit works with other organizations to deal indicted a Nuclear Regulatory Commission with cybersecurity issues. “My view is employee for attempting to deliver nuclear organizations need to keep in mind that the secrets to a foreign government via spear- bad actors are going to typically follow a phishing tactics. path of least resistance, and often that path is Although not intentionally malicious, a the people,” he notes. Dell’s approach to related form of insider abuse stems from a imparting a cyber-aware culture at an organ- sense of privilege, when someone abuses the ization begins at the top and involves con- trust he or she is given to safeguard sensitive sistent communication at all levels to ensure and valuable data. The 2014 Verizon Enterprise employees understand why the vigilance, Solutions report found that in 55% of cases inconvenient though it may be, is necessary involving insider incidents, the primary moti- in all aspects of what they do. vator was privilege abuse; the primary moti- Interestingly, not all employees view the vator in 40% of cases was fi nancial gain. threats in the same light. In a June 2015 global A 2012 survey of global employees by study commissioned by Dell SecureWorks Boston-based data storage and information and the Ponemon Institute, 56% of the IT management company Iron Mountain found security/IT staff surveyed consider ‘negligent that workers often develop a feeling of per- insiders’ a serious threat, whereas only 37% of sonal ownership when they are involved the IT Security/IT corporate leaders surveyed with the collection of data. The study found considered such insiders a serious threat. This that in Europe, for example, many offi ce difference, the study’s authors note, points to workers are likely to take data with them a need to listen more carefully to those in the when they switch jobs, which, for certain “security trenches who are dealing with these subgroups, such as millennials, happens threats.” with more frequency than with previous generations. The study found that of those ■ Taking action who did steal company information, 51% Once companies have better awareness of exited with confi dential customer databases, the root causes of insider threats, what steps 46% with presentations, 21% with company can be taken? OTA recently reported that proposals, 18% with strategic plans, and 90% of data breaches occurring in the fi rst another 18% with product/service road half of 2014 could have been prevented eas- maps—all of which represent highly sensi- ily by adhering to commonly accepted best tive, valuable assets. practices for data protection. For companies

■ 298 CYBER EDUCATION: A JOB NEVER FINISHED

that are behind the curve, this means there is Although Teradata works diligently to a lot of work to be done. train employees and maintain awareness of In addition to implementing stringent best cyber issues, Carver concedes the job is practices and requiring employees to follow never fi nished. He continually takes the les- them, self-reporting is a key component. Each sons learned and the new angles and feeds company should have a clear understanding them back into the funnel, honing and sharp- about its reporting guidelines as well as what ening the employee education program. items or activities are suspicious. Even with that level of attentiveness, Carver Each organization’s management and cul- assumes his company will encounter a ture are unique, but looking to what works at breach and is planning for that eventuality. other companies can help in understanding He also feels it’s important to help employ- and making recommendations on sound ees understand what to do if they think starting places that help to benchmark prac- they’ve made a cyber-related error and how tices and measure success of respective cyber- to report any questionable or erroneous security defense and mitigation programs. activity. Carver suggests three tips for chief compli- ■ Case study perspectives ance offi cers who are working to implement a Taking a look at a few case studies often can more robust cyber awareness program. First, help pull blue sky ideals down to earth. At begin with including everybody. “It’s all Teradata, a leading data analytics provider, employees’ job to assure data protection,” he Chief Compliance Offi cer Todd Carver says says. Second, it’s an issue for all companies cyber awareness is viewed as a funnel, with across all sectors and needs to be prioritized new information continually feeding into no matter what the industry. Finally, remem- the top and recirculating in the form of ongo- ber that what makes an organization vulner- ing education to keep employees aware of able is the human aspect. “You could do eve- the latest developments. Carver says his rything [right] technology-wise, but could company’s program spans from the board of still be vulnerable because people are directors to 11,000 employees in 43 coun- involved—employees, third-party vendors, tries. Protecting data and assets is one of the customers, and the bad guys.” commitments in Teradata’s code of conduct, At Dell, Hanes’ SecureWorks group han- and if anything isn’t specifi cally covered in dles security monitoring, consulting, and the training, or if employees come up with threat intelligence gathering for itself as well their own questions, Carver explains, there’s as its many clients. Although SecureWorks also an ethics helpline so that employees can has the capacity to test “crazy amounts of ask questions, request guidance, or say, “I malware samples” in a lab, according to screwed up. What do I do now?” Hanes, most companies can take steps on Annual ethics and compliance education their own to mitigate risks from such activi- covers a host of issues at Teradata, including ties as phishing and vishing (hacking cyber-related modules for intellectual prop- attempts made via phone call). Creating, erty, privacy, phishing, and mobile-device communicating, and monitoring protocols awareness. The company also has policies in can go a long way toward keeping the place regarding keeping a clean computer, human element in check, according to password practices, and email usage, to name Hanes. a few. In addition, Teradata uses role-specifi c In his experience, Hanes says people gen- training. It’s all about getting employees truly erally have two mentalities: those who want engaged, Carver explains. “It’s important to to check a compliance box by doing annual explain why we have these rules.” Carver training at their companies and those who says his company has shared scenarios of want to transform employee behavior with attempted hacks to better help employees programmatic changes. The former is much understand the need for the procedures. easier, but the latter has the potential to offer

299 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

tangible results. Creating an organization Directors Think Survey, 63% of director with a cyber-aware culture requires an ongo- respondents said they are only somewhat ing commitment, he explains, because even confi dent that their board is adequately over- after years of training “check-the-box” seeing cyber risk; nearly a quarter of respond- employees, without a complete buy-in and ents said they are not confi dent about their understanding, there will still be those who board’s oversight. In sum, there is clear indi- click on a phishing email link. cation that there is room for improvement at even the highest levels. ■ Creating a cyber-aware culture These fi ndings build a strong case that Proactive companies such as Teradata, Dell, board members, along with employees, and others understand that effective cyber would benefi t from being included in the awareness education can transform employ- cyber awareness program at their organiza- ees into a powerful force in the fi ght against tion to make better decisions and oversee cybercrime. Having a culture of awareness cyber risk on an ongoing basis and help set can help prevent breaches, keep data secure, the proper tone at the top. Roughly two and positively affect a company’s bottom thirds of companies appear committed to line. In fact, there’s arguably no greater bar- this idea. According to Ethisphere’s 2015 rier to cyber risk than investing in and sup- World’s Most Ethical Companies data set, porting the right employee culture. 66% of respondents had offered their board Surprisingly, only 29% of companies sur- formal training on information security/ veyed by NYSE Governance Services and cybersecurity within the last two years. the Society of Corporate Compliance and Ethics train all their employees for cyber ■ Conclusion issues despite the fact that cyber was chosen There is no substitute for a sound, well- one of the top three risk areas for employee understood culture of responsibility and education, according to the 2014 Compliance awareness with regard to cybersecurity, a and Ethics Program Environment Report pervasive risk that begins and ends with the issued by the same two groups. human element. The bottom line is that Companywide education often means ele- unhappy and/or untrained employees can vating awareness for the board as well; espe- be a company’s biggest threat, whereas a cially because most board members say it’s a motivated, well-educated workforce can be diffi cult area for them to wrap their arms its biggest defense. Proofpoint, a Sunnyvale, around. In the 2014 RSA/EY survey with California, security service provider, warns Corporate Board Member, 83% of directors said that cyber criminals are continually adjust- that a signifi cant impediment to their over- ing to companies’ employee education, so sight of IT/cyber risk was the fact that it was the cat-and-mouse game is never fi nished constantly changing. A 2015 Cybersecurity in and constant vigilance is required. the Boardroom report published by NYSE Although the margin for human error will Governance Services and Veracode notes that never be eradicated, with proper awareness IT security matters are discussed in most or education and follow through, companies every meeting by 81% of director respond- can leverage their greatest asset to alleviate ents. In a separate NYSE Governance Services’ vulnerabilities and strengthen cybersecurity study with Spencer Stuart, the 2015 What resistance.

■ 300 SecurityRoundtable.org Collaboration and communication between technical and nontechnical staff, business lines and executives Wells Fargo & Company – Rich Baich, CISO

You can have brilliant ideas, but if you can’t get them across, your ideas won’t get you anywhere.” “ Lee Iacocca Delivering results is a key metric of success for any leader. Exceeding revenue goals, meeting hiring and retention goals, or ensuring operational budget goals are well known and understood results. These goals are clear, easily measurable, and most importantly all individuals understand their role in achieving these results. These goals often are established with limited collaboration and a single communication to the appropriate leaders with minimal tolerance associated with not achieving the goals. The language used when establishing these goals and publishing the results transcends technical and nontechnical executives. This information must be understood and actionable; regardless of the executives’ background, having this information available allows them to make an informed decision. Leaders need the right information, at the right time to collaborate, communicate, and ultimately make the best decision. Information enables the executive to use a decision process or framework of reasoning to help rationalize the data and choose the best course of action. As the topic of cybersecurity rapidly moves to the top of every C-level executive’s agenda, cyber leaders must embrace the importance of collaboration and communication while building bridges to ensure decisions are understood and actionable.

■ Establish a cyber risk decision framework We live in a time of acute and persistent threats to our national security, our economy, and our global communities. The number of reported cyber incidents continues to grow. The threat of a cyber catastrophic event continues to lurk in the distance. New cyber vulnerabilities are reported each day and the frequency of zero-day threats is increasing. New victims make the headlines

301 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

weekly. As a result, cyber leaders continue to How vulnerable are their products and be asked if their organizations are spending solutions to this exploit? enough to address cyberthreats. To answer Is there any potential for business impact this question, cyber leadership must have to customers or suppliers? the facts to establish a decision framework to Do they need to contact their third parties guide them. Having a fi rewall, purchasing to see if they are secure? the latest technologies, growing the number Will this affect their ability to service their of cyber professionals, and having informa- own third-party relationships? tion security policies do not adequately provide all the information needed to answer Using the following framework formula to this question. Knowing what data to collect, explain an approach could be helpful: demonstrating the ability to get the data in a timely fashion, operationalizing the data, Risk = Vulnerability ϫ Threat ϫ Asset and ensuring the data get to the right deci- Value ϫ Probability of Occurrence sion maker can provide an actionable framework. The following are a few examples of Having the trustworthy data readily avail- what information is needed to enable a able can allow cyber executives to quickly framework: and confi dently communicate throughout the organization and the third parties. For What risks will be mitigated if these example, a quick query of the asset inven- additional funds are provided tory indicates there are 50 instances of this Specific cyberthreats are known, exploit in the current infrastructure and monitored, and integrated into the risk fi ve within the third-party ecosystem. Of prioritization decision process. those 50 internal instances, only three are Vulnerabilities are identifi ed, prioritized, external facing, and the remaining 47 are remediated, and validated in a timely internal to the network. All the third-party manner. instances are internal to the partner’s Critical assets are well known, network. The associated vendor to the accountability is clear, and responsibility to zero-day exploit has provided a patch and ensure those assets meet defi ned protection recommended an immediate application of criteria are met. the patch. The internal cyberthreat team The likelihood of a specifi c exploit, attack, has reviewed the external intelligence, and or signifi cant occurrence is understood there are already indications of potential and utilized in the cyber risk prioritization miscreants scanning for the newly identi- framework. fi ed vulnerabilities. Additional intelligence and analysis suggest exploit code is already Having trustworthy data is the foundation being crafted to take advantage of this new to all cybersecurity decision frameworks. exploit. If successful, the exploit can be It is important to have a framework to help used to deliver malicious code throughout support the fundamental changes required the organization providing kinetic and to enhance cyber practices and enable nonkinetic damage to an organization. communication. Armed with this information, cyber leadership can quickly move to gain consensus, Scenario: Cyber risk decision framework communicate recommendations, and infl u- Today, the media announces a new zero-day ence the mitigation activities required to exploit that has been identifi ed. Business address the threat. executives want to know: ■ Defi ning your stakeholders What do they need to do to respond to Trustworthy data are a key foundation to the exploit? establishing cybersecurity creditability.

■ 302 COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES

Performance of executives, regardless if they 3. assess business impact of material work in a line of business, in corporate staff, cybersecurity program changes or in technology, is often measured by results. 4. discuss lessons learned and situations in Achieving results in cybersecurity requires which program adjustment is prudent others taking action. Effective leaders can 5. identify potential areas of confl ict and/or motivate groups of like-minded people to resource constraints between cybersecurity come together and rally behind a cause to program and business priorities achieve a goal. Finding those individuals in 6. discuss impacts from and/or to the larger the organization is critical to success. applicable industry. Identifying individuals who will become stakeholders in the cybersecurity journey Stakeholders want the facts and reassur- provide the support needed to drive change. ance that the information being reporting is The following is a list of potential stakehold- trustworthy and actionable. Risk manage- ers to consider: ment is everyone’s responsibility, and individuals take great pride when helping chief executive offi cer (CEO) reduce risk. Proactively removing risk chief fi nancial offi cer (CFO) before the risk evolves in negative conse- chief auditor quence is a signifi cant measurement for chief administration offi cer (CAO) success. Providing a stakeholder with the chief communication offi cer (CCO) data that clearly demonstrate a risk was chief risk offi cer (CRO) remediated before it was signifi cant will member(s) of the board of directors win the trust of most individuals. chief information offi cer line of business leader Scenario: Defi ning stakeholders audit committee You have been asked by a line of business chief technology offi cer (CTO) leader to provide information regarding a line of business leaders, CIO, CTO, risk third party before a contract is signed. Due leaders diligence is done for third parties before any contracts are signed; that is a leading indus- In addition to individual stakeholders, try practice. However, what if you and your establishing a cybersecurity steering com- cybersecurity team were able to provide mittee with cross-organizational representa- cyber intelligence that suggests the potential tion can provide an additional platform for third-party partner is on a top-fi ve easiest- collaboration and communication. The pur- to-hack organization list being posted in pose of the committee should be to promote credible underground forums? Having cybersecurity awareness, provide a forum in information without being able to make it which cybersecurity topics can be discussed, actionable often results in a very heavy and to solicit cyber feedback to help evolve paper weight being created. In this scenario, cyber practices and mature over time. In having the cyber intelligence to provide the addition, the committee will seek to identify stakeholders helped provide transparency cybersecurity topics that may affect the into cyber risks that can produce measured broader applicable industry and the emerg- results. Maintaining a results-oriented men- ing trends that may affect the organization. tality coupled with the right stakeholder The cybersecurity committee could: group can help enable a cyber support culture. 1. review cybersecurity strategic direction and planned initiatives ■ Delivering the message 2. discuss major milestones for cybersecurity Effective communication, especially during a initiatives that are in process of being time of change, requires frequent touchpoints. deployed Having a communicator or a communication

303 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

team specifi cally aligned with the cybersecu- help build collaboration by demonstrating rity team can provide immense benefi ts. how individuals can partner with cyberse- There is delicate balance associated with the curity to address customer needs. Regardless frequency and content that is communicated of the industry, customers want to know to stakeholders. The fundamental goal is to their information is safe and the organiza- tell the cybersecurity story throughout the tion that has their data has a clear plan to organization through clear, concise, targeted achieve that goal. Adding cybersecurity communications through the most effective reminders in existing individual customer dissemination channels. Some will want more communications begins to demonstrate that frequent communications, whereas others commitment to the customer. It takes a long will desire less communication. Some will time to earn trust, but it only takes a second prefer “pull” communications and others will to lose it. want the information pushed to them. This also holds true for internal stake- Cultural appetite, tone from the top, and holders. Often the information and measure- organizational commitment help drive the ment of results reported by the cybersecurity various required communication delivery team may not be perceived as positive news. techniques to ensure stakeholders are aware. For example, the cybersecurity team may Some examples include the following: implement new technology that provides an enhanced visibility into the health and publish monthly newsletters to various hygiene of various technology assets. If these stakeholders assets have never had this improved visibil- create a robust intranet presence with ity, it is possible that the results may provide tools and communications awareness of critical vulnerabilities or celebrate success stories of collaborative weakness associated with the platform. achievements Consequently, when reporting these results, provide platforms for cyber champion others may take offense to these perceived recognition negative results. However, this is a great track, measure, and report the opportunity to educate leadership by effectiveness of the communications explaining that it is far better to fi nd these through a cyber communication opportunities internally rather than be told dashboard about these vulnerability gaps from a law enforcement representative. Don’t pass up Having a venue into the corporate commu- the opportunity to build a champion; one nications team provides cybersecurity the champion can quickly lead to two, which, in opportunity to align, infl uence, and enable turn, can often grow to thousands. the infl ux of cybersecurity into normal business communications. It is critical that the ■ Conclusion corporate crisis communication team be part During times of confl ict it is proven those of the cybersecurity incident response team countries that have aligned themselves with because of the potential reputational impact the right allies have prevailed and overcome associated with a signifi cant cyber incident. grave challenges. These are challenging times; During a time of crisis, concise and timely cyberthreats are real and present signifi cant communications to key stakeholders and risks for most organizations. Communicating customers can often be the difference these risks to technical and nontechnical exec- between an incident being managed and an utives can often be a daunting task that incident being exaggerated. requires additional background and context to Tactically positioning the cybersecurity successfully communicate the message. story within the organization through effec- Executives are results driven and appreciate tive education and awareness while address- other executives who are proactive when ing the latest trends in cybersecurity can dealing with risks. The ability to provide

■ 304 COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES

trustworthy data and a cyber decision support time to include, educate, and collaborate with framework enables cyber executives to trans- stakeholders can build alliances. Having the late a new language to other executives. These right information is powerful, and those actions can positively enhance cybersecurity’s stakeholders who get accurate, timely, and internal reputation by strengthening trust and meaningful data will have the opportunity to credibility across the organization. Taking the lead change.

SecurityRoundtable.org 305 ■

Cybersecurity readiness through workforce development Booz Allen Hamilton – Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate

The demand for skilled cybersecurity professionals currently outweighs the supply. The growing sophistication of cyber adversaries, coupled with our increasingly networked enterprises, means that demand will only continue to grow. To compound this issue, traditional information technology (IT) roles are increasingly insuffi cient to address enterprise-wide cybersecurity risks. A broader skillset, including communication, change management, and leadership, is required in order to respond quickly and collaboratively to evolving cyber threats. In light of these challenges, it is clear that a new approach to workforce planning and development is necessary. Yet what would that entail? This chapter covers fi ve recommendations to improve your cybersecurity workforce, including: (1) rethink your approach to cybersecurity, (2) develop alternative talent management strategies, (3) empower your cybersecurity leadership, (4) connect your organization, and (5) invest in your cyber human capital. ■ Redefi ne cyber operations in your organization Cyber operations are integral to every business function— a fundamental part of business management in which understanding your cyberthreat is key to your bottom line. Coupled with that is a recognition that the IT function and the cyber operations function are not one and the same. IT is an infrastructure enabler, whereas cyber operations are an organization-wide risk issue. A major cyber breach—one that involves sensitive corporate or customer data—poses more than a technical problem or a business continuity challenge. A major incident can create a multidimensional crisis that affects nearly all aspects of the company’s business, as well as its customers, regulators, and other external stakeholders.

307 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

In addition, the talent management chal- environmental factors for their cyber work- lenges for cyber operations are much more force are better prepared to adapt to chang- complex because there is a major crisis to ing threats. backfi ll cyber talent. Even once your organi- Global business trends have shown suc- zations recruits top cyber professionals, cessful cyber practices have fi ve key traits: there is no guarantee you will retain them. they are agile, multifunctional, dynamic, As such, it is not enough for cybersecurity to fl exible, and informal. be relegated to a subset of people, as with the IT function. Every employee in your Agile: Cyber work requires agility. Employees organization faces cyberthreats, and talent act like chameleons shifting quickly and deci- management for IT and cyber operations sively as threat warrants change course should not be combined. By shifting this and as a unit, the capability is alert to new mindset and developing strategies that circumstances. refl ect these realities, your ability to develop an effective workforce will immediately Multifunctional: Cybersecurity is a team improve. sport. A strong cyber practice is built of teams with diverse knowledge sets who can execute ■ Develop alternative talent management a variety of activities at once. Your employees strategies do not have to be good multitaskers, but your Most cybersecurity professionals are per- overall capability does. sonifi ed by their love for cutting-edge technology, casual work environments, and crea- Inquisitive: Cyber professionals embrace tive mindsets. These unique tendencies help learning and they will be curious; they will them excel under the constantly changing want to solve problems regardless of how hard cyber environment but differentiate them it is to fi nd the solution. Because threat actors from the rest of your company in a number across the globe are offering an array of new of ways—fundamentally, their atypical char- threats to consider, your cybersecurity work acteristics of (1) work environment, (2) work practice will change based on evolving infor- preferences, and (3) nontraditional career mation. By taking on new endeavors, your paths. capability will be ready to solve new problems. Recruiting, developing, and retaining this unique workforce requires alternative talent Flexible: Cyberthreats move fast. With con- management strategies—strategies that are stantly changing work requirements, your often connected to but distinct from those practice must be enabled to adapt to new areas applied across the rest of your company. of focus. Your cyber organization must be infused with a strategy that allows for employ- Develop an appealing work environment ees to expand or change their roles to increase Not every business has a culture of prevalent your capability’s fl exibility. ping-pong tables, free food, and a dress code involving fl ip-fl ops and jeans. However, Informal: Cybersecurity professionals thrive there are environmental factors that compa- in a nontraditional environment. Your nies must account for in attracting—and recruits and team members will likely look keeping—the necessary talent for accom- for unconventional working hours and shift- plishing cyber work. ing duties. Creating this type of environment The nature of cyber work means that it is for your cybersecurity professionals allows often executed in an environment that dif- your cyber organization to adjust quickly to fers from that of its parent organization. tackle any challenge. Your cybersecurity Think of your cybersecurity practice as the practice may have different work locations, fast moving, quickly adapting branch of matrixed reporting lines, around-the-clock your organization. Businesses that consider shifts, and a more relaxed dress code than the

■ 308 CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT

majority of your workforce. The budget proof diffi culty, and present opportunities to cess for your cyber organization may be work with emerging technologies. centered around technological investments or on a different timeline to meet shifting Create nontraditional career paths threats. Given the work requirements, it is Placing two cybersecurity resumes side by especially important that your cyber envi- side can sometimes feel like you are compar- ronment has leaders who not only share a ing an apple to an orange. Cyber profession- competitive nature and passion for technolo- als have a variety of experiences, only some gy but also have success operating in dynam- with an educational background in cyber ic, multifunctional environments. and many with certifi cations to designate profi ciency. Although it would be nice if Understand work preferences cyber professionals could be ‘cyber warri- Like the work environment, your cybersecu- ors,’ or experts in all areas of cyber opera- rity professionals also have unique work tions, your cybersecurity professional’s traits. These traits, or work preferences, make diverse backgrounds more likely match the them the perfect candidates to tackle the diversity of the cybersecurity fi eld. daily challenges from threat actors around Booz Allen has found that instead of the globe but also can separate them from the ‘cyber warriors,’ it is much more likely that rest of your organization. Recognizing these your organization’s cyber workforce will be work preferences, for your capability as a composed of three types with many subsets whole as well as on an individual level, is in each: senior leadership, specialized critical to developing your cyber talent man- experts, and generalist staff. Instead of agement strategies. imposing linear career paths on these cyber If your cybersecurity professional had a types, our work has shown that cybersecu- social media profi le, it may look like this: rity professionals work better under a ‘build- your-own’ career path option. Lover and early adopter of new technologies, Senior leadership cyber professionals are as a cybersecurity professional my passion a rare breed of combined expertise and lead- for technology fuels my curiosity to solve ership who can manage teams and opera- complex problems. I am a systems thinker tions. With specialized experts, their deep with confi dence in my ability to put things know-how within a specifi c group of cyber- together and learn new techniques while security capabilities often makes them the using my competitive nature to fuel my center of the talent war. Your generalist staff work as well as engage in offi ce competitions. are early in their cyber careers or have cho- As a natural problem solver and abstract sen a broad role, making them equally high thinker, I tend to look ‘outside the box’ and in demand but commonly part of a larger evaluate challenges from many different supply pool. angles and perspectives before acting. For most of your company, established career paths diagram career progression As one method, try offering applicants an options through linear lines of technical expe- on-the-spot challenge while testing their rience or managerial ranks. However, attract- ability to solve problems using senario- ing and retaining cyber professionals requires based challenges. Capitalize on your alternative pathways that refl ect the diversity employees’ problem solving skills by allow- of positions within the fi eld. For cybersecurity ing them to be a part of strategy, offense, and professionals, try providing a nonlinear defense and by fostering a culture that career path—one that can be horizontal, verti- encourages every level of employee to sug- cal, and diagonal. Show cybersecurity profes- gest solutions. Reward your employees for sionals a set of attributes that describe how to forward thinking, provide them with con- progress using their experience, unconven- stantly changing tasks with different levels tional education, and industry certifi cation.

309 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

This provides your cyber professionals with Once relegated to the IT department, fl exibility to put the pieces together using cybersecurity is now part of a company’s defi ne career progression opportunities and core strategic planning and investment port- opens up your ability to recruit talent who folio. That said, many CISOs currently don’t want to grow with your organization. have the appropriate skill set to deal with all the overall strategic implications of a major ■ Give CISOs a ‘seat at the table’ cyber breach. Although CISOs likely have Although progress is being made in profes- the technical expertise required to fi x the sionalizing and institutionalizing cybersecu- problem or at least manage it, they may not rity as a fi eld, much remains to be done. In be prepared for the magnitude of other mul- fact, less than half of Fortune 100 companies tidimensional challenges that surface during have a CISO. Organizations still struggle to the crisis. In addition to technical know-how, build, recruit, and retain a cybersecurity CISOs have to be able to think on their feet, workforce. There is no ‘one-size-fi ts-all’ for nimbly and calmly handling the internal and placement of the CISO within your organiza- external nontechnical issues that may arise. tion. It depends on the industry, the type of organization, and what the organization is ■ Connect your organization protecting. In some organizations, the CISO The cyber-ready organization is a connected may report to the CIO. In others, with a dif- one. Ineffective collaboration between lines ferent architecture, mission statement, and of business and the cyber function limits set of complex challenges, the CISO may data sharing and effective change. However, report to the chief risk offi cer, or even directly before you can foster true collaboration to the COO or CEO. between your lines of business, you must No matter where the CISO sits in your have appropriate cyber channels weaved organization, you need to give the CISO ‘a throughout your organizational structure. seat at the table’ during regular operations, Your organization needs effective processes for example, when discussing risk analysis, in place to manage cyber-related communi- profi t reductions, performance indicators, cations and policies. This ‘interconnected- and other strategies in your organization’s ness’ comes to life when your central cyber balanced scorecard. Elevating the level of unit is feeding information to key business your CISO during normal operations helps leaders and those business leaders are imple- nurture leadership, management, and non- menting change throughout their lines of technical skills—skills that are critical during business and communicating information a cyber crisis. Further, by making the CISO a back to the core cyber unit. The cybersecurity member of the C-suite leadership team, function deserves to be placed at the center you will be able to raise the level of cyber of your organization, to inform all of your awareness—and coordinated response— business units. across your entire organization. Cybersecurity should be viewed as a cen- The CISO’s role within the organization tral business function that informs other abruptly shifts to hands-on, crisis mode in a business units. See Figure 1. cyber breach. The CISO’s foremost responsi- You also will need strong leaders at the bility is to quickly address the crisis from a helm of each business unit who are bilin- technical perspective. The CISO should be gual in business and cyber operations. fully immersed in directing the cyber Cybersecurity is the new education leaders response, working with the computer inci- have to undergo to lead your organization dent response team or security operations effectively. In connecting the channels experts to remediate and minimize damage, across your organization, all leaders must while delegating or outsourcing other roles/ be on the same page, communicating the issues such as policy implications, legal, and same message, implementing the same public relations. security measures, with the same vigor.

■ 310 CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT

FIGURE

Cybersecurity as a central business function

Finance

Technology Operations

Cyber Function

Human Resources Marketing

Supply Chain

■ Finally, invest in cyber human capital An effective way to improve the long- Most leaders in today’s business world agree term security of your company is by cybersecurity is important. However, when investing in your cyber leaders and cyber the meeting is over, will they truly buy in workforce. Investments in technology and and embrace cybersecurity as a key priority processes go unrealized unless your organ- for their divisions? This is the tough ques- ization has strong cyber leaders along with tion CEOs, CIOs, and CSOs encounter. An a capable workforce to defend your net- organizational cybersecurity plan can only works and improve your security. be as strong as the weakest commitment Successful organizations will invest in from any key leader. It doesn’t matter how their workforce, give their CISO a seat at strong your security posture is for individual the table, and foster integrated lines of departments; if one division is vulnerable, communication for the sharing of cyber- your entire organization is at risk. related information.

SecurityRoundtable.org 311 ■

Building a cyber-savvy board Korn Ferry – Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner

Given the growing magnitude and frequency of cybersecurity breaches, which have the potential to shake major corporations to their core, cybersecurity has become an issue of enterprise-wide importance. These incidents have become commonplace events, and organizations that are targets may suffer lost or stolen intellectual property, damage or destruction of critical data or infrastructure, disruptions to critical operations, and loss of confi dence among customers, investors, and employees. The longer- term damage to value and reputation is incalculable.

■ Startling statistics PwC’s Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013. That is the equivalent of 117,339 incoming attacks per day, every day. The Identity Theft Resource Center reported a record high of 738 U.S. data breaches, a 28% year-over-year increase. If you’re thinking you can build a modern-day “moat” to keep the bad guys out, consider that the 2014 U.S. State of Cybercrime Survey, co-sponsored by PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service, found that almost one-third of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. In a virtual ecosystem that increasingly includes the Internet of Things (IoT), traditional fi rewalls do not ensure protection, as employees come and go each day with connected devices, such as smartphones and computers, which may wittingly or unwittingly introduce threats that can threaten the survival of the organization.

313 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

This greatly expanded cyberattack sur- importance of cybersecurity has shifted from face and resulting breaches add up to a something of marginal interest to the board huge price tag. The annual cost of cyber- to a high priority that resides within the crime to the global economy is estimated to board’s risk management framework. be between $375 billion and $575 billion, This is a new role for CEOs and directors, according to a June 2014 study by the many of whom feel unequipped to deal with Center for Strategic and International it because cybersecurity does not remotely Studies; Gartner Inc. estimates that total relate to traditional areas of director exper- spending will grow 8.2 percent in 2015 to tise. Armed with a tested protocol to combat reach $76.9 billion. cyberthreats and the right resources, how- If that’s not a wake-up call, we don’t ever, every board should be able to imple- know what is. But, the challenge remains: ment a preparedness and response plan that translating awareness into an action plan. will give the board and management team, Although CEOs and boards are alert to the as well as investors, the reassurance that the issue and the devastating, long-lasting company is as well positioned as reasonably effects of security breaches, there is surpris- possible to confront these ever-evolving ingly little knowledge of recommended challenges. practices to best position organizations In practical, operational terms, what does defensively and enable quick and effective all this mean for the C-suite and the board, response when the inevitable occurs. Let’s and how can they get started on overseeing be blunt: There is no foolproof way of pre- the many-headed beast that is cybersecu- venting security breaches, but a systematic, rity? For one thing, it starts with ensuring proven approach can make the difference everyone on the board is speaking the same between the survival and the demise of an language when it comes to cyberthreats. enterprise. Because directors are generally business people, the common language should be the ■ Alignment at the top language of business. Cybersecurity is an insidious threat, all the more so because breaches, including the ■ The right questions most disastrous ones, often are not detected According to Melissa Hathaway, private until the damage is done. One cybersecurity sector cybersecurity expert and former fi rm recently estimated that close to three cybersecurity “czar” under Presidents quarters of security breaches go undetected. George W. Bush and Barack Obama, “Until No board or management team can afford to cybersecurity is refl ected in balance sheet become complacent. If you haven’t yet fallen terms, it’s never going to be fully embraced victim, you may have been smart, but most by the board.” She emphasizes that once likely lucky. You should assume it’s just a cybersecurity has been identifi ed as a criti- matter of time, perhaps there already has cal risk, it must be managed with the same been a breach that has gone undetected, so rigor and processes applied to other risks plan accordingly. and remain visible on directors’ dashboards In a relatively short time cybersecurity with key, comprehensible metrics. “Tech has gone from something that was compart- speak,” or any jargon that obfuscates the mentalized and handled by the IT depart- issues for directors, has no place in the ment to something that is regularly on the boardroom. agenda at board meetings. At the same time The reality of boardrooms, however, is “major threats” have been redefi ned, from that the scale of that impact is often obscured identifying a Trojan horse and upgrading or lost in translation. Unless directors can cut anti-virus software to threats that strike at through the technical jargon in what are the very heart of organizations and are capa- often massive amounts of information they ble of taking them down. The view and receive, the size of the risk and the steps to

■ 314 BUILDING A CYBER-SAVVY BOARD

mitigate it may not be clear. Companies industry in which it operates, so each board depend on a functioning Internet, which was should decide on a case-by-case basis. never invented with security in mind, and Shortfalls in board experience often can be all that is linked to it. Therefore, related risks made up by retaining the appropriate addi- and costs must be made known to the board tional expertise to advise on an as-needed so that the cost of potential breaches can be basis; however, we are starting to see more calculated in capital and operational terms, demand for this specifi c sort of talent on rather than remaining hidden. boards. Among the questions directors should be Sometimes, as noted above, the board’s asking regularly to ensure alignment as a most important role lies in asking the right team and a fi rm grasp on cybersecurity, says questions, which may require business Hathaway, are the following: smarts and good old-fashioned common sense but not necessarily technical cyberse- Is cyber risk accounted for in our overall curity expertise. corporate planning process? The board As overseer-in-chief of the CEO and the must be assured that cyber risk is an business, the board has a responsibility for element of a broader risk framework managing the company’s risk portfolio, of and that exposures are recognized and which cybersecurity is now a key compo- planned for. nent. Proper oversight entails remaining at a What is the process for evaluating high, supervisory level—not getting dragged security and measuring liabilities? down into the management weeds—and Boards should know not only what boards can properly perform their fi duciary controls are in place but also how they duties by focusing on a few main areas. are evaluated. The board must be reassured by the CEO Do we have directors with relevant that the most capable people are in the criti- expertise? Although boards may not cal positions, and this extends to the leader- require general technology expertise, ship and team managing cybersecurity. With it may be advisable to have one or so much at stake, this is not a place to cut more directors who understand IT and corners. its associated risks, or have a security Directors should be kept abreast of main background. cybersecurity risks, as well as the remedia- Have we identifi ed executive ownership tion process and timeline for effectively of the issue? The CEO should have dealing with them. Certainly no one expects controls in place that indicate how directors to be technology wizards, but they cybersecurity is being managed and the should be inquiring about safeguards the true costs to the business, which should company has in place to guard against be part of an internal and external audit. intrusion and be satisfi ed by management What will we do in the event of a breach? that protection along with response and If and when a problem arises, a process recovery capabilities are adequate. In addi- should be in place for communicating tion, they will want to be informed about effectively, internally and externally, and education for everyone throughout the dealing with attendant costs. organization, to ensure awareness of threats, and a step-by-step response plan to follow ■ Overseeing cyber risk in the event of a breach. Boards are increasingly adding directors with cybersecurity backgrounds and, more ■ The board at the nexus generally, security expertise, but boards Cybersecurity has expanded well beyond should not assume that they need to add a the confi nes of IT and emerged as a concern director with this specialized background. at the highest enterprise level, primarily Much depends on company specifi cs and the because of the devastating potential effects

315 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

on shareholder value, market share, reputa- can always be made available should direction, and long-term survival. Cybersecurity tors need bolstering in this area. is an issue that crosses all organizational In fact, directors owe it not only to their silos and boundaries top to bottom, encom- shareholders to ensure a comprehensive passing people, culture, and risk manage- approach to monitoring and developing a ment and must bridge security, technology, proactive approach to tackling cybersecurity privacy, and compliance. Cybersecurity is, but also to themselves. With cybersecurity in therefore, taking its rightful place on a short the spotlight—where it is likely to remain— list of the board’s crucial responsibilities, directors could also face personal risks, which now include protecting a company’s because D&O insurance may not be suffi - assets, particularly digital, as part of an cient if boards don’t take what are deemed organization’s overall risk portfolio. appropriate actions. Boards should consider In fact, managing cyber risk doesn’t differ adding cyber insurance as part of a compre- signifi cantly from managing more tradition- hensive approach to enterprise risk manage- al forms of risk and must be managed in a ment if they are to continue to recruit the similar way, remaining visible on directors’ best directors. According to a recent post on dashboards so that it is tracked and the Harvard Law School Forum on Corporate addressed regularly. Governance and Financial Regulation, “no Those boards that do not have a cyberse- company in the U.S. should forego buying curity expert as a member of their team cyber insurance to protect against the real, should not assume they need a director with ever-present risk of a major cyber-attack and this experience, but they should seriously the massive costs associated with such a evaluate that potential need based on their breach.” situation and needs. Some boards have determined that they do require this exper- ■ A framework to meet the cybersecurity tise on their audit committee—where risk challenge oversight generally lives—on a special Perhaps most important in properly meeting cybersecurity subcommittee, or on a dedi- the cybersecurity challenge, ensuring pre- cated cybersecurity committee. While some paredness and a ready response to any boards have recruited this expertise, many breaches, directors need a framework, which have not and may not, accessing what they can be tailored to the needs of their organiza- require to keep them informed and able to tion, in which to operate. A deep dive into make key decisions either from internal tech- each area will link to additional responsibili- nology experts or from external consultants ties and timeframes, most of which will be to the board. These solutions are varied and the responsibility of management. tailored and continue to evolve. The baseline for board involvement in CEOs and those who serve as directors overseeing cybersecurity should comprise on their boards are generally a smart group the six following components: of people, and they don’t have to be subject matter experts to provide oversight for the 1. Security strategy. The board must ensure few crucial areas—including strategy for- that the company has a strategic vision mulation, succession planning, and risk and a tactical road map that proactively management—in which they exercise their protect assets and keep pace with fi duciary duties. Cybersecurity is yet another escalating threats and evolving regulatory form of risk, but it is a dynamic, still-emerging requirements. form that is new to most directors. We are 2. Policy and budget review. Company likely years away from the point where security policies, and roles and boards as a whole consider managing cyber responsibilities of all relevant leadership, risk familiar terrain, so additional resources should be evaluated, along with data

■ 316 BUILDING A CYBER-SAVVY BOARD

security and privacy budgets to ensure eliminated—clearly they cannot—but the they are adequately funded. resulting damage can be greatly minimized 3. Security leadership. The board must with signifi cant planning and a quick confi rm that the organization has the response protocol. credible leadership and talent to develop, In part, effectively managing cyberse- communicate, and implement an curity starts at the top with the board rec- enterprise-wide plan to manage cyber ognizing what it must manage and how risk. that will be done, including additional 4. Incident response plan. The board resources it may require. While the board should oversee the development of a may have ultimate responsibility for the comprehensive incident response plan war on cyberthreats, everyone, at every that is widely understood, rehearsed, and level of the organization, must understand stress tested. his or her role on the front lines of this 5. Ongoing assessment. The board should ongoing war, because threats can come periodically review a thorough assessment from anywhere. of the organization’s information Moreover, in an increasingly robust regu- security capabilities, targeting internal latory environment with cybersecurity high vulnerabilities and external threats. on the SEC’s agenda, adherence to best prac- 6. Internal education. The board should tices with a well-designed plan approved ensure that the company implements a and monitored by the board should prove far strong communication and education preferable to regulations imposed from the program to create an environment outside. Given the current direction, in the in which all employees embrace near future it is likely that publicly owned responsibility for cybersecurity. companies will be required to disclose more information about their cybersecurity vul- ■ A cybersecurity strategy nerabilities, including data breaches. Organizations must have a cybersecurity Ultimately, boards should work with strategy, lest they simply be engaged in a senior management to build a cybersecurity- game of whack-a-mole, reacting to one aware culture if they are to truly protect threat after another rather than having a their companies from this relatively new, comprehensive game plan. That is not to continually morphing, and potentially dev- say that cyberthreats and breaches can be astating form of risk.

SecurityRoundtable.org 317 ■

Evaluating and attracting your next CISO: More sophisticated approaches for a more sophisticated role Egon Zehnder – Kal Bittianda, Selena Loh LaCroix, and Chris Patrick

The role of the chief information security offi cer (CISO) has changed dramatically in the last decade. No longer merely a digital sheriff called on to protect the fi rm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite. The upgrading of the role is a natural response to the extensive technological, societal, economic, and geopolitical developments over the same time period. For many organizations, information—whether customer records, intellectual property, or strategic planning—is now their most valuable asset. As those assets have become more valuable, they have also become less secure because of the increase in the number and the sophistication of attackers, as well as the vulnerabilities inherent in an increasingly networked society. The bottom line is that, although the CISO rarely reports directly to the chief executive offi cer, he or she must have the qualities expected at the CEO-1 level. Organizations endeavoring to fi ll the CISO role must ensure that their recruitment strategies and candidate evaluation processes keep pace with these greater expectations, lest those organizations increase their risk of unmet security goals, shorter CISO tenures, and the associated costs. This is in addition to the diffi culty of maintaining a consistent security culture in the shadow of frequently changing information-security leaders.

■ Taking a holistic view of CISO candidates Our observation at Egon Zehnder has been that when looking for their next CISO, organizations can benefi t by taking a broader view of the required qualities and capabilities. Effective candidate evaluation can be achieved by dividing a candidate’s career into its past, present, and future components and evaluating each element

319 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

with the appropriate perspective. A consoli- to get the right things done. Audits are dation of the three elements provides a responded to in a timely fashion, the holistic view of the CISO candidate that board of directors is clear on the impact corresponds with the multi-faceted nature of information security investments, and of the role today. core data assets are well protected. 2. Strategic orientation: As mentioned The past: What has the candidate done? earlier, the CISO must be a strategically A candidate’s credentials, work history, oriented partner with critical thinking and track record have always been a cen- skills. He or she must process disparate tral part of the evaluation process, and for information and generate valuable good reason. This component includes insight regarding external issues such examining the types of organizations in as shifts in threats and countermeasures which the candidate has worked, their size and internal matters such as business and complexity, and which markets they implications of information security served, and then seeing what the candi- policies and protocols. date accomplished in each role, what 3. Transformational leadership: Regardless transformations the candidate has led, and of the context into which the new CISO the security record of the organizations is taking the helm—after a major breach, under the candidate’s watch. These fi nd- under the glare of heightened board ings provide the raw material, basic facts, scrutiny, or with an acquisition that must and context for measuring the fi t between be integrated—he or she will need to the candidate and role. Although the CISO transform systems to address current role has grown signifi cantly beyond its challenges, creating a vision others buy technical roots, the technical expertise into and moving the organization forward indicated by work history are essential while keeping day-to-day operations “table stakes” for a candidate to warrant running smoothly. further consideration. 4. Relationship management: The CISO must be able to lead in a matrixed The present: What can the candidate do? environment, working diplomatically Until about a decade or so ago, exploring a with a range of constituencies with candidate’s work history generally consti- different perspectives on information tuted the bulk of the assessment process. security, including the board, the CEO, Then the realization emerged that what a the CFO, the COO, and general counsel. candidate had done so far is a mere subset of In addition to managing internal what a candidate could do, because one’s relationships, the CISO must also work experience can never be so broad as to leverage external networks that include capture everything of which someone is peers at other organizations, Internet capable. Looking at competencies is a way of service providers, third-party security taking an inventory of an executive’s full solution vendors, and law enforcement leadership toolbox. and intelligence agencies. The CISO must The key is to evaluate for the right com- have the gravitas and infl uence necessary petencies given the demands of the posi- to communicate effectively with each of tion. In our experience, fi ve competencies these internal and external groups in a are particularly important when evaluating range of conditions, from off-site strategy CISO candidates. They are listed here in sessions to emergency response. order from the most common to the most 5. Team leadership: Most organizations elusive: focus all their attention on fi lling the CISO position, leaving relatively little 1. Results orientation: The successful energy for establishing a pipeline of candidate must be able to move quickly internal talent. This is understandable but

■ 320 EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE

shortsighted. Identifying and developing competency-based evaluation in the same internal information security leadership way that examining competencies provides talent is critical to the long-term success much more depth than merely looking at of the function and should be considered work history. None of these elements are part of the CISO’s role. sufficient on their own for identifying how a given candidate will respond to the The future: How will the candidate adapt to change unfolding challenges of the CISO role, but and unforeseen developments? in combination they produce a vivid, and Looking at competencies provides a more in our experience, highly accurate, por- complete view of a candidate’s abilities than trait and predictor. These added dimen- examining just professional history. But sions are particularly important because competency-based assessment has its own of how much the CISO role has changed in limitations in that it assumes the future will the last several years. Few CISOs have be more or less like the past or present. It established track records acting as the sort does not measure a person’s ability to of strategic leaders—rather than technical respond to fundamental changes such as managers—that the role requires today. those brought about by the current waves of The attributes of potential add another digital transformation. Someone who looks element to help identify who is likely to highly qualifi ed on paper and presents well successfully navigate this leap. thus can fall short of expectations as condi- But the above framework is only that— tions become highly complex and ambigu- the quality of its output depends on the ous. Also, looking at only experience and quality of the input. Without a concerted competencies means the organization risks effort, reliable input can be diffi cult to overlooking candidates who may seem obtain in CISO evaluations because of the underprepared today but with suffi cient tendency of data-security function to move support would be best suited for the future. quickly from crisis to crisis, leaving little In Egon Zehnder’s examination of the concrete evidence of who did what when. assessments of thousands of senior execu- The key to obtaining the needed level of tives, we discovered that those who fl ourished detail is in-depth interviews with multiple in the face of volatility, complexity, uncertain- informed references. Doing so requires ty, and ambiguity shared four traits, which the ability to tap an extensive professional collectively we call potential. The four ele- network. ments of potential are the following: Because of the number of factors being weighed, it is important to not merely collect 1. Curiosity: A penchant for seeking out observations for each quality being exam- new experiences, knowledge, and candid ined but to place the candidate on a scale feedback, as well as an openness to based on average performance in the indus- learning and change try. Some organizations also complement 2. Insight: The ability to gather and make candidate and reference interviews with psy- sense of information to suggest previously chometric testing to provide another layer of unseen opportunities and threats objective input for the evaluation process. 3. Engagement: A knack for using emotion and logic for communicating a persuasive ■ Positioning the role vision and connecting with people The market for top-tier CISOs is now highly 4. Determination: The resilience to fi ght for competitive. Information security has diffi cult goals despite challenges and to become a high-profi le corporate concern, bounce back from adversity. and the bar has been raised on the pool of qualifi ed candidates. By one estimate there The elements of potential add an extra were 2,700 CISO job openings in the United dimension to what is learned from a States in June 2015. So even if organizations

321 ■ CYBER RISK AND WORKFORCE DEVELOPMENT

are able to effectively evaluate candidates 3 . “What key performance indicators will I against current and future requirements, be measured against?” Given that every they must also be prepared from the start to large organization must assume that it is actively sell the opportunity to an audience continually under cyberattack, it follows that is naturally skeptical. that security breaches are a matter of In our experience, every CISO candidate not “if” but “when.” Therefore, it is not asks four overarching questions when evalu- realistic for a company to hold its CISO to ating an opportunity: a “one strike and you’re out” performance benchmark. The conversation about 1. “Who is my sponsor and how much expectations is just as important as the infl uence does he or she have?” This ones about resources, reporting lines, and is likely to be the fi rst question on the compensation. CISO candidate’s mind, and he or she is 4 . “Where will I be in fi ve years?” Those thinking about this issue in at least two who lead the information security function specifi c ways. First, although the CISO is are like other functional leaders in their likely to have some interaction with the range of career ambitions. For some, the board and C-suite, there will still be many opportunity to lead the function at a quality conversations that affect the information organization is the goal; others, however, security function to which the CISO are looking ahead to a CIO role or even a will not be privy. As a result, the CISO broader role in organizational leadership. It will have to rely his or her supervisor is important to understand each candidate’s to act as an effective intermediary in desires against what the organization can advocating for resources and policy offer. Remember that the CISO’s reporting initiatives and in educating the board relationship will be one factor that frames and CEO on information security issues this issue in his or her mind. as they unfold. Second, when the CISO needs to take an unpopular position to Long gone are the days when an argument strengthen an organization’s information had to be made regarding the strategic security profi le, he or she has to know importance of information security. In most there will be support in high places. organizations, the CISO role now has the 2 . “How deep is the organization’s weight and sophistication its responsibilities commitment to information security?” require. Organizations can assess the state of This is more than a question of staff their CISO recruitment and assessment strat- and budget allocation, although those egies by asking themselves the following elements are certainly important. The four questions: CISO wants to know that the C-suite and the board appreciate the complexity and 1. Have we identifi ed the CISO’s full range uncertainty at the core of the information of strategic responsibilities and the security function and the need for making competencies needed to be successful? everyone in the organization, top to 2. Do we have a consistent methodology bottom, responsible for security. For the for evaluating a candidate against those CISO to be successful, he or she must be responsibilities? empowered to act and be armed with 3. Have we reviewed the CISO reporting the necessary resources to deploy both in relationship against the information times of normalcy and crisis. Although security context of the organization the CISO expects organizations to have to ensure that the CISO is adequately high standards, he or she will avoid empowered to accomplish the enterprises who refl exively cycle through organization’s information security security teams. goals?

■ 322 EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE

4. Do we have an adequate professional adjustments to ensure they have the development program in place to support approach and tools to identify and attract the CISO and his or her team to help them the information security talent that can per- meet the standards demanded by the form at the level the position now requires. function’s heightened importance?

From the answers to these questions, organizations can then begin to make the necessary

SecurityRoundtable.org 323 ■

Contributor Profi les

Electronic version of this guide and additional content available at: SecurityRoundtable.org

CONTRIBUTOR PROFILES

responsible for Product, Market Strategy, and Marketing. Prior to NYSE Governance Services, Mr. Sodowick founded True Offi ce in 2010 to solve a long-standing problem: the tedi- um and high cost of regulatory compliance training. Recognizing that humans are New York Stock Exchange hardwired to learn via stories and play, 11 Wall Street True Offi ce creates data-rich desktop and New York, New York 10005 mobile compliance apps that help compa- Tel +1 212 748 4000 nies identify risk, save money, and educate Web www.nyse.com employees on complex and risk-sensitive TOM FARLEY business issues in a fun way. Since its launch, True Offi ce has experi- President, NYSE Group enced a steep growth trajectory and has been Tom Farley is President of the NYSE Group, adopted as the compliance training solution which includes the New York Stock Exchange of choice for many Fortune 500 companies. and a diverse range of equity and equity True Offi ce has won multiple awards across options exchanges, all wholly owned sub- the GRC, Technology, and Innovation seg- sidiaries of Intercontinental Exchange ments and has been featured prominently in (NYSE/ICE). Mr. Farley joined the NYSE many media outlets, including the BBC, the when ICE acquired NYSE Euronext in 2013, Wall Street Journal, Forbes, Fortune’s annual serving as Chief Operating Offi cer. He held 500 Issue, and more. previous roles at ICE, including SVP of Initially backed by Morgan Stanley Financial Markets and President and COO of Strategic Investments, The Partnership for ICE Futures U.S., formerly the New York New York City Fund and Rho Ventures, True Board of Trade. Offi ce was acquired by Intercontinental Prior to joining ICE, Mr. Farley was Exchange, parent company of the New York President of SunGard Kiodex, a risk man- Stock Exchange in October 2014. agement technology provider to the deriva- Prior to founding True Offi ce, Mr. Sodowick tives markets. He has also held various was the co-founder and CEO of 50 Lessons. positions in investment banking at During this time, Mr. Sodowick pioneered the Montgomery Securities and in private creation of the award-winning ‘50 Lessons equity at Gryphon Investors. Mr. Farley Digital Business Library.’ holds a BA degree in Political Science from Today, 50 Lessons is widely recognized as Georgetown University and is a Chartered the world’s pre-eminent collection of multi- Financial Analyst. media business insights from global business leaders. These assets are housed in a NYSE GOVERNANCE SERVICES digital library and sold via various channels 55 East 52nd St, 40th Floor to more than 350 corporate customers and New York, New York 10005 academic institutions globally. Tel +1 212 323 8500 Mr. Sodowick envisioned and led the ADAM SODOWICK publishing initiative behind the best-selling Lessons Learned: Straight Talk From The World’s President, NYSE Governance Services Top Business Leaders, a set of 24 books pub- Email [email protected] lished by Harvard Business School Press. Adam Sodowick is currently President of Initially backed by the BBC, 50 Lessons was NYSE Governance Services after serving as acquired by Skillsoft in 2011. Chief Operating Offi cer, where he was

327 ■ CONTRIBUTOR PROFILES

Intercontinental Exchange 5660 New Northside Drive NW 3rd Floor Atlanta, Georgia 30328 Tel +1 770 857 4700 Web www.intercontinentalexchange.com Palo Alto Networks Inc. JERRY PERULLO 4401 Great America Parkway Chief Information Security Offi cer Santa Clara, California 95054 Email [email protected] Tel +1 408 753 4000 Jerry Perullo has led the Information Web www.paloaltonetworks.com Security program at Intercontinental Exchange, Inc. (NYSE:ICE) since 2001. As MARK D. MCLAUGHLIN Chief Information Security Officer, he is Chairman, President, and CEO responsible for the security of ICE’s Mark D. McLaughlin joined as president and heavily regulated exchanges and clearing- CEO of Palo Alto Networks in August of houses, including the New York Stock 2011 and became Chairman of the Board in Exchange. 2012. Previously Mr. McLaughlin served as Mr. Perullo is an active participant in the President and CEO of Verisign. Prior to Financial Services Sector Coordinating Verisign, he was the Vice President of Sales Council (FSSCC) and Financial Services and Business Development for Signio and Information Sharing and Analysis Center was instrumental in driving the acquisition (FS-ISAC), where he serves as Chair of the of Signio by Verisign in 1999. Before joining Clearinghouse and Exchange Forum Signio, he was the Vice President of Business (CHEF). He also co-founded the Global Development for Gemplus, the world’s lead- Exchange Cyber Security (GLEX) working ing smart-card company. Previous to group under the World Federation of Gemplus, he also served as General Counsel Exchanges and serves on several industry of Caere Corporation and practiced law as and customer advisory boards within the an attorney with Cooley Godward Kronish cybersecurity industry. LLP. In 2014 President Obama appointed Mr. Prior to ICE, Mr. Perullo was a Principal McLaughlin as the Chairman of the National Consultant at Digital Consulting and Security Telecommunications Advisory Software Services providing information Committee (NSTAC). He received his JD, security testing and consulting services to magna cum laude, from Seattle University the health-care, energy, and data service School of Law and his BS degree from the industries and built an Internet Service U.S. Military Academy at West Point. Provider in the mid 1990s. Mr. Perullo studied Computer Engineering at Clemson University and earned a BS degree in Legal Studies from the University of Maryland and an MBA from Georgia State University.

■ 328 CONTRIBUTOR PROFILES

DAVIS Y. HAKE awarded the Risk and Insurance Magazine Director of Cybersecurity Strategy “Power Broker” distinction and was named to Business Insurance Magazine’s inaugural As Director of Cybersecurity Strategy, “Top 40 under 40” brokerage honor roll Davis Y. Hake is responsible for building and 2014 Rising Star by Reactions magazine. and sharing the company’s strategy for Mr. Kannry received a BS and BA from Case cybersecurity thought leadership and deliv- Western Reserve University, a JD from the ering valuable information, insights, and Northwestern School of Law, and his MBA instructional tools on all things related to from the Kellogg School of Management. cyberthreats and today’s security landscape. Prior to joining Palo Alto Networks in 2015, DAVID W. WHITE Mr. Hake was a leader in U.S. government Co-Founder and Chief Knowledge Offi cer cybersecurity serving in the White House, at Email [email protected] senior levels in the Department of Homeland Security, and as a policy expert for the U.S. David W. White is a founder and Chief Congress. Mr. Hake also drafted some of Knowledge Offi cer at Axio Global. Axio is a the fi rst comprehensive cybersecurity legis- cyber risk-engineering fi rm that helps organi- lation, for which he received a Federal 100 zations implement more comprehensive Award for leadership in the IT community. cyber risk management based on an approach He is a graduate of the University of that harmonizes cybersecurity technology/ California–Davis, where he studied interna- controls and cyber risk transfer. Mr. White tional relations and economics and received works directly with Axio clients and is a Masters degree in Strategic Security Studies responsible for the frameworks and methods from the National Defense University. that guide Axio’s services, including cybersecurity program evaluation and benchmarking, cyber loss scenario development and analysis, insurance program analysis, and data analytics. Previously, Mr. White worked in the CERT Program at Carnegie Mellon’s Software Engineering Institute, a cyberse- Axio Global, LLC curity research program primarily funded 77 Water Street, 8th Floor by the U.S. Department of Defense and the New York, New York 10005 U.S. Department of Homeland Security. Tel +1 708 420 8611 While there, he was responsible for techni- Web www.axioglobal.com cal leadership and research strategy for a portfolio of cybersecurity and resilience SCOTT KANNRY maturity models and frameworks and Chief Executive Offi cer associated research, diagnostic methods, Email [email protected] and training. Scott Kannry is the Chief Executive Offi cer of Mr. White served as chief architect for the Axio Global. Mr. Kannry’s entire career has Electricity Subsector Cybersecurity Capability been in the commercial insurance industry Maturity Model (ES-C2M2) and served on the with a focus on cyber and previously spent review team for the oil-and-natural-gas ver- 10 years in the Financial Services Group at sion (ONG-C2M2) and industry-agnostic Aon. He works with clients in all industries version (C2M2). Mr. White co-authored the but specializes in those with evolving cyber CERT Resilience Management Model (CERT- risks, such as energy, utility, transportation, RMM) and served as the chief architect for the and manufacturing. Mr. Kannry has been Smart Grid Maturity Model (SGMM).

329 ■ CONTRIBUTOR PROFILES

governance advice. He routinely counsels companies victimized by cybercriminals to investigate the underlying incident, coordinate with law enforcement, and Baker & McKenzie manage consumer-related civil litigation 815 Connecticut Avenue, NW and regulatory investigations. Mr. Woods Washington, DC 20006 has signifi cant experience handling gov- Tel +1 202 452 7000 ernment investigations and business Web www.bakermckenzie.com crimes, privacy litigation, class actions, information governance, and electronic discovery matters. He regularly oversees DAVID C. LASHWAY and advises on the intersection between Partner data protection issues and data collection Email [email protected] issues associated with internal investiga- David C. Lashway leads Baker & McKenzie’s tions and litigations. global cybersecurity practice and is located in Washington, DC. He focuses his practice in NADIA BANNO the areas of crisis management, internal Counsel, Dispute Resolution investigations, and complex criminal, civil Nadia Banno joined Baker & McKenzie’s and administrative litigation and has signifi - Dispute Resolution department in London as cant experience advising clients with respect Of Counsel in September 2014. She previously to various aspects of cybersecurity-related held the position of Head of Litigation at the matters. Mr. Lashway is a sought-after law- BBC, where she regularly advised the yer who advises the Fortune 100 on the full Executive Board and senior management on a lifecycle of enterprise risks associated with wide range of high-value, high-profi le dis- information security, including before, dur- putes and investigations. Ms. Banno advises ing, and after a network breach, as well as clients in the areas of regulatory and public federal regulatory and criminal matters. He law, defamation and media law, data protec- regularly conducts global investigations tion, freedom of information, and commercial around the theft or compromise of confi den- disputes. She also advises clients on the legal tial data and is repeatedly called upon to liti- aspects of crisis and reputation management, gate post-data breach issues. His clients including handling internal investigations include investment banks, publicly traded and appearing before Parliamentary Select and private companies, trade associations, Committees. and individual managers, and his matters span the globe. BRANDON H. GRAVES JOHN W. WOODS, JR. Associate Partner Email [email protected] Email [email protected] Brandon H. Graves is a member of Baker & John W. Woods is a partner in Baker & McKenzie’s global cybersecurity practice McKenzie’s Washington, DC, offi ce. He and is located in Washington, DC. He co-leads the cybersecurity practice. His has extensive experience in conducting practice in the cybersecurity area focuses on investigations and advising clients before, internal investigations, data security com- during, and after cybersecurity incidents. He pliance, privacy litigation, and information represents clients in a variety of industries

■ 330 CONTRIBUTOR PROFILES

on incident response matters and related Chambers USA and was one of only three disputes. Mr. Graves was formerly a attorneys named an MVP by Law360 for law clerk for Judge J. L. Edmondson of the Privacy & Consumer Protection in 2013. United States Court of Appeals for the Eleventh Circuit. Before graduating from CRAIG A. HOFFMAN the University of Virginia School of Law, Partner he was an infantry officer in the Email [email protected] th 25 Infantry Division with service in Craig A. Hoffman provides proactive coun- Iraq. He holds a BS degree in Computer sel on the complex regulatory issues that Science from the United States Military arise from data collection and use, including Academy at West Point. customer communications, data analytics, emerging payments, cross border transfers, and security incident response preparedness. He uses his experience as a litigator and works with hundreds of companies who BakerHostetler have faced security incidents to help clients 45 Rockefeller Plaza develop a practical approach to meet their New York, New York 10111-0100 business goals in a way that minimizes regu- Tel +1 212 589 4200 latory risk. Mr. Hoffman conducts incident Web www.bakerlaw.com response workshops—built upon applicable THEODORE J. KOBUS notifi cation laws and guidelines, “good” and “bad” examples from other incidents, and a Partner and Co-Leader, Privacy and Data tabletop exercise—to prepare companies Protection to respond to security incidents quickly, Email [email protected] effi ciently, and in a manner that complies Theodore J. Kobus is national leader of the with applicable law while mitigating risk BakerHostetler’s Privacy and Data Protection and preserving customer relationships. team. Mr. Kobus focuses his practice in the Mr. Hoffman also serves as the editor of area of privacy and data security. He advises BakerHostetler’s Data Privacy Monitor blog, clients, trade groups, and organizations providing commentary on developments in regarding data security and privacy risks, data privacy, security, social media, and including compliance, developing breach behavioral advertising. response strategies, defense of regulatory actions, and defense of class action litigation. Mr. Kobus counsels clients involved in F. PAUL PITTMAN breaches implicating domestic and interna- Associate tional laws, as well as other regulations Email [email protected] and requirements. Having led more than F. Paul Pittman provides guidance to clients 800 data breach responses, Mr. Kobus has in responding to data security incidents and respected relationships with regulators data breaches, ensuring that they meet their involved in privacy concerns as well as deep response and notifi cation obligations under experience to help clients confront privacy state and federal data privacy laws. issues during the compliance risk manage- Mr. Pittman also advises clients on data pri- ment stages. He is invested in his client rela- vacy and security issues that may arise in tionships and approaches engagements their business and assists them with the practically and thoughtfully. He is ranked in development of data privacy notices and

331 ■ CONTRIBUTOR PROFILES

policies to ensure compliance with applica- (COE) with more than 3000 staff members, ble laws and industry standards. In addition, and he built a large Technology Consulting he counsels clients on the permissible collec- and Integration Business focused on the tion of data and usage in online advertising U.S. government. in compliance with online and mobile data Before joining Booz Allen, Mr. Stewart standards. Mr. Pittman also offers his clients worked for a major electronics fi rm, where he extensive experience defending against com- developed communications security and key plex class action and state attorney general management devices. He also served as a litigation. Signal Offi cer, Battalion Commander, Brigade/ Battalion S-3, and Company Commander in the U.S. Army. He holds a BS degree in Engineering from Widener University and an MS degree in Electrical Engineering from Drexel University. Booz Allen Hamilton 8283 Greensboro Drive Hamilton Building JASON ESCARAVAGE McLean, Virginia 22102 Vice President Tel +1 703 902 5000 Email [email protected] Web www.boozallen.com Jason Escaravage is a leader in the Strategic Innovation Group for Booz Allen Hamilton. WILLIAM (BILL) STEWART With a focus on Digital Services and Solutions, he drives the integration of Global Threat Executive Vice President solutions for the fi rm’s Predictive Intelligence Email [email protected] division. He is an expert in the systems devel- William (Bill) Stewart currently leads the opment lifecycle, software solution design Commercial Cyber Business for Booz Allen and development, and intelligence support to Hamilton. In this role he leads teams that real-world mission operations. develop strategies and implement solutions Mr. Escaravage is recognized for leading for the most complex issues facing Private large-scale, complex information technology Sector Organizations. He has more than (IT) and analytical support programs support- 25 years of professional experience building ing government and commercial clients and in consulting and systems integration businesses. multiple focus areas, including conventional Mr. Stewart is responsible for providing operations, counter-terrorism, anti-money services that appropriately balance risk and laundering, and cyberthreat analysis. He has resource expenditure. Current clients include led teams of global/cyberthreat intelligence C-suite executives as well as senior govern- analysts in support of U.S. government and ment offi cials. Mr. Stewart has extensive commercial customers focused on collecting, experience envisioning, designing, and processing, and fusing data to create action- deploying solutions that enhance business able intelligence. He holds a degree in Military performance. He helps clients create cutting History and Computer Science from Rutgers edge strategies that optimize and secure University and is a certified Project critical business systems. Management Professional (PMP). Mr. Stewart and his team help clients develop state-of-the-art cyber solutions, including Threat Intelligence, Advanced SEDAR LABARRE Adversary Hunt, Incident Response, Insider Vice President Threat, and Identity and Access Control. Email [email protected] Mr. Stewart also led Booz Allen Hamilton’s Sedar LaBarre is a Vice President with Booz Cyber Technology Center of Excellence Allen Hamilton, where he leads the fi rm’s

■ 332 CONTRIBUTOR PROFILES

commercial High-Tech Manufacturing instrumental in developing Booz Allen’s Practice. He has more than 18 years of practi- CyberSim tool, an immersive training and cal consulting experience—providing clients assessment tool used to select, train, and with unique advisory services equally bal- place cyber professionals. anced in strategy and functional expertise. Ms. Zukin holds a Doctorate degree in Mr. Labarre leads a multi-disciplinary team Organizational Psychology from George focused on helping companies realize tech- Mason University and a Master’s degree in nology-enabled growth from advanced ana- Organizational Psychology from Columbia lytics, military grade cyber, and cutting-edge University. She also holds a certifi cate in IT transformation. leadership coaching from Georgetown Mr. Labarre is a recognized international University. She is a certifi ed executive coach expert in cybersecurity standards and was through the International Coaching the chief architect of Booz Allen’s CyberM3 Federation. Ms. Zukin is on the faculty at reference model. He has worked extensively Georgetown University’s Institute for within all sectors of the U.S. government Transformational Leadership and served as (cabinet-level agencies, all branches of the a coach for the inaugural class of the military, the intelligence community, as well Presidential Leadership Scholars Program as several small to micro government agen- created by former Presidents George W. Bush cies); public sector clients in the United and Bill Clinton. Kingdom, Europe, and the Middle East; and within the private sector areas of fi nancial DENIS COSGROVE services, retail, telecommunications, con- Senior Associate sumer products, industrial manufacturing, Email [email protected] and automotive. Denis Cosgrove is a leader in Booz Allen Hamilton’s Commercial High-Tech LORI ZUKIN Manufacturing business, where he is an Principal advisor to senior clients and oversees project Email [email protected] teams delivering strategy and analytical Lori Zukin is a leader with Booz Allen solutions. His recent client engagements Hamilton, where she leads People include working with staff members of a Innovations for the firm’s Strategic major automaker to reimagine their approach Innovations Group. She has led engagements to vehicle cybersecurity and partnering with for clients in the public and private sectors them to build new capabilities. Within the and engaged with them to solve their tough- fi rm, he drives thought leadership for brand- est organizational challenges. She has directing and intellectual capital. Mr. Cosgrove ed several high-profi le projects for federal previously worked with clients in the U.S. and commercial organizations, providing tal- government national security market, devel- ent management expertise to help them oping new methods in risk analytics. improve the bottom line. Prior to joining Booz Allen, he served as a Most recently, Ms. Zukin worked with a Senior Associate Scholar at the Center for global pharmaceutical company to dramati- European Policy Analysis and taught under- cally improve how a newly formed senior graduate courses in philosophy. He earned leadership team manages and measures per- graduate degrees studying political philoso- formance while reducing risk during a period phy at the University of Chicago and interna- of signifi cant growth. In other client engage- tional relations at Georgetown University. ments she has worked with large organiza- Mr. Cosgrove has published essays on foreign tions to help them implement cutting edge policy and presents an annual graduate-level solutions for cyber talent management and lecture on strategy in Machiavelli’s The Prince leadership development. She was also at Johns Hopkins University.

333 ■ CONTRIBUTOR PROFILES

MATTHEW DOAN Security for WellPoint, Inc. Mr. Gaidhane Senior Associate holds an MBA from Duke University’s Email [email protected] Fuqua School of Business and also BS and MS degrees in Computer Science from Matthew Doan leads Booz Allen’s Nagpur University (India) and Texas Tech Commercial Cyber Strategy practice while University, respectively. He also holds also serving as a leader in the fi rm’s High- numerous certifi cations, such as the PMP, Tech Manufacturing business. He specializ- CISSP, CISM, CGEIT, CRISC, CISA, and es in driving innovative cybersecurity CIPP/US in the fi elds of Information and risk management solutions, particularly Security, Audit, Information Privacy, and for automotive, industrial, and consumer Project Management. product companies. Mr. Doan provides fundamental knowledge in large-scale maturity assessments, enterprise risk management, JAMIE LOPEZ strategic planning, organizational change Senior Associate management, and governance. Email [email protected] Mr. Doan has an array of experiences in consulting C-suites, boards, and other sen- Jamie Lopez is a leader with Booz Allen ior decision makers in driving important Hamilton’s Strategic Innovation Group, changes that effectively reduce business risk where he provides thought leadership and and capture new opportunity. Mr. Doan talent solutions to his client base across the holds an MA in Security Studies from commercial and federal sector. He helps ™ Georgetown University and a BBA in drive Booz Allen’s TalentInsight Solutions Computer Information Systems from James focusing on Data Science and Cyber and Madison University, as well as a Graduate Predictive Intelligence. In addition to his Certifi cate in Applied Intelligence from core consulting and advisory duties, Mercyhurst University. Dr. Lopez serves as the Booz Allen Program Manager for a large human capital vehicle, where he leads a sizable team in the devel- TONY GAIDHANE opment of HR Shared Services, Competency Senior Associate Modeling, Talent Placement & Acquisition, Email [email protected] Change Management, Promotional Systems, Tony Gaidhane is a dynamic and innovative and Professional & Leadership Development. information security leader with a strong Prior to joining Booz Allen Hamilton, background in implementing IT security, Dr. Lopez was the Vice President of Lopez compliance (including NIST and ISO), pri- and Associates Inc., a thirty-year-old vacy, and risk management. His most recent Industrial-Organizational psychology con- experience includes diverse engagements sulting company focusing on commercial such as leading the assessment of high-risk clients in the fi nancial services and utility technology platforms for attack surface sectors. In this capacity he specialized in tal- reduction for a large retailer, leading the ent management, individual assessment, build of a Cyber Incident Response Playbook and personnel selection. for a large fi nancial institution, and leading a Dr. Lopez completed his PhD in supply chain cyber risk assessment for a Industrial-Organizational Psychology at large high-tech client. Mr. Gaidhane has Hofstra University and MA degree with a more than 17 years of experience with cyber- Scholars Designation in I/O Psychology security, and his experience includes manag- from New York University’s Graduate ing large Affordable Care Act implementa- School of Arts. He also holds an MBA in tions in multiple states for Accenture, as a Finance with a specialization in Trading and senior leader in its Information Security Portfolio Management from the Fordham Practice and as a Director of Information Graduate School of Business, a BA in

■ 334 CONTRIBUTOR PROFILES

Psychology from the College of the Holy teams achieve signifi cant organizational Cross, and an Advanced Graduate Certifi cate transformations. She is an Associate Business in Counterintelligence from Mercyhurst Continuity Manager with Disaster Recovery University. Institute International, a Certifi ed Information Privacy Professional, and received a gradu- JAMES PERRY ate certifi cate from University of Maryland in Senior Associate Cyber Security. Email [email protected] James Perry is a Chief Technologist in Booz KATIE STEFANICH Allen Hamilton’s Strategic Innovation Lead Associate Group, where he leads the commercial cyber Email [email protected] incident response planning, investigation, Katie Stefanich is a management consultant and remediation services offerings, includ- that specializes in cyber incident management ing our National Security Cyber Assistance strategy, cyber education and outreach, and Program Certifi ed Incident Response capa- crisis communication. She has strong experi- bility. Mr. Perry works with chief informa- ence in authoring enterprise-wide cyber tion security offi cers, security operations incident management strategies for retail, center directors, and incident response teams energy, and high-tech commercial organiza- across fi nance, retail, energy, health, manu- tions. Ms. Stefanich helps clients understand facturing, and public sectors. In this role, cybersecurity in terms of risk management, as he helps organizations to design and imple- well as identify and build cross-organization ment Cyber Security Operations capabilities relationships for smooth incident response. to protect from, detect, and respond to She also has extensive experience providing advanced cyberthreats. Mr. Perry leverages strategic counsel to startups, entrepreneurs, his experience supporting incident response and organizations interested in using lean investigations across multiple sectors to help startup methodology. Prior to her time at Booz these organizations prepare for and rapidly Allen, Ms. Stefanich implemented integrated contain cyber incidents. marketing campaigns for high-tech commercial organizations. LAURA EISE Lead Associate ERIN WEISS KAYA Email [email protected] Lead Associate Laura Eise is a cybersecurity consultant in Email [email protected] Booz Allen’s commercial practice. In this Erin Weiss Kaya is a Lead Associate with role, she works with leaders across multiple Booz Allen Hamilton. She has more than industries in aligning cybersecurity pro- 15 years of experience designing and manag- grams to manage risk and meet the needs of ing strategic transformation programs, most the business. She specializes in program- recently serving as an external consultant on matic assessment, incident response, enter- cybersecurity workforce and organization prise risk management, strategy setting, and issues to the Department of Homeland organizational design. Recently, she has led Security and a number of large fi nancial teams across the fi nancial, retail, and manu- services institutions. facturing industries to create three-year Ms. Weiss Kaya has served as an external strategy roadmaps to improve their cyberse- consultant to Fortune 500 companies, state curity programs. Ms. Eise is a co-author of government agencies, and non-profi ts and the CyberM3 maturity model and co-leads as an internal strategic advisor and execu- the fi rm’s internal investment in the capabil- tive. She has led large projects for effective ity. She is also an Executive Coach and change implementations as well as cyberse- focuses on helping leaders and leadership curity human capital strategies, including

335 ■ CONTRIBUTOR PROFILES

the hiring, compensation, development, providing strategy, competitive analysis, pro- and allocation of cybersecurity workforce. cess improvement, organizational design, She also manages Booz Allen’s internal ini- and project management support tiative in Cybersecurity Workforce and to commercial and government clients. Organization, where she established a new Ms. Wong works with clients to seize busi- service offering and designed a suite of tools ness opportunities while navigating risks to support clients in the development and around connected products and the data used maturation of their cybersecurity workforce to power them. She holds a Masters degree in capabilities. Ms. Weiss Kaya holds a BA from City and Regional Planning from Cornell University of Maryland-College Park and a University and a BA in Political Economy Masters degree from Columbia University. from the University of California, Berkeley.

CHRISTIAN PAREDES Associate Email [email protected] Christian Paredes is an Associate on Booz Allen Hamilton’s Predictive Intelligence team within the fi rm’s Strategic Innovation’s Group BuckleySandler LLP (SIG), where he focuses on cyberthreat intel- 1250 24th Street NW, Suite 700 ligence (CTI) and CTI program development Washington, DC 20037 for commercial clients. Mr. Paredes has expe- Tel +1 202 349 8000 rience helping commercial clients to produce Web www.buckleysandler.com actionable threat intelligence for internal stakeholders at the operational and strategic ELIZABETH E. MCGINN levels. He has expertise in analytic tradecraft Partner and production standards; technical threat Email [email protected] intelligence; intelligence workfl ow integra- Elizabeth E. McGinn is a partner in the tion with security operations; and threat intel- Washington, DC, offi ce of BuckleySandler ligence program development. He has also LLP, where she assists clients in identifying, worked with global organizations to assess evaluating, and managing risks associated their information security capabilities. with privacy and information security prac- His emphasis on improving analytic qual- tices of companies and third parties. ity by maximizing analyst time, resources, Ms. McGinn advises clients on privacy and workfl ows, tools, and data sources has helped data security policies, identity theft red fl ags clients to realize value in their cyberthreat programs, privacy notices, safeguarding and intelligence programs. Mr. Paredes holds an disposal requirements, and information MS degree in International Affairs from sharing limitations. She also has assisted Georgia Institute of Technology and a BA clients in addressing data security incidents degree in Political Science from Georgia and complying with the myriad security College & State University. breach notifi cation laws and other U.S. WAICHING WONG state and federal privacy requirements. Ms. McGinn is a frequent speaker and author Associate on a variety of topics, including privacy and Email [email protected] data security, consumer fi nancial services Waiching Wong is part of Booz Allen litigation, electronic discovery, and vendor Hamilton’s high-tech manufacturing practice, management. Ms. McGinn received her JD,

■ 336 CONTRIBUTOR PROFILES

cum laude, from The American University, data security, as well as federal and state Washington College of Law in 2000, and investigations and enforcement actions. received the Mooers Trial Practice Award. Mr. Ruckman joined BuckleySandler from She received a BS from St. Lawrence the Federal Communications Commission, University. Ms. McGinn has been recognized where he served as Senior Policy Advisor to with the fi rm’s Privacy, Cyber Risk, and Data Commission’s Enforcement Bureau Chief, Security practice group in Legal 500 (2013 advising him on enforcement strategies in and 2015). the areas of privacy and data security. Prior to his time at the FCC, Mr. Ruckman RENA MEARS spent fi ve years as an Assistant Attorney General at the Maryland Attorney General’s Managing Director offi ce, where he was the fi rst Director of the Email [email protected] offi ce’s Internet Privacy Unit. The Unit played Rena Mears is a Managing Director at a leading role in several multistate investiga- BuckleySandler LLP, where she focuses on tions into practices that threatened consum- data risk, cybersecurity, and privacy. She has ers’ online privacy and security, including the more than 25 years’ experience advising largest privacy settlement in AG history. fi nancial services, hospitality, technology, Mr. Ruckman is a graduate of Yale Law bio-tech, and consumer-focused companies School and Yale Divinity School. and boards on effective methods for addressing data asset risks while operating in complex business and regulatory environments. TIHOMIR YANKOV Prior to joining BuckleySandler, Ms. Mears Associate was a partner in a Big Four advisory fi rm’s Email [email protected] Enterprise Risk Services practice, where she Tihomir Yankov is an associate in the founded and led the Global and U.S. Privacy Washington, DC, offi ce of BuckleySandler and Data Protection practice. She has signifi - LLP. Mr. Yankov represents clients in a cant experience building and implementing wide range of litigation matters, including multinational and enterprise data risk, priva- class actions and complex civil litigation, as cy and security programs, performing com- well as government enforcement matters. pliance assessments, developing cybersecuri- His government enforcement experience ty initiatives, and leading breach response includes representing clients before the teams. Ms. Mears has served on industry Consumer Financial Protection Bureau standards committees and company advisory (CFPB), the New York Department of boards for privacy and security. She regularly Financial Services (DFS), and various state researches, speaks, and publishes on data regulators and attorneys general, as well as in risk, privacy, and cybersecurity and holds the cases involving unfair, deceptive, and abusive CISSP, CIPP, CISA, and CITP certifi cations acts and practices (UDAAP). Mr. Yankov also counsels clients on elec- STEPHEN (STEVE) M. RUCKMAN tronic discovery issues, including matters Senior Associate related to document and data retention, data Email [email protected] assessment, data extraction strategies, and Stephen (Steve) M. Ruckman is a senior pre-litigation discovery planning. associate in the Washington, DC, offi ce of Mr. Yankov received his JD from American BuckleySandler, where his practice focuses University (cum laude) and his BA from the on privacy, cyber risk, mobile payments, and University of Virginia.

337 ■ CONTRIBUTOR PROFILES

JIM PFLAGING Principal Email jim.pfl [email protected] Jim Pfl aging is the global lead for The Chertoff Group’s business strategy practice. Based in The Chertoff Group Menlo Park, California, Mr. Pfl aging works 1399 New York Avenue, NW closely with leading technology companies, Suite 900 private equity investors, and system integra- Washington, DC 20005 tors to identify, diligence, acquire and build, Tel +1 202 552 5280 exciting companies. Based on dozens of suc- Web www.chertoffgroup.com cessful client engagements, Mr. Pfl aging has MICHAEL CHERTOFF become a trusted advisor on technology and security to many in the U.S. Government Co-Founder and Executive Chairman and private industry. Mr. Pfl aging has more Email [email protected] than 25 years of Silicon Valley experience (assistant) including 15 years as chief executive offi cer of Michael Chertoff is Co-Founder and cybersecurity and data management compa- Executive Chairman of The Chertoff Group, nies. He serves on the board of several secu- a premier global advisory fi rm that focuses rity companies and is a frequent speaker on exclusively on the security and risk man- technology and security issues. agement sector by providing consulting, mergers and acquisitions (M&A), and risk management services to clients seeking to MARK WEATHERFORD secure and grow their enterprises. In this Principal role, Mr. Chertoff provides high-level stra- Email [email protected] tegic counsel to corporate and government or [email protected] leaders on a broad range of security issues, (assistant) from risk identifi cation and prevention to Mark Weatherford is a Principal at The preparedness, response, and recovery. Chertoff Group, where he advises clients on a From 2005 to 2009, Mr. Chertoff served as broad array of cybersecurity services. As one Secretary of the U.S. Department of Homeland of the nation’s leading experts on cybersecuri- Security (DHS), where he led the federal gov- ty, Mr. Weatherford works with organizations ernment’s efforts to protect our nation from a around the world to effectively manage today’s wide range of security threats, including cyberthreats by creating comprehensive blocking potential terrorists from crossing the security strategies that can be incorporated United States border or allowing implemen- into core business operations and objectives. tation of their plans on U.S. soil. Before lead- Prior to joining The Chertoff Group, ing DHS, Mr. Chertoff served as a federal Mr. Weatherford served as the U.S. judge on the U.S. Court of Appeals for the Department of Homeland Security’s fi rst Third Circuit and earlier headed the U.S. Deputy Under Secretary for Cybersecurity. Department of Justice’s Criminal Division. In In this position, he worked with all critical this role he investigated and prosecuted cases infrastructure sectors as well as across the of political corruption, organized crime, and federal government to create more secure corporate fraud and terrorism—including the network operations and thwart advanced investigation of the 9/11 terrorist attacks. persistent cyber threats. He previously

■ 338 CONTRIBUTOR PROFILES

served as the Chief Information Security public and private companies in the busi- Offi cer for the states of Colorado and ness process outsourcing, marketing servic- California and as Vice President and Chief es, enterprise software, smart-grid, informa- Security Offi cer for the North American tion, and IT services industries. He has Electric Reliability Corporation (NERC). a proven track record as the CEO of six companies and has served as director of 13 private equity, public, and VC-backed companies and executive chairman of two others. Prior to his leadership role with Coalfi re, from 2007 to 2011, Mr. Jones was CEO of Denver-based StarTek, Inc. (NYSE: Coalfi re SRT), a provider of global outsourced call center and customer support services. He 361 Centennial Parkway, Suite 150 has also served as CEO of Activant Solutions, Louisville, Colorado 80027 an enterprise software company; chairman Tel +1 303 554 6333 of WebClients, an internet affi liate marketing Web www.coalfi re.com fi rm; CEO of Interelate, Inc., a marketing RICK DAKIN services fi rm; CEO of MessageMedia (NASD: MESG), an email marketing services com- Chief Executive Offi cer (2001-2015) pany; CEO of Neodata Services, Inc., a direct Rick Dakin provided strategic manage- marketing services fi rm; and was founding ment IT security program guidance for CEO of GovPX, a provider of government Coalfi re and its clients. After serving in the securities data. Mr. Jones also was a senior U.S. Army after graduation from the U.S. vice president at Automatic Data Processing Military Academy at West Point, Mr. Dakin and held various positions at Wang began his management career at United Laboratories between 1977 and 1987. Technology Corporation. Prior to co-found- Mr. Jones currently also serves as a direc- ing Coalfi re, he was President of Centera tor of Diligent Corporation (NZX: DIL) and Information Systems, a leading eCommerce Essential Power, LLC. He is also active mem- and systems integration fi rm. He was a ber and Fellow in the National Association past president of the FBI’s InfraGard proof Corporate Directors (NACD). Over the gram, Denver chapter, and a member of a past 10 years, Mr. Jones has served as committee hosted by the U.S. Secret Service director of numerous public and private and organized by the Joint Council on companies including Work Options Group, Information Age Crime. StarTek, Exabyte, Activant Solutions, Realm Mr. Dakin passed away June 20, 2015. Solutions, SARCOM, WebClients, DIMAC, and Fulcrum Analytics. Mr. Jones graduated LARRY JONES from Worcester Polytechnic Institute with Chief Executive Offi cer a degree in computer sciences in 1975 Email Larry.Jones@Coalfi re.com and earned his MBA from Boston University Larry Jones has served as Chairman of the in 1980. Board of Coalfi re since 2012 and became CEO in 2015. He has more than 25 years of experience building, operating, and growing

339 ■ CONTRIBUTOR PROFILES

NIGEL L. HOWARD Partner Email [email protected] Covington & Burling LLP Nigel L. Howard, a partner in Covington’s One City Center New York offi ce, helps clients execute their 850 Tenth Street, NW most innovative and complex transactions Washington, DC 20001-4956 involving technology, intellectual property, Tel +1 202 662 6000 and data. Mr. Howard has been at the fore- Web www.cov.com front of initiatives to protect data assets for his clients, helping them achieve a competi- DAVID N. FAGAN tive advantage or fend off a competitive Partner threat. He advises clients on their proprie- Email [email protected] tary rights to data and global strategies for David N. Fagan, a partner in Covington’s protecting these assets. He has represented global privacy and data security and inter- companies in transactions covering the full national practice groups, counsels clients on spectrum of data-related activities, including preparing for and responding to cyber- data capture and storage, business and oper- based attacks on their networks and infor- ational intelligence, analytics and visualiza- mation, developing and implementing tion, personalized merchandizing, and the information security programs, and com- related cloud computing services, such as plying with federal and state regulatory Data as a Service and Analytics Infrastructure requirements. Mr. Fagan has been lead as a Service. investigative and response counsel to companies in a range of cyber- and data security ELIZABETH H. CANTER incidents, including matters involving mil- Associate lions of affected consumers. Email [email protected] KURT WIMMER Elizabeth H. Canter is an associate in the Washington, DC, offi ce of Covington. She Partner represents and advises technology compa- Email [email protected] nies, fi nancial institutions, and other clients Kurt Wimmer is a Washington partner and on data collection, use, and disclosure prac- U.S. chair of Covington’s privacy and data tices, including privacy-by-design strate- security practice. Mr. Wimmer advises gies and email marketing and telemarket- national and multinational companies on ing strategies. This regularly includes privacy, data security, and digital technology advising clients on privacy and data secu- issues before the FTC, the FCC, Congress, rity issues relating to third-party risk man- the European Commission, and state attor- agement. Ms. Canter also has extensive neys general, as well as on strategic advice, experience advising clients on incident data breach counseling and remediation, preparedness and in responding to data and privacy assessments and policies. He is security breaches. chair of the Privacy and Information Security Committee of the ABA Antitrust Section and is a past managing partner of Covington’s London offi ce.

■ 340 CONTRIBUTOR PROFILES

PATRICK REDMON was the Ernst & Young Entrepreneur of the Summer Associate Year Regional winner for Alabama/Georgia/ Email [email protected] Tennessee in 2011 and was awarded The Deal of the Year by The Association of Patrick Redmon will graduate from the Corporate Growth (ACG) and The IndUS University of North Carolina School of Law Entrepreneurs (TiE). Mr. Cote’s leadership in 2016. He graduated from Fordham style is punctuated by high integrity and a University in 2007 with a BA in Philosophy client-centric philosophy. and Economics and in 2013 was awarded an MA in Liberal Arts from St. John’s College in Annapolis, Maryland. Mr. Redmon is the Managing Editor of the North Carolina Law Review. Delta Risk LLC 4600 N Fairfax Dr., Suite 906 Arlington, Virginia 22203 Tel +1 571 483 0504 Web www.delta-risk.net THOMAS FUHRMAN Dell SecureWorks President One Concourse Pkwy NE Thomas Fuhrman is President of Delta Risk. #500 In this capacity he is a practicing cybersecu- Atlanta, Georgia 30328 rity consultant and the leader of the Delta Tel +1 404 929 1795 Risk business. Web www.secureworks.com Prior to joining Delta Risk, Mr. Fuhrman was the founder and president of 3tau LLC, a MICHAEL R. COTE specialized consulting fi rm providing infor- Chief Executive Offi cer mation security and technology advisory, Email [email protected] analysis, and strategy services to senior clients in commercial industry and government, in Michael (Mike) R. Cote became chairman the United States and internationally. He is a and CEO of SecureWorks in February of 2002 former Partner at Booz Allen Hamilton, where and led the company through an acquisition he led a $100 million consulting practice in by Dell in February of 2011. Under his cybersecurity and science and technology leadership Dell SecureWorks has become a serving Department of Defense clients. recognized global leader in information Mr. Fuhrman has more than 35 years of security services, helping organizations of military and government experience and has all sizes protect their IT assets, reduce costs, expertise in many areas including cyberse- and stay one step ahead of the threats. curity strategy, policy, and governance; Previously Mr. Cote held executive positions cybersecurity controls and technology; and with Talus Solutions, a pricing and revenue risk management. management software fi rm acquired by Mr. Fuhrman has degrees in electrical Manugistics in 2000. He joined Talus from engineering, mechanical engineering, and MSI Solutions, where he was Chief Operating mathematics and is a Certifi ed Information Offi cer, and his early career included Systems Security Professional (CISSP). international assignments with KPMG. He

341 ■ CONTRIBUTOR PROFILES

recruits senior legal and technology executives for Fortune 500 and private-equity owned portfolio companies and consults to boards of directors on a range of issues. Egon Zehnder Prior to joining Egon Zehnder, Ms. LaCroix 350 Park Avenue, 8th Floor was a senior international attorney with New York, New York 10022 major international law fi rms as well as serv- Tel +1 212 519 6000 ing in house at Texas Instruments and Web www.egonzehnder.com Honeywell International, where she was Asia Pacifi c General Counsel. Ms. LaCroix KAL BITTIANDA began her career as an attorney in private Email [email protected] practice at Gray Cary Ware & Freidenrich Kal Bittianda is a consultant at Egon Zehnder, (now DLA Piper) in California and in a global executive search and assessment Singapore, focusing on mergers and acquisi- fi rm. Based in the fi rm’s New York offi ce, tions, intellectual property, and admiralty law. Mr. Bittianda advises and recruits senior Ms. LaCroix completed the Graduate executives in technology, telecommunica- Program in American Law at the University tions, and fi ntech, with a special focus on of California at Berkeley and Davis. She emerging technologies. He also leads the holds an LLB from the National University fi rm’s Cybersecurity Practice. of Singapore and is admitted to practice law Prior to joining Egon Zehnder, Mr. Bittianda in Singapore, California, and the United served in leadership positions at several pri- Kingdom. vately held technology-enabled businesses. He built teams and led growth in North CHRIS PATRICK America for Kyriba, an enterprise cloud solu- Email [email protected] tions provider, for EXL, a knowledge and Chris Patrick is a consultant at Egon business process outsourcing fi rm, and for Zehnder, a global executive search and Inductis, an analytics consulting and services assessment fi rm. Based in the fi rm’s Dallas fi rm. He was previously an Engagement offi ce, he is a trusted advisor for CIO and Manager at the Mitchell Madison Group. C-suite talent strategy and development for Mr. Bittianda started his career in technology global companies across a diverse set of and leadership roles at Unisys and industries, including retail/consumer prod- International Paper. ucts, IT services, industrial, fi nancial servic- Mr. Bittianda earned a BTech in Naval es, and digital. As the global leader for Egon Architecture at the Indian Institute of Zehnder’s Chief Information Officer Technology, MA in Industrial Engineering Practice, Mr. Patrick advises some of the from Purdue University, and an MBA from world’s leading corporations on talent Harvard Business School. development and assessment at the board level and across the executive suite. SELENA LOH LACROIX Prior to joining Egon Zehnder, Mr. Patrick Email [email protected] was CIO/Vice President of Mergers and Selena Loh LaCroix is a consultant at Egon Acquisitions with Chatham Technologies, a Zehnder, a global executive search and start-up telecommunications systems manu- assessment fi rm. Based in the fi rm’s Dallas facturer/integrator. Previously, he was a offi ce, she is global leader of the Legal, Senior Manager with Ernst & Young Regulatory and Compliance Practice and of Consulting and MD80 Project Manager for the Global Semiconductor Practice. She McDonnell Douglas in Los Angeles.

■ 342 CONTRIBUTOR PROFILES

conducting investigations and digital forensic analysis and has served as Director, Lead Investigator, Quality Assurance Manager, and Forensic Examiner. For the past 12 years Fidelis Cybersecurity he has led large-scale breach incident 4416 East West Highway responses for the private and public sectors, Suite 310 specializing in organizational strategies, inci- Bethesda, Maryland 20814 dent response, network security, computer Tel 1 800 652 4020 or +1 617 275 8800 forensics, malware analysis, and security Web www.fi delissecurity.com assessments. He facilitates liaison with legal counsels, regulators, auditors, vendors, and JIM JAEGER law enforcement. Also during this time Chief Cyber Strategist Mr. Vela served as a Strategic Planner at the Email jim.jaeger@fi delissecurity.com Defense Computer Forensics Laboratory Jim Jaeger serves as Chief Cyber Strategist (DCFL) and Defense Cyber Crime Institute for Fidelis Cybersecurity, responsible for (DCCI), where he established operational developing and evolving the company’s improvements and laboratory accreditation. cyber services strategy while synchronizing Mr. Vela earned his MBA from Johns Hopkins it with product strategy. Mr. Jaeger previ- University and bachelor’s degree from ously managed the Network Defense and Georgetown University. Forensics business area at Fidelis, including the Digital Forensics Lab. He also held leadership roles for a wide range of cyber programs, including General Dynamics’ support for the DoD Cyber Crime Center, the Defense Computer Forensics Lab, and the Defense Fish & Richardson P.C. Cyber Crime Institute. One Marina Park Drive Mr. Jaeger is a former Brigadier General Boston, Massachusetts 02210-1878 in the United States Air Force. His military Tel +1 617 521 7033 service includes stints as Director of Web www.fr.com Intelligence for the U.S. Atlantic Command, Assistant Deputy Director of Operations GUS P. COLDEBELLA at the National Security Agency, and Principal Commander of the Air Force Technical Email [email protected] Applications Center. Mr. Jaeger frequently Gus P. Coldebella is a principal at the law fi rm advises organizations on strategies to of Fish & Richardson concentrating on cyber- mitigate damage caused by network security, litigation, and government investi- breaches and prevent their reoccurrence. gations. From 2005 to 2009, he was the deputy He also presents on Large Scale Breach general counsel, then the acting general coun- “Lessons Learned” at cyber symposiums sel, of the U.S. Department of Homeland worldwide. Security, focusing on all major security issues confronting the nation. As the department’s RYAN VELA top lawyer, Mr. Coldebella helped lead imple- Regional Director, Northeastern North mentation of President Bush’s Comprehensive America National Cybersecurity Initiative, designed to Email rvela@fi delissecurity.com shore up the government’s civilian networks Ryan Vela brings expertise in large-scale breach from attack and to promote information shar- incident response management to Fidelis ing and cooperation between the public and Cybersecurity. He has 15 years’ experience in private sector.

343 ■ CONTRIBUTOR PROFILES

At Fish & Richardson, he focuses on help- Previously, Ms. Westby launched In-Q-Tel, ing companies plan for and respond to was senior managing director at cyberattacks. As a securities litigator, he is PricewaterhouseCoopers, was senior fellow well positioned to advise public companies and director of IT Studies for the Progress on SEC disclosures regarding cybersecurity and Freedom Foundation, and was director and boards of directors’ corporate govern- of domestic policy for the U.S. Chamber of ance responsibilities to oversee and manage Commerce. Ms. Westby practiced law at this important enterprise risk. Shearman & Sterling and Paul, Weiss, Mr. Coldebella is a graduate of Colgate Rifkind, Wharton & Garrison. University, where he currently serves as She is co-chair of the American Bar audit committee chair on its Board of Association’s Privacy & Computer Crime Trustees; he received his JD, magna cum laude, Committee (Science & Technology Law from Cornell. He is on Twitter at @g_co. Section) and co-chair of the Cybercrime Committee (Criminal Justice Section) and CAROLINE K. SIMONS served three terms on the ABA President’s Associate Cybersecurity Task Force. Ms. Westby speaks Email [email protected] globally and is the author of several books Caroline K. Simons is a litigation associate at and articles on privacy, security, cybercrime, Fish & Richardson P.C. Her practice focuses and enterprise security programs. She has on white collar defense, cybersecurity and special expertise in the governance of privacy trade secret theft, internal investigations, and and security and responsibilities of boards complex commercial litigation, including sig- and senior executives. She is author of the nifi cant state and federal appellate experience. 2008, 2010, 2012, and 2015 Governance of In 2013 Ms. Simons was selected by the Boston Enterprise Security Reports and was lead Bar Association to participate in the Public author of Carnegie Mellon University’s Interest Leadership Program. Ms. Simons is a Governing for Enterprise Security Implementation graduate of Harvard College and Columbia Guide. She graduated magna cum laude from Law School. Georgetown University Law School and summa cum laude from the University of Tulsa and is a member of the Order of the Coif, American Bar Foundation, and Cosmos Club.

Georgia Institute of Technology North Ave NW Atlanta, Georgia 30332 Tel +1 404 894 2000 Institutional Shareholder Services Inc. Web www.gatech.edu 702 King Farm Boulevard Suite 400 JODY R. WESTBY, ESQ. Rockville, Maryland 20850 Adjunct Professor Tel +1 646 680 6350 Email [email protected] Web www.issgovernance.com Jody R. Westby is CEO of Global Cyber Risk and provides consulting services in the areas MARTHA CARTER of privacy, security, cybercrime, and cyber Head of Global Research governance. She is a professional blogger for Email [email protected] Forbes and also serves as Adjunct Professor Martha Carter is the head of global research at Georgia Institute of Technology’s School for ISS. In this role, she directs proxy voting of Computer Science. research for the fi rm, leading a research

■ 344 CONTRIBUTOR PROFILES

team that analyzes companies in more than Corporate Directors. He was named to the 110 markets around the world, provides 2011 National Association of Corporate institutional investors with customized Directors’ Directorship 100 list. research, and produces studies and white papers on issues and topics in corporate governance. In addition, Ms. Carter serves as the head of the ISS Global Policy Board, which develops the ISS Global Proxy Voting Policies. Named for fi ve years in a row to the National Association of Corporate Directors’ Directorship 100 list of the most Internet Security Alliance infl uential people in the boardroom com- 2500 Wilson Boulevard munity (2008–2012), Ms. Carter has been Arlington, Virginia 22201 quoted in media around the world and is a Tel +1 703 907 7090 frequent speaker for corporate governance Web www.isalliance.org events globally. Ms. Carter holds a PhD in fi nance from George Washington LARRY CLINTON University and an MBA in fi nance from the President Wharton School, University of Pennsylvania. Email [email protected] Larry Clinton is President of the Internet PATRICK MCGURN Security Alliance (ISA). He is the primary Executive Director and Special Counsel author of ISA’s “Cyber Social Contract,” Email [email protected] which articulates a market-based approach Patrick McGurn is executive director and to securing cyber space. In 2011 the House special counsel at ISS. Considered by indus- leadership GOP Task Force on cybersecurity try constituents to be one of the leading embraced this approach. In 2012 President experts on corporate governance issues, he is Obama abandoned his previous regulatory- active on the U.S. speaking circuit and plays based approach in favor of the ISA Social an integral role in ISS’s policy development. Contract model. The ISA document is the Prior to joining ISS in 1996, Mr. McGurn was fi rst and most often referenced source in the director of the Corporate Governance Service President’s “The Cyber Space Policy at the Investor Responsibility Research Review.” He is also the primary author of Center, a not-for-profi t fi rm that provided the Cyber Security Handbook for corporate governance research to investors. He also boards published by the National Association served as a private attorney, a congressional of Corporate Directors (NACD) in 2014. In staff member, and a department head at the 2015 Mr. Clinton was named one of the Republican National Committee. He is a nation’s 100 most infl uential persons in the graduate of Duke University and the fi eld of corporate governance by NACD. He Georgetown University Law Center. He is a has published widely on various cybersecu- member of the bar in California, the District rity topics and testifi es regularly before of Columbia, Maryland, and the U.S. Virgin Congress and other government agencies Islands. Mr. McGurn serves on the Advisory including the NATO Center for Cyber Board of the National Association of Excellence.

345 ■ CONTRIBUTOR PROFILES

Kaye Scholer LLP K&L Gates LLP The McPherson Building K&L Gates Center 901 Fifteenth Street NW 210 Sixth Avenue Washington, DC 20005-2327 Pittsburgh, Pennsylvania 15222-2613 Tel +1 202 682 3500 Tel +1 412 355 6500 Web www.kayescholer.com Web www.klgates.com ADAM GOLODNER ROBERTA D. ANDERSON Partner Partner Email [email protected] Email [email protected] Adam Golodner is a partner and the Leader Roberta D. Anderson is a partner of K&L of the Global Cybersecurity & Privacy Practice Gates LLP. A co-founder of the fi rm’s global Group at Kaye Scholer LLP, a leading global Cybersecurity, Privacy and Data Protection law fi rm. Mr. Golodner represents companies practice group and a member of the fi rm’s on cyber and national security matters global Insurance Coverage practice group, globally—including public policy, litigation, Ms. Anderson concentrates her practice in corporate governance, and transactions. insurance coverage litigation and counseling Prior to joining Kaye Scholer, he spent and emerging cybersecurity and data priva- ten years as an executive at Cisco Systems, cy-related issues. She has represented clients Inc., where he led cyber policy globally. in connection with a broad spectrum of insur- Before Cisco, Mr. Golodner was Associate ance issues arising under almost every kind Director of the Institute for Security, of business insurance coverage. A recognized Technology and Society, Dartmouth College; national authority in insurance coverage, Chief of Staff of the Antitrust Division, cybersecurity, and data privacy–related United States Department of Justice: Deputy issues, Ms. Anderson frequently lectures and Administrator of the Rural Utilities Service, publishes extensively on these subjects. In USDA; and Search Manager, The White addition to helping clients successfully pur- House Offi ce of Presidential Personnel (on sue contested claims, Ms. Anderson counsels leave from law fi rm). clients on complex underwriting and risk Mr. Golodner is also a Senior Advisor at management issues. She has substantial The Chertoff Group, a member of Business experience in the drafting and negotiation of Executives for National Security (BENS), “cyber”/privacy liability, D&O, professional and a Fellow at the Tuck School of Business. liability, and other insurance placements. Ms. Anderson received her JD, magna cum laude, from the University of Pittsburgh School of Law and her BA from Carnegie Mellon University.

■ 346 CONTRIBUTOR PROFILES

Prior to Korn Ferry, Mr. Cummings served as an associate principal in the industrial, supply chain, and transportation and logis- Korn Ferry tics practices of another leading executive 2101 Cedar Springs Road search fi rm, where he executed executive Suite 1450 search assignments for public and private Dallas, Texas 75201 equity-backed companies. Tel +1 214 954 1834 Earlier in his career, Mr. Cummings was a Web www.kornferry.com consultant with The Boston Consulting Group in Dallas and, before that, he served AILEEN ALEXANDER nine years with distinction as an offi cer in Senior Client Partner the U.S. Navy’s SEAL teams. Email [email protected] He earned a master’s degree in business administration from Stanford University Aileen Alexander is a Senior Client Partner and graduated with merit with a bachelor of and co-leads Korn Ferry’s Cybersecurity science in aeronautical engineering from The Practice. Based in the fi rm’s Washington, United States Naval Academy. D.C., offi ce, she has led senior executive searches across the security domain. She also JOE GRIESEDIECK partners with the fi rm’s Board & CEO Vice Chairman & Co-Leader, Board & CEO Services practice. Services In a previous position with another inter- Email [email protected] national executive search fi rm, Ms. Alexander served clients in the aerospace and defense Joe Griesedieck is Vice Chairman and and professional services sectors. Co-Leader, Board and CEO Services at Korn Prior to the talent management profession, Ferry. He focuses primarily on engagements Ms. Alexander was a Professional Staff for board director searches across multiple Member on the Committee of Armed Services industries, as well as working with boards of in the U.S. House of Representatives. directors on succession planning and other Previously, she was a Presidential Management related senior talent management solutions. Fellow in the Offi ce of the Secretary of Defense Mr. Griesedieck’s prior experience includes and served as a Captain in the U.S. Army. two terms as global chief executive offi cer of Ms. Alexander holds a master’s degree in another international search fi rm. He also public policy from Harvard University’s served as co-head of the fi rm’s strategic lead- Kennedy School of Government and earned ership services practice in North America. a Bachelor of Arts degree from The Johns Prior to entering the executive search pro- Hopkins University. fession, Mr. Griesedieck was a group vice president with Alexander & Baldwin, Inc., and spent a number of years with the Falstaff JAMEY CUMMINGS Brewing Corporation, concluding his tenure Senior Client Partner as president and chief operating offi cer and Email [email protected] as a director of this NYSE company. Jamey Cummings is a Senior Client Partner Mr. Griesedieck has been named by The in Korn Ferry’s Global Technology and National Association of Corporate Directors Information Offi cers Practices, and he co- (NACD) to the Directorship 100, recognizing leads the fi rm’s Global Cybersecurity the most infl uential people in corporate Practice. Based in the fi rm’s Dallas offi ce, he governance and the boardroom. is also a member of the fi rm’s Aviation, Mr. Griesedieck is a graduate of Brown Aerospace & Defense Practice. University.

347 ■ CONTRIBUTOR PROFILES

Mendelson, the nation’s largest law fi rm representing only management in employment law matters. He counsels employers Latham & Watkins LLP on the full range of workplace privacy and 555 Eleventh Street NW data protection issues, including back- Suite 1000 ground checks; monitoring employees’ Washington, DC 20004-1304 electronic communications; regulating Tel +1 202 637 2205 employees’ social media; developing Web www.lw.com “bring-your-own-device” programs; com- JENNIFER ARCHIE pliance with HIPAA and other federal, state, and international data protection Partner laws; and security incident preparedness Email [email protected] and response. Mr. Gordon sits on the Jennifer Archie is a litigation partner in the Advisory Board of BNA’s Privacy and Washington, DC, offi ce of Latham & Watkins Security Law Report and Georgetown with extensive experience investigating and University Law Center’s Cybersecurity responding to major cybersecurity and hack- Law Institute. Mr. Gordon was named to ing events, advising clients from emerging Best Lawyers in America in 2014 and 2015 companies to global enterprises across all and a Colorado Super Lawyer annually since market sectors in matters involving com- 2006. He received his undergraduate degree puter fraud and cybercrime, privacy/data from Princeton University and his law security compliance and program manage- degree from the New York University ment, advertising and marketing practices, School of Law. He served as a law clerk on information governance, consumer fraud, the United States Court of Appeals for the and trade secrets. Ms. Archie regularly sup- Tenth Circuit. ports Latham & Watkins’ leading national and global M&A, private equity, and capital markets practices in identifying, evaluating and mitigating deal or company privacy and data security risks. Lockton Companies Inc. 1801 K Street, NW, Suite 200 Washington, DC 20006 Tel +1 202 414 2653 Web www.lockton.com Littler Mendelson P.C. 1900 Sixteenth Street BEN BEESON Suite 800 Senior Vice President, Cybersecurity Denver, Colorado 80202 Practice Tel +1 303 629 6200 Email [email protected] Web www.littler.com Ben Beeson advises organizations on how best to mitigate emerging cyber risks to mission PHILIP L. GORDON, ESQ. critical assets that align with the business strat- Co-Chair, Privacy and Background Checks egy. As insurance continues to take a greater Practice Group role in a comprehensive enterprise cyber risk Email [email protected] management program, he also designs and Philip L. Gordon chairs the Privacy and places customized insurance solutions to fi t an Background Check Practice Group of Littler organization’s specifi c needs.

■ 348 CONTRIBUTOR PROFILES

Mr. Beeson is also engaged in the devel- executive director of KPMG’s Audit opment of Cybersecurity Policy in the U.S. Committee Institute. He routinely lends his and U.K.. In March 2015 he testifi ed before regulatory expertise to counsel audit com- the Senate Commerce Committee on the mittees in critical areas, and he has extensive evolving cyber insurance marketplace. experience as an auditor and consulting with A frequent public speaker, in April 2015 companies in the banking and insurance Mr. Beeson was one of the fi rst panelists to industries. Mr. Daly is a frequent speaker present on the topic of Cyber Insurance at and writer on many issues confronting the world’s largest Cyber Security today’s corporate board, including executive Conference, RSA, San Francisco. compensation. He regularly appears in Prior to moving to Washington, DC, media and has been quoted in the Wall Street Mr. Beeson was based in Lockton’s London Journal, the New York Times, and Fox News office for seven years, where he cofounded Radio, among others. and built one of the leading cybersecurity teams within the Lloyd’s of London marketplace. Mr. Beeson holds a BA (Hons) degree in modern languages from the University of Durham, U.K., and a certifi cation in Cyber Security Strategy from Georgetown Orrick, Herrington & Sutcliffe LLP University, Washington, DC. 51 West 52nd Street New York, New York 10019-6142 Tel +1 212 506 5000

ANTONY KIM Partner Email [email protected] National Association of Corporate Antony Kim is a partner in the Washington, Directors DC, offi ce of Orrick, Herrington & Sutcliffe 2001 Pennsylvania Ave. NW and serves as Global Co-Chair of its Suite 500 Cybersecurity and Data Privacy practice. Washington, DC 20006 Mr. Kim represents clients in federal and state Tel +1 202 775 0509 regulatory investigations, private actions, and Web www.nacdonline.corg crisis-response engagements across an array KEN DALY of cybersecurity, data privacy, sales and marketing, and consumer protection matters, Chief Executive Offi cer on behalf of private and public companies. Ken Daly is the Chief Executive Offi cer of the National Association of Corporate Directors (NACD). As head of the nation’s ARAVIND SWAMINATHAN largest member-based organization for Partner board directors, Mr. Daly is a recognized Email [email protected] expert on corporate governance and board Aravind Swaminathan is a partner the transformation. Prior to NACD, Mr. Daly Seattle offi ce of Orrick Herrington & Sutcliffe was an audit partner at KPMG, where he LLP and serves as the Global Co-Chair of its also served as the partner-in-charge of the Cybersecurity and Data Privacy practice. national risk management practice. After Mr. Swaminathan advises clients in proac- retiring from the fi rm, he assumed the role of tive assessment and management of internal

349 ■ CONTRIBUTOR PROFILES

and external cybersecurity risks, breach inci- cyber and physical security matters, focusing dent response planning, and corporate gov- his practice on providing proactive liability ernance responsibilities related to cybersecu- mitigation advice to clients. rity and has directed dozens of data breach Mr. Finch is also a leading authority on investigations and cybersecurity incident the SAFETY Act, a federal statute that can response efforts, including incidents with provide liability protection to companies fol- national security implications. A former lowing a terrorist or cyberattack. Cybercrime Hacking and Intellectual He is a senior advisor to the Homeland Property Section federal prosecutor, Security and Defense Business Council, Mr. Swaminathan also represents companies serves on the National Center for Spectator and organizations facing cybersecurity and Sports Safety and Security’s advisory board, privacy-oriented class action litigation that and is an adjunct professor at The George can often follow a breach. Washington University Law School. Mr. Finch regularly speaks and writes on DANIEL DUNNE security issues and has written articles for Partner the Wall Street Journal, Politico, The Hill, and Email [email protected] other publications. Dan Dunne, a partner in the Seattle offi ce of Orrick, Herrington & Sutcliffe LLP, represents corporations, fi nancial institutions, accountants, directors, and offi cers in complex litigation in federal and state courts. Mr. Dunne defends directors and offi cers in Rackspace Inc. shareholder derivative suits, securities class 1 Fanatical Place actions, SEC, and other state and federal City of Windcrest regulatory matters. San Antonio, Texas 78218 Tel +1 860 869 3905 Web www.rackspace.com BRIAN KELLY Chief Security Offi cer Email [email protected] Pillsbury Winthrop Shaw Pittman LLP Brian Kelly brings three decades of leader- 1200 Seventeenth Street, NW ship in security, special operations, investi- Washington, DC 20036 gations and intelligence to Rackspace. Tel +1 202 663 8062 In the Air Force, Mr. Kelly rose to the rank Web www.pillsburylaw.com of lieutenant colonel. He led teams involved in satellite surveillance, cybersecurity, and special operations; as a Department of BRIAN FINCH Defense Senior Service Fellow, advised the Partner Joint Chiefs of Staff and the Secretary of Email brian.fi [email protected] Defense; and received a Department of Brian Finch is a partner in the Washington, Defense meritorious service medal. DC, offi ce of Pillsbury Winthrop Shaw In the private sector, Mr. Kelly held the Pittman LLP. He has been named by Law360 positions of vice president with Trident Data as one of its “Rising Stars” in Privacy Law in Systems, principal (select) at Deloitte, and 2014 and a “Rising Star” by National Law CEO of iDefense. He led the Giuliani Journal D.C. He is a recognized authority on Advanced Security Center and served as

■ 350 CONTRIBUTOR PROFILES

executive director of IT risk transformation for Ernst and Young. Mr. Kelly is the author of From Stone to Silicon: a Revolution in Stroz Friedberg LLC Information Technology and Implications for 2101 Cedar Springs Rd #1250 Military Command and Control. Dallas, Texas 75201 Mr. Kelly holds a degree in management Tel: +1 214 377 4556 from the U.S. Air Force Academy, an MBA Web www.strozfriedberg.com from Rensselaer Polytechnic Institute, and an MS degree from the Air Force Institute of Technology. ERIN NEALY COX Executive Managing Director Email [email protected] Erin Nealy Cox is an Executive Managing Director at Stroz Friedberg, a global leader in Sard Verbinnen & Co investigations, intelligence, and risk man- 475 Sansome St. #1750 agement. In this capacity, she leads the San Francisco, California 94111 Incident Response Unit for Stroz Friedberg. Tel +1 415 618 8750 Ms. Nealy Cox is responsible for the overall Web www.sardverb.com operations of the global incident response group, including supervising fi rst respond- SCOTT LINDLAW ers, threat intelligence analysts, and mal- Principal ware specialists. These responders are Email [email protected] deployed to assist corporate clients affected Scott Lindlaw is a Principal at Sard Verbinnen by cyberattacks, state-sponsored espionage, & Co, a strategic communications fi rm that and data breach cases in sectors, including helps clients manage overall positioning and retail, hospitality, energy, biomedical and specifi c events affecting reputation and mar- health, and critical infrastructure. Ms. Nealy ket value. He counsels companies on how Cox also maintains a full docket of corporate best to prepare for and respond to data client assignments in the areas of cybercrime breaches, as well as how to effectively com- investigations, data breach response, digital municate in a wide range of other special forensics, and electronic discovery process- situations and transactions. Before joining ing. She is a trusted advisor to top execu- Sard Verbinnen, Mr. Lindlaw practiced tives, in-house lawyers, and outside counsel. cybersecurity and intellectual property law Prior to Stroz Friedberg, Ms. Nealy Cox at the law fi rm Orrick, Herrington & Sutcliffe served as an Assistant U.S. Attorney, leading LLP. In addition to litigating IP cases, several major cybercrime prosecutions nationwide of which went to trial, he wrote extensively while also handling complex cases of white- about developments in data-breach litiga- collar fraud, public corruption, and intellec- tion. Prior to his legal career, Mr. Lindlaw tual property theft. Additionally, she served was a reporter for The Associated Press, as Chief of Staff and Senior Counsel for the including a four-year posting as an AP Offi ce of Legal Policy at the Department of White House correspondent, covering Justice in Washington, DC, during the Bush President George W. Bush. Administration.

351 ■ CONTRIBUTOR PROFILES

U.S. Department of Justice

Treliant Risk Advisors LLC Cybersecurity Unit 1255 23rd Street NW 1301 New York Ave NW Suite 500 Suite 600 Washington, DC 20037 Washington, DC 20530 Tel +1 202 249 7950 Tel +1 202 514 1026 Web www.treliant.com Web www.justice.gov Email [email protected] DANIEL J. GOLDSTEIN In December 2014 the Criminal Division Senior Director created the Cybersecurity Unit within the Email [email protected] Computer Crime and Intellectual Property Daniel J. Goldstein is a Senior Director with Section to serve as a central hub for expert Treliant Risk Advisors. He advises clients advice and legal guidance regarding how operating in complex business and regulatory the criminal electronic surveillance and environments on data risk mitigation strate- computer fraud and abuse statutes impact gies and solutions. His career has centered on cybersecurity. Among the unit’s goals is to guiding U.S. and multinational clients ensure that the powerful law enforcement through complex international data protec- authorities are used effectively to bring per- tion requirements to provide business solu- petrators to justice while also protecting the tions that can be implemented across large privacy of every day Americans. In pursu- organizations. ing that goal, the unit is helping to shape Prior to joining Treliant, Mr. Goldstein cybersecurity legislation to protect our was the Director of International Data nation’s computer networks and individual Privacy for Amgen GmbH in Switzerland. victims from cyberattacks. The unit also At Amgen, he initiated and led privacy and engages in extensive outreach to the private data protection efforts across Amgen’s glob- sector to promote lawful cybersecurity al affi liates, while managing an international practices. privacy offi ce and a network of data protection offi cers. Mr. Goldstein is a graduate of the UCLA and the Golden Gate University School of Law and a member of the State Bar of California. He is a Certifi ed Information Systems Security Professional (CISSP) and a Certifi ed Information Privacy Professional (CIPP–US and Europe).

■ 352 CONTRIBUTOR PROFILES

the Board of Visa U.S.A. from 2003 to 2007 and the Visa Inc. Board from 2007 to January 2011. He was also previously director of Travelers Insurance. Visa Inc. He holds a Bachelor of Arts degree from 900 Metro Center Boulevard Johns Hopkins University and an MBA Foster City, California 94404 degree from New York University. He is cur- Tel +1 415 932 2100 rently on the Executive Council for UCSF Web usa.visa.com Health, the Board of Trustees for Johns Hopkins University, the Board of Directors CHARLES W. SCHARF for the Financial Services Roundtable, and Chief Executive Offi cer the Board of Directors for Microsoft Corp. Email Offi [email protected] Prior to joining Visa Inc., Charles W. Scharf spent nine years at JPMorgan Chase & Co. as the chief executive offi cer of Retail Financial Services, one of JPMorgan Chase’s six lines of business and a major issuer of Visa-branded cards. He was a member of the fi rm’s Operating Committee and its Wells Fargo & Company Executive Committee. Mr. Scharf was previ- 420 Montgomery Street ously managing director at One Equity San Francisco, California 94104 Partners, which manages $10 billion of Tel +1 800 869 3557 investments and commitments for JPMorgan Web www.wellsfargo.com Chase. From 2002 through 2004, he led Bank RICH BAICH One’s consumer banking business, helping Chief Information Security Offi cer to rebuild the brand, expand the branch and Rich Baich is Wells Fargo’s Chief Information ATM network, and develop senior talent. He Security Offi cer. Prior to joining Wells Fargo, was appointed Chief Financial Offi cer of he was a Principal at Deloitte & Touche, Bank One in 2000, leading the company’s where he led the Global Cyber Threat and effort to fortify its balance sheet, improve Vulnerability Management practice. Mr. Baich’s fi nancial discipline, and strengthen manage- security leadership roles include retired ment reporting. Mr. Scharf spent 13 years at Naval Information Warfare Offi cer, Senior Citigroup and its predecessor companies, Director for Professional Services at Network serving as chief fi nancial offi cer for Associates (now McAfee) and after 9/11, as Citigroup’s Global Corporate and Investment Special Assistant to the Deputy Director for Bank prior to joining Bank One. He was chief the National Infrastructure Protection Center fi nancial offi cer of Salomon Smith Barney (NIPC) at the Federal Bureau of Investigation when its parent company—Travelers (FBI). He recently retired after 20+ years of Group—merged with Citicorp in 1998 to cre- military service serving in various roles such ate the nation’s largest fi nancial institution. as a Commander in the Information Mr. Scharf became CFO of Smith Barney in Operations Directorate at NORAD/Northern 1995, after serving in a number of senior Command Headquarters; Commanding fi nance roles at Travelers companies, includ- Offi cer Navy Information Operations Center ing Smith Barney, Primerica and Commercial (NIOC), Denver, Colorado; Special Assistant Credit Corporation. He previously served on at the National Reconnaissance Offi ce (NRO),

353 ■ CONTRIBUTOR PROFILES

Real Time Military Analysis Center, the LINDSAY NICKLE Reserve Armed Forces Threat Center, the Partner Center for Information Dominance, and the Email [email protected] Information Operations Technology Center Lindsay Nickle is experienced in assisting (IOTC) within the National Security Agency clients with the development and implemen- (NSA). Mr. Baich was also selected as an advi- tation of risk management processes and sor for the 44th President’s Commission on data security measures related to the receipt Cybersecurity. and use of confi dential, private, and highly sensitive data. As part of the fi rm’s breach response team, Ms. Nickle assists clients in developing an effi cient and prompt response to the loss or compromise of sensitive and protected data. She has assisted numerous Wilson Elser Moskowitz Edelman clients with responding to data security & Dicker LLP incidents, and she is experienced with stand- 55 West Monroe Street ards and issues unique to consumer protec- Suite 3800 tion, as well as the payment card industry. Chicago, Illinois 60603 She also has provided guidance and advice Tel +1 312 821 6105 regarding regulatory compliance within the Web www.wilsonelser.com fi nancial industry. Ms. Nickle is an experienced civil litigator MELISSA VENTRONE with a background in general civil litigation Partner and creditors’ rights. In her years of repre- Email [email protected] senting fi nancial institutions, she has handled litigation and arbitrations involving Melissa Ventrone, chair of Wilson Elser’s fraud and identity theft issues related to Data Privacy & Security practice, focuses fi nancial accounts. Ms. Nickle has extensive privacy breach response (pre- and post- courtroom experience, including successful- event), including assisting clients with iden- ly handling more than one hundred bench tifying, evaluating, and managing fi rst- and and jury trials. third-party data privacy and security risks. Ms. Ventrone frequently advises clients on compliance with state, federal, and interna- World Economic Forum tional laws and regulations. She has assisted numerous clients with identifying and miti- World Economic Forum gating cybersecurity risks, including inci- 91-93 route de la Capite, dent response. CH-1223 Cologny/Geneva A member of the Marine Corps Reserve SWITZERLAND for more than 20 years, she uses her strong Tel +41 (0) 22 869 1212 organizational skills to manage Wilson Web www.weforum.org Elser’s breach response team, quickly bringing lawyers, clients, and forensic and breach response vendors together to optimize DANIL KERIMI response time and effectiveness. Ms. Ventrone Director, Center for Global Industries has handled numerous breaches for small Danil Kerimi is currently leading the World and large entities, including merchants, Economic Forum’s work on Internet govern- fi nancial institutions, medical providers, and ance, evidence-based policy-making, digital educational institutions, successfully reduc- economy, and industrial policy. In addition, ing public and regulatory scrutiny and pro- he manages Global Agenda Council on tecting clients’ reputations. Cybersecurity. Previously, Mr. Kerimi led

■ 354 CONTRIBUTOR PROFILES

Forum’s engagement with governments and Individual Contributor business leaders in Europe and Central Asia, was in charge of developing the Forum’s ROBERT (BOB) F. BRESE global public sector outreach strategy on Former Chief Information Offi cer, U.S. various projects on cyberspace, including Department of Energy cyberresilience, data, digital ecosystem, ICT Email [email protected] and competitiveness, and hyperconnectivity. Before joining the Forum, Mr. Kerimi worked Robert (Bob) F. Brese is a Vice President and with the United Nations Offi ce on Drugs and Executive Partner with Gartner, Inc., the Crime/Terrorism Prevention Branch, the world’s leading information technology Organization for Security and Cooperation research and advisory company. He brings in Europe, the International Organization for his recent, real-world Federal CIO experi- Migration, and other international and ence to provide IT leaders with insight on regional organizations. their most pressing issues and their most thrilling business opportunities. Most ELENA KVOCHKO recently, Mr. Brese was the Chief Information Cyber Security Strategist Offi cer (CIO) for the U.S. Department of Energy (DOE), whose national laboratories, Elena Kvochko is currently head of global production facilities, and environmental information security strategy and imple- cleanup site missions span open science to mentation in the fi nancial services indus- nuclear security. Mr. Brese led DOE’s policy, try. Previously, she was Manager in governance, and oversight of more than Information Technology Industry at World $1.5 billion in annual IT investments, as Economic Forum, where she led global well as DOE’s key initiatives in open data, partnership programs on cyber resilience cloud computing, and energy-effi cient IT and the Internet of Things and was respon- strategies. Mr. Brese also served as the sible for developing relationships with top Department’s Senior Agency Offi cial for information technology industry partners. Privacy and for Information Sharing and Prior to her position at the Forum, she Safeguarding. A leader in the U.S. worked as Information and Communication Government’s cybersecurity community, Mr. Technology specialist at the World Bank. Brese was a key contributor to the Ms. Kvochko focused on a portfolio of pro- Administration’s efforts in cyber legislation; jects aimed at leveraging ICT for economic policy; cybersecurity technology research, growth and transparency in emerging development and deployment; and in the economies. cybersecurity protection of the country’s Ms. Kvochko is an author of numerous critical infrastructure. publications and reports and has contributed to Forbes, the New York Times, and Harvard Business Review.

SecurityRoundtable.org 355 ■