Cybersecurity strategy for a threatening landscape

This article originally appeared in Thomson Reuters Regulatory Intelligence. For full access to this and other resources, please visit our website.

The regulatory and legal landscape surrounding the use of business data and its security is rapidly becoming more complex. As state and even city regulations and laws are being retooled, proposed or enacted, a patchwork of regulations has cropped up, along with federal guidance and enforcement and new industry standards – all for compliance and legal departments to consider.

The threat of cybersecurity damage to a business's profitability or reputation does not wait, however, and the landscape keeps changing.

John Carlin, a former senior Justice Department official for national security who is now head of the risk and crisis management group at law firm Morrison & Foerster, joined Regulatory Intelligence to discuss the challenges of achieving cyber resiliency in a recent webinar.

The webinar's warning boiled down to this: the threat of being hacked is increasing in size and scope and should be considered a top risk for all businesses. But Carlin also had some anecdotes and best practice pointers to share.

Some stats

A Thomson Reuters survey this year of compliance officers and general counsels about their expectations of cybersecurity threats yielded these results:

• 50% of firms expect more compliance and general counsel involvement in assessing cyber resilience
• 73% said senior managers receive information on information security either quarterly or annually
• 33% said they receive such information monthly

Furthermore, 24% of data breach incidents are caused by human error, says the Ponemon Institute and IBM, in a report they jointly authored that measured the impact of reported breaches between July 2018 and April 2019 at 507 organizations in 16 countries.

Data held for ransom, terrorism and intellectual property theft

Carlin used examples to describe the myriad purposes behind a cyber attack; at times, it's as straightforward as a hacker wanting a payment in bitcoin for the return of stolen information, which some companies pay, as there is no legal prohibition.

In a case exemplifying another threat, a hacker stole U.S. government-held data on behalf of the Islamic State in what prosecutors called "an attempt to incite terrorist attacks."

Organizations may not consider themselves subject to such risk.

But Carlin also reminded of Sony Pictures, which in late 2014, following threats from hackers of a violent attack against theaters, canceled its plans to release a satirical movie that depicts the assassination of North Korea’s leader, Kim Jong Un.

The United States called out North Korea for the attack, and Carlin, who advised the White House on the matter while at the Justice Department, noted three components to the cyber breach to underscore his point about the risks that breaches pose to companies being multi-faceted.

The North Koreans had deployed malware that made some of Sony's systems inoperable, they stole Sony movies, and they stole emails embarrassing top Sony executives.

The hackers released the embarrassing communications, which Carlin called the most harmful part of the equation: they used nontraditional media to get the information into the public knowing the mainstream media – and social media – would amplify it.

Bad guys will get in, Carlin said. The challenge for firms is to make it harder for them once they get in to steal valuable resources.

Best practices

• Make sure there is a policy for every aspect of a cyber breach incident. For example, in a ransom-seeking attack making the demanded payment may not be completely off the table, but the business needs to consider consequences such as whether the business could be paying an entity under U.S. government sanctions.
• Different types of stolen data will justify varying responses and disclosure. This should be carefully considered before incidents arise.
• The incident response plan must suit the business and its risk profile, and be consistently tested, Carlin said. Risks include regulatory risk, reputation risk, possible intellectual property loss, business disruption and loss of sales or customers, plus an almost inevitable rash of lawsuits from aggrieved parties.
• The business side and the information technology sides of the business must come together to outline top threats, possibly by bringing in outside experts to aid with the assessment.
• It is essential to make an inventory of the business's valuable information – the critical data that a bad actor could use against the business.
• Each department should outline its cybersecurity roles and top persons for carrying them out – from IT, legal, compliance, and the business units.
• The Chief Information Security Officer is an increasingly popular role at businesses, and is required by businesses regulated by the New York Department of Financial Services. No matter who this person reports to in the business, it is imperative that the person has unrestricted access to the board of directors, Carlin said.

Employees, including top managers, must appreciate communications between employees about and following the incident ("I kept saying these systems were not well-protected!") can later be used by regulatory authorities, unless they are deemed privileged.

Regulators will want to see that the business knows who has access to its systems, including third parties, how they were vetted and are monitored and trained, and how the business has segmented its network so one breach does not create an enterprise-wide vulnerability.

Carlin recommends developing relationships with law enforcement authorities – local ones and the Federal Bureau of Investigations and the Secret Service. Such agencies often have programs to provide businesses with threat briefings, and they offer information that can be tailored to one's business. Some state attorney general offices are required by law to be informed promptly of a cyber breach.

Businesses need not wait for the federal government to issue data security and privacy regulation, Carlin said. Some highly prescriptive front-end data privacy approaches coming out of states like California are changing the landscape already and must be tracked, and others are likely to follow suit.

Julie DiMauro is a regulatory intelligence expert for Thomson Reuters Regulatory Intelligence, based in New York.