January 2016 Issue
Cyber attacks are now the norm. Over the last 12 to 18 months, companies have become ever more vulnerable to assaults on their security, with the frequency and severity of incidents increasing without pause. The question is whether firms are ready to deal with both the threat and the consequences of a significant data breach. If not, the result could be devastation – reputationally, if not operationally. The threat posed by cyber attacks is not going away; it is a matter of ‘when’, not ‘if’.
FW: Reflecting on the last 12-18 months, how vulnerable have companies become to attacks such as data theft and hacking, data security breaches, computer network interruptions and privacy violations?
Bruemmer: Over the last 12-18 months, companies have become even more vulnerable to security attacks, as evidenced by an increase in both the frequency and severity of incidents. According to the recent third annual study ‘Is Your Company Ready for a Big Data Breach?’, which was conducted by the Ponemon Institute, nearly half of organisations surveyed have suffered a data breach involving the loss or theft of more than 1000 records containing sensitive or confidential information in the past two years. Additionally, by July 2015, the number of consumer records exposed through data breaches was almost double the amount of total records impacted in 2014. 135 million records were exposed as of 28 July 2015, compared to 85 million exposed in 2014. Now more than ever, it’s crucial that companies take the necessary steps to prepare and practice for the occurrence of a security incident.
Kellermann: 2015 saw corporations begin to experience an historic crime wave. Not only is sensitive data being pilfered but more often than not corporate brands are being used against their constituencies via watering hole attacks. A watering hole attack occurs when a cyber criminal pollutes a corporate website and has it infect visitors. There was a 148 percent increase in watering holes in 2015.
Bourne: As numerous surveys show, the number of data breaches suffered by UK companies is on the increase. PwC’s 2015 Information Security Breaches Survey shows that the number of security breaches suffered by large companies has increased, and the scale and cost has nearly doubled. Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach, and for most companies it is now therefore a question of ‘when’ rather than ‘if’. George Osborne highlighted the risks to UK companies in a speech at GCHQ in November, and whilst promising more government investment to help with cyber security, he noted that the “painful asymmetry” is that it is much cheaper to attack company networks than it is to defend them.
Papadopoulos: The most important and worrying theme of the past 12-18 months has been the emergence of attacks designed not to steal data but to disrupt or destroy it. Attacks that steal data tend to cause economic or reputational damage, but they are rarely existential, at least for big companies. Disruptive or destructive attacks can be much more damaging. Think about the attack that crippled Sony’s networks and communications, or the ransomware-turned-wiper attack that put one coding company out of business. Imagine if the wiper attack against Saudi Aramco had successfully wiped out not only corporate computers but also computers in its production network operating oil wells and pipelines. Recovering from these attacks is very difficult.
Wirtz: Recent studies show that the number of cyber attacks worldwide is still on the rise. The quantity of professional and highly sophisticated attacks is increasing, which continuously challenges existing defence mechanisms. Undoubtedly, the attackers are becoming more and more strongly connected and ever more professional; accordingly, the public and private sectors should work together to combat them.
Goins: Cyber attacks are now the norm – it’s not a matter of ‘if’, but ‘when’ and ‘how often’. The bad guys are getting better. According to one recent study, attackers are able to operate within a compromised environment for a mean of 256 days before they are identified, and for an additional 82 days before they are caught. With unauthorised access and plenty of time, hackers are capable of causing significant damage. While fortunately not all attacks result in network interruptions or misuse of personal data, experts now recognise that it is impossible to construct a perfect system that is safe from all intrusions. However, companies that have appropriate monitoring, incident response plans, and practiced response teams in place can reduce the cost of a data breach significantly.
Kushwaha: Data theft and security breaches have become almost mainstream over the last 12 to 18 months. If you consider the recent high profile cases like Sony pictures, Target, Ashley Madison and the IRS in the US, and Carphone Warehouse, Talk Talk and Nokia in Europe, all these incidents point to one undisputed fact – security breaches are real, the threat is imminent and negative business implications can be substantial. Not only is the threat real, in select cases there is a whole supply chain beginning to develop in the ‘Dark Web’ that monetises the data that is stolen. There are illegal enterprises that focus on the upstream harvesting of data, such as stealing millions of credit cards, others who enrich the information by aggregating data across hacks, such as illegal big data enterprises that develop comprehensive views of businesses and individuals by buying data from multiple harvesters, and finally those who buy the comprehensive views and actually perpetrate the blackmail of individuals and businesses.
“Security breaches are real, the threat is imminent and negative business implications can be substantial.”
FW: What impact have cyber security legal and regulatory issues had on companies over the past 12 months or so? Could you explain how developments in this space are affecting the cyber security policies that companies instigate?
Papadopoulos: More and more companies are using the Cybersecurity Framework by the National Institute of Standards and Technology (NIST) as a tool to manage risk and explain their cyber security to management, boards, and external stakeholders, like regulators and customers. This is good news for a few reasons. First, it lets boards and management play their role more constructively. Second, it gives companies of all sizes and sectors a common vocabulary to talk about cyber security. Third, the NIST Cybersecurity Framework has helped move companies away from the old ‘perimeter defence’ model of trying to keep the bad guys out to a more sophisticated model of knowing your system and making the company resilient to attack.
Wirtz: External legal and regulatory compliance, as well as adherence to internal regulations, are very important for our company for both product-related and internal IT. We are constantly monitoring international and local regulations and have implemented a process to make sure that all our products and services, as well as all applications we use internally, comply with these requirements.
Kushwaha: Historically, the main regulatory frameworks relevant for cyber security were the HIPAA, Gramm-Leach-Bliley Act, and the Homeland Security Act, which includes FISMA. These were reinforced by the creation of the NIST Cybersecurity Framework, and then finally the recent creation of the SEC guidelines for cyber security compliance and the requirement of public disclosure of cyber security risks and incidents. All of these collectively not only attempt to raise the bar for cyber security awareness at public and private companies that own most of the computer infrastructure, but also attempt to raise the bar for holding them legally accountable for lapses. In fact, this year, within a few weeks of OCIE issuing new guidance outlining areas of cyber security risk that need to be addressed by brokers-dealers, the SEC filed its first enforcement action against a St. Louis based investment adviser, sending a clear message that they are serious about compliance and enforcement.
Goins: Nearly every regulatory body in the US – from the SEC to the FTC to the CFPB – has now weighed in on the issue of cyber security. The financial and healthcare industries are perhaps the most sophisticated today, since they have been more highly regulated for a longer period of time. The recently promulgated Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool is an example of a highly structured set of specific suggestions and guidance for financial institutions to assess cyber risk and structure appropriate response plans. Regulators lean toward holding companies liable for data breaches even when the company is a victim, and regulatory and shareholder actions against directors personalise the risk. Cyber risk now ranks as one of the top two or three issues on the minds of corporate directors, although many do not feel qualified to deal with it.
Bourne: A number of the key developments over this period shared a similar theme: the elevation of an individual’s right to expect their information to be used fairly and secured properly, and redress where organisations fail to achieve these broad aims. In these circumstances, and in the wake of several, recent, high-profile data breaches, we have witnessed a cross-sector expansion of cyber security policies. As cyber threats transform on a daily basis, the pressure to evolve is driving more prescriptive and updated versions of employee policies, demanding higher standards of vigilance among staff, and forcing technical teams to act quickly when vulnerabilities are discovered.
Bruemmer: Currently there is no uniform national data breach response law in the US, so companies lack clear guidance on how to comply with regulatory standards when responding to a data breach. To ensure they are in complete compliance, businesses must refer to a patchwork of 49 existing laws in nearly every state, with the exception of Alabama, New Mexico and South Dakota. Because each state has its own requirements on the timing and language of a data breach notice to consumers, it makes the rules and regulations confusing for companies to follow. However, today Congress is closer to passing a federal data breach law than ever before. Additionally, with the recent passing of the Cyber Security Information Sharing Act (CISA), businesses may start responding differently to cyber attacks. The CISA aims to reduce online attacks by encouraging companies to share more information about cyber threats with federal agencies.
Kellermann: The legal and regulatory environment is becoming more rigid. The FFIEC recently stated that boards of directors must be regularly briefed and directly involved in the cyber security oversight and governance of their institutions. The FTC has become active in leveraging suits against corporations that have been negligent in their cyber security practices. And more and more shareholder lawsuits have been leveraged against corporations that have been breached.
“Cyber risk now ranks as one of the top two or three issues on the minds of corporate directors, although many do not feel qualified to deal with it.”
FW: In your experience, are corporate oversight activities – such as reviewing IT budgets, assessing security programmes and implementing top-level cyber policies – robust enough to deal with today’s risks?
Wirtz: We believe that due to the recent public discussion regarding information security, companies are beginning to understand the importance of corporate oversight and the related risk scenarios, which should make budgeting for information security solutions easier. Boards and senior management need to be committed to the topic and the protection of critical assets.
Bourne: Today’s cyber risks stretch far beyond technical glitches in IT systems and power surges. Companies must be prepared to contend with malicious outsiders, such as hackers or corporate spies, and insiders, including rogue employees. They must also be alive to the risks posed by unwary staff. Socially engineered phishing emails and malicious macros pose a constant danger, particularly to employees with an online profile, as does the careless loss of storage media. In this climate, dealing with the risks involves anticipating, preventing and mitigating – corporate oversight must deal with each. However, while enterprise-wide risk management is at the forefront of some corporate agendas, this is not the case for all.
Goins: Although some companies have appropriate policies and procedures in place to deal with cyber risk, there is significant variation in the sophistication of companies’ cyber response and oversight, so as a general matter we would say that oversight is not sufficiently robust. Midsize and smaller companies, in particular, are having difficulty scaling cyber protection programmes to meet both their needs and their budgets. Moreover, many companies do not have good oversight of seemingly peripheral, but critical items such as vendor interface and management, which may make company systems vulnerable to attack and cause significant losses. Many companies have seemingly robust procedures, but fall down on employee training, although employee carelessness and response to potential hacks such as phishing attacks remain the most common avenues to access internal systems.
Bruemmer: While data breaches have become somewhat inevitable, the steps companies take to prepare before an incident occurs largely influences how smooth a company’s response is. For this reason, corporate preparedness activities are not only essential when dealing with today’s risks, but can also help companies prevent further data loss in the event of a breach if they are practiced and carried out on a regular basis. A data breach response plan should include several preparedness activities, such as conducting employee security training at least once a year, investing in proper cyber security software, conducting breach plan evaluations and drills, and developing data security and mobile device policies, among others.
Kellermann: There exists a governance crisis within corporations related to cyber risk. Every organisation must have a CISO but that individual must report to the COO, not the CIO, as that is akin to an offensive coordinator reporting to a defensive coordinator. Twenty percent of IT budgets must be allocated to protecting the IT and brand via investment in cyber security. Currently, the industry norm is 6 percent, which is woefully inadequate.
Kushwaha: As it stands now, most individuals in roles of responsibility understand notionally the risks associated with cyber security. The biggest risk today is not lack of awareness, but rather lack of a coordinated execution in understanding the individual implications for each role in the company and what each of them need to do individually in their respective spheres of influence and how it comes together to de-risk the enterprise overall.
Papadopoulos: Companies are getting better and better at oversight, but there is still room for improvement in how they manage cyber security risk. Some companies overemphasise risks they can quantify over risks they cannot quantify. Companies can count how many records of personally identifiable information (PII) they have and estimate the costs per record of a breach, so they focus on that risk. Companies have a harder time quantifying the impact of stolen intellectual property, or the competitive loss from a leaked business strategy or product launch, so they do not focus as much on these risks.
“Cyber security investments should be perceived as brand protection investments – and therein lies the challenge as CMOs have yet to appreciate that part of their responsibility lies in cyber security and brand protection.”
FW: Do you believe companies are paying enough attention to the possible reputational damage, in addition to the financial repercussions, that can arise in the event of a cyber breach?
Bourne: A variety of first and third party losses can flow from a data breach. Understanding the scope of these losses, and how they arise, is fundamental to an organisation’s security strategy. One limb of the potential first party loss derives from the impact that a breach can have on perception of the organisation among consumers, trading partners, lenders and the like. This is commonly understood as ‘reputational’ damage. Reputational loss can manifest in a number of ways, from an increased cost of capital to a loss of revenue and, potentially, a reduction in shareholder value. Theft of IP can also be extremely damaging to a company’s reputation. Such damage has long been a concern of the financial institutions and professional services firms expected to set the bar in information security.
Kellermann: Cyber security incidents directly impact brand reputation and stock valuation. In addition, more secondary attacks are occurring wherein adversaries use a compromised network to attack the supply chain of the victim, leapfrogging through their trusted connections. This has become very common in the legal sector. Cyber security investments should be perceived as brand protection investments – and therein lies the challenge as CMOs have yet to appreciate that part of their responsibility lies in cyber security and brand protection.
Papadopoulos: Executives and companies tend to be highly focused on reputation. Most executives consider reputation to be one of their company’s biggest assets and vital to their business success. They have invested a lot in earning that reputation and want to preserve it. Reputational risk is, therefore, high on their list of risks. But companies encounter challenges in turning this concern into execution. The challenges come in two forms. First, companies still tend to be too focused on preventing incidents rather than responding and recovering effectively in ways that protect their reputation – the right response must balance efforts at prevention with response and recovery. Second, it is hard to predict how an incident will affect reputation, whether the loss will be recoverable, and so on.
Kushwaha: This area needs to be a priority for companies. Today we have real examples like Target, where the financial implications from the cyber security breach clearly exceeded tens of millions of dollars, resulted in a significant loss of enterprise value in the immediate term, and had significant management transitions associated with the breach. Despite this, if you look at recent surveys on how much time boards are spending on cyber security versus other risk topics, or how many companies have protected themselves with a comprehensive cyber security risk policy, one would have to conclude that not enough attention is being paid to the reputational and financial risks of cyber security. Also, as per a recent KPMG report, of the 45 percent of audit committees that do have oversight responsibility for cyber security, only 25 percent claimed that they have good information on the matter.
Bruemmer: Companies are becoming increasingly aware of both the major reputational risk and financial fallout of a data breach. In fact, data breaches are now ranked by executives as more concerning than product recalls and lawsuits. The good news is that more companies are acknowledging this risk to take the initial steps to prepare. Eighty-one percent of companies report having a data breach response plan in place, an increase from 73 percent in 2014. But, less than one-third of executives – 28 percent – are confident in their organisation’s ability to minimise the financial and reputational consequences of a material data breach – indicating more work needs to be done.
Goins: Many companies fail to recognise the potential for serious reputational damage that can accompany a breach. Retailers like Target that depend heavily on their reputations in generating revenues can find themselves forced to offer expensive incentives to lure consumers back after a breach. While it is difficult enough to estimate the potential cost of theft of personal data or intellectual property, it is far harder to estimate the potential cost of reputational damage when the breach becomes public. Also, poor communication with regulators and the public after a breach can create significant additional exposure. This is why companies should consider having an experienced crisis management firm on call to assist in dealing with the aftermath of a breach.
Wirtz: Due to the fact that more and more cyber attacks against large companies and institutions are becoming more public, companies are becoming much more aware of the threat of reputational risk.
FW: What advice would you give to boards in terms of protecting their data through risk management solutions for cyber security? What key areas should they address when reviewing and reinforcing their systems and controls?
Kushwaha: Boards have a key role to play in enforcing a pragmatic stance toward cyber security. The key recommendation for any board member would be to constantly ask: is cyber security an adequate part of the enterprise risk management framework? Is there clarity in who owns the cyber security risk of the enterprise and is responsible for executing a holistic strategy? Are the board members adequately trained? Do they understand what question to ask in the context of the company and its associated cyber security and compliance risks? Are the board updates meaningful and adequate for them to stay on top of risks and implications? Are there robust training programmes within the company that ensure actionable awareness at all levels in the company?
Goins: Directors are responsible for enterprise risk management – identifying all risks the company may face, including cyber risk, and determining what level of risk is appropriate for the particular entity. While boards usually delegate direct oversight of cyber security to a general counsel or chief compliance officer, to quote SEC Commissioner Aguilar, “at a minimum, boards should have a clear understanding of who at the company has primary responsibility for cyber security risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices”. Boards need to be proactive. Directors must ask questions, starting with what data is critical to maintaining the business – a determination that will vary from one company to another – and identify the potential worst-case cost of a cyber incident. They must also monitor the implementation, enforcement and effectiveness of the company’s cyber security systems and controls, and ensure that corrective action is implemented as needed.
Bruemmer: It is great to see that boards of directors and CEOs have become more involved and informed in the past 12 months about their companies’ plans to deal with a possible data breach. In 2014, only 29 percent of respondents said their senior leadership were involved in data breach preparedness. This year, perhaps due to recent mega breaches, 39 percent of respondents say their boards, chairmen and CEOs are involved at a high level. Our advice to board members is to ensure they stay up to speed on current data breach threats facing their companies. They should hold risk managers accountable and ensure that incident response plans are up to date and take into account emerging issues. This means senior leadership should be involved with regular audits and fire drills to practice the data breach response plan.
Wirtz: As 100 percent security is not achievable, every organisation must adopt a risk based approach to information security which suits their particular needs. It is clearly necessary to focus on critical information assets which need to be protected to the highest possible degree. Protection measures like antivirus solutions, firewalls and web-filters, and detection measures such as security information and event management and intrusion detection systems, need to be aligned very closely to this approach.
Kellermann: There are several steps companies can take. First, promote your CISO to report directly to your COO or CEO. Next, conduct a compromise assessment to discern if you have already suffered an event unbeknownst to your CIO. Thirdly, conduct a penetration test of your outside general counsel to understand if they are vulnerable to attack. Finally, invest in a breach detection system, an intrusion prevention system, application controls, file integrity monitoring, two factor authentication, mobile security and virtual shielding.
Papadopoulos: The top of the list for us is combining good encryption with multi-factor authentication. Good encryption protects the data wherever it goes, but encryption is only as good as the management of identities and access. If criminals or attackers can easily take over an account that has permission to decrypt data, then the data is not secure. Many companies encrypt data but don’t protect the keys or who controls the keys, so pairing encryption with multi-factor authentication is important. Beyond that, companies need to layer in additional protections – continuous monitoring and logging to detect and analyse compromise, data loss prevention to keep data from leaving the network, good backup and recovery practices, and many more technologies.
Bourne: Risk management requires both technical and organisational measures. Businesses should closely monitor system behaviour, preserve adequate firewalls, patch promptly and routinely encrypt data. Likewise, a culture of vigilance among employees can prevent unauthorised infiltration, whether because suitable passwords have been created or because the authenticity of unexpected emails has been checked before any attachment opened. Boards also need to be aware of the various sources of cyber risk. This requires close scrutiny of where and how data is being stored and backed-up, who has access to that information, and of the separation between systems. Third party contractors with network access should be vetted, and appropriate contractual terms agreed, before information is entrusted to them.
“As 100 percent security is not achievable, every organisation must adopt a risk based approach to information security which suits their particular needs.”
FW: What processes should companies adopt to reduce the threat of staff members compromising the company’s cyber security, either intentionally or unintentionally?
Wirtz: Keeping in mind that the majority of successful attacks are based on human behaviour, it is crucial that companies make employees aware of their contribution to the overall security architecture. Extensive communication and awareness measures regarding existing information security regulations and processes, regular information security training for all employees, as well as specific measures for management, should be in place to minimise these risks.
Papadopoulos: The good news on insider risks is that the shift from a ‘perimeter defence’ model to a ‘resilient network’ model means that many of the technologies and policies that mitigate risk from outside actors also help address insider risks. Nonetheless, there are specific steps that focus on insider risks. To stop the biggest unintentional risks, companies should have good backups, deploy data loss prevention tools to stop data unintentionally leaving the network, and control their social media. Stopping intentional insider risks is harder and requires continuous monitoring, privileged account management to watch over super-users, like IT administrators and segmentation of duties where two people need to sign-off on large financial transactions, for example.
Goins: Training is a critical component of any cyber security programme. Employees and staff should receive frequent updates on current potential cyber risks as they are identified, and should receive comprehensive training in avoiding potential breaches at least annually. Companies should limit the data they store when possible, and restrict access to sensitive data on a ‘need to know’ basis. Frequent password updates and multi-level user authentication tools should be required where appropriate. Personal devices that can store or access company data should be password protected. Some companies enlist employee and staff assistance in maintaining cyber security by offering awards and incentives to encourage reporting potential threats. Lessons can be learned from the recent derivative complaint against Home Depot, which faults directors for the company’s failure to encrypt customer data, use of outdated firewalls and antivirus software, and failure to monitor network access.
Bourne: Cyber ‘good practice’, promoted through employee training and awareness sessions as well as staff handbooks, minimises the possibility that an employee will unintentionally facilitate infiltration. A basic programme would seek to educate staff in the different types of cyber attack and what to look out for. It would outline how to create and use effective, including ‘just-in-time’, passwords. Further, it would address the importance of security settings, including on social media platforms, the information on which can be used to craft spear phishing campaigns. The starting point to protect against intentional employee breaches is often the scope of each employee’s network access, IT privileges and duties. However, there are many other prevention strategies.
Kushwaha: The key process gaps that drive staff member risks are generally associated with a lack of several factors. Firstly, there is often a lack of training and awareness of cyber security at an individual level. Secondly, there is no ongoing review and alignment of an individual’s information access to their current roles and responsibilities. Third, there is often an absence of security verification and compliance requirements for third-party vendors. Finally, there is a lack of ongoing reviews and risk assessment of outsourced operations. Recent cyber security attacks are generally mostly initiated by taking over someone’s individual account as a Trojan horse and then compromising the enterprise from there. An important part of the defence is to institute and monitor policies that secure individual access and fortify the end points – not only for the employees but for any stakeholders that have access to company resources.
Bruemmer: All companies should have regular security and privacy awareness training for employees, and include data protection as part of the new hire orientation process. Despite human error being a leading cause of data breaches, 43 percent of organisations indicate they still do not have training programmes for employees and other stakeholders that have access to sensitive or confidential personal information. It’s absolutely crucial that businesses conduct regular security training and work with employees to integrate smart data security efforts into their daily work habits.
Kellermann: Companies should limit privileges of accounts, segregate networks, conduct in person cyber security awareness training, implement mobile security and deploy virtual shielding for exploits.
FW: To what extent is cyber security becoming an increasingly important part of M&A due diligence when evaluating a potential target? In your experience, are acquirers more aware of the risks of inheriting weak systems and processes?
Bourne: IT systems due diligence and integration is now an accepted and standard part of an acquisition process and one of the things a purchaser looks at as part of that process is system weakness, including breaches that have occurred. With the current focus on cyber attacks, it must be that this is now more of a focus area for purchasers when they carry out their due diligence, particularly for those companies, such as insurers, professional services firms and healthcare organisations, which hold a large amount of personal data. Integration of IT systems is always a challenge during the integration phase of a merger process, and with the seemingly ever increasing risks associated with data security, and the board level profile of this exposure, we expect that this will be an area that continues to move up the agenda in an M&A context.
Bruemmer: There has been a spike in M&A activity this year and companies should consider cyber security a crucial part of the process of evaluating a potential target. During mergers, companies acquire both the benefits and threats of another organisation, and many M&A transactions run into unexpected security concerns. These risks underscore the importance of companies investigating the security posture of their potential partners before making a business decision – including checking that they have a data breach response plan and cyber insurance policy in place, conduct regular security trainings, and so on.
Kushwaha: Cyber security is an increasingly important part of M&A due diligence. There is generally always a section on cyber security risk in any meaningful and quality diligence exercise. However, most M&A diligence today is likely to yield gaps in the information security stance for any company. The gaps are generally process or technology gaps that can be remediated with a focused effort and generally do not tend to prohibit the pursuit of a transaction except in some unique cases. Having said that, the challenge is now shifting from ensuring that the gaps are being identified in the M&A process, to ensuring that there is a process for closing the loop to remediate the gaps after the transaction closes.
Kellermann: We are beginning to awaken to this stark reality. Many corporations that are acquired are infected with malware and a footprint of adversaries. Penetration tests and compromise assessments via the deployment of breach detection systems must be conducted prior to M&A finalisation. In addition, your outside general counsel who is handling the process is being targeted by criminals, competitors and nation states, thus the cyber security of the outside general counsel must be improved dramatically.
Papadopoulos: Companies are starting to pick up basic cyber security due diligence – they ask whether the target company has been hacked before, and they do high-level assessments of its cyber security readiness. That is a good start, but it misses the full potential of due diligence. Due diligence should inform the valuation of the target in M&A deals. If the cyber security is terrible or the network is already compromised, the company is less valuable, whereas if the cyber security is strong, the company is better protected and more valuable.
Wirtz: In general, M&A activities are based on business related targets. Each M&A transaction runs, via a due diligence phase, an extensive risk assessment process, and the analysis of potential information security risks must start as early as possible. At a later stage, the secure connection of the new acquisition must be ensured.
Goins: Most acquiring companies now recognise they are buying their target’s data security problems and are concerned, but many are not doing anything about it. The majority of companies are not analysing cyber risk in depth and are not dealing with it in due diligence. Companies appear to be most concerned that a cyber attack during deal discussions will alter the price or kill the deal, that the target will be proven to be the victim of a breach, or that the target has not handled past breaches effectively. Companies often neglect to plan the logistics of transferring sensitive data and personal information, and fail to investigate whether a company using a cloud or other vendor for data storage even has the capability to transfer data, which not all do. Acquirers may also fail to recognise issues related to local privacy and data transfer laws.
“Many companies encrypt data but don’t protect the keys or who controls the keys, so pairing encryption with multifactor authentication is important.”
FW: How should firms initially respond to a cyber attack in order to maintain confidence and credibility and demonstrate that they have done the right thing?
Kellermann: They should have a crisis communications plan in place that deals with all contingencies. They should actively review their incident response plan once per month at the c-level. They should have either in-house forensics capabilities or have a firm on retainer just in case. They should have a breach detection system deployed so they might react in real time.
Papadopoulos: Convincing outside parties that you have done the right thing usually starts with doing the right thing. In other words, effective incident response doesn’t start after the incident, but long before the incident. Companies need to consider their biggest risks, try reasonably to mitigate them, and prepare to respond if an incident does occur. With those fundamentals in place, there are some basic response best practices that companies should follow. Here are the top two. First, find the breach yourself, and find it quickly. Most breaches go undetected for months, and two-thirds of companies learned they were breached because an outside party told them, not because they discovered it themselves. Second, be transparent, direct and honest, getting complete and accurate information out quickly while avoiding erroneous statements that can hurt credibility. The good news for big companies is that most breaches are survivable, whereas, small and medium enterprises have a much harder time surviving the reputational, financial and legal consequences.
Bruemmer: It’s important that firms respond quickly and strategically when a data breach is discovered. Legal counsel should be contacted immediately for guidance on initiating the critical steps that must follow an incident and companies should always record the moment of discovery. Additionally, law enforcement should be notified and a forensic firm should be brought in to begin an in-depth investigation of the attack. To maintain confidence and credibility, companies also need to prioritise protecting those who may have been affected by the breach.
Kushwaha: A key aspect of having a cyber security strategy is to have a formal cyber security response plan. The response plan should have a clearly defined purpose, audience and scope. In no order of priority, the components of an incident response plan would include items like containment, investigation, communication, response and remediation. The two most critical aspects to getting a cyber incident response right, something that most companies struggle with, are not underestimating the extent of the compromise and quickly assessing the true extent of the existing and potential boundary of the compromise, and activating an appropriate communications strategy that not only meets fiduciary and legal requirements, but also ensures that if required, all primary and secondary stakeholders are prepared for downstream collateral implications.
Goins: An incident response plan developed before the crisis arises that spells out the protocol to be followed in case of a breach will provide the best defence. Recognise that not every cyber attack results in a breach. Determining whether a breach has occurred requires analysis of the facts and the law by an attorney working with appropriate in-house IT or outside consultants. For a major breach, involve the directors early and often. Many regulators and the laws of 47 states require prompt notice to regulators, state attorneys general, and the affected individuals if personal information is taken. Companies that operate outside the US may also need to consult local privacy law experts to determine whether additional steps are required. If the breach affects the company’s confidential business information, the company should reach out to law enforcement.
Bourne: Advance planning is crucial to formulating an appropriate response plan, and a coordinated response team should be in place prior to the incident. This team should report, via an appointed business-lead, into senior management on the breadth of legal, PR, IT-forensic and crisis-management issues. A key priority is to immediately assess the scope and nature of the breach. Speed of response is vital: within a short space of time, the business will need to make a number of time-critical decisions. Communication is at the root of this process; there may, depending upon the nature of the breach, be issues of notification, network safeguarding and injunctive relief to act upon.
Wirtz: There must be a standard incident management process in place to analyse and estimate the consequences of a concrete cyber attack. Depending on the outcome, a defined remediation plan aligned and supported by business and information security should be effective.
“It’s absolutely crucial that businesses conduct regular security training and work with employees to integrate smart data security efforts into their daily work habits.”
FW: In your opinion, what are the key D&O risks that can arise from a data security breach? Do any recent cyber liability cases demonstrate this particular issue?
Goins: Directors and officers run the risk of personal liability through shareholder suits claiming breach of fiduciary duties, mismanagement, corporate waste and breach of disclosure requirements, for failing to prevent the breach as well as mishandling the company’s response to the breach. In addition, regulators may hold individual D&Os responsible. In connection with the Wyndham Worldwide breach, for instance, shareholders faulted directors for failing to ensure that adequate information security policies were implemented. The company was successful in obtaining a dismissal of the shareholder suit because the court held the directors had systems in place and had not “consciously failed to monitor or oversee its operations”. The FTC also instituted an action against the company’s directors. The recent Home Depot derivative complaint attempts to avoid dismissal through more specific allegations. Critically, insurance coverage for D&Os may be problematic under standard policies.
Bourne: While we have not seen any shareholders claims against UK directors relating to cyber or data breach issues to date, as privacy and network security issues are increasingly viewed as a board issue, it may become harder for directors to escape liability if their companies experience a serious loss. Although there are no specific duties which relate to data security, directors are required to act with a certain degree of skill and in good faith. Any claim is likely to be brought as a derivative action under the Companies Act, and there are hurdles to getting a claim off the ground. Experience in the US and the UK has shown that a stock drop following a data breach is not inevitable and in many cases temporary, but there are predictions that as cyber security becomes a competitive advantage, more US claims may follow in the future with the potential for a rise in securities class actions following a data breach.
Wirtz: Financial risks, personal consequences, as well as reputational risks, can arise from a data breach. By having a professional information security system in place, with state-of-the art technology, a network of experts from IT and product security, as well as general communication and awareness measures, the risks for a data security breach can be minimised, as can any potential D&O risks.
Kushwaha: When claimants filed shareholders’ data breach-related derivative suits against the boards of Target and Wyndham Worldwide, it raised the possibility that we could see a wave of cyber security related D&O lawsuits. This was further born out with 12 Home Depot D&Os being sued, alleging that the defendants breached “their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers’ personal and financial information”. Finally, NIST, with its cyber security framework, and the SEC, with its guidelines for public companies regarding proper disclosures for cyber-attack incidents, are continuing to raise the bar for proper governance and accountability.
Bruemmer: As the severity of data breaches and cyber security attacks continues to grow, directors and officers can no longer afford to ignore the potential impact on their business. After high-profile data breach cases like Target and Wyndham Worldwide pointed the blame at D&Os, more companies are concerned that security incidents will lead to D&O lawsuits. C-suite executives and boards are now being held more accountable, and if an incident is mismanaged, many could lose confidence in their ability to manage security issues or lose their positions completely. Additionally, many officers and directors may assume they will be legally covered if they are targeted with a cyber-related lawsuit, but we could see the D&O insurance space changing in terms of whether insurers attempt to exclude cyber coverage from their policies, or companies overlook and fail to review policy terms.
Papadopoulos: The most important thing for directors and officers to do is exercise effective and methodical oversight of cyber security risks and risk management. This can include getting periodic reporting on useful data, requiring the company to set a risk tolerance and a strategic plan for cyber security, monitoring progress against that plan, benchmarking against peers, and preparing for an incident. The NIST Cybersecurity Framework is an extremely useful tool for directors and officers to oversee cyber security, because it provides a sensible framework and lets companies set their current maturity level and choose a target maturity level they want to achieve.
“Advance planning is crucial to formulating an appropriate response plan, and a coordinated response team should be in place prior to the incident.”
FW: In what ways do you see the appetite for cyber insurance developing over the coming years, as a means of mitigating the damage caused by cyber crime and data breaches?
Papadopoulos: Today, most cyber insurance policies are good at covering business disruption – for example, if your website is down and you cannot sell merchandise or conduct transactions – as well as costs associated with a breach of PII. For companies that depend on up-time or have lots of PII, cyber insurance can be a great investment, so long as the company looks closely at premiums, exceptions, caps and so on. In the coming years, we can hope to see cyber insurance mature. With better data, insurance providers can price their premiums in a more targeted fashion based on a company’s risk and can increase caps in some cases. In some cases, cyber insurance may expand to cover reputational harm, competitive loss or other consequences that are not yet as easy to quantify as business disruption or PII breach costs. Ultimately, cyber insurance is one part of a company’s risk mitigation strategy.
Wirtz: From a financial point of view, cyber insurances are interesting products to look at, while the number of cyber attacks is still growing and consequences are often markedly harmful. Nevertheless, the main focus should be to minimise the risks of a successful attack, to avoid negative consequences in the first place.
Kellermann: In the US we have seen strong competition on the buy side of M&A transactions in the regulated utilities sector. This could be a reaction to market volatility – with the steady return on utility rate base investment continuing to be an attractive investment. Purchase prices in some cases have been at a significant premium to market prices and in addition, in many deals, the actual agreements have included more seller-favourable provisions than we saw, for example, 10 years ago. We have also seen utility ‘roll-up’ machines – holding companies already owning several utilities – acquiring additional utilities. In the past, the Public Utility Holding Company Act of 1935 restricted the ability of holding companies to own utilities across the nation, but that act was largely repealed by Congress in 2005, paving the way for what we are seeing now.
Kushwaha: As the sophistication of hackers continues to improve, the scope and magnitude of breaches continues to expand, and the regulatory and governance environment continues to increase corporate accountability for prevention, the notion of cyber insurance will be a significant topic of discussion. Currently, the cyber insurance policies can best be described as multiple point solutions and more of a jigsaw puzzle that needs to be assembled to ensure companies, their customers and their boards are adequately protected. As the cyber security landscape continues to evolve with the magnitude of losses becoming increasingly material for the company and for its customers, and legal actions being brought against the company and its board members becoming more frequent, comprehensive cyber security policies will be mandatory.
Goins: The insurance industry has been responsive to the need for adequate coverage to mitigate the impact of cyber incidents and has developed new products to provide coverage in the case of a cyber breach. Traditional entity and D&O policies often contain exclusions – such as ‘bodily injury’, interpreted to exclude violations of a person’s right to privacy, ‘antitrust’, or ‘regulatory’ exclusions – that may limit the policy’s effectiveness in case of a cyber breach or regulatory investigation. Newer products are available now at relatively reasonable cost, but may become more expensive over time as insureds draw down on the coverage in future cyber breaches, so companies should consider obtaining such insurance coverage in the near future.
Bourne: Instances of network infiltration are rising. With businesses being advised to prepare for the worst, cyber insurance is an obvious, and increasingly prevalent, risk management tool for organisations. However, it is a complex product that exists within an uncertain regulatory environment. Over time, this uncertainty will diminish as more cases receive judicial attention; the Supreme Court is, for example, shortly to hear the appeal of Google v Vidal Hall. This, we hope, will shed more light on the issue of compensation under the Data Protection Act, and, of course, third party privacy liability. As companies better understand the cyber risks that most significantly affect their size of business and industry-sector, we may see a demand for increasingly nuanced forms of discrete cyber cover.
Bruemmer: There is definitely a growing appetite for cyber insurance and we expect this will only continue to increase in the coming years. To put it into perspective, the number of companies that have a cyber insurance policy has more than tripled over the last three years. Our annual study on corporate data breach preparedness found that today 35 percent of organisations have a policy compared to only 10 percent in 2013. For those organisations that don’t yet have cyber insurance policies, 17 percent are planning to buy a policy in the next six months and 20 percent in the next year. Cyber insurance policies are gaining traction for a number of reasons. Firstly, they are viewed as an important piece to manage the potential damage and financial risk of a data breach. Secondly, they are used as a resource to help organisations understand cyber threats. Thirdly, they provide companies with access to third party expertise under stressful circumstances.
FW: Going forward, should companies expect a business environment which is constantly under threat of cyber attack? Are companies well positioned to meet this challenge?
Goins: The threat posed by cyber attacks is not going away. Whether the result of criminal activity, foreign government-funded assaults on corporate intellectual property, or the machinations of bright teenage hackers, companies must be aware that someone, somewhere, will be attempting to access their systems and their data. Systems are becoming less, not more secure. Hackers become more sophisticated as the practice becomes more profitable, while core system security becomes weaker with countless additional access points. Awareness of cyber risk continues to grow, however, and more and more companies are implementing effective cyber security policies and incident response plans.
Kushwaha: Going forward, it would be very prudent to expect a business environment that is not only under constant threat of cyber attack, but to expect an environment that will become substantially more litigious, and an environment that will be substantially more regulated with compliance risks becoming a material issue. Today, the overall magnitude of the changes required are not well understood. This is not only because the issues here are very new and quite technical in nature, but also because this space has not yet evolved and trying to understand where it ends up is akin to looking at a crystal ball to predict the different routes it can take in its evolution.
Bourne: In recent years, we have seen cyber attacks become more sophisticated, and hackers have become adept at concealing their behaviour. Old forms of attack have waned, and new forms have emerged. This trend will continue. Whilst patterns in system behaviour can yield clues about when a network has been targeted, identifying and acting upon these clues is complex and expensive. For the SME market, it is a particularly challenging environment. Government investment to protect UK business is welcomed, but there is much more to be done. Recognising the value of information-sharing is crucial, as simply passing on threat details can alert others to potential attacks and vulnerabilities.
Bruemmer: In today’s data breach landscape, it’s not a matter of if but when a company will be impacted by a data breach. And while more are taking the basic steps to prepare by having a data breach response plan in place, many companies still lack confidence in their ability to manage security issues and execute their responses. Only 34 percent say their organisation’s data breach response plan is effective, citing a lack of crucial considerations – including steps to take when responding to a data breach involving an overseas location and accounting for loss or theft of paper documents and tapes containing confidential information. Furthermore, while it’s promising to see more companies have a response plan, it is no good if it sits on the shelf. Companies should make an effort to practice and audit their response plan on a semi-annual basis.
Kellermann: We believe that cyber space will become more hostile and punitive. It was noted in the 2015 report, ‘Cyber Security in the Americas’, that over 44 percent of critical infrastructures suffered from delete and destroy attacks. Winter has come. They are not choosing to set your house on fire after they rob it in order to burn the evidence and make the corporation suffer. Sony was not an isolated incident. We must expect to be hit and prepare to survive.
Papadopoulos: For as long as it is easy, profitable and beneficial to hack companies, bad guys will keep hacking companies. Today, it is easy, profitable and beneficial to hack companies. The fundamental reason is that the IT hardware and software we rely on is inherently insecure and makes compromise easy. Why? Today, hardware and software is generally built to be open, interoperable, fast, and cheap; security is not a priority. So, it is easy to hack. The security industry makes it harder through defensive technologies, but this creates a cat-and-mouse game that will not end. The answer, the light at the end of the tunnel, is secure design. When we start to demand hardware manufacturers and software developers build more secure products, we will tip the balance to make systems harder to hack and easier to protect.
Wirtz: We definitely won’t see a decrease in the number of cyber attacks in the next couple of years. And as the business world becomes more and more interlinked, we are seeking an exchange of knowledge with our providers, customers and external experts as well as governmental institutions in order to ensure consistent, sustainable protection concepts for our critical assets. That’s what we would recommend other companies do as well.
Helen Bourne has a broad range of commercial and insurance litigation experience, often advising insurers and corporates on high value complex disputes. Ms Bourne is responsible for Clyde & Co’s cyber insurance team in the UK, and has experience of evaluating data breaches and related claims arising from cyber risks, including liabilities arising from cyber crime. She also advises insurers on the development of cyber insurance programmes in the UK. She can be contacted on +44 (0)20 7876 5000 or by email: helen.bourne@clydeco.com.
Michael Bruemmer is vice president of the Experian data breach resolution group at Experian Consumer Services. With more than 25 years in the industry, he brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call centre and identity theft protection services. He can be contacted on +1 (949) 294 8886 or by email: michael.bruemmer@experianinteractive.com.
Emilian Papadopoulos is president of Good Harbor Security Risk Management, a cyber risk management advisory firm. Mr Papadopoulos leads the firm's business operations and advises Boards, CEOs, investment professionals, and government leaders on managing cyber risk. He has helped clients across sectors including energy, insurance, law, technology, defense, and manufacturing. Mr Papadopoulos' experience in strategic planning and international security risk management spans North America, the Middle East, Latin America, and Asia. He can be contacted on +1 (703) 812 9199 or by email: emilian@goodharbor.net.
Udo Wirtz is Siemens’ chief information security officer. In this function he reports directly to Siemens CIO Dr Norbert Kleinjohann. In this role, he redesigned Siemens’ global Information Security (ISEC) organisation and established global Cyber Defense Centers, adding Threat Intelligence, Monitoring (SIEM) and Analytics to Siemens’ information security landscape. He has also created a new foundation for cooperation between Siemens ISEC and the operational business units, as well as with external partners. He can be contacted by email: udo.wirtz@siemens.com.
Tom Kellerman is the Chief Cybersecurity Officer for Trend Micro, responsible for analysis of emerging cyber security threats and relevant defensive technologies, strategic partnerships and government affairs. Professor Kellermann served as a commissioner on the Commission on Cyber Security for the 44th Presidency and serves on the board of the National Cyber Security Alliance, the International Cyber Security Protection Alliance (ICSPA), and the National Board of Information Security Examiners Panel for Penetration Testing. He has 19 years of experience. He can be contacted on +1 (817) 569 8900 or by email: tom_kellermann@trendmicro.com.
Frances Floriano Goins is co-chair of the Data Privacy & Information Security Group at Ulmer & Berne LLP. Her practice focuses on resolving complex business disputes for public and private companies, primarily in the areas of corporate governance and control, securities, cyber security, shareholder claims, and financial services. Ms Goins routinely assists clients with regulatory and internal corporate investigations, and counsels businesses on training and compliance issues, including data privacy. She can be contacted on +1 (216) 583 7202 or by email: fgoins@ulmer.com.
Raj Kushwaha, based in New York, joined Warburg Pincus LLC in 2012 and serves as Chief Technology Officer responsible for technology diligence with prospective investments, as well as ongoing work with the firm’s existing portfolio companies. He brings over 22 years of experience in leading commercial software product development, strategic planning, technology operations, business transformation, ERP implementations, and process outsourcing initiatives at Fortune 500 companies in a variety of industries. He can be contacted by email: raj.kushwaha@warburgpincus.com.
© Financier Worldwide
THE PANELLISTS
Clyde & Co
Experian Data Breach Resolution
Good Harbor Security Risk Management, LLC
Siemens AG
Trend Micro
Ulmer & Berne LLP
Warburg Pincus LLC