This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
We’re long past the point where cybersecurity can be treated like a corporate trend or as a bullet point on your IT team’s wish list. As networks around the world become more sophisticated and complex, cybercriminals are correspondingly honing their talents in everything from hacking and phishing to cyberterrorism and general mayhem.
Modern organizations with savvy security know this and watch events and trends closely. They know that global ransomware damages totaled $325 million in 2015 and that number is supposed to quadruple by 2020. They also know 33% of U.S. companies experienced some sort of data breach in 2016, and most of them had no idea anything happened. In response to threats on the horizon, companies are building the right teams of experts to help prevent the worst from happening, or at least mitigate damage.
The resulting chief security officer boom is a collaborative one, where those experts work together to identify priorities and best practices for protecting their organizations and the health of our shared digital economy. Earlier this summer a group of security-minded executives in Chicago, long a hub for legal and financial tech, sat down for a panel discussion on anticipating and combatting cybercrime. The group included Ricardo Lafosse, CISO at Morningstar; Jerry Finley, director of cybersecurity and deputy CSO at Relativity; Dara Tarkowski, founding partner at Actuate Law; and Joe Rickard, CISO at Incapital. Cybersecurity Law & Strategy asked the group to expand on some questions that came up at the panel.
Q: What Cybersecurity Incident Keeps You Up At Night?
Dara Tarkowski: At the end of the day, all our clients say the same thing: “Our biggest nightmare is having to report something to a regulator.” Many of these [cybersecurity] issues are devastating. Businesses are worried about risking consumer harm as well as suffering monetary losses, having to notify insurance carriers and reputational harm. They also wonder how these incidents may impact shareholder announcements, and worry about the ancillary problems that happen when you experience an incident like this. Individuals like me come in and try to clean up all the spiraling messes that ensue. One data breach could result in a company reporting to 50 regulators in addition to facing civil litigation, shareholder litigation, security litigation, and many other problems — all because of one patch that wasn’t fixed.
Jerry Finley: Something that is on my mind quite often is the threat of hardware attacks as they could harm your corporate environment as well as your product and cloud environments. These are the types of concerns that I tend to be more worried about.
Ricardo Lafosse: At Morningstar, our data is the foundation for everything we do. We are constantly evaluating our environment to deter a potential cybersecurity crisis like the Equifax breach. It is crucial to know where all our key assets are located and to ensure we have the appropriate controls in place to prevent this type of data breach and make sure nothing was overlooked. That is why organizations need to have ongoing situational awareness on their external presence and put the appropriate, preventive measures in place. If a hacker were to infiltrate a data system, organizations should devise not only an action plan, but also place measures in place to make it extremely difficult for a hacker to get to that data.
Joe Rickard: That is a good point that Ricardo raises about making it difficult to get to the data. Last year, an issue that was keeping me up at night was the threat of ransomware. Traders tend to get bored in the middle of the day, so they’ll sometimes go on different websites. This presents great opportunities to click on the wrong link. I went through an exercise where I verified that, when someone in bond trading at our company clicked on the wrong link, it wouldn’t bring down the system that our people in risk management needed to do their jobs. That wasn’t an easy project, but it was an important one.
Q: What Is Your Stance on Executives Bringing Their Own Device When Traveling Overseas?
JR: Interestingly, five years ago, everyone wanted to bring their own device. Now, the climate [around data security] is so complex that the pendulum is swinging back the other way. We’re starting to no longer support people’s personal devices. These types of issues are becoming more and more challenging for organizations. It really comes down to knowing the rules of the country you are operating in. For example, it is illegal in Saudi Arabia to have a separate Internet connection that doesn’t go through the government’s proxy server. It is important to know these types of regulations, so you are not getting your executives in trouble when they are overseas.
RL: It’s about knowing the environment. Having a global workforce, we have put in protections to protect our data regardless of location. Our overall security approach at Morningstar is to protect the data, regardless of the platform where it’s hosted. If it is in the cloud or on your mobile device, we ensure the appropriate security controls are in place. There are different risks that are associated with different countries. And, you should consider the maturity of the cyber criminals in that specific area. What I always say is prepare for the worst.
JF: I agree that it depends on where the executives are traveling throughout the world. At Relativity, we maintain a list of areas throughout the globe that carry a high risk of cyber attacks. Also, if we have a Relativian who is traveling to one of these higher risk places, we will often provide them a laptop that allows for forensic analysis to be performed once the device is returned to the U.S. The FBI also maintains an updated list of countries with a high risk of cyber activity and the types of incidents that you should have on your radar when traveling there.
DT: An organization needs to engage counsel from relevant jurisdictions when your organization is putting together policies and procedures around traveling. This is especially critical if your organization has an international presence. International travel poses different types of security risks for executives, in certain parts of the world in particular. Companies must know the risks in order to make informed policy decisions or invest in additional security protocols. The more work your team does on the front end, the more defensible you are if an incident occurs.
Q: Why Is It Important for Organizations to Have an Incident Response Plan?
DT: Being proactive and preventing these types of incidents is critical. But, it is equally as important to have checkpoints as part of your incident response plan so you can prevent the domino effect of regulatory and legal issues that ensue from a breach. As organizations form their plan and envision various scenarios, it is inevitable that they will evaluate their current processes in order to identify their pain points. This is a healthy exercise and necessary for the development of policies and procedures.
JF: It is crucial to have an incident response plan, especially in the event of ransomware. Of course, these things can get complicated, but we have processes in place surrounding this type of event that will help us keep a level head if the need arises. It is also important to note in your incident response plan which systems require which level of reporting and the time limits for reporting that should be respected from a legal standpoint.
JR: We have found it is critical to conduct a data classification exercise. If your organization hasn’t done it, I highly encourage you to do so. Organizations should go to their business unit managers and have them answering the following: “Which systems would ruin your day if they were to go down?” Have them list the specific features and functionality of the systems that they need to do their jobs. Something I am always thinking about is having data on certain screens or menus that could be wrong. We publish bond prices on these screens that traders execute on, and if we were to publish the wrong price, it could be a several million-dollar problem. For every process that you think is important, test its backup. And, I am not saying do a tabletop exercise; run the backup for a couple of days to make sure you can maintain operations if a failure happens.
RL: To echo what Joe said, a great exercise is to obtain information from business unit managers and have them perform a business impact analysis on what would happen if a system were to go down. There are templates available for download that can guide organizations through getting this type of information from business unit managers in a non-aggressive manner. When forming an incident response plan, make sure corporate communications is involved. One way or another [when something happens], whether internally or externally, it’s likely you will have to make some sort of statement. The first time a breach occurs is not the first time you should be working with these experts. Having relationships with their team, executive management, and legal is paramount. Another key component is solidifying a breach notification process to notify different groups within the organization, including the board.