Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
Publisher: Tim Dempsey
Published by:
Caxton Business & Legal, Inc.
27 North Wacker Drive, Suite 601
Chicago, IL 60606
Phone: +1 312 361 0821
Email: tjd@caxtoninc.com
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
© October 2015
Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.
DISCLAIMER
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains
summary information about legal and regulatory aspects of cybersecurity governance and is current as of
the date of its initial publication (October 2015). Although the Guide may be revised and updated at some
time in the future, the publishers and authors do not have a duty to update the information contained in
the Guide, and will not be liable for any failure to update such information. The publishers and authors
make no representation as to the completeness or accuracy of any information contained in the Guide.
This guide is written as a general guide only. It should not be relied upon as a substitute for specific
professional advice. Professional advice should always be sought before taking any action based on the
information provided. Every effort has been made to ensure that the information in this guide is correct at
the time of publication. The views expressed in this guide are those of the authors. The publishers and
authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility
to verify any information contained in the Guide before relying upon it.
SecurityRoundtable.org
Introduction
New York Stock Exchange – Tom Farley, President
Foreword
Visa Inc. – Charles W. Scharf, CEO
There are several elements that we have found to be critical to ensuring an effective security program at Visa.

Be open and honest about the effectiveness of your security program and regularly share an honest assessment of your security posture with the executive team and board.

We use a data-driven approach that scores our program across five categories: risk intelligence, malware prevention, vulnerability management, identity and access management, and detection and response. Scores move up and down not only as our defenses improve or new vulnerabilities are discovered but also as threats change. The capabilities of the adversaries are growing, and you need a dynamic approach to measurement.

Invest in security before investing elsewhere. A well-controlled environment gives you the license to do other things. Great and innovative products and services will only help you win if you have a well-protected business.

Don’t leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.

Never think you’ve done enough. The bad guys are smart and getting smarter. They aren’t resting, and they have more resources than ever. Assume they will attack.

Defending against cyberthreats is not something that we can solve for our company in a vacuum. At Visa, we must protect not only our own network but the whole payments ecosystem. This came to life for us in late 2013 when some of the largest U.S. retailers and financial institutions in the U.S. reported data breaches. Tens of millions of consumer accounts had been compromised—a pivotal moment for our industry.

The losses experienced by our clients, combined with the impact on consumer confidence, galvanized our industry to take actions that, we believe, will have a meaningful and lasting effect on how the world manages sensitive consumer data—not just payments.

We are taking action as an ecosystem, to collaborate and share information across industries and with law enforcement and governments and to develop new technologies that will allow us to prevent attacks and respond to threats in the future.

Protect payments at physical retailers. Fraudsters have targeted the point-of-sale environment at leading U.S. retailers, capturing consumer account information and forcing the reissuance of millions of payment cards. As an industry we are rapidly introducing EMV (Europay, MasterCard, and Visa) chip payment technology in the United States. Chip-enabled payment cards and terminals work in concert to generate dynamic data with each transaction, rendering the transaction data useless to fraudsters.

Protect online payments. Consumer purchases online and with mobile devices are growing at a significant rate. In order to prevent cyberattacks and fraudulent use of consumer accounts online, Visa and the global payments industry adopted a new payment standard for online payments. The new standard replaces the 16-digit account number with a digital token that is used to process online payments without exposing consumer account information.

Collaborate and share information. Sharing threat intelligence is a necessity rather than a “nice to have,” allowing merchants, financial institutions, and payment networks like Visa to rapidly detect and respond to cyberattacks. Public and private partnerships are also critical to creating the most robust
TABLE OF CONTENTS
iii INTRODUCTION
New York Stock Exchange — Tom Farley, President
v FOREWORD
Visa Inc. — Charles W. Scharf, CEO
193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
Palo Alto Networks Inc.
319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE
Egon Zehnder — Kal Bittianda, Selena Loh LaCroix, and Chris Patrick
Introductions — The cyberthreat in the digital age
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Prevention: Can it be done?
Palo Alto Networks Inc. – Mark McLaughlin, CEO
[Figure: cost of launching a successful attack versus number of successful attacks]
So, the strategy must be to significantly decrease the likelihood, and increase the cost, required for an attacker to perform a successful attack. To be more specific, we should not assume that attacks are going away or that all attacks can be stopped. However, we should assume, and be very diligent in ensuring, that the cost of a successful attack can be dramatically increased to the point where the incidence of a successful attack will sharply decline.

When this point is reached, and it will not come overnight, then we will be able to quantify and compartmentalize the risk to something acceptable and understood. It’s at that point that cyber risks will be real and persistent but that they will leave the headlines and fade into the background of everyday life, commerce, communications, and interaction. This should be our goal. Not to eliminate all risk, but to reduce it to something that can be compartmentalized. There is a historical analogy to this problem and an approach to solve it.

■ Sputnik analogy

The analogy, which is imperfect but helpful, is the space race. In 1957 the Soviet Union launched Sputnik. The result was panic at the prospect that this technology provided the Soviets with an overwhelming advantage to deliver a nuclear attack across the U.S. Suddenly, the very way of life in the Western world was deemed, appropriately so, at risk. The comfort and confidence of living in a well-protected and prosperous environment was shattered as citizens lost trust in their ability to follow their daily routines and way of life. It appeared as though there was an insurmountable technological lead, and everywhere people turned there was anxiety and cascading bad news.

In the years immediately following Sputnik, the main focus was on how to survive a post–nuclear-war world. Items like backyard bomb shelters and nonperishable food items were in great demand, and schools were teaching duck-and-cover drills. In other words, people were assuming attacks could not be prevented and were preparing for remediation of their society post-attack.

However, this fatalistic view was temporary. America relied on diplomacy and traditional forms of deterrence while devoting technological innovation and ingenuity to breakthroughs such as NASA’s Mercury program. While it took a decade of resources, collaboration, trial, and effort, eventually the Mercury program and succeeding efforts changed the leverage in the equation. The space-based attack risk was not eliminated, but it was compartmentalized to the point of fading into the background as a possible but not probable event. It was at this stage that the panic and confusion receded from the headlines and daily reporting. We will know we are in good shape in the cyber battle when we have reached this point. So, how do we get there?

As with all things in life, ideas and philosophy matter. This is true because if you do not know what you are trying to get done, it’s unlikely that you will get it done. In the space race analogy, the philosophy shifted over time from one that primarily assumed an attack was imminent and unstoppable, with the majority of planning and resources geared toward life in the post-attack world, to one of prevention, where the majority of resources and planning were geared to reduce the probability and effectiveness of an attack.

Importantly, the risk of an attack was not eliminated, but the probability of occurrence and success was reduced by vastly increasing the cost of a successful attack. It was previously noted that no analogy is perfect, so the analogy of “cost” here for space-based attacks and cyberattacks is, of course, measured in different ways. Most notably, cyberthreats are not the sole purview of superpower nations, and the technological innovation most likely to reverse the cost of successful attacks is most likely to come from industry, not governments. However, the principle is the same in that a prevention philosophy is much more likely to result in prevention capabilities being developed, utilized, and continually refined over time.

■ Is prevention possible?

The obvious question then is whether prevention is possible. I think that most security professionals and practitioners would agree that total prevention is not possible. This is disheartening but also no different from any other major risk factor that we have ever dealt with over time. So, the real question is whether prevention is possible to the point where the incidence of successful attacks is reduced to something manageable from a risk perspective. I believe that this is possible over time. In order to achieve this outcome, it is an imperative that cost leverage is gained in the cyber battle. This leverage can be attained by managing the cyber risk to an organization through the continual improvement and coordination of several key elements: technology, process and people, and intelligence sharing.

Technology

It is very apparent that traditional or legacy security technology is failing at an alarming rate. There are three primary reasons for this:

The first is that networks have been built up over a long period of time and often are very complicated in nature, consisting of security technology that has been developed and deployed in a point product, siloed approach. In other words, a security “solution” in traditional network architecture of any size consists of multiple point products from many different vendors all designed to do one specific task, having no ability to inform or collaborate with other products. This means that the security posture of the network is only as “smart” overall as the least smart device or offering. Also, to the extent that any of the thousands of daily threats is successfully detected, protection is highly manual in nature because there is no capability to automatically coordinate or communicate with other capabilities in the network, let alone with other networks not in your organization. That’s a real problem because defenders are relying more and more on the least leverageable resource they have—people—to fight machine-generated attacks.

Second, these multiple point solutions are often based on decades-old technology, like stateful inspection, which was useful in the late 1990s but is totally incapable of providing security capabilities for today’s attack landscape.

And third, the concept of a “network” has morphed, and continues to do so at a rapid pace, into something amorphous in nature: the advent of software as a service (SaaS) providers, cloud computing,
mobility, the Internet of Things, and other macrotechnology trends that have the impact of security professionals having less and less control over data.

In the face of these challenges, it is critical that a few things are true in the security architecture of the future:

First is that advanced security systems designed on definitive knowledge of what and who is using the network be deployed. In other words, no guessing.

Second is that these capabilities be as natively integrated as possible into a platform such that any action by any capability results in an automatic reprogramming of the other capabilities.

Third is that this platform must also be part of a larger, global ecosystem that enables a constant and near-real-time sharing of attack information that can be used to immediately apply protections preventing other organizations in the ecosystem from falling victim to the same or similar attacks.

Last is that the security posture is consistent regardless of where data resides or the deployment model of the “network.” For example, the advanced integrated security and automated outcomes must be the same whether the network is on premise, in the cloud, or has data stored off the network in third-party applications. Any inconsistency in the security is a vulnerability point as a general matter. And, as a matter of productivity, security should not be holding back high-productivity deployment scenarios based on the cloud, virtualization, SDN, NFV, and other models of the future.

Process and people

Technology alone is not going to solve the problem. It is incumbent upon an executive team to ensure their technical experts are managing cybersecurity risk to the organization. Most of today’s top executives did not attain their position due to technological and cybersecurity proficiency. However, all successful leaders understand the need to assess organizational risk and to allocate resources and effort based on prioritized competing needs. Given the current threat environment and the math behind successful attacks, leaders need to understand both the value and vulnerabilities residing on their networks and prioritize prevention and response efforts accordingly.

Under executive leadership, it is also very important that there is continued improvement in processes used to manage the security of organizations. People must be continually trained on how to identify cyberattacks and on the appropriate steps to take in the event of an attack. Many of the attacks that are being reported today start or end with poor processes or human error. For example, with so much personal information being readily shared on social networking, it is simple for hackers to assemble very accurate profiles of individuals and their positions in companies and launch socially engineered attacks or campaigns. These attacks can be hard to spot in the absence of proper training for individuals, and difficult to control in the absence of good processes and procedures regardless of how good the technology is that is deployed to protect an organization.

A common attack on organizations to defraud large amounts of money via wire transfers counts on busy people being poorly trained and implementing spotty processes. In such an attack, the attacker uses publicly available personal information gleaned off social networking sites to identify an individual who has the authority to issue a wire transfer in a company. Then the attacker uses a phishing attack, a carefully constructed improper email address that looks accurate on a cursory glance, seemingly from this person’s manager at the company telling the person to send a wire transfer right away to the following coordinates. If the employee is not trained to look for proper email address configuration, or the company does not have a good process in place to validate wire transfer requests, like requiring two approvals, then this attack
often succeeds. It is important that technology, process, and people are coordinated, and that training is done on a regular basis.

Intelligence sharing

Given the increasing number and sophistication of cyberattacks, it is difficult to imagine that any one company or organization will have enough threat intelligence at any one time to be able to defeat the vast majority of attacks. However, it is not hard to imagine that if multiple organizations were sharing what they are seeing from an attack perspective with each other in close to real time, that the combined intelligence would limit successful attacks to a small number of the attempted attacks. This is the outcome we should strive for, as getting to this point would mean that the attackers would need to design and develop unique attacks every single time they want to attack an organization, as opposed to today where they can use variants of an attack again and again against multiple targets. Having to design unique attacks every time would significantly drive up the cost of a successful attack and force attackers to aggregate resources in terms of people and money, which would make them more prone to be visible to defenders, law enforcement, and governments.

The network effect of defense is why there is such a focus and attention on threat intelligence information sharing. It is early days on this front, but all progress is good progress, and, importantly, organizations are now using automated systems to share threat intelligence. At the same time, analytical capabilities are being rapidly developed to make use and sense of all the intelligence in ways that will result in advanced platforms being able to reprogram prevention capabilities in rapid fashion such that connected networks will be constantly updating threat capabilities in an ever-increasing ecosystem. This provides immense leverage in the cybersecurity battle.

■ Conclusion

There is understandable concern and attention on the ever-increasing incidence of cyberattacks. However, if we take a longer view of the threat and adopt a prevention-first mindset, the combination of next-generation technology, improvements in processes and training, and real-time sharing of threat information with platforms that can automatically reconfigure the security posture, can vastly reduce the number of successful attacks and restore the digital trust we all require for our global economy.
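The wire-transfer fraud described under "Process and people" above (a sender address built to pass a cursory glance, and a missing second approval) in working form, as an added example that is not part of the guide and not Palo Alto Networks' code. The company domain example-corp.com, the small directory of known senders, and the four sample messages are all assumptions constructed for this example; the two checks it implements are the ones the text names: look closely at the sender address, and require two approvals before money moves.

```python
"""Checks for the wire-transfer fraud pattern described in the chapter.

Added example; not code from the guide or from Palo Alto Networks.
Assumptions made for the example: the company's mail domain is
example-corp.com, a small directory maps known display names to
their real addresses, and every message in SAMPLES is constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"                        # assumed
DIRECTORY = {"alice chen": "alice.chen@example-corp.com"}  # assumed

# Character sequences that imitate others at a cursory glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and fold confusable sequences to their lookalike."""
    folded = domain.lower()
    for seq, lookalike in CONFUSABLES:
        folded = folded.replace(seq, lookalike)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one- or two-character change is the usual BEC trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list[str]:
    """Return the reasons a message must not be acted on as a wire instruction.

    An empty list means the sender passed every check here; it does not
    replace the out-of-band confirmation and second approval.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    if domain != TRUSTED_DOMAIN:
        distance = levenshtein(normalize_domain(domain), normalize_domain(TRUSTED_DOMAIN))
        if distance <= 2:
            findings.append(f"lookalike sender domain: {domain}")
        else:
            findings.append(f"external sender domain: {domain}")

    # Replies routed away from the apparent sender are a classic BEC tell.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rpartition("@")[2] != domain:
        findings.append(f"Reply-To routes to a different domain: {reply_addr}")

    # A familiar display name on an unfamiliar address.
    known = DIRECTORY.get(name.strip().lower())
    if known and known != addr:
        findings.append(f"display name '{name}' belongs to {known}, not {addr}")

    return findings


def wire_release_allowed(requester: str, approvers: set[str]) -> bool:
    """Two-person rule: two distinct approvers, neither of them the requester."""
    return len({a for a in approvers if a != requester}) >= 2


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": 'From: "Alice Chen" <alice.chen@example-corp.com>\nSubject: Q3 invoice\n\nPlease process.\n',
    "homoglyph": 'From: "Alice Chen" <alice.chen@exarnple-corp.com>\nSubject: Urgent wire\n\nSend today.\n',
    "reply_to": 'From: "Alice Chen" <alice.chen@example-corp.com>\nReply-To: alice.chen.ceo@webmail.example\nSubject: Urgent wire\n\nReply with confirmation.\n',
    "tld_swap": 'From: "Alice Chen" <alice.chen@example-corp.co>\nSubject: Urgent wire\n\nSend today.\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {assess_sender(raw) or ['no findings']}")
    print("release with one independent approver:", wire_release_allowed("bob", {"bob", "carol"}))
```

The "rn" for "m" swap in the homoglyph sample is exactly the kind of address that "looks accurate on a cursory glance"; the normalization folds it back to the real domain so the edit distance, not a human eye, catches it. The approval function is deliberately dumb: it does not care how convincing the email was, only that two people other than the requester signed off.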
The three Ts of the cyber economy
The Chertoff Group — Michael Chertoff, Executive
Chairman and Former United States Secretary
of Homeland Security, and Jim Pflaging, Principal
them, and decide how you are going to embrace the first, deal with the second, and shape the last.

■ Technology

Today we live in a golden age of innovation driven by technologies that dominate headlines—cloud computing, mobility, big data, social media, open source software, virtualization, and, most recently, the Internet of Things. These tectonic shifts allow individuals, government, and companies to innovate and reinvent how they interact with each other. These forces mandate that we redefine what, how, and where we manage any business. We need to challenge core assumptions about markets, company culture, and the art of the possible. The winners will be those who leverage these innovations to reduce costs and deliver better, lower-priced products. Take Table 1 below, for example:

TABLE 1. Market capitalization (or private estimates, USD millions)
Company             3/31/2005    3/31/2015
Amazon              $13,362      $207,275
Apple               $30,580      $752,160
Google              $64,180      $378,892
Uber                N/A          $41,000
AT&T                $78,027      $175,108
Citigroup           $244,346     $165,488
General Electric    $388,007     $274,771
Kodak               $6,067       $794
Sources: Capital IQ, Fortune

It is easy to see the relationship between innovation and valuation. Some companies, such as Kodak, did not react fast enough and lost their market as a result. Others, such as AT&T, have invested heavily in new technology and are thriving. Still, the advantage lies with the firms who not only embraced the Internet but also built their entire business around it: Amazon, Google, and Uber. Finally, there is Apple, which came of age with the Internet and morphed into a wildly successful global leader with the introduction of the iPhone.

There have been applications for these technologies, with significant impact, in a variety of industries. In transportation, Uber is a great example of transforming a pervasive but sedentary sector into a newly reimagined market. Uber used emerging technologies to disrupt seemingly distinct segments such as auto rental and even automotive manufacturing. In the electrical sector, smart meters, transformers, and switches have given utilities greater control over their distribution networks while their customers have gained greater control of their consumption.

However, the golden age of innovation has a dark side. A new class of "bad guys" has emerged and is taking advantage of "holes" in these new technologies and our online behavior to create new risks. This leads us to the second T—Threat.

■ Threat

It is almost cliché to talk about the pervasiveness and escalating impact of cybersecurity attacks. However, it is useful to provide a map that can help us better understand where we may be heading to help us prepare and to develop more lasting defenses. Using a simple x-y graph, we can create an instructive map, in which x represents the severity of the impact and y the "actor" or perpetrator. Impact can be divided into the following stages: embarrassment, theft, destruction to a target firm or asset, and widespread destruction. The actors also can be grouped into four escalating stages: individuals, hacktivists, cyber organized crime, and nation-states. See Figure 1. Given the importance of understanding threat, business leaders should understand how the map applies to their business. To aid in this understanding, it is useful to cover a few examples that illustrate various stages of these threats.
[Figure 1: threat map. Vertical axis ACTOR, escalating from Individual through Hacktivist and Cyber organized crime to Nation-states; plotted incidents include HBGary, Target, JPMorganChase, Saudi Aramco, and Sony.]
how damaging such an attack can be. However, with this knowledge comes increased expectations for how companies safeguard their data and that of their consumers.

Role of industry

Fortunately, industry is moving in this direction, and many companies have begun to consider cyber risk in their corporate planning. In 2014, the National Association of Corporate Directors issued a call to action, which included five steps that its members should take to ensure their enterprises properly address cyber risk. These include the following:

Treating cyber risk as an enterprise risk
Understanding the legal implications of cyber risks
Discussion of cyber risk at board meetings, giving cyber risk equal footing with other risks
Requiring management to have a measurable cybersecurity plan
The development of a plan at the board level on how to address cyber risks, including which risks should be avoided, accepted, mitigated, or transferred via insurance.

Although this guidance is an excellent start, we at The Chertoff Group believe that industry has to go further and move toward a common cyber risk management framework that allows everyone to understand the cyber risks to a business and how the company intends to address them. This model would be a corollary to the Generally Accepted Accounting Principles (GAAP), the standard accounting guidelines and framework that underlies the financials and planning of almost any business. The emergence of GAAP in the 1950s made it significantly easier for investors, regulators, and other stakeholders to gain a clear understanding of a business and its financials, allowing for comparisons across industries and sectors.

In parallel, banks, insurers, and other providers of risk mitigation are scrambling to develop cyber risk mitigation products. Many of the insurance industry’s largest players, including Allstate, Travelers, Marsh, and Tennant, have moved to offer companies cyber insurance products, although the immaturity of the market has created complications for insurers and potential customers. Insurers have had a hard time calculating their risk and thus appropriate premiums for potential customers, while customers have sometimes found their insurance quotes too expensive. Fortunately, time and the accompanying settling of industry standards and actuarial data will help to mature and grow this market.

Role of government

Effective risk management—for governments or private enterprises—starts with an honest understanding of the situation and recognition that information sharing with partners is essential. Information sharing, of course, starts with agreeing on common values, and then trusting vetted, capable, and reliable partners. Information sharing can be, and must be, something that takes place at and across all levels. The Constitution charges the federal government with the responsibility of providing for the defense of the nation while protecting the privacy and civil liberties of our citizens, a difficult balance that requires trust in the government and processes by which we reach that balance.

As we discuss the role of government in information sharing and building trust, we have to acknowledge the impact the Snowden revelations have had on public trust in government. Fundamentally, we have to determine what we want the role of government to be and engage in legal reforms that reflect that role. Laws such as the Computer Fraud and Abuse Act, enacted in 1986 and amended five times since then, and the Electronic Communications Privacy Act (ECPA), which dates to 1986, have to be updated to reflect the significant changes in technology and practice that have occurred since they were envisioned.

Beyond these efforts, we need to establish or reinforce agreed-upon rules and programs
for government data collection on citizens and the legal frameworks that manage the transfer of that data between governments for judicial and law enforcement purposes. Importantly, this initiative must provide for mutual accountability for all participants. These initiatives have to lay out clearly the roles of all participants and, in our opinion, reinforce and strengthen the role for NSA in helping this nation deal with the adversaries that are using information technology to harm us.

On the international front, in response to mounting concerns over data privacy, data security and the rise of online surveillance, governments around the world have been seeking to pass new data protection rules. Several governments, including Germany, Indonesia, and Brazil, have considered enacting “data localization” laws that would require the storage, analysis, and processing of citizen and corporate data to occur only within their borders.

However, many of these proposals are likely to impose economic harm and sow seeds of distrust. For example, several of the proposals under consideration would force companies to build servers in locations where the high price of local energy and the lack of trained engineers could translate into higher costs and reduced efficiencies. Furthermore, requiring that data reside in a server based in Germany instead of one in Ireland will do little to prevent spies from accessing that data if they are determined and capable.

So, what should we do? It is critical that policymakers and technology providers work together to develop solutions that keep online services available to all who rely on them. We must develop principles that can serve as a framework for coordinated multilateral action between states and across the public and private sectors. We must be prepared to lead abroad and at home with effective ideas.

Public private partnerships (PPPs) are important pieces of the solution and are good models of trust that we should leverage going forward. First, the formation of Information Sharing and Analysis Centers (ISACs) was a Clinton Administration initiative to build PPPs across critical infrastructure sectors. These sector-by-sector ISACs have proven to be models of trust. The Financial Services ISAC has truly epitomized these ideas and is considered by many to be the leading ISAC in sharing threat information. This model has been replicated in other industries and led President Obama to call for an expansion of the information sharing model to smaller groups of companies through Information Sharing and Analysis Organizations (ISAOs). Another example is a U.S. government-industry initiative to combat botnets, in which the government is working with the Industry Botnet Group to identify botnets and minimize their impacts on personal computers.

■ Technology, threat, and trust in the boardroom

What do the three Ts of the cyber economy mean for you? Here are just a few of the questions every leader has to consider:

Are we using technology for competitive advantage?
Are we secure? How do you know? Do we have a framework, a GAAP-equivalent for cyber risk, that gives me the tools to understand and measure risk?
Are we a good steward of the data we collect about our customers?

Each of us needs answers to these questions. Your response will have a big impact on the future of your organization.

A few years ago, there was a common story in security circles about two types of companies: those who knew they had been hacked and those who had been hacked but did not know it. Going forward, we will talk about companies in terms of who cares about cybersecurity: in some companies, it will be the entire executive suite; in others, it will just be the CISO or CIO. Your company doesn’t want to fall into the latter category. Use the three Ts to help your organization manage cyber risk and leverage the
Cyber governance best practices
Georgia Institute of Technology, Institute for Information
Security & Privacy – Jody R. Westby, Esq., Adjunct Professor
Increases in cybercrime and attacks on corporate systems and data have propelled discussions regarding governance of cyber risks and what exactly boards and senior executives should be doing to properly manage this new risk environment and protect corporate assets. The topic reached a crescendo in May 2014 when the Institutional Shareholder Service (ISS) called for seven of the ten Target board members not to be re-elected on the grounds that the failure of the board’s audit and corporate responsibility committees “to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders.”[3]

Over the past decade, the concept of cybersecurity governance has evolved from information technology (IT) governance and cybersecurity best practices. The Information Systems Audit and Control Association (ISACA) has been a frontrunner in IT governance best practices with the COBIT (Control Objectives for Information and Related Technology)[4] framework. ISACA founded the IT Governance Institute (ITGI) in 1998 to advance the governance and management of enterprise IT. The ITGI defines IT governance:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.[5]

Gartner has a similar definition.[6]

■ Cybersecurity program standards and best practices[7]
As IT systems became vulnerable through networking and Internet connectivity, securing these systems became an essential element of IT governance. The first cybersecurity standard was developed by the British Standards Institute in 1995 as BS 7799. Over time, this comprehensive standard proved its worth and ultimately evolved into ISO 17799 and then ISO/IEC 27001.[8] ISO/IEC 27001 is the most accepted cybersecurity standard globally.

Today, the ISO/IEC 27000 series of information security standards is comprised of nearly 30 standards. ISO, of which the American National Standards Institute (ANSI) is the member body representing U.S. interests for the development of international standards, has additional information security standards outside of the 27000 series.[9] ISO information security standards cover a range of topics, such as security controls, risk management, the protection of personally identifiable information (PII) in clouds, and control systems. Additional security standards also have been developed for financial services, business continuity, network security, supplier relationships, digital evidence, and incident response.[10]

The U.S. National Institute of Standards and Technology (NIST) has developed a comprehensive set of cybersecurity guidance and Federal Information Processing Standards (FIPS),[11] including a Framework for Improving Critical Infrastructure Cybersecurity (Framework).[12] The NIST guidance and standards are world-class materials that are publicly available at no charge. NIST recognized existing standards and best practices by mapping the Framework to ISO/IEC 27001 and COBIT. Other respected cybersecurity standards have been developed for particular purposes, such as the protection of credit card data and electrical grids. The good news is that cybersecurity best practices and standards are harmonized and requirements can be mapped. This is particularly important because as companies buy and sell operating units or subsidiaries or merge, they may have IT systems and documentation based upon several standards or best practices. Thus, the harmonization of standards enables companies to blend IT departments and security programs and continue to measure maturity.

Some companies may need to align with multiple standards. For example, electric transmission and distribution companies
■ Beyond ISO/IEC 27014: Other best practices and guidance
At present, the only guidance NIST has developed that addresses information security governance is its 2006 Special Publication 800-100, Information Security Handbook: A Guide for Managers. This publication, however, is written for a federal audience and is more technical than other materials directed toward boards and senior executives.

ISACA’s IT Governance Institute updated its Board Briefing on IT Governance in 2014,[20] which sets forth an approach similar to ISO/IEC 27014, but is based on ISACA’s COBIT best practices. The Board Briefing includes questions board members should ask and also checklists, tool kits, roles and responsibilities, and other helpful materials. The Board Briefing focuses on five activity areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement. The publication is IT-focused, however, and does not mention the roles and responsibilities of chief information security officers (CISOs). The separation of the role of the chief information security officer from the chief information officer (CIO) (in other words, not having the CISO report to the CIO) is a best practice that the Board Briefing ignores. It assigns all responsibilities to the CIO, IT Strategy Committee, IT Steering Committee, IT Architecture Review Board, and Technology Council. Nevertheless, it is a valuable resource for boards and executive teams seeking to implement good cyber governance practices.

Finally, Carnegie Mellon University’s Software Engineering Institute developed the Governing for Enterprise Security Implementation Guide in 2007 as a guide for boards and executives on governing enterprise security programs.[21] It is still quite instructive and includes a model organizational structure for cyber
13. See, e.g., Kevin LaCroix, “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” Feb. 3, 2014, http://www.dandodiary.com/2014/02/articles/cyber-liability/target-directors-and-officers-hit-with-derivative-suits-based-on-data-breach/.
14. See, e.g., Jon Talotta, Michelle Kisloff, & Christopher Pickens, “Data Breaches Hit the Board Room: How to Address Claims Against Directors & Officers,” Hogan & Lovells, Chronicle of Data Protection, Jan. 23, 2015, http://www.hldataprotection.com/2015/01/articles/cybersecurity-data-breaches/data-breaches-hit-the-board-room/.
15. ISO/IEC 27014 (2013), Governance of Information Security, “Summary,” http://www.iso.org/iso/home/search.htm?qt=27014&sort=rel&type=simple&published=on.
16. Id. at 4.2. “Objectives.”
17. Id. at 4.4. “Relationship.”
18. Id. at 5.2. “Principles.”
19. Id. at 5.3. “Processes.” The full requirements of the standard should be reviewed prior to use by an organization; ISO 27014 is available at http://www.iso.org/iso/home/search.htm?qt=27014&sort=rel&type=simple&published=on.
20. Board Briefing on IT Governance, IT Governance Institute, 2nd ed., 2014, http://www.isaca.org/restricted/Documents/26904_Board_Briefing_final.pdf.
21. Jody R. Westby & Julia H. Allen, Governing for Enterprise Implementation Guide, Carnegie Mellon University, Software Engineering Institute, 2007, http://globalcyberrisk.com/wp-content/uploads/2012/08/Governing-for-Enterprise-Sec-Impl-Guide.pdf.
Investors’ perspectives on cyber risks: Implications for boards
Institutional Shareholder Services Inc. – Patrick McGurn, ISS Special Counsel, and Martha Carter, ISS Global Head of Research
More ominously for boards, four of five investor respondents (79 percent) suggested that they may blacklist stocks of hacked firms. As for a remedy, 86 percent of the surveyed investors told KPMG and FTI that they want to see increases in the time boards spend on addressing cyber risk.

■ Investors raise the bar for disclosure
Insights on the gap between investors’ expectations and boardroom practices were gleaned from PwC’s juxtaposition of two surveys that it conducted in the summer of 2014, one of 863 directors in PwC’s 2014 Annual Corporate Directors Survey, and the other of institutional investors with more than $11 trillion in aggregate assets under management in PwC’s 2014 Investor Survey.

• Nearly three quarters (74 percent) of investors told PwC that they believe it is important for directors to discuss their company’s crisis response plan in the event of a major security breach. Only about half of directors (52 percent) reported having such discussions.
• Roughly three out of four (74 percent) investors urged boards to boost cyber risk disclosures in response to the SEC’s guidance, but only 38 percent of directors reported discussing the topic.
• Similarly, 68 percent of investors believe it is important for directors to discuss engaging an outside cybersecurity expert, but only 42 percent of directors had done so.
• Fifty-five percent of investors said it was important for boards to consider designating a chief information security officer, if their companies did not have one in place. Only half as many directors (26 percent) reported that such a personnel move had been discussed in the boardroom.
• Finally, 45 percent of investors believe it is important for directors to discuss the National Institute of Standards and Technology (NIST)/Department of Homeland Security cybersecurity framework, but only 21 percent of directors reported their boards had done so.

■ ISS policy respondents indicate a disclosure framework
What level of detail do investors expect to see about these issues in disclosures regarding cyberthreats? In 2014, as part of ISS’ 2015 policy-formulation process, we asked institutional investors to weigh the factors they assess in reviewing boardroom oversight of risk, including cyberthreats. A majority of the shareholder respondents indicated that the following are all either “very” or “somewhat” important to their voting decisions on individual directors elections:

• role of the company’s relevant risk oversight committee(s)
• the board’s risk oversight policies and procedures
• directors’ oversight actions prior to and subsequent to the incident(s)
• changes in senior management.

Notably, shareholders do not appear to be looking for scapegoats. Disclosures about boardroom oversight action subsequent to an incident drew more demand than firings. An eye-popping 85 percent of the respondents cited such crisis management and “lessons learned” disclosures as “very important.” In contrast, only 46 percent of the shareholders indicated that changes in senior management are “very important” to them when it came time to vote on director oversight.

■ 2015 disclosures provide few insights
Despite prodding by the SEC and numerous indications from investors, many boards continue to lack disclosure of cyberthreats in their flagship documents—the proxy statement and the 10-K. Only a handful of the companies that drew widespread coverage of their data breaches during 2014 mention the events in their proxy statements, and many cite materiality concerns to avoid discussing the data breaches in detail in their 10-Ks.

In sharp contrast to the absence of information in Target’s 2014 proxy statement, however, another big box retailer provided investors with a window into the board’s role in cyber risk oversight in its 2015 proxy materials. Home Depot addressed its 2014 data breach, which affected up to 56 million customers who shopped at the company’s stores between April 2014 and September 2014, with a concise (roughly 1000-word) explanation of the steps taken by the board before and after the company’s breach.

The proxy statement disclosures include a brief summary of the depth and duration of the breach, an explanation of the board’s delegation of oversight responsibility to the audit committee, and an outline of remedial steps that the board took in response to the event.

Notably, Home Depot’s disclosures generally align with all the pillars identified by investors in their responses to the ISS policy survey:

First, Home Depot’s board details the delegation of risk oversight to the audit committee and describes the directors’ relationship with the company’s internal audit and compliance team:

The Audit Committee . . . has primary responsibility for overseeing risks related to information technology and data privacy and security. . . . The Audit Committee stays apprised of significant actual and potential risks faced by the Company in part through review of quarterly reports from our Enterprise Risk Council (the “ERC”). The quarterly ERC reports not only identify the risks faced by the Company, but also identify whether primary oversight of each risk resides with a particular Board committee or the full Board . . . The chair of the ERC, who is also our Vice President of Internal Audit and Corporate Compliance, reports the ERC’s risk analyses to senior management regularly and attends each Audit Committee meeting. The chair of the ERC also provides a detailed annual report regarding the Company’s risk assessment and management process to the full Board.”

Next, the Home Depot disclosure provides some color on the board’s risk oversight policies and procedures:

For a number of years, IT and data security risks have been included in the risks reviewed on a quarterly basis by the ERC and the Audit Committee and in the annual report to the Board on risk assessment and management. In the last few years, the Audit Committee and/or the full Board have also regularly received detailed reports on IT and data security matters from senior members of our IT and internal audit departments. These reports were given at every quarterly Audit Committee meeting in fiscal 2014, including an additional half-day Audit Committee session devoted exclusively to these matters that was held prior to the discovery of the Data Breach. The topics covered by these reports included risk management strategies, consumer data security, the Company’s ongoing risk mitigation activities, and cyber security strategy and governance structure. . . .

To further support our IT and data security efforts, in 2013 the Company enhanced and expanded the Incident Response Team (“IRT”) formed several years earlier. The IRT is charged with developing action plans for and responding rapidly to data security situations. . . . The IRT provided daily updates to the Company’s senior leadership team, who in turn periodically apprised the Lead Director, the Audit Committee and the full Board, as necessary.

The Home Depot board also highlights its cyber-risk oversight actions prior to the incident:

Under the Board’s and the Audit Committee’s leadership and oversight, the Company had taken significant steps
these conversations were led by Director Anne Mulcahy. In light of this feedback and with the assistance of a third-party strategy and risk management and regulatory compliance consultant, the board “embarked on a comprehensive review” of risk oversight at the management, board, and committee levels. As a result of this comprehensive review, in January 2015, the Target board “clarified and enhanced” its practices to provide more transparency about how risk oversight is exercised at the board and committee levels. As part of this revamp, the board reallocated and clarified risk oversight responsibilities among the committees, most notably by elevating the risk oversight role of the corporate risk & responsibility committee (formerly known as the corporate responsibility committee).

Examples such as Home Depot and the Target board’s 2015 disclosures provide more transparency on risk oversight and are a good framework for other boards to follow. Boards would be wise to raise their games by disclosing more details of their board oversight efforts and engaging with investors when cyber incidents occur, or they may run the risk of a loss of investor confidence.
TOWARD CYBER RISKS MEASUREMENT

have “nascent” and “developing” capabilities to combat cyberthreats. In this situation, when cyber breaches have become an inevitable reality of doing business, executives ask themselves, “What does it mean for my business, how probable is it that a devastating breach will happen to us, and how much could it cost us?” Still, very few organizations have developed ways to assess their cyber risk exposure and to quantify it.

In this chapter, we discuss the cyber value-at-risk framework introduced by the Partnering for Cyber Resilience initiative of the World Economic Forum and released at the Annual Summit in Davos in 2015. More than 50 organizations, including Wipro, Deloitte (project advisor), and Aon, have contributed to this effort. The framework laid the foundations for modeling cyber risks and encouraged organizations to take a quantitative approach toward assessing their cyber risk exposure, which could also help make appropriate investment decisions.

We were delighted to see many spin-off projects and initiatives that were initiated as part of this work and hope they will contribute to better risk management tools. Our research showed that the aggregate impact of cybercrime on the global economy can amount to $3 trillion in terms of a slowdown in digitization and growth and result in the slower adoption of innovation. Multiple other studies showed significant negative impact of cyber breaches. CSIS established that the annual cost of economic espionage reaches $445 billion. Target’s breach cost the company more than $140 million, a large portion of which went to cover litigation costs. Interestingly, however, Aon research shows that more than 80% of breaches cost the companies less than $1 million.

■ Value-at-risk
How can companies define their risk exposure and the level of investments, as well as priority areas for these investments? To answer this question, we turned to the value-at-risk concept. The concept goes back to the financial services industry and describes the risk appetite and potential losses for a portfolio that an institution will incur over a defined period of time, expressed as a probability, so that the loss can be insured.

In the cyber value-at-risk, we introduced three major pillars according to which companies can model their risk exposure: existing vulnerabilities, value of the assets, and profile of an attacker. A complete cyber value-at-risk allows us to answer the question: “Given a successful cyberattack, a company will lose not more than X amount of money over a period of time with 95% accuracy.” The application of these models will depend on particular industries, companies, and available data and should be built for an organization. We discussed specific indicators that can potentially be used to populate the model. Mathematically, these components can be brought together and used to build a stochastic model. For example, vulnerabilities can be measured by the number of existing unpatched vulnerabilities, out-of-date software, the number of successful compromises, or the results of internal and external audits. They can be benchmarked against the maturity of existing controls and the security of networks, applications, data, etc. The maturity of defending systems has to be benchmarked against the threat environment, hence the profile-of-an-attacker component becomes important. In this model, it would be important to look into attackers’ motivations (e.g., financial gain, destruction of assets, espionage), the tools they are using, and their innovative approaches. Because cyber breaches are criminal activity, nontechnical factors, such as behavioral motivations, are to be considered. The value-of-assets component is difficult to establish for many organizations. It includes tangible assets, such as financial flows, infrastructure, and products, and intangible assets, primarily data assets (customer and employee data, business strategies, intellectual property), brand, reputation, and trust of stakeholders. Although the cost of business interruption is easier to quantify, the impact on intangible assets is still subject to approximation. The impact of losing these assets can go unnoticed in the short term but may hurt the long-term profitability and market leadership of an organization.

The cyber value-at-risk model has a number of limitations, including availability of data, difficulties in calculating probabilities, and applicability across various industries, but it presents a first step and incentives for organizations to move toward quantitative risk management. By publishing the model, we aimed to encourage more industry stakeholders to develop comprehensive quantitative approaches to cyber risks measurement and management. For further examples and information, please refer to Wipro’s use of cyber value-at-risk for its clients, Deloitte’s continuous development of cyber value-at-risk, Rod Beckstrom’s cybervar model, and CXOWare’s Cyber Risk application model. The Institute of Risk Management (IRM) announced that it will release a cyber risk quantification framework to help companies assess their cyber risk exposure. The call to action from the Partnering for Cyber Resilience effort was to develop a unified framework that industries can use to reduce uncertainty around the implications of cyber risks for businesses, in the absence of dominant models and frameworks. Aon has defined important ways in which quantification of cyberthreats can lead to better business decisions. First, as the conversation has shifted from technology and information security departments to boardrooms, the question of costs and risks becomes ever more prevalent. Quantification helps show the scale and the impact that cyberthreats can have on financial targets and overall competitiveness of organizations; helps define and narrow down the investments required to mitigate those threats; makes it easy to paint compelling pictures, build scenarios, and make business cases; and helps make a determination whether any parts of the risk can be transferred. Deloitte has put together a comprehensive model for a modular approach to cyber risk measurement, introducing the following components: probability model (“attractiveness and resilience determine breach probability distribution”); hacker model (mapping out motivations of adversaries in relation to the organization); attack model (attack types and characteristics); asset and loss model (potential loss given a successful attack); security model (describing organizations’ security posture); and company model (modeling organizations’ attractiveness as a target). Cyberpoint’s Cy-var model looks at “time-dependent valuation of assets” while taking into account an organization’s security posture, and includes variables such as the values of intellectual property assets, IT security controls in place to protect those assets and other related risks, infrastructure risks, a time horizon, and a probability of an attack.

At the same time, all stakeholders came to agreement that quantifying risks is a challenging task. In a workshop organized together with Deloitte, the World Economic Forum Partnering for Cyber Resilience members defined the attributes of an ideal model of cyber risks quantification: applicability across various industries; ease of interpretation by experts and executives alike; association with real data and measurable security events; scalability across organizations or even across the industry; and, at the same time, not relying on data that are currently absent within most organizations.

Although the cyber value-at-risk framework doesn’t specify how to calculate the final number, it presents core components and gives examples of how these components can be quantified. This complete model, however, could be characterized by general applicability across various industries. For it to be effective, it has to be validated by the industry stakeholders. Cyber value-at-risk aimed to bring together “technical, behavioral and economic factors from both internal (enterprise) and external (systemic) perspectives.” As a next step, it would be important to understand dependencies between various components in the framework and ways to incorporate these models into existing enterprise risk frameworks. It is important to remember that organizations should be wary of new emerging risks and consider cyber risks in addition to broader technology or operational risks.

Overall, the goal was to help raise awareness of cyber risks as a standing and regular cost of doing business and help find a way to measure and mitigate those risks. This can be done through standardization of various risk factors and indicators into a normal distribution.

The components that we looked at in this chapter help bring together various risk factors via “measures of risk likelihood and impact.” To achieve a more granular level of sophistication, quantification and standardization metrics must mature. Some of the main cited obstacles are availability of data to build models, lack of standardized metrics and tools, lack of visibility within the enterprise, and inability to collect data and dubbed models internally. The variables and components of the model can be brought together into a stochastic model, which will show the maximum loss given a certain probability over a given period of time. It was discussed that close to real-time sharing of data between organizations could address some of the main challenges of dataset availability and provide enough data to build models.

Although a silver bullet to achieve cyber resilience doesn’t exist, organizations consider comprehensive frameworks for quantifying and mitigating risk factors, including cyber risks. Following this model, companies will assess their assets and existing controls, quantify vulnerabilities, and know their attackers and threats. The most significant challenge so far is the absence of input variables, the quality of existing datasets and, following these, the lack of standardized measures to assess cyber risk exposures. Building such a model would require efforts in data classification, encourage strong organizational leadership, process improvement and collaboration, as well as improve decision making across various business areas. For example, the car industry, mortgage industry, or most insurances have agreed on standardized metrics and data collection; the same should happen for cyber risks measurement. Understanding dependencies between these variables and what they mean for various industries should be a subject for cross-industry collaboration so that input variables are unified. The main benefits of this approach are seen in the ability to support decision-making processes, quantify the damage at a more granular level, and define appropriate investments. This would help stimulate the development of risk transfer markets and the emergence of secondary risk transfer products to mitigate and distribute the risks. For organizations, the focus will shift from an attacker to assets and how to secure them in such a distributed digital ecosystem, where everything is vulnerable. As more robust quantitative cyber risk models emerge and the industries are moving toward a standardized, recognizable model, the confidence of digital ecosystem stakeholders and their ability to make effective decisions will also rise.
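The chapter says the three pillars can be combined into a stochastic model that yields the loss "not exceeded with 95%" over a period, but deliberately leaves the calculation open. The following Monte Carlo sketch is an added example (not code from the World Economic Forum, Deloitte or any framework named above) of one way to do that: attacker profiles set how often an adversary succeeds, a vulnerability factor scales those rates with control maturity, and asset value sets the loss when they do. Every scenario name and number is constructed for illustration.

```python
"""Monte Carlo cyber value-at-risk (cyber VaR) sketch.

Added example following the chapter's three pillars: attacker profile
(event frequency), vulnerabilities (a multiplier on that frequency tied
to control maturity) and asset value (loss size when an attack succeeds).
Not code from any framework; all parameters are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attacker-profile / asset pairing (constructed values)."""
    name: str
    base_rate: float      # expected successful compromises per year at
                          # the current control posture
    loss_median: float    # median loss per event, in currency units
    loss_sigma: float     # lognormal spread; larger = heavier tail


def poisson(rng, lam):
    """Knuth's inverse-transform sampler; adequate for small rates."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(scenarios, vuln_factor=1.0, years=20000, seed=7):
    """Return one simulated total loss per year.

    vuln_factor scales every scenario's event rate: 1.0 is the current
    posture, 0.5 means controls halve the expected number of successful
    attacks. Event count is Poisson, event severity is lognormal.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.base_rate * vuln_factor)):
                total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        totals.append(total)
    return totals


def value_at_risk(losses, confidence=0.95):
    """Smallest loss L such that at least `confidence` of simulated years
    lose no more than L: the chapter's 'not more than X ... with 95%'."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def expected_shortfall(losses, confidence=0.95):
    """Mean loss in the worst (1 - confidence) of years, i.e. the tail
    that a single VaR figure hides from the board."""
    var = value_at_risk(losses, confidence)
    return statistics.fmean(x for x in losses if x >= var)


def control_benefit(scenarios, vuln_factor_after, confidence=0.95, **kw):
    """VaR before and after a control that scales event rates to
    vuln_factor_after, plus the reduction (to weigh against its cost
    or against the premium of transferring the residual risk)."""
    before = value_at_risk(simulate_annual_losses(scenarios, 1.0, **kw), confidence)
    after = value_at_risk(simulate_annual_losses(scenarios, vuln_factor_after, **kw), confidence)
    return before, after, before - after


# Constructed portfolio: three attacker profiles against one organisation.
SCENARIOS = [
    Scenario("commodity ransomware", base_rate=0.40, loss_median=250_000, loss_sigma=1.0),
    Scenario("card-data theft", base_rate=0.08, loss_median=5_000_000, loss_sigma=1.2),
    Scenario("IP espionage", base_rate=0.03, loss_median=20_000_000, loss_sigma=0.8),
]

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"95% cyber VaR: {value_at_risk(losses):,.0f}")
    print(f"expected shortfall beyond it: {expected_shortfall(losses):,.0f}")
    before, after, saved = control_benefit(SCENARIOS, vuln_factor_after=0.5)
    print(f"halving successful attacks cuts 95% VaR from {before:,.0f} to {after:,.0f}")
```

Because the tail is driven by the rare high-value scenarios rather than by the frequent cheap ones, the output mirrors the Aon observation quoted above: most simulated years stay under $1 million while the 95% figure is far higher.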
The evolving cyberthreat and an architecture for addressing it
Internet Security Alliance – Larry Clinton, CEO
attacks, and the patching system we have relied on to remediate the system can’t keep pace. Huge vulnerabilities such as Heartbleed and Shellshock have existed within open source code for years only to be revealed recently when scrutinized by fresh eyes.

Within hours of the Heartbleed vulnerability becoming public in 2014, there was a surge of attackers stepping up to exploit it. The attackers exploiting the vulnerability were much faster than the vendors could patch it. This is a growing trend. In 2014 it took 204 days, 22 days, and 52 days to patch the top three zero-day vulnerabilities. In 2013 it took only four days for patches to arrive. Even more disturbing is that the top five zero-day attacks in 2014 were actively used for a combined 295 days before patches were available.

Moreover, because almost no one builds from scratch anymore, the rate of adoption of open source programming as a core component of new software greatly exceeds the vetting process for many applications. As the code gets altered into new apps, the risks continue to multiply. In 2015 Symantec estimates there are now more than a million malicious apps in existence. In a fast-moving, early-stage industry, developers have a strong incentive to offer new functionality and features, but data protection and privacy policies tend to be a lesser priority.

The risks created by the core of the system becoming intrinsically weaker are being further magnified by the explosion of access points to the system, many with little or no security built into their development. Some analysts are already asserting that there are more mobile devices than there are people on the earth. If that is not yet literally true, it will shortly be.

It is now common for individuals to have multiple mobile devices and use them interchangeably for work and leisure, often without substantial security settings. Although this certainly poses a risk of data being stolen directly from smartphones, the greater concern is that mobile devices are increasingly conduits to the cloud, which holds increasing amounts of valuable data. The number of new access points to large amounts of data resulting from the explosion in the number of mobile devices vastly increases the challenges to securing cyberspace.

However, the rise in use of mobile devices pales in comparison to the coming Internet of Things (IoT). The IoT, embedded computing devices with Internet connections, embraces a wide range of devices, including home security systems, cars, smart TVs, and security cameras. Like the bring-your-own-device (BYOD) phenomenon, the coming of the IoT further undermines the overall security of the system by dramatically increasing the vectors, making every new employee’s internet-connected device, upon upgrade, a potential threat vector.

2. The bad guys are getting better.
Just after the turn of the century, the NSA coined a new term, the “APT,” which stood for the advanced persistent threat. The APT referred to ultrasophisticated cyberattack methods being practiced by advanced nation-state actors. These attacks were characterized by their targeted nature, often focused on specific people instead of networks, their continued and evolving nature, and their clever social engineering tactics. These were not “hackers” and “script kiddies.” These were pros for whom cyberattacks were their day job.

They were also characterized by their ability to compromise virtually any target they selected. APTs routinely compromised all anti-virus, intrusion detection, and best practices. They made perimeter defense obsolete.

Now these same attack methods, once practiced only by sophisticated nation-states, are widely in use by common criminals. Whereas a few years ago these attacks were confined to nations and the Defense Industrial Complex, they now permeate virtually all economic sectors.

The APT now stands for the average persistent threat.

The increasing professionalism and sophistication of the attack community is fueled by the enormous profits cyberattacks
■ 38
THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
that 5% of his inventory is “walking out the back door” every month. The reason he doesn’t hire more guards or put up more cameras or other security measures is that the cost benefit presumably suggests it will cost him 6% to do so, and hence the better business decision is to tolerate this level of insecurity.

Government doesn’t have that luxury. The government is charged with providing for the common defense. Surely, they have economic considerations with respect to security; however, they are also mandated to a higher level of security largely irrespective of cost to provide for national security, consumer protection, privacy, and other non-economic considerations.

In the Internet space, government and industry are using the same networks. This means the two users of the systems have differing security requirements—both legitimate and backed by lawful authority. Moreover, requiring greater cybersecurity spending, beyond commercial interest as suggested by some, could run afoul of other government interests such as promoting innovation, competitiveness, and job growth in a world economy (presumably not following U.S.-based requirements).

Finally, the presumption that requiring increased security spending by commercial entities up to the government risk tolerance is in the corporate self-interest is complicated by the data that have emerged after highly publicized cyber breaches. One year after the Target breach, which would presumably damage the company’s image, profitability, and reputation, Target’s stock price was up 22%, suggesting such predictions were incorrect. Similarly, 6 months after the high-profile cyberattacks on Sony (the second high-profile cyberattack for Sony in a few years), Sony’s stock price was up 26%.

■ Some good news: Enlightened policy working in partnership

Traditional regulatory efforts fail

In 2012 President Obama offered a legislative proposal to Congress suggesting that the Department of Homeland Security (DHS) be given authority to set minimum standards for cybersecurity over the private sector. Subsequently two bills were offered in the Senate, one by the Chairman of the Senate Commerce Committee, Senator Jay Rockefeller (D-WV) with Senator Olympia Snowe (R-ME) and separately by Senate Homeland Security Chairman Joe Lieberman (D-CT) and Senator Susan Collins (R-ME). Both bills largely followed the Obama paradigm of DHS setting regulatory mandates for the private sector with substantial penalties available for noncompliance.

Despite strong backing from the Senate Majority Leader Harry Reid and much of the military establishment, the bills could not get out of committee. Even though Reid exercised his parliamentary power to control the Senate agenda, there was not enough support to even get the bills to the floor for consideration, let alone a vote.

There was certainly industry opposition to these bills, but what killed them was the bipartisan realization that the traditional regulatory model was an ill fit for cybersecurity. Government agencies’ ability to craft regulations that could keep up with cyberthreats was highly questionable. Early efforts to apply traditional regulation to cyberspace, such as HIPAA in the health-care industry, had not generated success. Indeed health care is widely considered one of the least secure of all critical infrastructures.

However, with cyber systems becoming increasingly ubiquitous and insecure, threatening economic development and national security, there was an obvious need for an affirmative and effective approach. The non-regulatory, collaborative model selected largely followed the “social contract” paradigm previously promoted by industry and government analysts.

The social contract approach

In 2013 President Obama reversed course 180 degrees. In an executive order on cybersecurity the president abandoned the government-centric regulatory approach
embodied in his previous legislative proposals and the Senate bills. Instead, he suggested a public private partnership—a social contract—that would address the technical as well as economic issues that are precluding the development of a cyber system that can become sustainably secure. In this new partnership, industry and government would work together to identify a framework of standards and practices worthy of industry based on cyber risk assessments conducted by the companies. The president ordered that the framework be voluntary, prioritized, and cost effective. If there were an economic gap between what ought to be done and what would be accomplished through normal market mechanisms, a set of market incentives would be developed to promote voluntary adoption of the framework. Although industry that operates under regulatory systems would remain subject to regulatory authority, no new regulatory authority for cybersecurity would be part of the system. Instead, a partnership system based on voluntary use of consensus standards and practices and reinforced through market incentives would be built.

The cyber social contract model has substantial precedent in the history of infrastructure development in the United States. In the early twentieth century the innovative technologies were telephony and electricity transport. Initially the private companies that provided these technologies, because of natural economies, served primarily high-density and affluent markets. Policy makers of the era quickly realized that there was a broader social good that would be served by having universal service of these services but also realized that building out that infrastructure would be costly and uneconomic either for industry or government.

Instead of government taking over the process or mandating that industry make uneconomic investment, the policy makers designed a modern social contract with industry. If industry would build out the networks and provide universal electric and telephone service at affordable rates, government would guarantee the investment private industry would make in building and providing the service. This agreement ensured enough funds to build, maintain, and upgrade the system plus make a reasonable rate of return on the investment. Thus were born the privately owned public utilities and the rate of return regulation system.

The result was that the U.S. quickly built out the electric and communications systems for the expanding nation, which were generally considered the best in the world. Some have argued this decision was foundational to the U.S.'s rapid expansion and development, which turned it from a relatively minor power in the early part of the twentieth century to the world’s dominant superpower less than a generation later.

Although the Obama social contract approach to cybersecurity has different terms than that of previous infrastructure development, the paradigm is similar. Similar modifications of the incentive model are also in use in other areas of the economy, such as environment, agriculture, and transportation, but this is the first application in the cybersecurity field.

Although it is in its formative stages, at this point early indications for the social contract approach are positive. The cybersecurity framework development process conducted by the National Institute of Standards and Technology (NIST) has been completed and received virtually unanimous praise. In an exceedingly rare development, the Obama approach to cybersecurity closely tracks with that outlined by the House Republican Task Force on Cyber Security. Bipartisan bills using liability incentives, instead of government mandates, are moving through Congress, and additional incentive programs are under development.

■ Conclusion

The cybersecurity problem is extremely serious and becoming more so. An inherently insecure system is becoming weaker. The attack community is becoming more
sophisticated and enjoys massive economic incentives over the defender community. Traditional government methods to fight criminal activity have not matured to address the threat and may be inappropriate to meet the dynamic nature of this uniquely twenty-first century problem. Fortunately, at least the U.S. government seems to have developed a consensus strategy to better leverage public and private resources to combat cyberthreats without excessively compromising other critical social needs. Although there are some initial signs of progress, the road to creating a sustainably secure cyber system will be long and difficult.
Effective cyber risk management: An integrated approach
Former CIO of the U.S. Department of Energy – Robert F. Brese
Managing risks

cybersecurity risk management is key to meeting the fiduciary responsibilities of corporate officers and the board.

To ensure success, managing cybersecurity risk must be an ongoing and iterative process, not a one-time, infrequent, or check-the-box activity. This area of risk management must grow with the company and change with ever-evolving cyber threats. Data holdings and information technology (IT) systems, and the Internet-connected environment in which they operate, change at a pace that is more rapid than many of the other variables affecting enterprise risk. Not only must the right stakeholders be engaged at the right levels within an organization, but also the right automated tools and processes must be in place to support risk decision making and monitoring.

■ Perfect security is a myth

As in physical security, there is no such thing as perfect IT (cyber) security. All the firewalls, encryption, passwords, and patches available cannot create a zone of absolute safety that enables a company to operate unimpeded and free of concern regarding the cybersecurity threat. However, perfect security is not required, or even desired. The effects of too little security are fairly obvious. However, too much security unnecessarily constricts the business’ ability to operate by reducing the effectiveness and efficiency of a customer’s access to the company’s products and services and unnecessarily constraining internal and business-to-business (B2B) interactions. Effective risk management finds the balance between the needs of the business to operate and the needs and cost of security. In finding this balance, the company will be able to compete successfully in its market while protecting the critical information and assets on which its success relies.

■ Enterprise risk management

Gartner, Inc., the world’s leading IT research and advisory company, has found that cybersecurity risk management programs have experienced trouble in scaling with corporate initiatives in mobility, cloud, big data, and collaboration. They also predict that the digital industrial economy, and the Internet of Things (IoT), will result in even greater difficulty. However, attempting to scale cybersecurity risk management in isolation from an organization’s enterprise risk program only exposes the organization to greater risk by creating a gap in risk oversight.

Nearly every company has established processes to manage enterprise risk. Larger companies often have a chief risk officer (CRO) or equivalent individual who is independent of the business units and is given the authority and responsibility to manage the enterprise risk processes. Incorporating cybersecurity into the mix of corporately managed risks should be a priority. Some may argue that cybersecurity is too different from the other risks a company faces, such as market risk, credit risk, currency risk, or physical security risk, to be managed in a similar manner. However, although cybersecurity may seem more “technical,” the desired outcome of the treatment is the same, that is, to eliminate, mitigate, transfer, or accept risk affecting the company’s future. One thing is certain: not all cybersecurity risk can be eliminated through controls or transferred through insurance, so residual risk must be accepted. Making good decisions requires an integrated, formal approach.

■ The cybersecurity risk management process

There are several key steps that should be taken to effectively integrate cybersecurity risk management into the company’s enterprise risk management process. This chapter doesn’t attempt to explain the details of any particular process but instead focuses on common attributes that should be used, including risk framing and assessment, controls assessment, risk decision-making, residual risk sign-off, risk monitoring, and accountability. Figure 1 provides a visual of the process. For additional details on approaches to cybersecurity risk management, the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), international standards organizations, and other industry sources may be consulted.
Figure 1. The cybersecurity risk management process: Risk Framing & Assessment → Controls Assessment → Risk Decision Making → Residual Risk Sign-off → Risk Monitoring
Risk Framing and Assessment: The initial activities in risk management include risk framing and assessment and controls assessment. CIOs and CISOs have been assessing the risk to IT systems for many years and are well informed on the range of cybersecurity threats and vulnerabilities that affect corporate risk. However, the consequences (i.e., business impact) may or may not be well understood, depending on how close the relationship between IT and the line of business leaders has been in the past. The engagement between IT and the line of business owners is crucial and must result in clarity about the type and amount of risk the business is willing to accept with respect to the

confidentiality (preventing unauthorized disclosure);

integrity (preventing unauthorized modification or destruction); and

availability (ensuring data and systems are operational when needed)

of the information and systems on which the business relies. Once IT understands the business owner’s risk threshold, the CIO and CISO can begin planning, implementing, and assessing the appropriate security controls.

Controls Assessment: Preparing an appropriate response to risk requires the assessment of potential controls. Controls include all of the tools, tactics, and processes a company has to avoid, mitigate, share, transfer, or accept risk. This means that corporate structure, training and awareness programs, physical security, and other options should be considered in addition to traditional IT controls. Cyber insurance may also be considered. Again, the CIO and CISO cannot do this alone, and there should be active engagement across all the various business lines, business support, and IT organizations that can contribute to identifying potential controls and the impact they may have on cybersecurity risk.

Risk Decision Making: A crucial element of risk response is the decision-making process. Decisions are made regarding what will be done and what will not be done in response to each risk. A balance must be struck between protecting systems and information and the need to effectively run the business that relies on them. Other factors that should be considered include the amount of risk reduction related to implementation and maintenance costs and the impacts on employee training and certification requirements.

An acceptable course of action is identified and agreed to by the business, and then controls are implemented and initially evaluated for effectiveness. If the controls perform acceptably, then the sign-off and monitoring processes can begin. If not, then a new course of action must be developed, which may require further controls assessment to respond to the risk or even additional framing and assessment to adjust the risk tolerance.
Residual Risk Sign-Off: The sign-off of residual risk closes the decision-making process. This should be the role of the business because it is the operational customer of the risk management process. Additionally, this should be a formal, documented activity. The decisions on how each risk will be treated and/or accepted must be articulated in a manner such that the signatory and reviewers (i.e., regulators, etc.) can clearly understand the risk treatment plan and the residual risk being accepted. Once the residual risk is formally accepted, the system is typically placed into operation. The formal recognition of the residual risk also helps build a culture of risk awareness in the business units.

Risk Monitoring: Monitoring risk is an ongoing process. Each monitoring activity is designed with a purpose, type, and frequency of monitoring. Typically, a risk register has been developed during the risk framing and assessment phase and leveraged throughout all steps of the risk management process. The register also serves as a reference for auditors. The register should contain the risks that matter most and be routinely updated and reviewed with the business over time. If the likelihood or severity of consequences changes, or if other physical or IT environmental factors change, the treatment plan and/or the accepted level of residual risk may require revision. If so, the previous process steps should be revisited. The frequency of review should be in relation to the likelihood and severity of the risk. Because most companies have a large number of systems, each with their own risk register, an automated system is typically used to aid monitoring and review.

Insert: A responsibility assignment matrix (RAM), also known as a RACI matrix (/ˈreɪsi/) or ARCI matrix or linear responsibility chart (LRC), describes the participation by various roles in completing tasks or deliverables for a project or business process.

Table 1. Example RACI matrix for the cybersecurity risk management process (R = responsible, A = accountable, C = consulted, I = informed)

Process Step                   CIO   CISO   LOB   CRO   CEO   Board
Risk Framing and Assessment    A     R      C     C     C     C
Controls Assessment            A     R      C     I     I     I
Risk Decision-Making           C     R      A     C     I     I
Risk Monitoring                A     R      C     C     I     I
Accountability                 R     C      C     A     C     C

Accountability: Last and most important, we have to consider accountability. Accountability is not about who to blame when something goes wrong. As stated earlier, the likelihood of something going wrong is high. Accountability ensures a formal risk management process is followed and that effective decision-making is occurring. One person should be accountable for the risk management process; however, numerous individuals will be responsible or accountable for the various steps, and many more will be consulted and informed along the way. One option to ensure roles and responsibilities are clearly articulated
is by using a RACI matrix (see insert) to identify which person or organization is responsible, accountable, consulted, or informed. Table 1 provides an example but should be adjusted to align to the enterprise risk management and governance processes of the company.

■ Information supporting cybersecurity risk management

No risk management is a precise science, including cybersecurity risk management. Throughout the risk management process, the information required for success has to be “good enough” to recognize and understand risks to the level necessary to support effective decision-making. Although complex mathematical models may work to manage some risks the company faces, forcibly creating objectivity when little or none exists can actually result in poor or ineffective decisions by creating a focus on the numbers rather than on the meaning of the risk analysis. So, using a big-bucket approach with categories such as low, moderate, and high, or unlikely, likely, and very likely, may be adequate.

■ Stakeholder engagement

A key success factor of ensuring that fiduciary responsibilities are fulfilled in a company’s cybersecurity risk management program is the right level of stakeholder engagement. Leaving the program to the CRO or the CIO alone should not be considered due diligence. Framing and assessing risk requires a clear understanding of corporate risk tolerance. The line of business lead should have the responsibility to sign off on the residual risk, but to make good risk decisions, the perspectives of other individuals and organizations in the company must be consulted and taken into consideration. Depending on the system(s) for which risk is being evaluated, some potential stakeholders include the CIO, CISO, chief financial officer (CFO), legal counsel, and other line of business owners and external partners with supporting or dependent relationships. If there is significant potential to affect the customer experience, there may be a need to conduct user acceptance testing or experience surveys as well.

■ Evaluating maturity of an organization’s cybersecurity risk management program

Cybersecurity risk management programs aren’t born effective and are not immediately prepared to scale with the business. Equally important as making effective risk management decisions and accepting residual risk is the continuous evaluation of the process itself. Numerous IT, cybersecurity, and business consultants, as well as trade associations, have published guidance, checklists, and suggested questions for board members. Although there are many ways for the C-suite and board to stay engaged, a company’s cybersecurity risk management program must continuously mature to ensure future success. To understand a program’s growing maturity, questions should be focused on evaluating improvements in how well risk is understood and treated, the effectiveness of business leader and general employee participation, how responsive the risk management process is to change, and the capability to effectively respond to an incident.

How consistent is the understanding of the company’s tolerance for cybersecurity risk across the C-suite and senior managers? How deep in the organization does this understanding go?

How well do line of business owners understand the cybersecurity risks associated with their business? Are sound and effective risk management and acceptance decisions being made in a timely manner to meet business needs?

How clearly are roles and responsibilities understood, and how well do role owners adhere to and fulfill their responsibilities? Do employees report cybersecurity issues and are they incorporated into the risk monitoring process?

When threats, vulnerabilities, or other conditions change, does the risk management process respond and, when necessary, make sustainable changes to the risk treatment plan?
Cyber risk and the board of directors
The risks to boards of directors and board member obligations
Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner
to understand and find solutions to address and mitigate them.

In this chapter, we explore the legal obligations of boards of directors, the risks that boards face in the current cybersecurity landscape, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful directors.

I. Obligations of Board Members

The term “cybersecurity” generally refers to the technical, physical, administrative, and organizational safeguards that a corporation implements to protect, among other things, “personal information,”3 trade secrets and other intellectual property, the network and associated assets, or as applicable, “critical infrastructure.”4 This definition alone should leave no doubt that a board of directors’ role in protecting the corporation’s “crown jewels” is essential to maximizing the interests of the corporation’s shareholders.

Generally, directors owe their corporation fiduciary duties of good faith, care, and loyalty, as well as a duty to avoid corporate waste.3 The specific contours of these duties are controlled by the laws of the state in which the company is incorporated, but the basic principles apply broadly across most jurisdictions (with Delaware corporations law often leading the way). More specifically, directors are obligated to discharge their duties in good faith, with the care an ordinarily prudent person would exercise in the conduct of his or her own business under similar circumstances, and in a manner that the director reasonably believes to be in the best interests of the corporation. To encourage individuals to serve as directors and to free corporate decision making from judicial second-guessing, courts apply the “business judgment rule.” In short, courts presume that directors have acted in good faith and with reasonable care after obtaining all material information, unless proved otherwise; a powerful presumption that is difficult for plaintiffs to overcome, and has led to dismissal of many legal challenges to board action or inaction. To maximize their personal protection, directors must ensure that, if the unthinkable happens and their corporation falls victim to a cybersecurity disaster, they have already taken the steps necessary to preserve this critical defense to personal liability.

In the realm of cybersecurity, the board of directors has “risk oversight” responsibility: the board does not itself manage cybersecurity risks; instead, the board oversees the corporate systems that ensure that management is doing so effectively. Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.” This is known as the Caremark test,5 and there are two recognized ways to fall short: first, the directors intentionally and entirely fail to put any reporting and control system in place; or second, if there is a reporting and control system, the directors refuse to monitor it or fail to act on warnings they receive from the system.

The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk. This is a rare case, but other risks are more prevalent. For example, a director may fail to exercise due care if he or she makes a decision to discontinue funding an IT security project without getting any briefing about current cyberthreats the corporation is facing, or worse, after being advised that termination of the project may expose the company to serious threats. If an entirely uninformed or reckless decision to de-fund renders the corporation vulnerable to known or anticipated risks that lead to a breach, the members of the board of directors could be individually liable for breaching their Caremark duties.

II. The Personal Liability Risk to Directors

Boards of directors face increasing litigation risk in connection with their responsibilities
statements of fact that are false or misleading. As companies are being asked more and more questions about data collection and protection practices, directors (and officers) should be careful about statements that are made regarding the company’s cybersecurity posture and should focus on tailoring cybersecurity-related risk disclosures in SEC filings to address the specific threats that the company faces.

Cybersecurity disclosures are of keen interest to the SEC, among others. Very recently, the SEC warned companies to use care in making disclosures about data security and breaches and has launched inquiries to examine companies’ practices in these areas. The SEC also has begun to demand that directors (and boards) take a more active role in cybersecurity risk oversight.

Litigation is not the only risk that directors face. Activist shareholders—who are also customers/clients of corporations—and proxy advisors are challenging the re-election of directors when they perceive that the board did not do enough to protect the corporation from a cyberattack. The most prominent example took place in connection with Target’s data breach. In May 2014, just weeks after Target released its CEO, Institutional Shareholder Services (ISS), a leading proxy advisory firm, urged Target shareholders to seek ouster of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.

Thoughtful, well-planned director involvement in cybersecurity oversight, as explained below, is a critical part of a comprehensive program, including indemnification and insurance, to protect directors against personal liability for breaches. Moreover, it can also assist in creating a compelling narrative that is important in brand and reputation management (as well as litigation defense) that the corporation acted responsibly and reasonably (or even more so) in the face of cybersecurity threats.

III. Protecting Boards of Directors

From a litigation perspective, boards of directors can best protect themselves from shareholder derivative claims accusing them of breaching their fiduciary duties by diligently overseeing the company’s cybersecurity program and thereby laying the foundation for invoking the business judgment rule. Business judgment rule protection is strengthened by ensuring that board members receive periodic briefings on cybersecurity risk and have access to cyber experts whose expertise and experience the board members can rely on in making decisions about what to do (or not to do) to address cybersecurity risks. Most importantly, directors cannot recklessly ignore the information they receive, but must ensure that management is acting reasonably in response to reported information the board receives about risks and vulnerabilities.

Operationally, a board can exercise its oversight in a number of ways, including by (a) devoting board meeting time to presentations from management responsible for cybersecurity and discussions on the subject, to help the board become better acquainted with the company’s cybersecurity posture and risk landscape; (b) directing management to implement a cybersecurity plan that incentivizes management to comply and holds it accountable for violations or noncompliance; (c) monitoring the effectiveness of such plan through internal and/or external controls; and (d) allocating adequate resources to address and remediate identified risks. Boards should invest effort in these actions, on a repeated and consistent basis, and make sure that these actions are clearly documented in board and committee packets, minutes, and reports.

(a) Awareness. Boards should consider appointing a chief information security officer (CISO), or similar officer, and meet regularly with that individual and other experts to understand the company’s risk landscape, threat actors, and strategies to address
Where cybersecurity meets corporate securities: The SEC’s push to regulate public companies’ cyber defenses and disclosures
Fish & Richardson P.C. – Gus P. Coldebella, Principal and Caroline K. Simons, Associate
Trend 3: Staff is interested not only in the disclosure, but the pre-disclosure process. As Chairman White has stated, even with the absence of a direct law or regulation directly compelling companies to adopt strict cybersecurity measures, the SEC is exercising its power to indirectly prod companies to analyze and strengthen their cybersecurity programs through issuing disclosure guidance and bringing investigations, enforcement actions, and litigation against companies that fall short. In this way the SEC has taken on a larger mission than simply requiring disclosure—it is using its existing authorities to steer companies to engage in a deep, searching process to evaluate cyber risk. Whether or not you think the SEC is the appropriate regulator of this area, such a searching analysis is important to securing a company’s digital assets. Management should engage in and document its analysis of the effects of cyber incidents on the company’s operations, with special attention to the probability of various types of attacks and their potential cost, from a quantitative and qualitative standpoint. It should do so not just to weather the storm of a possible SEC inquiry, but because such an analysis brings necessary executive-level oversight to a crucial area of enterprise risk.

Trend 4: Third-party risk is on the staff’s mind. Staff is encouraging companies to look beyond their four walls to the cyber risk posed by the use of vendors. Staff will ask whether the company’s vendors have experienced cyberattacks, and request assessment—and disclosure—if a breach at a third-party vendor could have a material effect on the company. The SEC likely believes that if public companies are required to disclose risks in their supply chain in addition to their own, third-party cybersecurity will improve as a result.

■ In the heat of battle: 8-K disclosure questions during an attack

Of course, 10-Ks and 10-Qs are not the only reports public companies produce—certain enumerated material corporate events, such as termination of executive officers or changes in auditors, must be reported on a “current basis” on Form 8-K. However, no currently existing securities law or rule expressly requires cyberattacks—material or otherwise—to be reported on Form 8-K. Generally, reporting cyber events is entirely voluntary. Companies that do so use Form 8-K’s Item 8.01, “Other Events,” which is used to voluntarily report events that the company considers to be of importance to investors. Public companies must navigate issues such as materiality, selective disclosure, trading, and effect on stock price, all in an environment where disclosure of a cyber event is almost sure to draw a lawsuit, a government investigation, or other unwanted scrutiny. No one-size-fits-all answer exists—it is almost always a judgment call. In this section, we detail some of the questions and analysis that companies should consider regarding whether to disclose an attack on Form 8-K, and if so, when. One way to think about these questions is outlined in the decision tree on the next page (Figure 1).

Why consider disclosure if you don’t have to? Even if no rule mandates disclosure, companies and experienced counsel know that there are frequently upsides to disclosure—especially in a world where securities litigation, derivative suits, and enforcement actions are lurking. Instead of provoking shareholder litigation, might an announcement ward it off? Can an 8-K eliminate a plaintiff’s or regulator’s argument that an insider traded on the basis of material non-public information? The chart on the next page (Table 1) lays out some of the possible advantages—along with the better-known disadvantages—that companies should consider.

Is the cyberattack material? The determination of whether a cyber event is material is not clear-cut. First, the Supreme Court has rejected a bright-line, quantitative rule for materiality—instead reaffirming Basic v. Levinson’s formulation that any nonpublic information that significantly alters the total
Figure 1: 8-K disclosure decision tree (the diagram itself is not reproduced; the questions it poses are listed here). Is it material? Is there a separate obligation to disclose (state PII laws, trading rules)? Will you disclose anyway via website, to third parties, etc.? Will insiders trade while in possession of this information? Is discovery of the breach (by the gov’t or public) likely or inevitable? Does it make a prior statement misleading? Is there a potential Regulation FD issue? Does the cost and consequence of the breach substantially affect you or your financial outlook? Will the disclosure itself harm the company? Will it compromise security? Will it trigger securities or other litigation or investigations? Each path through the tree ends at one of two outcomes: LEAN AGAINST 8-K DISCLOSURE or LEAN TOWARD 8-K DISCLOSURE.
Table 1: 8-K Pros and Cons Matrix (only fragments of the table survive extraction; row 2 and the ends of rows 1 and 3 are missing).
Pros: 1. May eliminate potential class plaintiffs’ argument that … 3. Can eliminate a potential Reg FD selective disclosure issue if …
Cons: 1. If incident is truly not material and was not going to be discovered, … 3. May trigger stock price drop—and if so, likely to draw shareholder litigation
Are you going to disclose anyway? Is the incident likely to become widely known? Absent a mandatory disclosure requirement, a company may still have reasons to disclose the attack to stakeholders. There may be contractual obligations to customers or other third parties to communicate about breaches involving their information. Even without a contractual obligation, a breach may affect a company’s vendors, suppliers, or partners, and the company may choose to disclose the incident to them. A sound operating assumption is that once the company discloses an incident to even a single third party, it is likely to become widely known. Thus, the company should have a coordinated, unified disclosure strategy to ensure that all interested parties are informed in a consistent manner, and very close in time. Companies can use affirmative disclosure to mitigate any reputational harm or embarrassment that could arise from having the narrative created on their behalf by the media, security researchers, hacktivists, or worse.

Any such disclosure raises potential issues under the SEC’s Regulation Fair Disclosure, or Reg FD. Reg FD prohibits companies from selectively disclosing material non-public information to analysts, institutional investors, and certain others without concurrently making widespread public disclosure. Many companies that communicate with third parties—as did J.P. Morgan after its October 2014 breach—will issue a Form 8-K to make sure their communications do not violate Reg FD. It is worth considering whether disclosures on a company’s website, or otherwise to customers, vendors, or other parties, trigger a Reg FD requirement.

What to do about trading? Another reason that the materiality determination is a tricky one is that insiders in possession of material nonpublic information may not trade while in possession of that information. If there is even a chance that the cyber incident may be material, an early call that a public company general counsel must make is whether to close the trading window for insiders. Even after the incident’s details are known, if the company is leaning against declaring the incident material, the question is whether to disclose the incident—material or not—on Form 8-K, so no later allegation of insider trading can stick. (Of course, if the incident is material, no trading by insiders should occur until information about the incident is made public.)

When to disclose? The decision to disclose is only half of the 8-K equation—another question is, when? Target took two months after the world knew of its massive data breach to issue an 8-K; Morningstar, which releases an 8-K regularly on the first Friday of every month, disclosed its 2012 breach a little more than one month after becoming aware of it. Some companies, such as health insurer Anthem, choose instead to wait until the next periodic report. A challenge facing a victim company is to balance the benefits of prompt disclosure against the potential downsides. Because a disclosure should be accurate and not misleading when made, a company should grasp the scope of the cyber incident before disclosing. In a typical breach, however, it is rare for an entity to be able to immediately assess the attack’s scope—investigations take time. Therefore, a factor to consider in deciding when to disclose is the pace and progress of the post-breach investigation, which will allow the company to understand the extent of the attack. A company confronts an unenviable disclosure dilemma: disclose based on the state of the world as you know it right now, and later be accused of not telling the whole story? Or disclose when you have a better grasp of what actually happened, but face accusations of allowing earlier (and potentially rosier) cybersecurity disclosures to persist uncorrected? Generally, companies should resist falling into the immediate disclosure trap, because in our experience a cyber incident looks very different at the end of the first week than it does at the end of the first day. Furthermore, the company will not want to have to correct itself after making its cyber disclosure—it will want to get it right the first time.

■ SEC cybersecurity enforcement

The SEC has not yet brought an enforcement action against a public company related to its cybersecurity disclosures. It has, however, opened investigations looking not only into whether companies adequately prepared for and responded to cyber incidents but also as to the sufficiency of their disclosures relating to the breaches. Target’s February 2014 Form 8-K filing revealed that the SEC was among the government agencies investigating the 2013 data breach, including “how it occurred, its consequences, and our responses.”

With the growing threat of cyberattacks and mounting pressure from Congress and the public, future regulatory and enforcement actions are almost assured. Companies should be prepared for additional scrutiny, review their existing disclosures in light of the Guidance and the SEC’s stated priorities, and apply these principles to the public disclosure and related questions that will arise post-breach.
A cybersecurity action plan for corporate boards
Internet Security Alliance, NACD – Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD
in the event of a breach, 67% had not discussed the company’s cyber insurance coverage, nearly 60% had not discussed engaging an outside cybersecurity expert, more than 60% had not discussed risk disclosures in response to SEC guidance, and slightly more than 20% had discussed the National Institute of Standards and Technology (NIST) cybersecurity framework.

■ A corporate board action plan for cybersecurity

In an effort to fill the gap between awareness and targeted action, the National Association of Corporate Directors (NACD), in conjunction with AIG and the Internet Security Alliance, published their first Cyber Risk Oversight Handbook for corporate boards in June 2014. The handbook was the first private sector document endorsed by the U.S. Department of Homeland Security as well as the International Audit Foundation and is available free of charge either through DHS or NACD. It identified five core principles for corporate boards to enhance their cyber risk oversight.

The five principles can be conceptualized into two categories. Principles 1, 2, and 3 deal with board operations. The final two principles deal with how the board should handle senior management.

1. Understand that cybersecurity is an enterprise-wide risk management issue.

The board has to oversee management in setting the overall cyber strategy for the organization, including how cybersecurity is understood in terms of the business. It is critical that the board not approach the topic simply by thinking, “What if we have a breach?” Virtually every organization will be successfully breached. The board has to understand that the issue is how to manage the risks caused by breaches, not to focus solely on how to prevent them.

One useful metaphor is to think of corporate cybersecurity in a similar fashion to how we think of our own personal health. Obviously, it is impractical to be totally germ free, even as a goal. The goal is to keep your system healthy enough so that you can fight off the germs that will inevitably attack it. When you do get sick, as we all eventually do, you detect and understand the infection promptly and accurately and get access to the appropriate expertise and treatment so that you can return to your normal routine as soon as possible—ideally wiser and stronger.

Thinking of cybersecurity narrowly as an IT issue to be addressed simply with technical solutions is a flawed strategy. The single biggest vulnerability in cyber systems is people. Insiders, whether they are poorly trained, distracted, angry, or corrupted, can compromise many of the most effective technical solutions.

Building on the NACD model, the Institute of Internal Auditors (IIA) extended NACD’s principle 1 by commenting that the board should receive an internal annual health check of the organization’s cybersecurity program that covers all domains of the organization’s cybersecurity, including an assessment of whether the enterprise risk levels have improved or deteriorated from year to year, and comments specifically that “Sarbanes-Oxley compliance provides little assurance of an effective security program to manage cyber risks.”

2. Directors must understand the legal implications of cyber risk.

The legal situation with respect to cybersecurity is unsettled and quickly evolving. Boards should be mindful of the potential legal risks posed to the corporation and potentially to the directors on an individual or collective basis. For example, high-profile attacks may spawn lawsuits, including shareholder derivative suits alleging that the organization’s board neglected its fiduciary duty by failing to take steps to confirm the adequacy of the company’s protections against breaches of customer data. To date juries have tended not to find for the plaintiffs in these cases, but that could change with time, and boards need to be aware of the risk of court suits.
Prudent steps for directors to take include maintaining records of discussions related to cyber risks at the board and key committee meetings. These records may include updates about specific risks as well as reports about the company’s overall security program and how it is addressing these risks. Evidence that board members have sought out specialized training to educate themselves about cyber risk may also be helpful in showing due diligence.

No one standard applies, especially for organizations that do business in multiple jurisdictions. Some countries, including the U.S., have received specific guidance from securities regulators. Many countries have passed a variety of laws, some of which may be confusing or conflicting with mandates in other countries. It is critical that organizations systematically track the evolving laws and regulations in their markets and analyze their legal standing.

Again, building on the NACD model, IIA emphasizes that this legal analysis must be extended to third parties and recommends that the board get a report of all the critical data that are being managed by third-party providers and be sure the organization has appropriate agreements in place, including audits of these providers. The board ought to communicate that a “chain of trust” is expected with these third-party providers, meaning that they have similar agreements with their down-stream relationships.

3. Board members need adequate access to cybersecurity expertise.

Most board meetings are incredibly pressed for time, and often there are multiple issues and people who feel they need more board time. Add to this the fact that most acknowledge that directors lack the needed expertise to evaluate cyber risk, and the board is left with the conundrum of how to get enough time to become properly educated to address this serious issue.

One answer is to increase the use of outside experts working directly with the board to provide independent assessments. Indeed, some boards are now recruiting cyber professionals for board seats to assist in analyzing and judging staff reports. Another technique is to schedule periodic “deep-dives” for the full board. Many organizations have delegated the task to a special committee—often audit but sometimes a risk or even technology committee—although no one approach has been demonstrated clearly superior. A proliferation of committees can exacerbate the board time problem, and due care must be taken not to overload any one committee, such as audit, with issues that are not inherently in its expertise lane.

Still another technique is to empower the board with the right questions to ask and require that the outside or internal experts answer the questions in understandable terminology. The NACD Cyber Risk Handbook provides lists of 5 to 10 simple and direct questions for board members covering the key issues such as strategy and operation readiness, situational awareness, incident response, and overall board “cyber literacy.”

At minimum, boards can take advantage of the company’s ongoing relationships with law enforcement agencies and regularly make adequate time for cybersecurity at board meetings. This may be through interaction with CISOs or as part of the audit or similar committee reports. More appropriately, boards, as discussed above, should integrate these questions into general business discussions.

The final two principles offered by NACD focus on how boards should deal with senior management:

4. Directors need to set an expectation that management have an enterprise-wide cyber risk management framework in place.

It is important that someone be thinking about cybersecurity, from an enterprise-wide perspective (i.e., not just IT), every day. Corporations have introduced a variety of models: chief risk officer, chief financial officer, chief operating officer, as well as the more traditional CIO and CISO models. The important aspect to ensure, however, is that the risk management is truly organization wide, including the following steps:

• establish leadership with an individual with cross-departmental expertise
• appoint a cross-organization cyber risk management team including all relevant stakeholders (e.g., IT, HR, compliance, GC, finance, risk)
• meet regularly and report directly to the board
• develop an organization-wide cyber risk management plan with periodic tests, reports, and refinements. At a more technical level, the Cyber Security Framework developed by the National Institute of Standards and Technology (NIST) is a useful model.
• develop an independent and adequate budget for the cyber risk management team.

One mechanism to implement the framework is to create a “cybersecurity balance sheet” that identifies, at a high level, the company’s cyber assets and liabilities and can provide a scorecard for thinking through management progress in implementing the security system. The balance sheet may begin with identifying the organization’s “crown jewels.” This is an important exercise because it is simply not cost efficient to protect all data at the maximum level. However, the organization’s most valued data must be identified (e.g., IP, patient data, credit card data). Other corporate data can be similarly categorized as to its relative security needs.

The next step is to discuss the strategy for securing data at each level. This strategy generally involves a consideration of people, process, and technology.

At the technology and process levels there are a range of options available, with good research indicating cost-effective methods to secure lower-level data and thus reserving deployment of more sophisticated, and hence costly, measures for the higher valued data.

At the people level, it is important to follow leading practices for managing personnel, especially with respect to hiring and firing. Ongoing cybersecurity training is similarly important and most effective if cybersecurity metrics are fully integrated into employee evaluation and compensation methods. Of special attention is the inclusion of senior and other executive level personnel who, research has shown, are highly valued targets and often uniquely lax in following through on security protocols.

The asset management process then can be considered in light of the business practices that may create liabilities. For example, the expansion of the number of access points brought on by the explosion in mobile devices and the emerging “Internet of Things” (connecting cars, security cameras, refrigerators, etc. to the Internet) really increases vulnerability (see Chapter 6).

Still a different type of vulnerability can occur in the merger and acquisition process. Here management may feel pressure to generate value through the merging of highly complex and technical information systems on an accelerated pace. In discussions with management, the board must carefully weigh the economics of the IT efficiencies the company seeks against the potential to miss or create vulnerability by accessing a system that is not well enough understood or has not had its deficiencies mitigated.

5. Based on the plan, management needs to have a method to assess the damage of a cyber event. They need to identify which risks can be avoided, mitigated, accepted, or transferred through insurance.

Organizations must identify for the board which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets then must be allocated appropriately between defending against basic and advanced risks.

This principle highlights the need for the “full-team” approach to cybersecurity advocated under principle 4. For example, the marketing department may determine that a particular third-party vendor is ideal for a new product. The CISO may determine that this vendor does not have adequate security. Marketing may, nevertheless, decide it is worth the risk to fulfill the business plan, and presumably senior management may support marketing, but condition approval on the ability to transfer some of this additional risk with the purchase of additional insurance.

This is an example of the process proceeding appropriately, wherein cyber risk is integrated into business decisions and managed on the front end, consistent with the organization’s business plan.

If an organization follows these principles, it should be well on its way to establishing a sustainably secure cyber risk management system.
Establishing a board-level cybersecurity review blueprint
Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director
Over the last two years cybersecurity has leaped to the top of the boardroom agenda. If you’re like most board members, though, you haven’t had enough time to figure out how to think about cybersecurity as part of your fiduciary responsibility, and you’re not quite certain yet what questions to ask of management. You may even harbor a secret hope that, like many technology-related issues, cyberthreats will soon be rendered obsolete by relentless advancement.

Don’t count on it. Cybersecurity is taking its place among the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses “digitize” all aspects of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed—and vulnerable to cyberattack.

Cybersecurity risk is not new. However, in the last two years multiple high-profile attacks have hit brands we all trusted with our personal information, making for big headlines in the media and significant reputational and financial damage for many of the victimized companies. What’s more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a perennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profile cyberattacks.

Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter’s goal is to help directors evolve their mindsets for thinking about the enterprise risk associated with cybersecurity and provide a simple blueprint to help directors incorporate cybersecurity into the board’s overall enterprise risk strategy.

■ Establishing the right blueprint for boardroom cybersecurity review

For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.

Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated risks.

Also important to a board member’s cybersecurity mindset is to be free from fear of the technology. Remember, the issue is enterprise risk—not technical solutions. Just as you need not understand internal combustion engine technology to write rules for safe driving, you need not be excluded from the cybersecurity risk discussion based on lack of technology acumen. Although this is liberating, in a sense, there is also a price: directors cannot deny their fiduciary responsibility to oversee cybersecurity risk based on lack of technology acumen.

Given a focus on enterprise risk (not technology) and risk mitigation (not attack prevention), the correct blueprint for cybersecurity review at the board level can best be expressed through the following three high-level questions:

1. Has your organization appropriately assessed all its cybersecurity-related risks? What reasonable steps have you taken to evaluate those risks?
2. Have you appropriately prioritized your cybersecurity risks, from most critical to noncritical? Are these priorities properly aligned with corporate strategy, other business requirements, and a customized assessment of your organization’s cyber vulnerabilities?
3. What actions are you taking to mitigate cybersecurity risks? Do you have a regularly tested, resilience-inspired incident response plan with which to address cyberthreats?

Naturally, these questions are proxies for the industry-specific and/or situation-specific questions particular to each organization that will result in that organization’s most productive cybersecurity review. The key to formulating the relevant questions for your organization is to find the right balance between asking enough to achieve the assurance appropriate to board oversight, but not so much that management ends up spinning wheels unnecessarily.

The rest of this chapter is a guide to framing board-level cybersecurity review issues for your organization by exploring meaningful ways to apply these high-level questions in a variety of circumstances and industries. The next step is yours, or your board’s: use this blueprint to drive cybersecurity enterprise risk discussions with management, critical stakeholders, and external experts. Doing so will help achieve cyber resilience for your organization.

■ The board’s cyber resilience blueprint

Boards are very comfortable managing financial issues and risks. They have audit committees, they have compensation committees, their members include former CFOs (to populate those committees), and they have plenty of experience reviewing financial statements and analyzing profit and loss. The knowns are known and the unknowns are few, if any.

It is useful to juxtapose this stable, comfortable picture with the state of board-level cybersecurity discussion—that is, you may not yet be certain what questions to ask, or know what to expect from management’s responses. To help accelerate you toward the same level of stability and comfort you have managing financial issues, the following board-level cybersecurity review blueprint is organized into six areas:

1. Inclusive board-level discussion: empowering all directors to be accountable for cybersecurity
2. Proactive cyber risk management: incorporating cybersecurity into all early stage business decisions
3. Risk-oriented prioritization: differentiating assets for varying levels of cyber protection
4. Investment in human defenses: ensuring the organization’s cybersecurity investment goes beyond technical to include awareness, education, and training programs for employees
5. Assessments of third-party relationships: limiting cyber exposure through business partners
6. Incident response policies and procedures: mitigating potential risks when breaches occur.

1. Inclusive board-level discussion

Given the rapidly growing threat posed by cybercrime and the potentially devastating consequences of a major breach, it is critical that every director have enough of an understanding of cyber risk to be able to take an active part in the board’s cybersecurity review process, and that these discussions take place regularly—preferably at every meeting of the board.

A committee responsible for studying cybersecurity risk can cover both of these aspects of participation. With such a committee, someone on the board (i.e., the committee chair) becomes the stakeholder charged with becoming educated about cybersecurity risk and educating the broader group. Although the board will never need to know how to configure a firewall, there is much to learn about the nature of cybersecurity risks, their potential impacts on your organization, and successful mitigation approaches. It may also be appropriate to appoint a director with cybersecurity expertise for this purpose.

Establishing such a committee also fulfills the goal of consistent cybersecurity discussion. The chair can give a report, arrange for reports from the CIO or CISO, or facilitate talks by outside experts on issues around which additional subject matter expertise proves useful. Threat intelligence is an example of an excellent topic for an outside expert because it’s not a specialty most organizations have in house or that can be justifiably developed. A person or organization steeped in analyzing the tools, approaches, and behaviors of threat actors can look at your organization’s profile and provide customized insight that accelerates the board’s cybersecurity education.

To empower all directors to engage in cybersecurity review, board-level discussions should address issues in the enterprise risk language with which boards are already familiar. One requisite, therefore, is that boards not stand for technical jargon. Even reports from the CIO should be delivered in plain language free of specialized terms.
73 ■
CYBER RISK AND THE BOARD OF DIRECTORS
■ 74
ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT
data and where they are being held? What data are not sensitive and where are they being held? Are your retention policies ensuring you keep the information that is important and throw away everything else? We’ve all read headlines about breaches that could have been less sensational if the victims had better retention practices.
The second dimension—your company’s cyber vulnerabilities—is where customized threat intelligence plays a role. Analyzing your network for weaknesses, learning where sensitive information is stored and how it is protected, and assessing your environment: the competitiveness of your industry (e.g., how valuable your intellectual property is to others) and the way information flows in concert with business processes (e.g., whether or how you store sensitive information about consumers or clients, what countries you do business in, and what that implies for your security).
The board’s cybersecurity review should include discussion of both dimensions, and the issues should be discussed often—these risks are not static. They can vary significantly over time and depend on evolving Internet connectivity and infrastructure complexity.

4. Investment in human defenses
Cyber defense and cyber resilience are as much human matters as they are matters of products and technology configurations. Although security technologies for protection and response are indeed necessary, boards should also ask about enterprise-wide cybersecurity education and awareness. Furthermore, investments in human defenses should be aligned to the insights from customized threat intelligence so they are focused on the ‘most valuable/most vulnerable’ prioritization discussed in the previous section.
When looking at cybersecurity investment, board reviews should include classic IT spending on systems that authenticate user identity and manage access, as well as compliance with applicable laws and regulations. However, that’s just the baseline. Boards need to think further, to issues such as the following:

How well does our IT knowledge/expertise align with the kind of challenges suggested by our threat intelligence reports?
Are we appropriately augmenting our internal staff with outside expertise?
Should we hire “white hat” hackers to attack our networks in search of gaps?
Should we test our employees’ anti-phishing awareness/ability?

No matter how well your security technology works, hackers can always go after the weakest link—humans—through a combination of tactics known as social engineering and spear phishing. The only defense against these phenomena is enterprise-wide education. Ongoing education and awareness programs, such as spear phishing training, should be part of the cybersecurity investment. Boards should ask about, support, and ensure these programs are aligned with business requirements.
Two key thoughts boards should keep in mind when reviewing incident response plans were noted previously, albeit in a different context. First, it is critical to engage the entire enterprise in your incident response plan. IT security professionals can only do so much if an employee clicks on a spear phisher’s link, creating a hole in your network. Employees can be educated to avoid those clicks and incented to be first responders—or, at least, to notice these attempts to breach your company’s defenses. Employees are on the front lines of cybersecurity; prompt notice of a breach from an alert employee can often significantly mitigate damage. Second, your organization’s cybersecurity risk environment is a dynamic, ever-changing thing. Your incident response plan must be kept up to date and rehearsed continually, taking evolving threat intelligence into account.
Appropriate board-level review questions include the following:

What are the organization’s policies and procedures to rapidly identify breaches?
How are all employees empowered to monitor and report/respond?
How are we triaging/escalating once an incident is detected?
How is incident response integrated into IT operations?
What are we doing to align our cyber responses to business requirements and to ensure that all parts of the business understand their roles in the response plan?
How does our response plan match up with our threat intelligence? Are we characterizing our risk in a way that is consistent with most likely attacks?

■ Conclusion: No surprises!
No one likes unpleasant surprises, least of all corporate boards. The goal of a board’s cybersecurity review is to avoid being unprepared for a cyber incident. Unfortunately, experience so far suggests that the only companies with truly top-grade, board-level cybersecurity plans are those that have experienced an unpleasant surprise in the form of a bad breach. They felt the pain once and don’t ever want to go through it again.
If you follow the board-level cybersecurity review thinking and principles discussed in this chapter, and partner with external experts that bring domain-specific knowledge and skills you may not have in-house, you can avoid surprises and be prepared to meet risk head on. The review approach described in this chapter will enable you to lead your organization’s shift from a paradigm of discomfort and uncertainty in the cybersecurity risk realm to one of assurance and comprehensive answers, facilitated by the board’s regular cyber risk discussions; from simple perimeter protection to around-the-clock monitoring and universally understood incident response; from lack of cyber risk awareness to enterprise-wide awareness led by top-down C-suite messaging and incentivized employee behavior.
The blueprint presented in this chapter can help ensure you truly have your eye on the cyber risk ball. Obviously, that doesn’t mean your company won’t be breached. But if—or when—you are, you will be able to handle the event with clear-eyed confidence that the risks have been properly managed.
[Figure: Risk-Oriented Prioritization; Assessment of Third-Party Relationships]
Demystifying cybersecurity strategy and reporting: How boards can test assumptions
Dell SecureWorks – Mike Cote, CEO
we already know about. As we already established, however, hackers are highly adaptive. No one piece of technology can provide a complete defense. A good security program assumes that at some point prevention will fail and the business will have to deal with threats in its network.
Detection then becomes the focus. Companies need the right technology, processes, programs, and staff to help them detect what has happened so that they can find the threat and respond more quickly to contain and eradicate it. The question is not if the hackers will get in but when. Board members may test this assumption by asking their security team, “Do we know if hackers are inside our defenses right now? How do we know when they get in?”

3. You can’t defend with your eyes closed.

No one wants to be blindsided. If a company’s security team can’t “see” what is happening on the network and across all of the endpoints such as work stations, point-of-sale terminals, and mobile devices, then the company will have little chance to detect or respond quickly to an attack when prevention fails. Visibility across the enterprise is an essential attribute of the cybersecurity strategy because it helps companies respond to unusual activity more quickly, reducing down time and related costs.
Business leaders should know that having visibility means collecting large amounts of data from all of those places. Unfortunately those data are useless if the security team doesn’t have the bandwidth to analyze and act on it. The information security industry has responded to this problem, and services are available to manage the data, do the heavy lifting, and sort out what is actionable. The actionable data can then be fed back to the information security team to more efficiently zero in on the threats that need their immediate attention. Boards may ask if their security team is managing all the data itself, and, if so, does it still have the bandwidth to focus on the actual threats.

4. Stay a step ahead: The future won’t look like the past.

To stay one step ahead of the threat, an information security program should also be able to predict what the adversary will do next. To make financial predictions, business leaders apply internal and environmental intelligence to test assumptions. In the case of cybersecurity, security teams should apply “threat intelligence,” which tells them the intent and capabilities of current, real-world hackers who may want to harm them. Gathered from a company’s own environment and often supplemented with much broader environmental intelligence from a third party, threat intelligence can be applied to cybersecurity technologies and human procedures. As a result, the enterprise is able to anticipate the nature of forthcoming attacks and more effectively allocate limited resources to stop them.
Companies with the ability to predict can also defend earlier with less effort and recover faster when a breach occurs. When boards and management discuss metrics like breach frequency, response time, and potential impact, it’s helpful to know if the security team is applying threat intelligence to help them make their assumptions.

5. Educate and train vigilant employees.

One of the most important defenses against cyberattack is an informed, vigilant employee population. Employees and executives are often targeted with carefully crafted emails designed to be relevant to the employee’s personal or work life. In reality, these phishing emails are often loaded with malicious code. One click by a less careful individual can deploy a cyber weapon into the company’s network and execute various actions that shut down critical business functions or steal information and accounts. Similar tactics may be used over the phone to get employees to divulge confidential information such as client lists, which can then be paired with other stolen data to complete a set of stolen identities.
The bottom line is that human behavior is equally as important as security technologies in defending against the threat. Boards should know whether employee awareness and training programs are in place and how effective they are. The best programs will simulate how hackers may trick an employee and provide on-the-spot training if the employee falls victim. An open dialog in these cases helps employees and the organization as a whole learn from mistakes. It also builds a culture of security awareness.

6. Organize information security teams for success.

Defending and responding effectively against cyber adversaries also depends on manpower and expertise. Technologies cannot be used to full advantage without highly skilled people to correlate, analyze, prioritize, and turn the data into actionable intelligence that can be used to increase resilience. A properly organized and staffed security team needs people with many different types of expertise and skills. It requires people to deploy the technologies, understand what the threats are, determine what hackers are doing, fix system and software vulnerabilities, and counter active threats. Although these professional capabilities are interdependent, they are not all interchangeable, requiring different training and certifications. Information security leaders also need the management skills to put the right governance processes and procedures in place, advocate for security requirements, and communicate risk to senior management.
Boards are encouraged to inquire as to whether the security team has the bandwidth and manpower to be able to respond and remediate a crisis, as well as to handle day-to-day operations. Security teams should be organized to focus on what matters most—immediate threats—and other resources should be considered where there are gaps.

7. Measure effectiveness, not compliance.

It is impossible for a company to know how effective its security program is against real-world attackers unless it conducts real-world exercises to test its defenses. Compliance frameworks can improve rigor in many areas of cybersecurity, but it is folly to assume that following a compliance mandate (or even passing a compliance inspection) is commensurate with resilience. No matter how well architected a security program is against recommended standards, no two companies’ environments are alike. That’s why it is so important to battle-test one’s own environment. Network security testing emulates actual hackers using real-life tactics such as phishing to validate how well defenses work against simulated attacks. By learning how hackers penetrate security defenses, companies can determine actual risk and resource cybersecurity operations accordingly. Testing also helps companies meet compliance mandates. Compliance should be a by-product of an effective security program, not the other way around.

8. Emphasize process as much as technology.

Technology is only half the solution to making a company resilient. Breaches can occur as the result of human and process errors throughout the enterprise. Take the example of recent high-profile cases in which weaknesses in a supply chain or a business partner’s security allowed hackers to access the parent company’s network and do significant damage. Leading practice today is for companies to insist, by contract, that their business partners meet the same security requirements.
However, what if a business line leader fails to insist on contract requirements in the interest of going to market quickly? What happens when business enablement trumps security in the far reaches of the business, where people think, “No harm done”? Adequate checks and balances should be in place to ensure that IT security and business procedures are being executed, and policies
should hold relevant business leaders and employees accountable for implementation. How do you know when procedure isn’t followed? Real world testing confirms not only the effectiveness of your defenses but also the process, policies, and procedures that keep those defenses in place, operational and optimized for resilience.

■ Summary: A framework for oversight
By the very nature of being connected to the Internet, companies are targeted 24/7, 365 days a year by anonymous, sophisticated hackers who strive to steal from or harm the business and its employees. That ongoing challenge is taking place across the entire enterprise, not just on the network, so it’s important to remember that we all play a role in managing the risk: employees, business partners, and even board members. There is no silver bullet piece of technology that will eliminate all danger, and being resilient is just as dependent on people and process as it is on technology. A cybersecurity ‘win’ in this environment is defined as how effectively and efficiently the company finds and removes threats from its environment and whether it remains fully operational in the process.
Cybersecurity risk is an enterprise risk, not a function of IT. For boards to provide reasonable oversight they’ll have to understand what the company is protecting, inquire about how well the company is organized to defend those assets, and explore whether it has the manpower and capabilities to respond and remediate in the event of a breach. Compliance is an important element of cybersecurity, but it is a by-product of a good program, not the measure of effectiveness. Nor is it a guarantee of security, as illustrated by many recent high-profile breaches in which companies had already met the requirements for one compliance mandate or another.
Difficult decisions about funding can be made more easily by discussing how existing resources are allocated. Many business leaders fear that “we’ll never spend enough,” but experience shows that a pragmatic approach to funding the security program is to focus on effectiveness and prioritization:

Determine actual vulnerabilities by regularly testing defenses.
Detect the perpetrators more quickly by increasing visibility.
Predict and mitigate risks more quickly and efficiently by applying threat intelligence.
Apply time, attention, and funding accordingly.

Companies may also want to consider third-party providers to monitor, correlate, and analyze the massive quantity of data that a mature security program generates. This allows valuable, and sometimes scarce, human resources to focus on the actual threats. A reputable third party can also provide the testing that determines effectiveness and be a helpful validator of the program.
Armed with an understanding of what a mature security program looks like and how it plays out across the entire enterprise, boards will be better equipped to discuss the company’s current strategy and inquire about assumptions in the metrics.
Cyber risk corporate structure
The CEO’s guide to driving better security by asking the right questions
Palo Alto Networks Inc. – Davis Hake, Director of Cybersecurity Strategy
a broader business issue, signaling a shift AWAY from the chief information security officer (CISO) and the IT security team.” Where is this shift moving to? “When a breach does occur, boards are increasingly looking to the CEO and other members of the executive team to step up and take responsibility,” said the authors.
Yet despite this shift in perceived responsibility to the executive level, there does not appear to be the same drive to connect technical teams to the board-level focus on concerns about cybersecurity risk. A 2015 Raytheon and Ponemon Institute study of those with the day-to-day technical responsibility for cybersecurity, CIOs, CISOs, and senior IT leaders, found that 66 percent of respondents believe senior leaders don’t perceive cybersecurity as a priority. What this means is that while CEOs are increasingly on the hook from their boards for being savvy about cyber risks, many are not yet engaging with the necessary parts of their organization to address cybersecurity issues.
Our hope is that this guide can prime you to ask productive questions that drive better people, processes, and technological change to reduce the risk of successful breaches of your organization. As the CEO, it is your job to balance risk and reward within your company. Cyberthreats are not magic, hackers are not wizards, and the risks to your specific organization from a breach can be managed just like any other risks that you make decisions about every day. In fact, these risks can even be turned into opportunities for new innovation.
But where to begin? You want to avoid causing unnecessary work, but you are required to participate, and often lead, the conversation around addressing cyber risks. When the U.S. Government began working with members of the IT and critical infrastructure industry on a Cybersecurity Framework for improving critical infrastructure cybersecurity, a key point that arose was the need for nontechnical tools that could be used at an executive level. Technical best practices have existed in international standards and government agencies for years, but common problems such as a lack of investment, absence of high-level strategy, and failure to integrate into business operations still plagued many organizations struggling to address cyberthreats. Seeing this tension in many of the organizations they were briefing on cyberthreats, the U.S. Department of Homeland Security worked with current and former executives to help capture five simple questions that a CEO could ask his or her technical team, which would also drive better security practices. They are:

1. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3. How does our cybersecurity program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is the plan tested?

The team that coordinated the Cybersecurity Framework also provided key recommendations to leadership, to align their cyber risk policies with these questions. First and foremost, it is critical for CEOs to lead incorporation of their cyber risks into existing risk management efforts. Forget the checklist approach; only you know the specific risk-reward balance for your business, so only you can understand what is most important to your company. It seems simple, but with cybersecurity, the default practice tends to be for organizations to silo considerations about risks into a separate category apart from thinking about their valuable assets. You have to start by identifying what is most critical to protect and work out from there. The process of aligning your core value with your top IT concerns is a journey and is not
something that can be solved in one lump investment or board meeting. Just like any risk analysis, it requires serious consideration and thought about what is most important to your core business practices.
Which brings me to the second recommendation to come out of the Cybersecurity Framework effort: don’t begin your journey alone! Bring your leadership team, especially your CIO, chief security officer (CSO), and CISO, into the conversation from the start, to help determine how your IT priorities match to your business goals. Building a diverse team that includes other leaders, such as your head of human resources, will help foster a culture that views cyberthreats not as “someone else’s problem” but as challenges that should be addressed and dealt with as an entire organization. For example, cyber criminals still continue to successfully use fake emails as a primary method for gaining access to a company’s network. Stopping these attacks requires not just a technical solution but also strong training, which is often the responsibility of human resources and not your IT security team.
As more significant challenges arise, and they will do so often and unexpectedly, lean on your leadership team to evaluate problems in relation to the impact to your other business risks. Then let your team address them based on your existing business goals. For example, if you experience a cyber breach or accidental disclosure of sensitive information, a diverse leadership team is incredibly helpful at not just responding to the technical problems but also ensuring other areas such as public image, legal ramifications, and revenue impact are taken into consideration in any mitigation and remediation efforts. It is your job to help frame the problem for your team and provide oversight and guidance, not micromanage a crisis.
As with normal business operations, you should also be asking your team to assist you in day-to-day requirements of your cybersecurity, such as reviewing IT budgets and personnel security policies. None of this is surprising, and you will find that despite not having a cybersecurity background, you will certainly be able to make valuable contributions about which cyber risks are acceptable. You will find situations where the operational priorities that you are responsible for as CEO outweigh cybersecurity risks. Your perspective on these matters is what makes you core to leading cybersecurity efforts in your organization.
Finally, as with any risk management effort, you must plan for the best but prepare for the worst. Cyberthreats are very real, and advanced hacking tools once available only to nation-states are regularly sold on the online black market. There are technical architectures that can prevent and limit damage done by cyberattacks (see Palo Alto Network’s other chapter, “Designing for breach prevention”), but no solution is ever 100 percent. Developing an incident response plan that is coordinated across your enterprise and regularly tested is vital for even the most well-defended organizations. Use your existing risk management practices and your leadership team to identify your most important assets; then plan for what would happen to your company if those assets were shut off or inaccessible for a sustained period of time. Similar to fire drills, regular practice also helps you stay aware of cybersecurity’s constantly changing environment and shows a personal interest that will signal the issue’s importance throughout your company. There are also excellent chapters in this book to get you started in setting up an incident response plan, and there are many good companies that specialize in the sticky problems of rebuilding your network when you need to call in the cavalry.
While risk management is a strong approach to tackling the challenges of cybersecurity, the bottom line is that it will often require some investment in new people, processes, or technology. A common myth is that security must be a cost center for every organization. This view has plagued IT security experts for years, as their efforts are viewed as drains on resources that would otherwise be bringing in revenue. But as you start to lay out cybersecurity from a
risk management perspective, you will be forced to identify your most valuable assets, pressing vulnerabilities, and core motivations. This introspective approach can also drive new ideas applicable to your core business lines. It is imperative that you recognize these innovations and make the right investments to reap both the benefits of better security and new business opportunities.
For example, take a company that wants to enable its sales staff to securely meet with customers face to face away from the office for consultations. Using mobile devices and phones to access internal company data, such as customer accounts, from the field can open serious cyber risks. In this case you could ensure that when purchasing a mobile platform, you also choose a security vendor that can provide mobile device management capabilities. This allows your IT department to secure lost or stolen devices and limit malicious software that could be accidentally downloaded by employees (or often their kids), limiting cyber risks and enabling flexibility of your sales team.
Another great example is the use of software as a service (SaaS) products. You may know these as web-based email or online storage services. They are incredibly popular for their low cost, flexibility, and availability across multiple platforms, but they also exist on servers outside your control and can present a huge risk from users accidentally making company resources available to external parties. There are now innovative solutions that can manage these programs just like any normal application that lives on your network and even block their use for only malicious purposes.
True leadership in any issue doesn’t involve simply throwing more money at the problem; you must always balance the risks and rewards of your decisions and investments into a coherent strategy. Cybersecurity is no different. Unfortunately, today’s reality is such that cyberthreats will remain an issue of fear for boardrooms in the foreseeable future, leading to default knee-jerk reactions as new threats evolve. Ultimately, we must get to a place where cybersecurity is a normal part of any business’s operational plan. With cool-headed, rational leadership, you have the unique ability to help transform this issue in your company from a crisis to an opportunity for real innovation.
Establishing the structure, authority, and processes to create an effective program
Coalfire – Larry Jones, CEO and Rick Dakin, CEO (2001-2015)
FIGURE: Cyber Risk Organizational Structure and Responsibilities
TIER 1: Executive Leadership (corporate strategy; policy)
TIER 2: Business Management (actionable policy and procedures; guidance and constraints)
TIER 3: Systems Management
Results of monitoring and feedback flow upward from each tier to the tier above it.
The primary objective for a risk assessment is to drive selection of adequate and rational controls and then assign responsibilities to manage those controls. During the process the environment will be characterized to bring context, and the existing system vulnerabilities and weaknesses will be evaluated to select controls to offset the probability of compromise during an attack. A comprehensive cybersecurity program addresses administrative, physical, and technical controls as an integrated suite.
Once the inherent threats and vulnerabilities are understood within the context of the impact they could have on the organization, its clients, and partners, senior executives must approve the risk management strategy. Many executives want to see all risk either mitigated or transferred. However, the bulk of companies in critical infrastructure industries end up accepting some level of risk in their strategy. Cost, continuity of operations, or other concerns may drive the formation of the cybersecurity program to mitigate what is reasonable and accept the residual risk. Cybersecurity insurance is becoming an increasingly popular means of transferring risk but comes with the requirement that you understand risk in ways that may not have been previously considered. It is important that the business units and security staff are able to communicate the constraints as well as the risk mitigation alternatives for senior executives to make reasonable decisions on risk management strategies.

Governance and organization structure
The risk assessment management duties and responsibilities are typically allocated in accordance with Table 1.

■ Protect
Program design and implementation
The outcome for any cybersecurity program is the expectation that an organization can defend its critical cyber assets from irreparable damage resulting from a cyberattack. The impact of cyberattack is different for every organization. As a result, the cybersecurity strategy and associated program must be considered against the potential impact.
ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM
Although security programs are different for every company, the principles for developing the program are fairly consistent. NIST Special Publication 800-53 has done a good job in describing the selection of controls for high-, medium-, and low-level impacts. Every organization needs access controls, but only those that result in national security impact are realistic candidates for deploying the high-level version of that control. Many executives are “sold” a package of controls because they are used by the NSA, but the question to ask is, “How does the NSA mission relate to our operations?”

As discussed in the risk assessment segment, executives have to define their risk appetite. This is hard during the early days of cybersecurity program development because most C-suites have an inherently low risk appetite and do not yet understand the impact of lowering the threshold for control selection. As a result, cybersecurity programs are often a work in process for several years.

Training
The best cybersecurity programs are the ones that staff and partners will actually execute. Contrary to what many vendors and partners will tell you, the magic is not in the security solutions selected. Rather, the magic is in the ability of the organization to manage those solutions to mitigate risks. Because the security skills available in the industry today are in short supply and growing increasingly rare, companies should expect to spend a disproportionate amount of training dollars on cybersecurity.

Maintenance
Anyone working in forensic response will tell you that system compromise and data breach are rarely the result of some sophisticated attack that no one has ever seen before. The bulk of effective attacks use vulnerabilities that have been known for years. Cross-site scripting, shell or SQL injection, shared administrator accounts, lack of patching, and other standard security hygiene issues are normally the culprits. There are two significant operations that go dramatically underfunded in most organizations: maintenance of systems and maintenance of security controls, which leaves organizations vulnerable to attack.

CYBER RISK CORPORATE STRUCTURE

■ Detect
Program monitoring and reporting
The days of ‘acquire, deploy, and forget’ are over. For years, senior executives did not have to participate in cybersecurity program oversight, because a combination of firewalls, malware protection, and light access controls was adequate to defend against previous generations of relatively static cyberattacks. Today, continuous monitoring is critical to see the evolving threat and technology landscape.

Cybersecurity programs have moved from a period of static defenses to active defenses, and we must become more nimble to successfully protect critical systems and sensitive data. From a military perspective, think of this shift as moving from multiple armored divisions with significant force and firepower protecting cities or regions to the more recent Special Forces mindset, in which quick detection and reaction are the key to success.

In the previous section, we mentioned two areas for increased investment. The second area is to develop cybersecurity programs with a much higher focus on threat intelligence, monitoring, and alerting. This requires new security solutions and specially trained security professionals. The old line of firewalls, malware protection, and access controls is still required, but much more active system patching, vulnerability management, and monitoring are driving modern security programs.

To avoid the perception of negligence, senior executives often reinforce old-line security controls that are audited for regulatory compliance. However, focusing only on compliance will not secure an organization. Cyberthreats are ongoing, while compliance is a point-in-time review. What is needed to address increasing cyberthreats is a nimble program that can suffer an intrusion but repel the intruder and recover operations quickly. Just as a good boxer needs to be able to take a punch and stay in the ring, companies today must be able to absorb a cyber punch and keep operating while at the same time mitigating and recovering.

Incident alerting and escalation
Identifying a potential attack is only half the solution. Cybersecurity programs must alert the technology teams and business units to respond appropriately. One potential response is to take systems offline. Without executive and business unit involvement, a poor decision could be made.

■ Respond
Response capabilities vary after discovery of a cybersecurity incident, and organizations are typically faced with two unappealing options:

1. Pull up the drawbridge and stop the hordes from overrunning the castle.
2. Keep the drawbridge down while trying to figure out where the bad guy is.

The most immediate, and some say rational, response is to “pull up the drawbridge” to eliminate whatever access hackers have. Unfortunately, this alerts the bad guy that you know he’s inside, so whatever systems and accounts he may have compromised or whatever backdoors he’s created will remain unknown. On the other hand, if a company decides to take option two, to play it low-key and continue with business as usual to determine the scope of the problem, the organization can determine what systems have been compromised, what new privileged accounts have been created, and what back doors may exist. This will give the company a better chance of long-term success in eliminating the breach and repairing lost or damaged information.

One response is not necessarily better than the other, because situations vary. However, these critical decisions must be made almost immediately.

■ Adjust
No program is ever perfect. Continuous monitoring and reporting will enable all three tiers of responsibility to constantly adjust the program and inform the other tiers of actions.

■ Summary
Effective cybersecurity program development and oversight requires executives to implement and manage a distributed process at three levels within an organization: executive level; business unit level; and operational level (Table 2).
If Sun Tzu lived today, he would clearly see the nature of current cybersecurity programs and responsibilities and recognize the criticality of executive-level management. We have to take a warrior’s attitude in developing strategies and programs to be successful in combatting the cybersecurity challenges we face today.
Cybersecurity legal and regulatory considerations
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Securing privacy and profit in the era of hyperconnectivity and big data
Booz Allen Hamilton – Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O'Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate
Privacy is very often conflated with security. While privacy is about the appropriate collection, use, and sharing of personal information, security is about protecting such information from loss, or unintended or unauthorized access, use, or sharing.

■ Privacy and security intersect through breaches
Although privacy and security are two separate concepts, the importance of these two ideas intersects for the consumer if personal information is not safeguarded. In a nutshell, consumers are more likely to buy from companies they believe protect their privacy. Large-scale security breaches, such as the recent theft of credit card information of 56 million Home Depot consumers (2015) and 40 million Target shoppers (2013), provide consumers with plenty to worry about. Breach-weary consumers need to know who to trust with their personal information, to ensure that only the company that they provided the information to can use it. Risk management for data privacy and security of that data should guard against external malicious breaches, inadvertent internal breaches, and third-party partner breaches.

■ Privacy is linked to trust—differentiate with it
Trust, and the data that it allows companies to have access to, is a critical strategic asset. Privacy issues that erode trust can dismantle the goodwill that a brand has spent decades building with consumers. Forward-leaning companies are already moving toward proactively gaining the trust of their customers and using that as a differentiator. Learning from its issues with the lack of security on iCloud, Apple now markets all of the privacy features of its products and apps. With an eye toward the desires of its customers, the iPhone’s iOS 8 is encrypted by default. This makes all “private” information such as photos, messages, contacts, reminders, and call history inaccessible without a four-digit PIN and numeric password. In 2012 Microsoft launched its “Don’t get Scroogled” campaign as a direct attack on its rival, Google, by highlighting that its Gmail service scans emails in order to target and tailor advertising to the user. In 2013 Microsoft ran TV ads that claim that “your privacy is [Microsoft’s] priority.”

Companies are also competing to be privacy champions against government surveillance. For the last few years, the Electronic Frontier Foundation has published the “Who Has Your Back” list—highlighting companies with strong privacy best practices, particularly regarding disclosure of consumer information to the government.

■ Challenges and trends
Maintaining compliance
Beyond the moneymaker of the data economy, there is also a need to comply with a swirl of conflicting regulations on privacy. For global companies, this task is made more difficult as privacy regulations vary by region and country. Although international accords often serve as the basis of national laws and policy frameworks,[1] the local variations complicate compliance. For example, the May 2014 ruling of the European Court of Justice on the “right to be forgotten” set a precedent for removing information from search results that is deemed to be no longer relevant or not in the public interest, by affirming a ruling by the Spanish Data Protection Agency. Countries across Europe have applied the ruling at a national level, which means that the national applications are not exactly the same.[2] Compliance with this decision has yet to be fully understood. Google has fielded about 120,000 requests for deletions and granted approximately half of them.[3]

Compliance is costly and complicated. Beyond technical issues (which were easier to solve), Google’s main issue with compliance was administrative—forms needed to be created in many languages, and dozens of lawyers, paralegals, and staff needed to be assembled to review the requests. Issues remain, such as the possibility of removing links from Google.com as well as from country-specific search engines.

Compliance with established laws in the U.S. is often topic- and industry-specific. For example, Congress has passed laws prohibiting the disclosure of medical information (the Health Insurance Portability and Accountability Act), educational records (the Buckley Amendment), and video-store rentals (a law passed in response to revelations about Robert Bork’s rentals when he was nominated to the Supreme Court).[4]

Growing data = growing target for hackers
As data availability increases, the attractiveness of datasets for hackers increases as well. Companies in all sectors—health care, retail, finance, government—all have datasets that are attractive to hackers. Just a few of the confirmed cyberattacks that targeted consumer information in 2014 include: eBay, Montana Health Department, P.F. Chang’s, Evernote, Feedly, and Domino’s Pizza.[5]

conduct, along with a clearly defined means of enforcement. Externally, this means building privacy considerations into the products and services offered to customers. Some of the ways to do this include the following.

Create easy-to-understand consumer-facing policies
The average website privacy policy runs to more than 2,400 words, takes 10 minutes to read, and is written at a university-student reading level.[6] No wonder half of online Americans are not even sure what a privacy policy is.[7] Writing clear, easy-to-understand consumer-facing policies can help you increase the number of people who will actually read them, and you will gain the trust of your consumers. No company has a perfect solution, but many organizations have come closer. Facebook has recently rewritten its privacy policy for simplicity and included step-by-step directions for users.[8] To increase trust, privacy policies should clearly state the following:
implementation stages, to ensure that businesses meet their customer and employee privacy expectations, and policy and regulatory requirements. The approach is a market differentiator that is intended to reduce privacy and security risks and cost by embedding relevant company policies into such designs. As such, privacy settings are automatically applied to devices and services. Privacy by design and default is recognized by the U.S. Federal Trade Commission as a recommended practice for protecting online privacy, is being considered for inclusion in the European Union’s Data Protection Regulation, and was developed by an Ontario Information and Privacy Commissioner.

Communicate your good work
Privacy policies and actions are more than legal disclosure; they are marketing tools. All the actions you take to protect consumers’ privacy should be communicated so they know you can be trusted. The Alliance of Automobile Manufacturers, representing companies such as Chrysler, Ford, General Motors, and Toyota, publicly pledged more transparency about how they will safeguard data generated by autonomous vehicle technologies. Many groups have published data principles that communicate how data is gathered, protected, and shared.[9]

■ Conclusion
Our current data economy brings exciting opportunities for companies to grow by enhancing their products and services. These innovations rely on consumers to trust your organization with their personal information. Building consumer trust includes keeping information safe from hackers, creating easy-to-understand consumer-facing policies, and applying the principle of “privacy by default”. Companies that reframe these actions as business enablers instead of business costs will thrive—and find it easier to comply with an increasingly complex web of regulations. Finally, communicating your good work to consumers will elevate the profile of your organization as a trusted partner, and pave the way for future gains.

References
1. https://www.eff.org/issues/international-privacy-standards
2. http://www.hitc.com/en-gb/2015/07/07/facebook-questions-use-of-right-to-be-forgotten-ruling/
3. http://www.newyorker.com/magazine/2014/09/29/solace-oblivion
4. http://www.newyorker.com/magazine/2014/09/29/solace-oblivion
5. http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/
6. http://www.computerworld.com/article/2491132/data-privacy/new-software-targets-hard-to-understand-privacy-policies.html
7. http://www.pewresearch.org/fact-tank/2014/12/04/half-of-americans-dont-know-what-a-privacy-policy-is/
8. https://www.washingtonpost.com/blogs/the-switch/wp/2014/11/13/facebook-rewrites-its-privacy-policy-so-that-humans-can-understand-it/
9. https://fortunedotcom.files.wordpress.com/2014/11/privacyandsecurityprinciplesforfarmdata.pdf
Oversight of compliance and control responsibilities
Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC – Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director
oversight of cybersecurity compliance and controls requires leadership from the C-suite and the boardroom.

Critically, this leadership must be coordinated. For a company’s cybersecurity compliance and control programs to be effective, efforts must be structured in ways that ensure the board and senior management, including the C-suite, work together to achieve the company’s risk objectives. Each has distinct cybersecurity responsibilities: senior management is responsible for determining relevant cyber-related risks and implementing a compliance program that incorporates appropriate processes and controls to mitigate them, whereas the board is responsible for overseeing the risk identification process and independently evaluating whether the program is designed, implemented, and operating effectively to meet the company’s cybersecurity risk mitigation objectives. Meeting these responsibilities well requires a formalized, integrated approach to cybersecurity risk evaluation, defined roles and responsibilities, and implementation of a program that is supported by the board, clearly articulated by the C-suite, and effectively implemented by operational resources. Disconnect between the board, C-suite, and operations poses as much of a challenge to corporate cybersecurity as cyberthreats themselves.

■ Cybersecurity oversight is risk management oversight
To understand why coordinated C-suite and board oversight of cybersecurity is essential, one must understand cybersecurity as a means of managing and responding to corporate risk. The purpose of risk management in general is to identify and mitigate the risks a company faces to a level acceptable to the enterprise as determined by the board, a level known as a company’s “risk appetite.” The strategies and objectives for managing risks and responding to threats are articulated in the policies, procedures, and controls of the organization and are the responsibility of senior management.

One significant and growing area of risk for most companies is data risk. Data risk encompasses the risks of financial loss; business or operational disruption; loss or compromise of assets and information; failure to comply with legal, regulatory, or contractual requirements; or damage to the reputation of an organization because of the unauthorized access to or exploitation of data assets. Cybersecurity is the protection of data assets from unauthorized electronic access or exploitation risks through processes designed to prevent, detect, and respond to these risks.[1] Effective oversight of cybersecurity is therefore essential to a company’s oversight of risk management.

Two core components of the company’s cybersecurity program must be overseen at the highest levels of management: compliance and controls. Compliance here means the company’s program for ensuring actual adherence to internal cybersecurity policies as well as external privacy and data protection laws and regulations in the jurisdictions where the company operates. Controls mean the company’s systems and processes for protecting its data infrastructure and carrying out incident response. These components should be overseen actively to confirm that compliance and controls are going beyond mechanical application of generic cybersecurity rules and standards, which may just establish a regulatory floor for corporate practices, not a set of industry-leading practices, and which may not be appropriate or relevant to the threat landscape and unique regulatory requirements for the company’s industry. Moreover, even industry-leading practices may quickly become dated, because regulators’ views on “reasonable” cybersecurity are changing all the time.[2] The legal risks from inattentive oversight are limited only by plaintiffs’ imagination and regulators’ zeal, and the practical risks are limited only by hackers’ ambition and creativity.

From a risk management perspective, the key inquiry revolves around the value of each data asset. For example, data assets whose business usefulness has long passed may still be rich in information that may be embarrassing to the organization if released publicly. So in a way, cybersecurity risks are
[Figure: risk management lifecycle diagram; stage labels recovered from the page: Report, Identify, Reassess, Design, Evaluate, Implement, Monitor]
Second, the C-suite should extend the enterprise-wide approach to compliance risk management to the company’s entire ecosystem—its vendors and other third-party partners (e.g., cloud services providers, outside data processors). This means ensuring that oversight is robust for the corporate vetting of cybersecurity practices at third parties and that the contractual relationships with third parties allow for monitoring and oversight. Many technological innovations are leading companies to outsource aspects of their business involving data, but this comes with the risk of the partners not securing data to the degree the company does.

Third, the C-suite should ensure—and the board should monitor—the independence of the cybersecurity compliance team from the company’s IT and business units. Given the silos that frequently develop around the compliance, IT, and business teams, the C-suite ought to ensure that the compliance team has the resources and skills to independently evaluate the sufficiency of the company’s cybersecurity program. If the compliance team is not equipped to understand what technological steps the IT team is or should be taking to advance the organization’s cybersecurity, and so defers entirely to their judgment, it may fail to apprehend the compliance implications of the steps ultimately taken.

Of course, independence should not mean isolation. It is critical that these teams can and do speak to each other regularly: compliance risks arise in the IT and business lines, and the compliance team must be involved in assessing those risks. For example, if a new business line involves collection of new pieces of customer data, failure to ensure that data are properly secured and kept private from the start creates compliance risks. Likewise, the IT Department’s failure to patch software in a timely manner creates compliance risks. The compliance team must be sufficiently in the loop to ensure steps are being taken to prevent these failures, without being operationally involved in the actual prevention efforts. This can be achieved through well-developed monitoring and assessment processes that encourage timely internal communication of potential risks to the compliance team.

Fourth, consistent with the risk management lifecycle, the C-suite should make sure it has effective means to test compliance in practice and communicate the results to the board. It is critical for updates to cybersecurity compliance policies to actually translate into updated implementation, and the board must be able to see—and where needed spur—this implementation. (See the next section.) The C-suite also has to be able to test to see that cybersecurity compliance is taking root across the company’s operations and prevent ‘siloing’ within business lines or cost centers.

Fifth and finally, the board should make cybersecurity compliance a priority, plain and simple. None of the above measures will be prioritized at the senior management level and below unless they are also the board’s priority.

■ Building blocks of effective oversight of cybersecurity controls
Board and C-suite oversight of cybersecurity controls relates to the control of associated enterprise risks: legal, financial, regulatory, and reputational, to name a few. None of these risks can be fully avoided, but effective controls can reduce their impact on the organization, and effective oversight can ensure that these controls are thorough.

One step a board can take to provide effective oversight of cybersecurity controls is to ensure that the controls implemented by the C-suite contain prevention, detection, and rapid remediation components. Many companies focus on prevention and detection, but not remediation, and then are caught off guard when they learn of an intrusion requiring immediate remediation that went undetected. Prevention measures include data inventorying, data loss prevention planning, strong perimeter and internal defenses, and processes for timely patching of core software to plug security holes. Many of these are IT measures, but prevention is not limited to IT and includes building a corporate culture that is mindful of data risk, as is discussed more below.

Detection measures include analysis of operational data and anomaly detection as well as systems for logging, monitoring, and testing data moving into and out of the corporate IT environment and across various devices (e.g., from computer to cloud service or external storage devices), where legally permissible. Rapid remediation measures include incident response plans that are rehearsed, implementation of forensic recovery tools, and measures to quickly restore failed systems from back-ups. Boards should recommend appointment of a permanent incident response team—comprising senior management from IT, legal, compliance, vendor management, PR, investor relations, and business lines—to lead the incident response efforts, report incidents and remediation plans to the C-suite and the board, and notify external regulators and customers when necessary.

In line with the previous point, a key step the C-suite should take is to oversee lines of communication among the various parts of the company that either manage or make use of the company’s cybersecurity controls. If a business line is experiencing occasional bugs in its online customer order processing, for example, and IT is not informed of the issue in a timely manner, malware may go undetected. If an employee with database access quits and HR does not inform IT in a timely manner, then user credentials may remain active long after they should.

Another key step the C-suite can take is to prioritize regular training of employees—at a minimum annually—on cybersecurity threats and how to avoid them. A surprising number of threats can be thwarted by employee education about suspicious emails, strong password practices, and cautious use of personal devices. The more employees at every level learn to treat data as a valuable asset, the more careful they will be. Conversely, no matter how strong a company’s cybersecurity controls, it only takes one employee mistake to expose sensitive company data.

As with cybersecurity compliance, for the above measures to be prioritized, they must be a board priority. In this vein, the board should check to see that cybersecurity controls are appropriately funded; none of these controls can be prioritized without adequate funding.

■ Implementation challenges
Even the best designed data security initiatives are prone to failure if not implemented correctly. A common problem that can occur even after apparently successful program implementation is a disconnect between appropriately drafted policies and procedures on the one hand, and operational practices and technology infrastructure (in-house and third-party-managed) on the other, and a failure of the board to notice.

Cybersecurity policies and procedures are effective only if they are tailored to the company’s unique business environment, applicable regulatory requirements, and known security risks. However, too often, boards and C-suite leadership oversee the development and adoption of boilerplate policies and procedures that, although perhaps built on generally appropriate foundations, are either insufficiently customized or implemented inappropriately. The resulting disconnects may lead not only to damaging data breaches and unauthorized disclosure of personal information but also to scrutiny from regulators and actions from the plaintiffs’ bar. For example, the Federal Trade Commission (FTC) currently views the disconnects between cybersecurity policies and procedures and their actual implementation as unfair or deceptive trade practices under Section 5 of the FTC Act, and this is a trend that senior executives should expect to continue.

It is critical to the success of a cybersecurity program that the operational uptake of—and ongoing adherence to—program requirements are measured effectively. Monitoring of the program not only enables effective reporting up to the board but also, more importantly, identifies vulnerabilities in the program and areas for improved security. Although evaluating the effectiveness of a cybersecurity program would appear to be a core component of any successful implementation, many organizations fail to adequately address this need, often leading to exploited weaknesses, data breaches, and programmatic failure.

Effective metrics for evaluation can be broken down into several categories to enable more targeted application across the enterprise. Programmatic metrics measure the progress of various organizational components of the information protection program, such as overall program development, implementation, and maintenance (e.g., cybersecurity policies are updated to meet new regulatory requirements). Operational metrics measure the performance of (as the name implies) various operational components of the information protection program; the number of cybersecurity incidents per reporting period is an excellent example. And compliance metrics measure individuals’ compliance with program requirements. Such metrics may measure, for example, whether employees are observing required data security protocols when sending sensitive customer information to a third party for processing. In general, the trend for many of these metrics is toward the measurement of outcomes; metrics that demonstrate a company’s frequent intrusion detection scanning are not helpful if the outcome is still a high number of intrusions each year.

Regardless of whether your organization is seeking to measure programmatic, operational, or compliance aspects of your cybersecurity program, the metrics that you design must be clearly defined and meaningful and measure progress against a clearly stated objective. A properly implemented metrics program helps leadership ascertain initial uptake and improve the compliance with—and performance of—a well-designed cybersecurity program.

Another challenge for effective implementation of cybersecurity compliance and controls—and one that must be closely monitored by the board—is resource allocation. The recognition of data as a highly valued business asset is clearly established; its value is verified on a daily basis by those who seek to gain access to business networks and view, remove, or otherwise exploit the data residing there. However, resources allocated to cybersecurity are still frequently an IT line item, rather than an enterprise-wide issue. Businesses operating in this environment of perpetually evolving digital risks must recognize that data security is no longer a cost of doing business; it is a core component of remaining in business. As such, budgets must be allocated appropriately to meet the risks. Budgets vary according to business type, data types and sensitivity, volume of data, sharing with third parties, and any number of other risk factors that must be considered by the board and executives. The budgeting process has to enable the company not only to get the right people and processes in place but also to implement technology that truly addresses the security needs of the organization. This process requires commitment from the C-suite and oversight from a board that understands the importance of cybersecurity.

Cybersecurity budgeting also must include dedicated resources for training of personnel. As mentioned above, the human element is frequently the weakest link in an otherwise solid data security program. Staff must have the resources they need to be trained not only to be proactive in taking steps to safeguard data but also to recognize attempts by unauthorized parties trying to gain network access. Phishing, for example, remains a remarkably effective tool for gaining credentials that open a door to the network and the data therein, and inadequate training may increase a company’s vulnerability to phishing attacks. Regulators know this and expect board members providing cybersecurity oversight to know, too.

The board and C-suite also must bear in mind that successful initial implementation of a cybersecurity program does not necessarily lead to a cybersecurity program that has longevity. Ongoing success is largely dependent on top-down involvement by the board and active management by the C-suite. The board should be apprised regularly of data security incidents and emerging data risks, as well as changes to the regulatory environment. An actively informed and involved board, working in harmony with the C-suite, enables agile enterprise-wide response to evolving threats

ensure that these measures are being adopted. Only with consistent C-suite involvement and strong board oversight—informed by an understanding of data risk as a central enterprise risk—can cybersecurity challenges be handled effectively.
and appropriate upkeep and improvement of
a robust cybersecurity program. References
1. See NIST, “Framework for Improving
■ Conclusion Critical Infrastructure Cybersecurity”
Today’s cybersecurity risks affect organiza- (2014) (defining “cybersecurity”). Of
tions of all sizes and across industries course there are many definitions of
and lead to not only IT headaches but also “cybersecurity”; the NIST definition
headaches for the entire business. Companies adapted here is just a recent American
are increasingly put into the unenviable example.
position of needing to put up shields against 2. For example, some regulators require
a variety of cyberthreats, knowing that no certain data to be encrypted while many
defense can provide perfect protection. others do not. See, e.g., 201 Mass. Code
However, the C-suite nevertheless must Regs. § 1700 (2009).
strive to employ strong cybersecurity com- 3. See International Compliance Association,
pliance and control measures that go beyond “What is Compliance?,” available at http://
mechanical satisfaction of applicable legal www.int-comp.org/faqs-compliance-
rules, and the board has an obligation to regulatory-environment.
Risks of disputes and regulatory investigations related to cybersecurity matters
Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
such cost, combined with an increasing chance of an incident triggering these clauses, is an area likely to be subject to dispute both during contract negotiation and in the wake of a breach.

Many contracts already contain liability allocation provisions, but those provisions do not explicitly address cybersecurity matters. In the wake of a cybersecurity incident, interpreting the liability allocation provisions will be a matter of some dispute.

c) Data security and notification. Laws, regulations, and political and consumer pressure have increased businesses’ focus on the security of consumer data. At the same time, consumer data have become a more valuable commodity. For instance, AT&T and Apple both contested Radio Shack’s ability to sell consumer data during Radio Shack’s bankruptcy.

Recognizing these trends, businesses are placing more provisions in contracts that dictate security requirements. Because the underlying consumer data are valuable, these provisions may be subject to significant disputes during negotiations. Other businesses are attempting to read existing provisions as covering security requirements and privacy responsibility.

Many businesses that entrust sensitive data to counterparties are including breach notification provisions in contracts. These provisions vary greatly, even within a single industry, and create various thresholds for notification. For instance, some provisions require notification in the event of a breach. Others require notification if there is an indication of a breach. Many victims of a security breach seek to keep the existence of a breach out of the press, which can create tension with notification provisions.

2. Data ownership/data processing. Most state breach notification laws differentiate between data owners and data processors, but existing contracts do not always explicitly define these roles. Some businesses have attempted to understand these issues and have asserted ownership (or, in some cases, denied ownership) of data in the absence of a specific ownership allocation. This can lead to disputes in long-standing business relationships. One business may seek to sell information it is collecting while a contractual counterparty is attempting to safeguard the same data. Not all businesses seek to clarify this relationship prior to selling data, which can lead to significant disputes when such sales come to light.

In the context of a data breach
Data breaches expose businesses to many additional disputes. At times, these disputes can be more problematic than the intrusion itself. Contractual counterparties, customers, and other impacted businesses may all seek some compensation in the wake of a data breach. Insurance companies may seek to avoid payment under policies that arguably apply, leading to additional litigation.

1. Contractual counterparties. Most contracts have provisions that are either directly or indirectly implicated by a data breach. Some of these provisions are triggered by a breach, such as obligations to notify consumers whose information is exposed. A counterparty may allege that other provisions are broken by an intrusion, such as a requirement to have adequate or reasonable security. Businesses often struggle with whether a particular provision requires notification, either because the provision itself is not clear or because the business believes that the intrusion does not rise to the level contemplated in the contract.
Counterparties may disagree with this interpretation, leading to disputes if the intrusion does come to light.

Notification provisions often have an abbreviated time frame for notification. Attempting to identify and comply with notification provisions of impacted counterparties can create additional stress beyond the already significant stress related to a data breach. Reviewing and attempting to interpret these provisions after an intrusion also creates risk of contractual breach, as a business may not discover the notification provision until after the required time frame has passed.

In the wake of a breach, a victim’s security will come under scrutiny, and a contractual counterparty may argue that the security was inadequate under the contract. For instance, in the DFARS provision discussed previously, “adequate security” is ripe for protracted litigation in the wake of a cybersecurity incident. It is difficult to define such terms adequately and still provide flexibility in the face of changing threats.

In some industries, such as those that deal with payment cards, many security requirements are codified and subject to audit. The victim of a data breach may be subject to a more intrusive audit to confirm its security.

Many contracts that involve confidential data have a provision for certifying that the confidential data have been destroyed. A counterparty may rightly inquire how such a certification was made in the wake of a cybersecurity incident.

2. Customers. Many intrusions lead to lawsuits by customers, whether they be individual consumers or large businesses. Recent card breaches have resulted in significant class-action litigation, and these cases have received much of the press, but business customers have also pressed for indemnification in the wake of an intrusion.

Disputes with business partners over data breaches can disrupt normal operations, above and beyond the disruption caused by the data breach itself. The need to resume normal operations can pressure the victim to quickly agree to a settlement.

Customers will often file class actions in the wake of a data breach. Plaintiffs’ lawyers are growing more sophisticated in how and where they file these actions. Both individual consumers and financial institutions have filed class actions, and, in some cases, these class actions are consolidated into complicated multidistrict litigation with multiple tracks for the differing plaintiffs. This creates expensive and cumbersome litigation.

3. Other impacted businesses. Contractual counterparties are not the only businesses that may sue in the wake of a data breach. Banks that issued cards implicated in Target’s data breach are suing Target, even if they lack any traditional relationship to Target. Our more interconnected society has spread the effects of cybersecurity problems, and affected parties are developing more creative methods to file suit against the original victim of the intrusion.

4. Insurance. More and more insurance companies are offering cyber policies, and more businesses are attempting to make claims for intrusions under general policies. Insurance companies are, in turn, attempting to limit the scope of coverage. Some insurance companies are denying claims, while others are carefully reviewing invoices for services related to data breaches. The cost to respond to a breach can be expensive, and insurers will continue to dispute claims and charges. In some cases, this will lead to additional litigation after the data breach response is complete.
The FFIEC has been one of the leading regulators with regard to cybersecurity. The FFIEC has had an IT examination handbook for several years and is developing a tool to help financial institutions assess risk. In addition, the FFIEC requires financial institutions to require certain cybersecurity measures of the institutions’ third-party service providers, effectively expanding the FFIEC’s jurisdiction. The FFIEC has experience in investigating data breaches and imposing punishments based on insufficient security. Other regulators look to the FFIEC’s examination handbook to inform their own regulations and investigations.

DHS is involved in coordinating information sharing, securing critical infrastructure, and protecting federal cybersecurity assets. Currently, its programs for most private businesses are voluntary, but as Congress continues to focus on information sharing as a key component of reducing cybersecurity incidents, plaintiffs and courts will see these programs less as voluntary and more as the minimum standard of care.

NIST publishes an array of standards related to cybersecurity. Although none of these standards are binding on private entities (at least as of publication), they
Legal considerations for cybersecurity insurance
K&L Gates LLP – Roberta D. Anderson, Partner
■ SEC’s cybersecurity risk factor disclosure guidance and cybersecurity insurance
In October 2011, in the wake of what it phrased “more frequent and severe cyber incidents,” the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance issued disclosure guidance on cybersecurity, which advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” The guidance advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” that the company has in place to address cybersecurity risk.

SEC comments in this area have regularly requested information regarding “whether [the company] ha[s] obtained relevant insurance coverage,” as well as “the amount of [the company]’s cyber liability insurance.” More recently, the SEC is asking not only whether the company has cybersecurity insurance and how much the company has but also how solid the company’s coverage is:

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Emphasis added.)

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Emphasis added.)

The SEC’s guidance provides another compelling reason for publicly traded companies to carefully evaluate their current insurance program and consider purchasing cybersecurity insurance.

■ The exclusion of cybersecurity and data privacy-related coverage from traditional insurance policies
In response to decisions upholding coverage for cybersecurity and data privacy-related risks under traditional lines of insurance coverage, such as Commercial General Liability (CGL) coverage, the insurance industry has added various limitations and exclusions to traditional lines of coverage.

By way of example, Insurance Services Office (ISO), the insurance industry organization that develops standard insurance policy language, recently introduced a new series of cybersecurity and data breach exclusionary endorsements to its standard-form CGL policies, which became effective in May 2014. One of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to the primary CGL policy:

This insurance does not apply to:

p. Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit
Table 1. Third-party coverages

Privacy liability: Generally covers third-party liability, including defense and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect protected and confidential information.

Network security liability: Generally covers third-party liability, including defense and judgments or settlements, arising from security threats to networks, e.g., inability to access the insured’s network because of a DDoS attack or transmission of malicious code to a third-party network.

Regulatory liability: Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fines and penalties.

PCI DSS liability: Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fines and penalties, for alleged noncompliance with PCI Data Security Standards.

Media liability: Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising.
Table 1 (continued). First-party coverages

Crisis management: Generally covers “crisis management” expenses that typically follow in the wake of a breach incident, e.g., breach notification costs, credit monitoring, call center services, forensic investigations, and public relations efforts.

Network interruption: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of computer systems/networks.

Contingent network interruption: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of a third party’s computer systems/networks.

Digital assets: Generally covers the organization’s costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data.

Extortion: Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident.
Understand risk profile and tolerance.
A successful insurance placement is facilitated by having a thorough understanding of an organization’s risk profile, including the following:

• the scope and type of data maintained by the company and the location and manner in which, and by whom, such data are used, transmitted, handled, and stored
• the organization’s network infrastructure
• the organization’s cybersecurity, privacy, and data protection practices
• the organization’s state of compliance with regulatory and industry standards
• the use of unencrypted mobile and other portable devices.

Many other factors may warrant consideration. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.

Ask the right questions.
It is important to carefully evaluate the coverage under consideration. Table 2 shows ten of the important questions to ask when considering third-party and first-party cyber insurance.

The list is not exhaustive, and many other questions should be considered, including, for example, the extent to which the policy

Table 2. Questions to ask about third-party and first-party cyber insurance

Third-Party. Does the policy:
• cover the acts, errors, and omissions of third parties, e.g., vendors, for which the organization may be liable?
• cover data in the care, custody, or control of third parties, e.g., cloud providers?
• cover new and expanding privacy laws and regulations?
• cover personally identifiable information in any form, e.g., paper records?
• cover confidential corporate data, e.g., third-party trade secrets?
• cover wrongful or unauthorized collection of data?
• cover regulatory fines and penalties?
• cover PCI DSS-related liability?
• exclude the acts of “rogue” employees?
• exclude unencrypted devices?

First-Party. Does the policy:
• cover business income loss resulting from system failures in addition to failures of network security, e.g., any unplanned outages?
• cover business income loss resulting from cloud failure?
• cover contingent business income loss resulting from the failure of a third-party network?
• cover data restoration costs?
• cover business income loss after a network is up and running, but before business returns to full pre-incident operation?
• contain hourly sublimits?
• contain an hourly “waiting period”?
• contain a sublimit applicable to the contingent business income coverage?
• exclude loss for power failure or blackout/brownout?
• exclude software programs that are unsupported or in a testing stage?
outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow, and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as the following:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

Place the story in the right context.
It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cybersecurity insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions such as the one at issue in the Columbia Casualty case, which, if enforced literally, would largely if not entirely vaporize the coverage ostensibly provided under the policy. These types of exclusions can be acutely problematic and impracticable. A myriad of other traps in cyber insurance policies—even more in those that are not carefully negotiated—may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, comprising the extremely complex areas of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. In addition, CNA represented in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber liability and CNA NetProtect products

CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes, and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters depending on the particular circumstances of the coverage action.

Secure the best potential venue and choice of law.
One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success, among other reasons because the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different
interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice of law analysis before initiating coverage litigation or selecting a venue or, where the insurer files first, before taking a choice of law position or deciding whether to challenge the insurer’s selected forum.

Consider bringing in other carriers.
Often when there is a cybersecurity, privacy, or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like the Target breach may implicate an organization’s cybersecurity insurance, CGL insurance, and Directors’ and Officers’ Liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings. Again considering the context, a judge, arbitrator, or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion, and the organization’s cybersecurity insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. Relatedly, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

Retain counsel with cybersecurity insurance expertise.
Cybersecurity insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cybersecurity insurance expertise assists an organization on a number of fronts. Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution, and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient, streamlined manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, thereby, at a minimum, streamlining the case in a cost-effective manner and limiting the issues that ultimately go to a jury. Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon obvious and subtle differences between and among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multimillion dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

■ Conclusion
Cyber insurance coverage can be extremely valuable. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim. If a claim arises, following sound litigation strategies and refusing to take “no” for an answer will greatly increase the odds of securing valuable coverage.
Consumer protection: What is it?
Wilson Elser Moskowitz Edelman & Dicker LLP – Melissa Ventrone, Partner and Lindsay Nickle, Partner
Adding to the difficulty of trying to balance data privacy and security with innovation and usability, organizations must concurrently maintain compliance with the myriad of state and federal data privacy and security laws, regulations, and guidelines. It would take several books to outline all the laws, regulations, and guidelines that affect consumer protection and cybersecurity. This chapter is designed to provide organizations with an understanding of those laws that have the most significant impact on privacy and security from a consumer protection perspective. There is no better place to start this discussion than by examining the recent activities of the Federal Trade Commission (FTC).

■ Cybersecurity, consumer protection, and the FTC
The FTC has deemed itself the enforcer of data privacy and security, the ultimate authority responsible for protecting consumer privacy and promoting data security in the private sector. In fact, the FTC commonly is considered the most active agency in the world in this area. Although the debate continues on whether the FTC has authority to police data privacy and security under section 5 of the FTC Act, organizations must be aware that the FTC and other regulators are monitoring practices and investigating and enforcing various laws under the guise of privacy and cybersecurity as a consumer protection issue.

The FTC regulates this space under section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC may choose to investigate an organization if it believes that the organization has made materially misleading statements or omissions regarding the security provided for consumers’ personal data. Further, according to a prepared statement by the FTC, “a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by the consumer nor outweighed by countervailing benefits to consumers or to competition.”

What does this mean? Well, according to an FTC report, this means that an organization’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” In other words, the FTC can choose to investigate an organization simply because the FTC believes the organization is doing a poor job protecting consumers’ information. Confused? You are not alone. Frankly, it appears that the FTC views poor cybersecurity practices a bit like courts view pornography—they know it when they see it.

Organizations looking for guidance from the FTC on appropriate security measures to protect consumer information may find themselves twisting in the wind like the last leaf on a tree. The FTC has not issued any detailed guidelines on what constitutes “reasonable security measures.” To be fair, the FTC most likely struggles, as do many agencies, with establishing guidelines that are flexible enough to apply to a wide range of organizations in a variety of industries, yet structured enough to set a standard.

The FTC addressed this argument by instructing companies to review its previous consent decrees to identify “reasonable”—or more appropriately, what it considered to be unreasonable—security standards. Thus, in the midst of day-to-day operations, the FTC apparently expects an organization to carefully review a multitude of previous consent decrees to identify what it should be doing to reasonably protect consumers’ information.

Organizations can also review a 15-page guide the FTC published in 2011, Protecting Personal Information: A Guide for Business. This guide informs organizations that a “sound business plan” is based on five principles:

Know what information you have and who has access to the information.
■ 130
CONSUMER PROTECTION: WHAT IS IT?
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
issues. Smaller banks face on-site visits every 12 to 18 months. In 2013, the OCC updated its Third-Party Relationship Risk Management Guidance to set out expectations for risk assessment and management of third-party relationships. The senior management and boards of banks retain responsibility for cybersecurity even when third parties are involved. As a result, the OCC mandates comprehensive oversight and management of third-party relationships throughout the life of each relationship. This requires extensive due diligence prior to establishing a relationship, execution of written contracts that should include the right to audit the third party, ongoing monitoring, documentation, and reporting regarding risk management processes, and independent review of processes. Further, the OCC requires that third-party contracts stipulate that the OCC has the authority to examine and regulate the services provided to the bank by the third party.
The financial industry is highly regulated, and its consumer protection and cybersecurity aspects are no exception. Identity theft, at its heart, is a consumer protection issue. Enforceable security guidelines set out by regulators and aimed at the protection of consumer information trickle down to service providers, as the financial institutions are affirmatively charged with managing risks associated with vendors and service providers. The recommendations and requirements of the financial regulators make clear that extensive due diligence, monitoring, planning, and management are required in the quest to take reasonable security measures.

■ Health care, cybersecurity, and consumer protection
Any discussion of consumer protection and cybersecurity must include a discussion of the health care industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs protected health information (PHI) maintained by various organizations that fall under the jurisdiction of HIPAA (covered entities) and other organizations that may receive health information from covered entities while performing various services. HIPAA is enforced primarily by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). State attorneys general also have the authority to enforce HIPAA.
OCR’s authority to enforce HIPAA encompasses covered entities regardless of size and their “business associates,” a term that includes first-tier vendors that contract directly with covered entities and all downstream entities that receive PHI in the course of their business. Perhaps the most helpful aspect of HIPAA is that it specifies privacy requirements that covered entities must follow, as well as identifies security elements for covered entities to consider.
The HIPAA Privacy Rule outlines standards for the use and disclosure of all forms of PHI, categorizes PHI into three major “usage” categories—treatment, payment, and health care operations—and sets up rules associated with each use. Uses that fall outside of these categories or that do not qualify as any of the exceptions described in the rule require an authorization from the affected individual. Meanwhile, the HIPAA Security Rule establishes standards for preserving the confidentiality, integrity, and availability of electronic PHI. Specifically, the Security Rule requires covered entities to have appropriate administrative, physical, and technical safeguards in place to protect PHI and contains detailed security requirements for protecting PHI. For instance, covered entities must conduct an assessment of the risks to and vulnerabilities of the protected health information.
These guidelines provide organizations with concrete examples of steps needed to protect PHI and hence the consumer information in their systems. However, organizations should be aware that compliance with HIPAA is a minimum standard. As technology continues to change and develop, circumstances may require organizations to exceed the minimum HIPAA compliance requirements to effectively protect consumer information.
Organizations must build privacy and security into their systems, processes, and services from the ground up and from the top down. Education and training for all employees should start on day one and be continuous. The time and effort required to assess cyber risk and understand data is minimal compared with the potential implications of failing to do so. Technology is constantly evolving, which means cybersecurity does as well, and an organization’s efforts to protect consumer information must similarly adapt. It is better to have considered a tool and rejected it because it substantially degrades the service offered than to ignore the vulnerability entirely. Organizations must face cybersecurity risks as an enterprise and leverage industry experts to guide them through this quagmire of laws, regulations, and threats.
SecurityRoundtable.org 135 ■
Protecting trade secrets in the age of cyberespionage
Fish & Richardson P.C. – Gus P. Coldebella, Principal
U.S. will expose this misconduct to the world. Second, the indictment sent a message to U.S. companies that, although past breaches and legal and reputational risk may have convinced boards and management to shore up defenses against cyberattacks involving ‘personally identifiable information,’ or PII, the most sophisticated attackers are interested in other, more mission-critical data on companies’ networks—intellectual property. The loss of trade secrets could cause more harm to a company’s reputation, value, and future prospects than a PII breach ever could. The U.S. government is signaling that companies should focus on taking immediate, reasonable steps to defend their intellectual property assets.
In a world where countries persistently attack companies and compromise of a company’s networks seems inevitable, management may be tempted to throw up their hands and concede defeat. There are, however, important legal and practical reasons to fight. In this chapter, we explore reasonable steps companies can take to prevent the cybertheft of their IP assets, to mitigate the harm of such thefts if they occur, and to challenge competitors that use stolen IP assets to unfairly gain an advantage in the marketplace.

■ Conducting a trade secrets risk analysis
So what types of IP are cyber spies after? Intellectual property has four broad categories: patents, trademarks, copyrights, and trade secrets. A trade secret—according to the Uniform Trade Secrets Act, or UTSA, adopted in some form by 48 states and the District of Columbia—is information that gains its actual or potential economic value from being not generally known and reasonably protected from disclosure. Of the four IP types, only trade secrets maintain their value, and their legal protection as trade secrets, through nondisclosure. If a trade secret is not disclosed, the economic benefit it provides and the legal protection it enjoys can theoretically last forever. If it is disclosed, those advantages can be destroyed. Trade secrets stand apart from other IP, which gains and maintains its legal protection through disclosure: the filing of a patent, the registration of a trademark, and the creation/publication of copyrighted material. Cyberthieves generally set their sights on a company’s trade secrets—the one type of IP that is not readily available for the world to see.
Some companies keep their trade secrets offline. Legend has it that one of the most storied trade secrets, the formula for Coca-Cola, is on a handwritten piece of paper in a safe in Coke’s Atlanta headquarters. But air-gapped trade secrets are rare in the Internet age. Given this, it is crucial for a company to identify and locate the trade secrets on its networks, and those that are being deposited there in the ordinary course of business. Every company has such mission-critical secrets: design specifications, chemical formulas, computer code, financial algorithms, customer lists, and business plans, to name a few. Finding them is a key, and sometimes overlooked, part of a top-to-bottom network vulnerability analysis. Unless a company knows what trade secrets it has and where they are located, it cannot begin to secure them.
Once a company catalogs its online trade secrets, it should ask several high-level strategic questions: How are they currently safeguarded? Who may access them? What systems are in place to alert the company that the trade secrets have been exfiltrated or altered? These questions and the protective measures developed in response are not only important to thwart cyber attackers—but also help to prevent all types of attempted trade secret theft, whether conducted via the Internet or the old-fashioned way. They also help to best position the company if it brings litigation seeking damages, injunctive relief, or other recompense for the theft. Although the cybertheft of trade secrets has not yet yielded many judicial decisions, law books are rife with cases of companies seeking damages resulting from current or former employees spiriting off trade secrets to their next employer or to a competitor. One of the central questions in any such litigation is: did the company make reasonable efforts under the circumstances to protect the secrecy of its confidential information? The
reasonable measures identified in these decisions—such as training employees on trade secret protection, requiring employee confidentiality agreements prior to granting access, and revoking access upon termination from the company—apply with equal force in the cyber context, and companies should employ them. Below, we discuss additional cyber-specific protective measures that companies can consider taking.

■ Planning for the worst
Certain adversaries—especially nation-states and state-sponsored groups targeting U.S. trade secrets—are highly skilled, technologically savvy, and persistent. They are not trolling for just any IP, and they will not be put off by even best-in-class technical defenses and move on to the next target when their mission is to steal your company’s secrets. Even with reasonable defenses in place, companies should assume that an attack will eventually be successful, and that a company’s IP and trade secrets may be compromised as a result. One way companies can protect themselves is to consider ways, such as the following suggestions, to reduce the likelihood that even a successful intrusion leads to IP theft.

Access controls and segmentation
Companies should implement access controls on crown jewel data. Although almost every employee requires access to certain parts of the company’s network, not all of them need access to files containing trade secrets. Not even all employees that require access to some trade secrets need access to all. A smart access control system makes it clear that secrets actually are treated as secrets—i.e., only those with a need to know (as opposed to everyone with a network password) are given access to the data.
Another related layer of protection is ‘trade secret segmentation,’ which, according to John Villasenor in his article Corporate Cybersecurity Realism (Aug. 28, 2014), is distributing information “so that no single cybersecurity breach exposes enough of a trade secret to allow the attacker to obtain the full set of information needed to replicate a targeted invention, product, or service.” A company can achieve segmentation in two ways detailed by Villasenor: first, by dividing a trade secret into modules, distributing the modules across multiple networks, and ensuring that there is no easy path from one network to the next; and second, once the trade secrets are broken up into modules, by allowing employees access only to the modules that are relevant to them. Some modules can be separated physically and allow nearly no user access. For example, ‘negative information’—valuable secrets about what does not work, often the result of meticulous collection of data through extensive, costly research—is not frequently accessed in a company’s day-to-day operations and therefore can be segmented and stored in an extremely limited set of locations. Implementing robust access control alongside segmentation makes it more difficult for an adversary to steal a company’s crown jewel trade secrets in a single attack, and to ‘spearphish’ its way into accessing some or all of a company’s crown jewel data under the guise of an authorized user.

Monitor data flow, not just authorization
Instead of monitoring only for unauthorized access, companies should flag and investigate instances and activity of high-volume or suspicious data transfers, whether or not the transferor is ‘authorized.’ Systems that look only for suspicious behavior by unauthorized users can blind the company to critical and common cyberattacks. History shows that trade secret theft frequently is carried out by authorized users—think about a disgruntled employee downloading the master customer list, or the trading algorithm, right before he or she quits to work for a competitor. In another common scenario, when hackers obtain privileged user credentials to infiltrate a company’s network, activity that appears attributable to ‘Mike in Accounting’ may actually be malicious. Systems should be designed to monitor the flow of key data, whether or not it is being accomplished by someone with apparent trust.
Mark and tag secrets
Even in the bygone days of trade secrets on paper, companies knew to clearly mark their secrets with a legend. This accomplished two things: employees would know to handle those secrets consistent with the company’s trade secrets policies, and if they were stolen, they could be identified as the company’s property. Just like cartographers of old intentionally included fake shortcuts, streets, and even towns to immediately recognize misappropriated copies of their maps, tagging digital assets provides a way to definitively prove that the IP was originally yours. Today, with an array of technological means at hand, companies can do more, including tagging digital IP with code that could, say, render stolen files inoperable. The IP Commission Report correctly recommended that “protection...be undertaken for the files themselves and not just the network, which always has the ability to be compromised.” It suggested that:

Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen. Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. (IP Commission Report at 81.)

Collect forensic leads as part of incident response
Of course, executives must make sure that the company has created a robust incident response plan and has practiced and exercised it. Under such a plan, the first call should be to experienced outside counsel, who can hire the forensics and crisis PR teams to investigate and respond to what happened, and who can give the results of the investigation the greatest chance of being considered privileged, which is important as the legal and regulatory consequences of breaches continue to grow. It is also important—especially with potential trade secret theft—to preserve all information surrounding the incident in a forensically sound way. For example, collecting and analyzing log information may allow a company to determine what data were lifted and where they were sent, which could be critical in investigations by law enforcement and in post-breach litigation.

■ Taking on the IP thieves and their beneficiaries
Adversaries want to steal your trade secrets for a simple reason: to use, sell, and profit from them. Every IP theft contains the seeds of unfair competition based upon the stolen secrets. Assume the worst has happened, and you begin to see the company’s hard work or research emerge in the marketplace, embedded in a competitor’s product or across the negotiating table. What options do you have? We discuss five here:

Misappropriation of trade secrets. The victim of trade secret theft may bring an action under state law to enjoin the beneficiary of the theft and recover damages. (There currently is no federal private right of action for misappropriation of trade secrets.) As already discussed, most states have adopted a version of the Uniform Trade Secrets Act, or UTSA. UTSA prevents using a trade secret of another without consent if the defendant employed improper means to appropriate the secret, or “knew or had reason to know that his knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA §§ 1(2)(ii)(A); 1(2)(i). UTSA,
therefore, allows an action against the hacker and the company seeking to benefit from the stolen trade secrets, if the plaintiff can show that the competitor had reason to believe that the data it was using were stolen from someone else’s network. The remedies available under UTSA are powerful and encompass damages and injunctive relief. UTSA authorizes a court to award damages for actual loss and unjust enrichment, including multiple damages if the misappropriation was “willful and malicious.” UTSA §§ 3(a); 3(b). A court also may enjoin actual or threatened misappropriation or may condition the competitor’s future use of the trade secret on payment of a reasonable royalty. UTSA §§ 2(a); 2(b).

Section 337 of the Tariff Act of 1930. To stymie competitors that import their products into the U.S., a potent option is to initiate a process at the International Trade Commission (ITC) under Section 337 of the Tariff Act of 1930. A company may petition the ITC to investigate whether imported goods are the result of “unfair methods of competition”—which includes incorporating stolen trade secrets—so long as the unfairness has the potential to injure or destroy a domestic industry. 19 U.S.C. § 1337. Because § 337 investigations are brought against goods, not parties, there is no need to prove that the specific company profiting from the stolen data was actually behind the cyberattack, only that the product was made or developed using misappropriated trade secrets. Even though the ITC cannot award damages under § 337, the remedy it can issue is potent against any company seeking to import misappropriated products into the U.S.: it can issue an order, enforceable by Customs and Border Protection, preventing goods from entering the country and enjoining sale of such products already here.
Although the IP Commission has criticized the § 337 process as too lengthy and bureaucratic, that was in the context of arguing for a quicker method for U.S. companies to seek exclusion. Our experience is that § 337 actions tend to be much quicker than currently available alternatives, including state and federal court litigation. The ITC process offers U.S. companies a powerful weapon against importation of goods containing stolen trade secrets.

Computer Fraud and Abuse Act (CFAA). Under certain circumstances, the CFAA provides a private right of action for companies to bring suit against a party who knowingly and intentionally accesses a protected computer without authorization, obtains information, and causes harm. 18 U.S.C. § 1030(g). The victim may be able to seek damages from not only the individual who accessed the computer and stole the information but also the company profiting from the stolen trade secret so long as the victim can plead and prove that the competitor “conspire[d] to commit” such an offense (18 U.S.C. § 1030[b]).

Call the feds. A company may refer the theft to federal criminal authorities, which can bring charges under 18 U.S.C. §§ 1831-32 for theft of trade secrets and economic espionage. The economic espionage and trade secret theft statutes reach not only parties who steal the trade secret but also anyone who “receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization.” 18 U.S.C. §§ 1831(a)(3); 1832(a)(3). In addition to imposing hefty fines ($5 million for organizations, unless the theft was intended to benefit a foreign government, in which case it is $10 million), the law also allows judges to force the criminals to forfeit “any property, or proceeds derived from the stolen or misappropriated trade secrets, as well as any property used or intended to be used to help steal trade secrets.” 18 U.S.C. §§ 1834, 2323(b).
Of course, there are always pros and cons to be weighed before bringing civil litigation or involving federal law enforcement authorities. For example, law enforcement has a greater array of tools to compel production of evidence quickly, unlike in a civil suit, although a parallel criminal action may affect the company’s ability to seek civil discovery if the defendants seek a stay or exercise their Fifth Amendment right not to testify. There are also practical and business considerations that may argue for or against such a suit, including its potential to affect existing or future commercial relationships and continued access to foreign markets.

Future action: Report cyberspies and their beneficiaries under Executive Order 13694. In response to high-profile cyberattacks, the President and the federal government recognized that cyber espionage is a serious threat to the nation’s economy and national security but acknowledged that it is not always possible to take criminal or civil action against perpetrators because they are often outside the jurisdictional reach of U.S. courts. For that reason, the U.S. has devised another method for reaching these malefactors, punishing them for their actions, and deterring future attacks. On April 1, 2015, the President signed Executive Order 13694, authorizing the Office of Foreign Assets Control, or OFAC, within the Treasury Department, to (i) identify foreign hackers, the parties who aid them, and the parties who benefit from their activity by using their stolen information to profit and (ii) respond by freezing their U.S. assets and imposing sanctions. OFAC will add foreign individuals identified as being responsible for, contributing to, complicit in, or profiting from significant malicious cyber-enabled activities to its list of Specially Designated Nationals (SDNs). To earn a spot on the SDN list, the associated attack has to be “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Although OFAC cannot assist a company with recovering lost information or barring products from entering the market, reporting the perpetrators of particularly serious cyberattacks to OFAC can serve as a powerful deterrent. It is important to note that E.O. 13694 is, at the writing of this chapter, so new that OFAC has yet to promulgate final regulations governing the SDN-designation process, so companies should consult with counsel to understand their options once final rules are in place.

■ Conclusion
Trade secrets are high on the list of assets that cyber spies are interested in stealing. Careful planning will help your company do its best to prevent the theft of these valuable assets and to thwart a competitor’s attempt to profit from its crimes if an attack is successful. If the worst-case scenario materializes and you discover that your company’s IP has been stolen, take immediate steps to engage experienced outside counsel to assess your best options to investigate the breach, recover damages, enjoin unfair competition, and seek justice.
Cybersecurity due diligence in M&A transactions: Tips for conducting a robust and meaningful process
Latham & Watkins LLP – Jennifer Archie, Partner
Have there been prior incidents?
What is the cybersecurity budget?
What are your recovery plans if critical information or systems become unavailable?

If the front line deal-facing personnel respond, “I don’t know, I’d have to ask,” this is a telling and interesting sign that the target company’s security management program is likely not well integrated into the senior leadership ranks. Sellers thus should be prepared in early discussions to showcase a sophisticated understanding of data security risks and how those risks may materially affect the company’s operations, reputation, and legal risks (or not). A buyer’s key diligence objective should be to probe and test whether the target company has implemented a mature risk management organization to evaluate the accuracy of management assurances about lack of historical breaches, payment card industry (PCI) compliance, protections against competitor or insider theft, and business continuity. Too often in hindsight, a target’s statements made in diligence turn out to have been good faith impressions, or even merely aspirational or reflective of paper policy, but not operational reality.

■ Tailor diligence to what types of information are handled and how important information security is to the bottom line
Beyond these general questions, the buyer should directly probe whether the target management has a sophisticated understanding of potential cyber-related liabilities and the regulatory environment. Unlike environmental or traditional fire or natural disaster scenarios, cyberattack-related liabilities are multi-faceted and unique. In some industries—such as energy, transportation, financial institutions, health care, defense contracting, education, and telecommunications—government oversight can be active and intrusive, and the target’s subject matter expertise will likely reside within the legal, compliance, and/or IT functions. In other industries, however, exposure to costly government investigations from the Federal Trade Commission (FTC) or other agencies may be poorly understood. Federal investigations tarnish brands, especially if enforcement results. Investigations are expensive and distracting, and may lead to a sweeping 10- or 20-year injunction dictating how future information security will be managed and monitored. Compliance with such a decree is expensive and limits a company’s independence and flexibility in significant ways. After a breach, management is often surprised to learn how persistent and aggressive the FTC or state attorneys general can be, even if the company sees itself as a victim of harm, not a perpetrator of consumer injury. If the target’s legal or business representatives are not knowledgeable about the regulatory and enforcement environments, buyers should not place much weight on a seller’s lulling statements or assurances that there have been no incidents or that risk of a cyber event is low.

■ Check for integrated cyber risk awareness and mitigation and a comprehensive security management program
Another sign of a mature security program is a management team with cross-functional awareness on these points at the CEO and board levels, as reflected in board minutes or other documentation. A security program will not be effective if it is a silo inside the IT or information security functions. All substantial stakeholder departments should be involved in cybersecurity risk management, including business unit leaders, legal, internal audit and compliance, finance, human resources, IT, and risk management.
Diligence questionnaires should ask the target company to generally summarize the administrative, technical, and physical information security controls currently in place to safeguard the most critical business data sets. Such controls include technical measures (such as boundary and malware defense, data encryption, intrusion detection systems, anomalous event monitoring, and access controls), administrative measures, and
physical security. The company should have a current documented crisis management/incident response plan in place, including pre-staging of legal and forensic experts and a public relations strategy, all approved by senior management. A buyer should specifically inquire about and assess what financial resources are applied to data security, in the context of the target’s overall approach to risk containment and specific to its industry. Also, buyers should ask the following to gather detailed information about how the company has organized the management of cybersecurity and risk:

Is there a single designated person with overall responsibility? To whom does he or she report? (Risk Officer? CTO? CIO? CEO?)
Describe board oversight. Have directors and senior managers participated in data security training/been involved in the development of data security protocols?
Does the company have legal counsel regularly advising on data security compliance? Is counsel internal or external, and if external, who?
How does the company educate and train employees and vendors about company policies, information security risks, and necessary measures to mitigate risk?
How can employees or members of the public (such as independent security researchers) report potential vulnerabilities/breaches, including irregular activity or transactions?
What is the plan to recover should critical or other necessary systems become unavailable? What are the recovery point and recovery time objectives? How have these and other elements of the plan been correlated to business needs?

If the company has in the last year or two
been adopted, budgeted and scheduled, or already implemented.
For companies whose vendors hold company-sensitive data or access systems, the company should have implemented—prior to engaging in a business relationship—a formal vendor management program that specifically assesses risk and identifies potential security or data privacy concerns and appropriate remediation next steps. After a decision to engage, the company should mitigate data security risks through written agreements and supervision. These third parties should have data security insurance coverage and/or the agreements should require such a party to defend and indemnify the target company for legal liability arising from any release or disclosure of the information resulting from the negligence of the vendor or other third party. Third-party agreements involving data exchange or access also should articulate breach notification procedures, cooperation levels, information sharing, and expressly assign incident control and reporting responsibilities.
Cloud-based or other software-as-a-service (SaaS) solutions as well as mobile devices present their own cybersecurity risks and should not be overlooked in diligence. Does the company permit employees to use cloud-based file-sharing services? Does it rely on SaaS solutions for critical or other business needs such as customer relationship management or HR? Email? How are the security and compliance risks presented being managed? Companies that issue or support mobile devices should have policies and procedures in place designed to protect sensitive information in those environments.

■ Use subject matter experts to assess cyber readiness and liabilities
Given the importance of the above ques-
completed an internal or external audit or tions, the buyer should pay careful atten-
assessment to determine compliance with tion to who asks these questions on behalf
company security policies and/or external of the buyer or underwriters, in what set-
security standards, this should be requested, tings, and with what time allowances. Put
or at a minimum the target company should simply, deal teams ideally should embed
report whether all recommendations have subject matter experts on the business side,
145 ■
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
the technical side, and even the legal side early on—to do the following:

• Pose questions orally
• Follow up with document requests
• Assess the documentation
• Conduct on-site testing and analysis where appropriate
• Assess and advise on the maturity and suitability of the program to the underlying data risks
• Review and advise on deal terms or costs to remediate gaps in compliance or risk management.

Very importantly, the deal team also must be nimble and focused upon the specific industry, because cybersecurity risks are highly variable across industry sectors; threats, liabilities, and government expectations for adequate security are evolving constantly. For example, if hackers acquire and then resell large databases of cardholder data to identity thieves—as happened to Target and Home Depot—the types of expenses and liabilities a buyer could expect are well documented in SEC filings. Expenditures include the following:

• Costs to investigate, contain, and remediate damaged networks and payment systems and to upgrade security
• Liability to banks, card associations, or payment processors for fines, penalties, or fraudulent charges
• Card reissuance expenses
• Expense of outside legal, technical, and communications advisors.

■ For retail sector, diligence surrounding PCI compliance should seek more than a “yes” or “no” response
Buyers of companies who accept, process, store, or handle cardholder payment data streams of course will want to pay particular attention to compliance with current PCI standards. At Home Depot, for example, an attacker used a vendor’s username and password to gain access to Home Depot’s network. The attacker then acquired elevated rights that allowed it to navigate portions of the company’s systems and to deploy unique, custom-built malware on self-checkout systems to access the payment card information of up to 56 million customers who shopped at U.S. and Canadian stores between April 2014 and September 2014. In fiscal 2014, alone, Home Depot recorded $63 million in pretax expenses related to the data breach, partially offset by $30 million of expected insurance proceeds for costs believed to be reimbursable and probable of recovery under insurance coverage, resulting in pretax net expenses of $33 million.

What this sort of financial and reputational exposure means for M&A diligence within the retail sector is that buyers should devote expert and highly substantive attention to how cardholder data are collected, stored, handled, and secured. Payment processing services are material to all retail businesses, and all payment processing agreements have PCI compliance as a material term. So just as the SEC always wants to know about where that relationship stands in its review of risk factors, buyers too want to pay special attention in this area. If PCI compliance is lacking, the seller should at least be able to disclose a specific remediation timeline and a budgeted plan that is hopefully supervised and accepted by the payment processor.

PCI compliance handled correctly is costly and involves constant adaptation and optimization to new threats and new standards. It is not an annual “check-a-box” process. Within the data security space—as was true for Home Depot, Target, and many others—good business practice assumes that a compromised merchant will have a recent, valid, self-certification or even third-party certification of PCI compliance. However, a buyer should not rely simply on the inclusion of such a report or certificate in a virtual data room. Many a breached retailer has held a current PCI certification. Accordingly, the buyer should always test the security of cardholder data independently, at a process
level if necessary. The same security consultants who arrive post-breach to assess root cause and damage can examine card-related data security very meaningfully in the M&A setting, even with only a few days of on-site interviews and document collection. If PCI compliance concerns arise in diligence, deal terms can be arranged that mandate and appropriate funding for third-party independent assessments and implementation of recommendations. Moreover, many retailers now are migrating to new payment systems, and this is a unique technology risk because of the likelihood of delay, interruptions, and budgetary over-runs.

■ Understand and assess awareness and mitigation of risks of trade secret theft, nation-state espionage, and denial of service attacks
Beyond payment card security risks, theft of trade secrets by competitors and insiders, state-sponsored espionage that is exploited for economic advantage, and cyberattacks that disable or cripple corporate networks are less publicized but can be equally damaging to a target business. For example, the high-profile, studio-wide cyberattack at Sony Pictures in November 2014 at the hands of a group calling itself #GOP, aka the Guardians of Peace, starkly illustrates the potential to cripple a business. The attack, which the FBI attributed to North Korea, resulted in the theft of terabytes of company internal email and documents, release of unreleased movies to file-sharing networks, deletion of documents from Sony computers, threatening messages to the company and individual employees, theft and apparent exploitation of sensitive human resources data, and a near complete and prolonged disruption of the company’s ability to transact business and communicate electronically over its networks and systems. In an interview with CBS News, Sony’s outside cyber investigator, Kevin Mandia, disclosed that 3,000 computers and 800 servers were wiped, and 6,000 employees were “given a taste of living offline”—no email and no way to process employee benefits or time cards (Source: http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/). To add insult to injury, much of the exfiltrated material is now readily available (and free text searchable) on WikiLeaks.

The potential for outright theft of intellectual property by competitors should not be overlooked. In DuPont v. Kolon (United States v. Kolon Industries, Inc. et al.), for example, the manufacturer of Heracron, a competitor product to DuPont’s Kevlar, misappropriated DuPont’s confidential information by hiring former DuPont employees as consultants and pressuring them to reveal Kevlar-related trade secrets. DuPont sued the competitor, Kolon, in 2009, and in 2012 the Department of Justice brought criminal trade secret misappropriation charges against Kolon and five of its executives pursuant to 18 U.S.C. § 1832. In light of the parallel charges, Kolon settled, paying $360 million in damages—$85 million in fines and $275 million in restitution. (Source: Department of Justice Office of Public Affairs, http://www.justice.gov/opa/pr/top-executives-kolon-industries-indicted-stealing-dupont-s-kevlar-trade-secrets). To assess these sorts of risks, acquirers should ask:

• Are there former employees who had access to critical intellectual property or other company confidential information who have recently left for competitors?
• What agreements are in place to protect the proprietary information they have?

U.S.-based businesses, academic institutions, cleared defense contractors, and government agencies increasingly are targeted for economic espionage and theft of trade secrets by foreign competitors with state sponsorship and backing. In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion. According to the FBI, between 2009 and 2013, the number of arrests related to economic espionage and theft of trade secrets—which the FBI’s Economic Espionage Unit oversees—at least doubled, indictments more than tripled, and convictions increased sixfold. These numbers grossly understate the frequency of such attacks or losses. Last year, the United States Department of Justice indicted five Chinese military hackers on charges including computer hacking, identity theft, economic espionage, and trade secret theft from 2006 to 2014. The alleged actions affected six U.S.-based nuclear power, metal, and solar product companies. The indictment, filed May 1, 2014, alleges that the defendants obtained unauthorized access to trade secrets and internal communications of the affected companies for the benefit of Chinese companies, including state-owned enterprises. Some defendants allegedly hacked directly—stealing sensitive, nonpublic, and deliberative emails belonging to senior decision makers, as well as technical specifications, financial information, network credentials, and strategic information in corporate documents and emails—while others offered support through infrastructure management. Charges were brought under 18 U.S.C. §§1028, 1030, 1831, and 1832. (Source: Department of Justice Office of Public Affairs, http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor).

Many companies choose not to publicly disclose or discuss these sorts of attacks or disruptions, which may go undiscovered for many months and often years. Even when attacks are discovered, breaches may not be reported to law enforcement or even to affected commercial partners. Questions about historical incidents during due diligence therefore should be open-ended but also very direct:

• Have you suffered thefts of confidential data (wherever stored)?
• Has your network suffered an intrusion?
• Did you retain outside experts to investigate?
• What is known about the attackers and the attack vector?
• What data do you suspect or know were taken?
• How long between the first known intrusion and discovery of the incident?
• Do you suspect or know whether the thief or intruder attempted or made fraudulent or competitive use of exfiltrated data?
• During the past three years, have you experienced an interruption or suspension of your computer system for any reason (not including downtime for planned maintenance) that exceeded four hours?

A buyer should assess a target’s measures to prevent and detect insider threats, including whether basic protections are in place to identify and mitigate insider threats, such as the following:

• Pre-employment screening via dynamic interviews, background checks, and reference checking
• Workforce education on warning signs
• Internal network security measures such as website monitoring, blocking access to free (unauthorized) cloud-storage sites such as Dropbox, turning off USB drives
• Automated monitoring of Web, deep Web, or peer-to-peer network searching for leaked data.

Private and state actors have made use of denial of service attacks to disrupt the business of a company that meets with their disapproval (or as an extortion scheme). Material impact on ecommerce, on-line entertainment, email, and other critical systems are the result. An acquirer might reasonably ask:

• Has the target company evaluated its exposure to such attacks?
• What measures does it have in place to defend itself?
• How would it know if such an attack was occurring?
• Have any such attacks occurred?
International inflection point—companies, governments, and rules of the road
Kaye Scholer LLP – Adam Golodner, Partner
INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS, AND RULES OF THE ROAD
databases in which cyber activity takes place—domestic companies and global companies. Companies own the software, hardware, the information, and the upstream and downstream relationships where this contest takes place. Think of the Internet—every little bit of it is owned by somebody, and the vast majority is owned by public companies globally. Although cyber is the fifth fighting domain (along with land, sea, air, and space), it is the only one owned essentially by private companies. Second, information technology and communications services and products are created and sold by the private sector. If a government acts on those services or products, it acts on services and products with a private sector brand. The same brand used by other companies. Third, the future of the global interoperable, open, secure network is at stake. Will companies be able to continue to drive innovative business models, or will they be stifled by the rules and activities of governments, hacktivists, and criminals playing in their playing field?

Here are some ‘rules of the road’ that should be in play. What cyber activity is an act of war? What cyber activity is acceptable espionage? What is cyber vandalism, and what is the appropriate response? What activity by a nation-state is acceptable on a bank, stock exchange, energy, transportation, electric, or life sciences company? What if it’s a non-nation-state activity? What action is acceptable to proactively stop a planned cyber activity? What principles should animate the decision to use a cyber tool of war on a target connected to the Internet? Is it OK to deliver cyber means through private networks or technologies? What is an acceptable response to another country’s cyber or kinetic act? What are the principles for disclosing or stockpiling zero-day vulnerabilities or interdicting a supply chain? How can we make global assurance methodologies such as the Common Criteria for Information Technology Security Evaluation (Common Criteria) for products even more useful? Should there be requirements for governments to share cyberthreat information with other countries and companies to improve security? What tools in the toolbox are acceptable to curb behavior—prosecution, sanctions, trade, covert action? Is it OK for national security services to steal intellectual property of companies? Is it OK for intelligence services to give it to competitors? What collection of information of or about individual citizens of another country is acceptable or unacceptable? What is the standard? What collection on other governments and their leaders is acceptable?

Most of these questions have some grounding in existing principles and laws, but the cyber facts have to be understood and applied to start to enunciate these rules of the road. Although work has certainly begun on cyber ‘norms,’ the time is right for taking the work to the next level. Furthermore, because the playing field is made up of private networks and elements of technology services and products, the outcomes should by definition be of interest to companies, CEOs, and boards of directors. Good rules of the road should help build trust in networks and technology globally. So, companies should engage in helping set the global rules of the road today. It affects their future.

■ Cyber laws globally
Given that cyber runs the gamut from national security concerns to consumer protection, and countries around the world have different values and interpretation of what laws protect their country and citizens, it should come as no surprise that companies doing business globally will face a myriad of sometimes divergent laws on a range of cyber topics.

An in-depth review of these laws is beyond the scope of this chapter, but it is important to note the categories in which a company, CEO, general counsel, and perhaps even the board must understand that their activity may trigger a compliance issue or affect their ability to provide a product or service.

With regard to compliance and security, there is a saying that ‘compliance does not equal security.’ There is no doubt that driving
to ‘real security’ is the goal, and one that will likely get you where you need to be for compliance as well.

Here is a list of categories of laws to be concerned about and a few specific-use cases:

• infrastructure security: voluntary public-private partnerships (U.S., U.K.), regulation of critical infrastructure (China, pending in E.U., pending in Germany), sector-specific regulation (India telecoms, U.S. chemical, Russia strategic industries)
• incident notification: data breach (U.S. in 47 states, E.U. telecoms, pending new E.U. Privacy Directive), SEC disclose material adverse events (U.S. SEC)
• tort, contract, product liability: in the absence of specific regulation, a company must use ‘reasonable care’ to secure their and third-party data, continue to provide service, build secure products, and protect IP (U.S., E.U., India and for contract, globally)
• board of directors corporate: the board must use its ‘business judgment’ to secure the assets of the company and provide reasonable security (U.S.)
• acquisition of information by nation-states: lawful intercept telecoms (most countries), requests from non-telecoms by judicial or administrative process (most countries), collection outside of home country (most countries)
• technology controls, national security reviews, and certifications: export control commercial technologies (U.S.), export control of military technologies ITAR (U.S.), certification of IT product (26 countries Common Criteria evaluation, China own requirements, Russia own requirements, Korea pending), import restriction on encryption (China, Russia), in-country use of encryption (China, Russia), national security reviews for M&A (U.S. CFIUS & FCC, China).
• privacy: economy-wide limits on collection and transfer of information about individuals (E.U.), sector specific (U.S. health care HIPAA, financial GLB), data localization (Russia), U.S.-E.U. Safe Harbor (allowing for transfer of E.U. privacy information to U.S.)
• speech and content: protection (U.S. Constitution), limits (France, Germany, Russia, China)
• consumer protection: unfair or deceptive security practices (U.S. FTC)
• criminal law: laws against hacking (U.S. CFAA, Budapest Convention on Cyber Crime, many countries), mutual legal assistance (MLATs) (U.S. and many countries for cross-border investigation and extradition)
• multilateral agreements: Wassenaar arrangement (obligation to limit export of dual-use technologies, including security), mutual defense treaties (e.g., NATO and Article 5 cyber obligations), WTO and technical barriers to trade agreement (obligation of WTO members to use international standards, including for technology), WTO government procurement agreements (many countries, rules opening government procurement markets for foreign tech products).

Over the past decade there have been many skirmishes to try to limit the impact of proposed laws that would splinter the global market for technology products and services and protect the ability of companies to continue to drive innovation in products and services. Particularly in the post-Snowden world, where trust of countries and technologies has been strained, companies must pay particular attention to legislative and regulatory proposals that would undermine the global interoperability or security of the network, or use security as a stalking horse to protect or promote domestic manufacturers.

■ Security and privacy
As technology and economics continues to drive connectivity, cloud, mobility, data analytics, the Internet of Things, and the Industrial Internet, we must deal effectively with security and privacy. It’s not just the Snowden effect. People are still working
through what they think about security and privacy. Most want both. Some regions have differing views. In the U.S., we limit what the government can do through Constitutional Fourth Amendment restrictions on unreasonable searches and seizures, but we freely give personal information to commercial companies in exchange for free content and other services we like. In Europe, it’s the opposite. The E.U. presumptively limits what information relating to individuals the private sector can collect and share but often has minimal legal procedures regulating government activities to collect information about its citizens. China has its own view on national security and information, as does Russia. In any event, companies have an important role to play in the future of the intersection of security and privacy.

Most people talk in terms of balancing security and privacy. This may be a false dichotomy. I think the better approach is to drive to security and privacy. Try to get both right. Do what you need to secure a system or crown jewels or an enterprise, and use techniques and technologies that help ensure privacy. I think this is the challenge for the future and likely an area that will spur great innovation. How can we work effectively with anonymized data? How can we implement machine-to-machine anomaly detection without identifying the individual or that a device belongs to a particular individual? How can we manipulate encrypted data at scale? Can we know enough from encrypted data streams across the enterprise or network to understand and stop an exfiltration or an attack? How can we share cyberthreat information that is anonymous and actionable? These are the questions companies can and should ask when providing service, domestically, but particularly globally. There no doubt is competitive advantage in providing solutions that don’t raise privacy concerns.

■ Conclusion
Cyber is by definition a global issue for any company, CEO, and board. The company’s networks are global, products are global, and adversaries are global. Furthermore, the company must have relationships with governments globally. Many companies are ‘global citizens’ and have a majority of their sales outside their home country. Where the cyber issue is in the top of the mind in each of the major markets these companies serve and where governments have not yet sorted out acceptable global ‘rules of the road,’ it is incumbent on company leadership to help figure out what the future is going to look like. Without common ground about what’s OK and not OK for governments to do with regard to each other, companies, and citizens, we will face an uncertain technology future. I am optimistic about the future and about the ability to master the cyber issue. However, it will take moving through the problem set. We are at an inflection point—as we continue to embed devices, software, and hardware into everything, we need to have a view, a path, a structure that gives us confidence. Therefore, when we sit down in an office such as the attorney general’s or a board of directors and ponder the better and lesser proclivities of mankind, we must be confident we are driving rules-based decisions to the happier side of the ledger—one that ensures we reap the benefits of this terrific, accelerating age of technology.
Managing third-party liability using the SAFETY Act
Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner
terrorists to gain control of the planes—were allowed to proceed. The court’s rationale in that case was that a jury could find that Boeing should have foreseen that a terrorist would want to breach the cockpit and hijack the plane, and thus its cockpit doors should have been more strongly designed. Because those claims were allowed to proceed, Boeing on average paid 2½ times in settlement fees what the plaintiffs (here the families of persons killed in the 9/11 attacks) would have received if they had elected to participate in the 9/11 Victims Compensation Fund.

In light of the above, it is obvious that directors and officers of publicly listed companies must be very concerned about post-attack litigation. Even if a court or jury ultimately finds that there is no culpability on the part of a director, officer, or the company itself, the stark reality is that the legal fight to reach that decision will be expensive and protracted.

So, the key question that directors and officers of publicly listed companies must ask themselves is, ‘How do we manage/minimize third-party liability in a post 9/11 world?’ Insurance is certainly an option, but obtaining a comprehensive policy can be very expensive, and further coverage is uncertain. Again using 9/11 as an example, many companies paid immense amounts in legal fees to force their insurance carriers to honor terrorism-related claims under the policies they issued.

Understanding the limits of insurance, the question then becomes what other risk mitigation tools exist that could limit by statute or eliminate third-party claims? Based on a review of existing statutes, regulations, and alternative options such as insurance coverage, the best opportunity for limiting liability is the Support Anti-Terrorism By Fostering Effective Technologies Act (‘SAFETY Act’). Under the SAFETY Act, ‘sellers’ of security products or services (a term that also includes companies that develop their own physical or cybersecurity plans and procedures and then use them only for internal purposes) are eligible to receive liability protections under the SAFETY Act.

In addition, entities that purchase or deploy SAFETY Act approved security products and/or services also will have the benefit of immediate dismissal of third-party liability claims arising out of, related to, or resulting from a declared ‘act of terrorism’ (a term that encompasses physical or cyberattacks, regardless of whether there is any motive or intent that could be deemed ‘political’ in nature).

The reader should remember that at the time of the drafting of this article, no litigation specifically involving the SAFETY Act has occurred, and so there is no established legal precedent interpreting the statute itself. However, the fundamental principles of the SAFETY Act are based on the “government contractor defense,” a well-established common law affirmative defense to third-party litigation that has been reviewed and upheld by the U.S. Supreme Court.

Accordingly, this article is based on interpretations of the SAFETY Act, the Final Rule implementing the SAFETY Act, and the underlying theory of the government contractor defense.

■ Background of the SAFETY Act
The SAFETY Act provides extensive liability protections to entities that are awarded either a ‘Designation’ or a ‘Certification’ as a Qualified Anti-Terrorism Technology (QATT). Under a ‘Designation’ award, successful SAFETY Act QATT applications are entitled to a variety of liability protections, including the following:

• All terrorism-related liability claims must be litigated in federal court.
• Punitive damages and pre-judgment interest awards are barred.
• Compensatory damages are capped at an amount agreed to by the Department of Homeland Security (DHS) and the applicant.
• That damage cap will be equal to a set amount of insurance the applicant must carry, and once that insurance cap is
MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT
technologies have been deployed in defense against or response or recovery from such act and such claims result or may result in loss to the Seller. The substantive law for decision in any such action shall be derived from the law, including choice of law principles, of the State in which such acts of terrorism occurred, unless such law is inconsistent with or preempted by Federal law. Such Federal cause of action shall be brought only for claims for injuries that are proximately caused by sellers that provide qualified anti-terrorism technology to Federal and non-Federal government customers.

The SAFETY Act statute also reads:

JURISDICTION.—Such appropriate district court of the United States shall have original and exclusive jurisdiction over all actions for any claim for loss of property, personal injury, or death arising out of, relating to, or resulting from an act of terrorism when qualified anti-terrorism technologies have been deployed in defense against or response or recovery from such act and such claims result or may result in loss to the Seller.

The key language, which comes from 6 U.S.C. Section 442(a)(1), states that the claims arising out of, relating to, or resulting from an act of terrorism “shall be brought only for claims for injuries that are proximately caused by sellers that provide qualified anti-terrorism technology to Federal and non-Federal government customers.”

Furthermore, in Section 442(a)(2), the SAFETY Act states that U.S. district courts shall have original and exclusive jurisdiction for claims that “result or may result in loss to the seller.”

The language in 6 U.S.C. Section 442(a)(1) and (a)(2) reads such that terrorism-related claims that have or could have resulted in a loss to the seller may only be brought in U.S. district courts against the seller. Nothing in the statute would give rise to claims against other parties who use or otherwise participate in the delivery and use of the QATT. DHS, as set forth in the preamble to the SAFETY Act Final Rule, agrees with this interpretation, stating:

Further, it is clear that the Seller is the only appropriate defendant in this exclusive Federal cause of action. First and foremost, the Act unequivocally states that a “cause of action shall be brought only for claims for injuries that are proximately caused by sellers that provide qualified anti-terrorism technology.” Second, if the Seller of the Qualified Anti-Terrorism Technology at issue were not the only defendant, would-be plaintiffs could, in an effort to circumvent the statute, bring claims (arising out of or relating to the performance or non-performance of the Seller’s Qualified Anti-Terrorism Technology) against arguably less culpable persons or entities, including but not limited to contractors, subcontractors, suppliers, vendors, and customers of the Seller of the technology.

Because the claims in the cause of action would be predicated on the performance or non-performance of the Seller’s Qualified Anti-Terrorism Technology, those persons or entities, in turn, would file a third-party action against the Seller. In such situations, the claims against non-Sellers thus “may result in loss to the Seller” under 863(a)(2). The Department believes Congress did not intend through the Act to increase rather than decrease the amount of litigation arising out of or related to the deployment of Qualified Anti-Terrorism Technology. Rather, Congress balanced the need to provide recovery to plaintiffs against the need to ensure adequate deployment of anti-terrorism technologies by creating a cause of action that provides a certain level of recovery against Sellers, while at the same time protecting others in the supply chain.

Within the Final Rule itself, the Department also stated:

There shall exist only one cause of action for loss of property, personal injury, or death for performance or non-performance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against

Further, based on the extensive analysis conducted above regarding the applicability of the SAFETY Act statute and Final Rule, buy-
the Seller of the Qualified Anti-Terrorism ers of security QATTs will be considered
Technology and may not be brought against ‘customers’ for SAFETY Act purposes, and
the buyers, the buyers’ contractors, or down- therefore entitled to immediate dismissal of
stream users of the Technology, the Seller’s claims related to an approved security tech-
suppliers or contractors, or any other person nology or service. Thus, the SAFETY Act can
or entity. and should serve as an excellent tool to miti-
gate or eliminate said liability.
Thus, the SAFETY Act statute and the Final Accordingly, sellers and customers of
Rule implementing the law make it clear that ‘QATTs’ are entitled to all appropriate pro-
when there is litigation involving a SAFETY tections offered by the SAFETY Act, whether
Act QATT (whether Designated or Certified) those offered by Designation, the presump-
alleging that the QATT was the cause, direct- tion of dismissal offered by Certification, or
ly or indirectly, of any alleged losses, the the flow-down protections offered to cus-
only proper defendant in such litigation is tomers and others. QATT customers and
the Seller of the QATT. Customers and oth- sellers could still face security-related litiga-
ers are not proper defendants and are enti- tion should the Homeland Security Secretary
tled to immediate dismissal, because allow- not declare the attack to be an “act of terror-
ing litigation to proceed against customers ism” or if the claims do not relate to the
would be contrary to the SAFETY Act statute QATT as defined by DHS.
and Congressional intent.
■ Conclusion
■ Practical application of SAFETY Act Entities that are potentially at risk for third-
protections to limit third-party claims party liability claims after an attack can be
Considering the above, companies that sell materially protected through the SAFETY
or deploy security QATTs, as well as their Act. Users of SAFETY Act-approved security
customers, are entitled to extensive benefits. products or services will also receive direct
Sellers of cybersecurity QATTs are entitled to and tangible benefits.
the broad protections from third-party liabil- The SAFETY Act provides strong liability
ity claims offered under a ‘Designation’ and protections that will flow down to such cus-
a ‘Certification.’ tomers per the language of the SAFETY Act
As explicitly set forth in the SAFETY Act statute and Final Rule. A wide variety of
statute and the SAFETY Act Final Rule, the attacks, products, and services, including
only proper defendant in litigation following cyberattacks and cybersecurity products and
an act of terrorism allegedly involving a services, are covered by the language of the
SAFETY Act Designated and/or Certified SAFETY Act, and thus, such products and
QATT is the seller itself. In this case, the services are also eligible to provide dramati-
‘Seller’ would be the security vendor or cally limited litigation and for such litigation
company that deploys its own internally to be limited to ‘sellers,’ not ‘customers.’
developed security policies, procedures, or Certainly not every attack will result in
technologies with the QATT being said liability for security vendors or their custom-
Certified or Designated security policies, ers, particularly with respect to third-party
procedures, or even technologies. liability. Should such liability occur, howev-
The basis for this analysis rests upon the er, it can be mitigated or eliminated using
fact that sellers of security QATTs will have the SAFETY Act.
received the QATT Designation or Perhaps most importantly for directors
Certification, thus conferring upon them and officers of publicly listed companies, the
specific statutory liability protections. SAFETY Act should always be considered
161 ■
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
when examining risk mitigation strategies Given the relative paucity of case law
associated with the company’s internal secu- defining what constitutes ‘adequate’ or ‘rea-
rity programs (physical and/or cyber) as sonable’ security, directors and officers
well as security goods and services pur- should look to the SAFETY Act as a way to
chased from outside vendors. The SAFETY help determine whether their company’s
Act offers powerful liability protections and security plans and programs could be con-
can doubly serve as evidence that the com- sidered to have achieved those benchmarks.
pany exercised ‘due diligence’ and ‘reason- Doing so will not only help improve security
able care’ when designing and implement- but also almost assuredly decrease the com-
ing its security programs. pany’s risk exposure.
■ 162 SecurityRoundtable.org
Combating the insider threat:
Reducing security risks from
malicious and negligent employees
Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair,
Privacy and Background Checks Practice Group
employer of the deviation from the norm, so the employer can investigate further. Employers concerned about the insider threat should consider investing in monitoring software that can perform this type of “user-based analytics.”

Employers also should consider installing data loss prevention (DLP) software on their networks. This software flags communications, such as outbound emails containing sensitive data, for further action. For example, DLP software may identify strings of digits resembling Social Security numbers in an outbound email, quarantine the email before it leaves the organization’s network, and alert the employer’s IT department of a potential data theft.

Although network surveillance software can substantially enhance other information security measures, implementation can pose risks for the organization. Although case law applying the Federal Wiretap Act to real-time email interception is somewhat sparse, the cases suggest that employers who capture email content in real time without robust, prior notice to employees may be exposed to civil lawsuits and even criminal prosecution. Multinational employers face broader, potential exposure for violating local data protection laws, particularly in the European Union. Consequently, employers should conduct a thorough legal review before implementing new monitoring technology.

■ Confidentiality agreements, employee training, and exit interviews

Although many of the safeguards described above may appear to be common sense, they likely will appear to be inconveniences to many employees, especially to the Gen-Y members and Millennials in the workforce for whom the broad disclosure of sensitive information through social media has become natural. Cisco’s 2012 Annual Security Report bears this out, reporting that 71% of Gen-Y respondents “do not obey policies” set by corporate IT. Similarly, Absolute Software’s 2015 U.S. Mobile Device Security Report found that 25% of Millennials admitted to compromising their organization’s IT security as compared to 5% of Baby Boomers. Given this “culture of noncompliance,” employers should consider three methods for reminding employees of their responsibilities as stewards of the employer’s sensitive data.

First, employers should consider requiring that all new hires whose responsibilities will involve access to sensitive data execute a confidentiality agreement. In addition to identifying those categories of information that employees must keep confidential, the agreement should summarize some of the key steps employees are required to take to preserve confidentiality, require return of the employer’s sensitive data upon termination of the employment relationship, and confer on the employer enforcement rights in the event the employee breaches the agreement. Employers should note that several federal regulators, including the Securities & Exchange Commission (SEC), the National Labor Relations Board (NLRB), and the EEOC, have been finding unlawful overly broad confidentiality agreements that effectively restrict employees’ rights to engage in legally protected conduct, such as whistleblowing or discussing the terms and conditions of employment with co-workers. Consequently, any confidentiality agreement should be scrutinized by legal counsel before it is distributed to new hires for signature.

Second, educating employees on information security is critical. Training should address a range of topics, including (a) the employer’s legal obligations to safeguard sensitive data, (b) the types of information falling within the scope of this legal duty, (c) the consequences for the employer’s bottom line of failing to fulfill those legal obligations, (d) the steps employees can take to help the employer fulfill its legal obligations, and critically (e) the situations that constitute a security incident and to whom the incident should be reported. Training should be recurring and supplemented with periodic security awareness reminders. These reminders could take the form of email, posts on an internal blog, or text messages and can include critical alerts, such as notification of a recent phishing email sent to members of the employer’s workforce or warnings against clicking on links or opening attachments that could result in the downloading of malicious code.

Third, employers should consider modifying their exit interview process to specifically address information security. At the exit interview, the employer can accomplish the following:

• provide the employee with a copy of his or her executed confidentiality agreement and remind the employee of his or her ongoing obligation not to disclose the employer’s sensitive data to unauthorized third parties;
• obtain the return of all employer-owned computers, mobile devices, and portable storage media on which sensitive data may be stored;
• arrange for the remote wiping, or other removal, of the employer’s sensitive data from any of the employee’s personal mobile devices allowed to access corporate information systems;
• confirm that the employee has not stored any of the employer’s sensitive data in personal email accounts, personal cloud storage accounts, personal external storage media, or anywhere else.

■ HR and in-house employment counsel need a seat at the “information security table”

In many, if not most, organizations, there is a chasm between the Human Resources department and in-house employment counsel, on the one hand, and the groups responsible for information security—the IT Department, the Chief Information Security Officer, and/or the Chief Privacy Officer—on the other. The former group views information security as the sole responsibility of the latter, and the latter group views employees (and employee data) as the sole responsibility of the former.

However, HR professionals and in-house employment counsel can play a critical role in enhancing an organization’s information security. They typically are responsible for evaluating whether to reject applicants based on information reported by the employer’s pre-employment screening vendor. They routinely train new hires and current employees on a wide range of topics and could easily partner with information security professionals to conduct information security training. They often negotiate contracts with service providers who receive substantial quantities of employees’ sensitive data. They regularly receive and investigate complaints of suspected employee misconduct, which may include reports generated by DLP software or other online surveillance software or about employees’ otherwise mishandling sensitive data. They also typically are involved in disciplinary decisions, including those based on employees’ mishandling of sensitive data.

In sum, by making human resources professionals and in-house employment counsel valued members of the organization’s information security team, organizations can significantly enhance the effectiveness of their overall information security program.
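The DLP behaviour described earlier in this chapter (detect Social Security number–like digit strings in outbound mail, quarantine the message before it leaves the network, and alert IT) can be made concrete with a small policy check. The following is an added example written for this guide, not code from the chapter author or from any DLP product; the message fields, the internal domain example.com, and the alert format are assumptions. It goes slightly beyond the text by applying the public SSA allocation rules so that an order number or a phone number does not trigger a false positive, and by redacting the match so the alert ticket itself does not leak the data it found.

```python
"""Minimal data-loss-prevention (DLP) check for outbound email.

Added example (not from the guide or any vendor product). It models the
behaviour the chapter describes: find strings that look like U.S. Social
Security numbers in an outbound message, quarantine the message before it
leaves the network, and raise an alert for the IT/security team.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Nine digits grouped 3-2-4, with optional dashes or spaces between groups.
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit runs the SSA never issues, to cut false positives.

    Public SSA allocation rules: area 000, 666 and 900-999 are never
    assigned; group 00 and serial 0000 are never assigned.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


@dataclass
class DlpVerdict:
    action: str                                   # "deliver" or "quarantine"
    findings: List[str] = field(default_factory=list)  # redacted matches
    alert: Optional[Dict] = None                  # what the IT team receives


def redact(match: "re.Match") -> str:
    """Keep only the last four digits so the alert does not leak the SSN."""
    return f"***-**-{match.group(3)}"


def scan_outbound_email(sender: str, recipient: str, body: str,
                        internal_domain: str = "example.com") -> DlpVerdict:
    """Decide whether an outbound message may leave the network.

    `internal_domain` is an assumed value; mail to it never crosses the
    network boundary, so the egress policy does not apply to it.
    """
    if recipient.lower().endswith("@" + internal_domain):
        return DlpVerdict(action="deliver")

    findings = [redact(m) for m in SSN_CANDIDATE.finditer(body)
                if looks_like_ssn(*m.groups())]
    if not findings:
        return DlpVerdict(action="deliver")

    # Quarantine: the message is held and a ticket is raised for IT.
    alert = {
        "rule": "ssn-in-outbound-email",
        "sender": sender,
        "recipient": recipient,
        "count": len(findings),
        "samples": findings[:3],   # redacted, so the ticket is safe to share
    }
    return DlpVerdict(action="quarantine", findings=findings, alert=alert)


if __name__ == "__main__":
    # Constructed messages, not real mail.
    print(scan_outbound_email("alice@example.com", "partner@other.net",
                              "Employee SSN 219-09-9999 attached."))
    print(scan_outbound_email("alice@example.com", "partner@other.net",
                              "Order 000-12-3456 shipped; call 555-123-4567."))
```

The allocation-rule filter is the part that matters operationally: a regex alone would quarantine invoices and phone numbers, and the chapter's warning about monitoring risk applies just as much to over-broad interception as to the monitoring itself, so a narrow, well-tuned rule with redacted alerts is both more useful and easier to justify in the legal review the chapter recommends.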
Comprehensive approach
to cybersecurity
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Developing a cybersecurity
strategy: Thrive in an evolving
threat environment
Booz Allen Hamilton – Bill Stewart, Executive Vice
President; Sedar LaBarre, Vice President; Matt Doan,
Senior Associate; and Denis Cosgrove, Senior Associate
you a basis for right-sizing your security program around these assets.

3. Build the right team: Once you define what matters and how much security makes sense, think about the people. What does your direct and extended workforce have to look like to be uniquely successful at your company? These days, you can’t get by with your security program being filled with a technologist majority. Time to weave in an accompanying set of skill sets that will help propel you to success, to include organizational change management, crisis management, third-party risk management, and strategic communications.

4. Enhance your controls: This is largely about scope. With your company’s quickly expanding ‘map,’ you’ll need to adopt new methods for treating risk. For example, if you deliver a ‘connected’ product to consumers, you’ll have to ensure strong embedded device security, as well as protections over the airwaves. Without this, your brand could be at stake. Fortunately, there’s a great deal of momentum in the world today, with new methodologies, technologies, and skill sets continuously being developed to meet the challenge of today’s expanding cyberattack surface.

5. Monitor the threat: Unfortunately, cybersecurity isn’t only about reducing risk behind your firewalls. It must also include maintaining awareness of the threat landscape—external and internal. Because the threat is always changing and always determined, you have to take on that same adaptive mindset. Whether that’s employing strong monitoring and detection capabilities, consuming threat intelligence feeds, or participating in an industry-level information sharing forum, there are many avenues that you should strongly consider using.

6. Plan for contingencies: No one can ever be 100% secure, so it’s vital to have a strong incident response capability in place to manage the ensuing events when something happens, because something undesirable will most certainly happen. Incident response is more than just having the right technology capabilities in place, such as forensics and malware analysis. In fact, real success in cyber incident response usually comes down to the people aspect. How plugged in are you with your company’s legal, privacy, communications, and customer sales units? They are all critical to success; and with this expanded scope of players, you can imagine how a cyber matter can quickly rise to become a top-line business matter.

7. Transform the culture: The best organizations out there today do this well. Because people are the core of your business, it comes down to them ‘buying in’ to cybersecurity as something that they care about. From your dedicated cyber workforce, to business unit leaders, to those that manage your company’s supply chain, you’ll need all hands on deck, each doing their part in advocating for and implementing cybersecurity measures. A security organization can make this easier by finding ways to make cyber relevant for each part of the business by sharing innovations that excite and enable the business.

■ Bringing the strategy to life

Perhaps the best measure of an effective cybersecurity strategy is its ability to be implemented and make a visible change in how the business is operated. With a strategy in hand, the next move is to build momentum with ‘quick wins’ while investing in long-term capability development.

The first step is to use your strategy’s risk framework to assess where you must apply new or enhanced controls. Look broadly. The biggest cybersecurity challenges may not be where your organization usually expects to see them. There are multiple ways to assess how well the organization is performing, including workshops, external assessments, tabletop exercises, or war games.

To appropriately assess the organization, you need to know what ‘good’ looks like. This is different for each organization and industry, but relying on industry benchmarks and existing standards/frameworks (e.g., NIST Cyber Framework) is a good place to get a quick read on your maturity. However, don’t adopt these standards blindly; figure out what’s applicable to your needs and what’s relevant for your organization.

Once you’ve assessed your priorities and set a maturity target, the next move is to build a roadmap that pairs ‘quick wins’ with more strategic and enduring capabilities. Right away, you’ll want to ensure that you are doing the basic blocking and tackling of cybersecurity. Many call this instilling proper ‘cyber hygiene,’ or putting a foundational layer of protections and capabilities in place. Once you’ve gained a solid foothold, it is time to take the next step, such as establishing predictive intelligence mechanisms that help you anticipate the next threat, instead of reacting to it when it hits.

Perhaps the best way—and the biggest challenge—to bringing your strategy to life is to remember it isn’t policy or technology that matters most, but people. Once you’ve embraced this idea and put the person at the center of all of your decisions, you can really start to envision what it’ll take for cybersecurity ‘change’ to happen in your organization.

■ What getting it right looks like

It is easier to write about the concepts of a good cyber strategy than it is to deliver one for your organization. However, getting cybersecurity right for the organization has benefits far beyond IT. A strong cyber strategy drives security capability development and ultimately has the power to transform the business into a more successful one. An effective cyber strategy looks different depending on the industry and individual business, but they all share some key features.

It’s driven from the top. First, a strong cyber strategy won’t be locked away in a file cabinet, buried in a hard drive, or lost in the cloud. Instead, it will be part of your organization’s core message, and it will feel alive. That tone will be set from the top, with senior executives explaining how cyber will drive the future success of the business.

It’s at the beginning of every new story. Whether you’re designing a new product or launching into a fresh multinational joint venture, cyber is a conversation that will always take place. Requirements are built in from the beginning and brought to life as the venture evolves. Remember, it’s always easier and cheaper to implement cyber earlier rather than later in the lifecycle.

Cyber is communicated in simple business language. Don’t be paralyzed by those who only want to ‘speak geek.’ Simple, easy-to-understand logic should prevail when communicating how cybersecurity is enabling your business.

You’ve established a predictive edge. If you’ve evolved your strategy in a disciplined manner, some really amazing things start to come to life. One powerful aspect is that you’re using multiple sources of intelligence to understand the world around you, and you are able to anticipate the adversary’s next move. Sometimes this can feel like playing a fun video game, but it could really mean saving the lifeblood of your business.

The puzzle pieces come together. With all that you’ve invested in cybersecurity, the real payoff comes when you see the component elements work in harmony as a system. A unified construct that links constituent technologies, processes, and people together will prove highly effective in monitoring and responding to events and engaging the broader business ecosystem to get things done.

You play a role in the community. Cybersecurity is not something you should attempt alone as an organization. The complexity of vulnerability and the highly resourced threats today are simply overwhelming for any one entity. Cybersecurity requires the power of community, new ideas, and security capabilities coming to life. When successful, your organization is an active part of key dialogues with industry and government. Threat intelligence and best practices are shared two ways, but more importantly, you integrate into the fabric of a very important and very valuable community.

‘Change agents’ are swarming. You’ll need these thought leaders to move across all elements of the business to shift mindsets and anchor new behaviors. These advocates help spread the cybersecurity vision broadly and provide ‘on the ground’ feedback to make your security strategy stronger.

Security is now embedded across your ecosystem. You’ve taken a long, hard look at the ‘map’ of your business, and you now understand all the points where cybersecurity must play a part. Success at this point means that you’ve carefully and deliberately initiated dialogue and worked with different elements of the business to embed security in places beyond Enterprise IT and extended it into broader touchpoints across the external world.

Your enterprise embraces it. From senior leadership to customer-facing sales teams, cybersecurity is integrated as part of your cultural DNA. You hear about it all the time, and you see how it’s factored into all major business decisions. Your organization has evolved to the point where it is now living the principles of good cybersecurity without even thinking about it.
Designing a Cyber Fusion
Center: A unified approach
with diverse capabilities
Booz Allen Hamilton – Bill Stewart, Executive Vice
President; Jason Escaravage, Vice President; Ernie
Anderson, Principal; and Christian Paredes, Associate
The CFC approach does not guarantee that there will be no security incidents; this is an impossible feat. Rather, it ensures that all security efforts are coordinated efficiently by leveraging the benefits of proximity (either physical or logical) and easy communication between security teams.

The CFC is designed to integrate key security functions into a single unit without stovepipes or prohibitive bureaucracy:

• Security Operations Center (SOC): the heart of the CFC and the first line of an organization’s defense responsible for detecting, responding to, containing, and remediating threats, as well as proactively identifying malicious activity. The SOC is also home to Threat Defense Operations (TDO), the dedicated “hunting” arm of security and intelligence operations responsible for actioning intelligence, conducting in-depth malware analysis, and continually building and improving prevention and detection methods.
• Cyber Threat Intelligence (CTI): the “forward observers” responsible for identifying threats to the organization and disseminating timely, relevant, and actionable reporting to the SOC, C-Suite, and other stakeholders.
• Red Team: the “attackers” who simulate the tactics, techniques, and procedures (TTP) of threats relevant to your organization. The Red Team will continually “stress test” your SOC, driving improvements in detection, response, and SOC analyst threat understanding.
• Attack Surface Reduction (ASR): the proactive defense group responsible for identifying and mitigating vulnerabilities, unnecessary assets, and nonessential services. More than just patch management, optimized ASR teams focus on continually improving an organization’s hardening and deployment procedures to eliminate vulnerabilities before systems go live.

By integrating these functions, the CFC aims to break down communication barriers, centralize threat knowledge and analysis, unify the organization’s security strategy, and ultimately maximize the value of investments in cybersecurity.

Although the security functions that make up the CFC are not new, the CFC approach represents a complex interaction between the security teams with multiple “touch points,” parallel workflows, and constant feedback mechanisms. With the right design and implementation considerations, organizations can:

• increase operational effectiveness by orchestrating the security functions and information flow from threat intelligence, through security and IT operations
• improve security readiness by enabling stronger detection mechanisms and awareness of threats
• accelerate security maturation by reducing the costs associated with coordinating complex security functions across multiple teams.

The CFC is distinguished not by its individual parts but by the integration and interdependencies across its functions. More than just a security approach, the CFC is a security mind-set that organizations can implement to better secure themselves, protect their customers, and reduce costly business disruptions.

■ Building a robust SOC to detect and respond to threats

Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn’t enough. The Security Operations Center (SOC) is the organization’s first line of defense against all forms of threats and is the heart of the CFC. The SOC will handle any suspected malicious activity and work closely with the other teams in the CFC. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, and constant evaluation of the organization’s security technologies.
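The loop this chapter describes for the SOC and its TDO arm (CTI hands over an indicator, TDO encodes it as detection logic, the sensors raise alerts, analysts classify severity and correlate with earlier activity, and feedback tunes the rules so false alarms stop consuming analyst time) is easier to reason about as code. The block below is an added example written for this guide, not code from the chapter authors or from Booz Allen Hamilton. Every log line, host name, indicator and threshold is constructed for the example; the key=value log format is an assumed SIEM normalisation, not a real product schema. It goes beyond the text in one respect: it also computes a false-positive rate before and after tuning, the kind of metric the chapter later says a case-management system should provide.

```python
"""Detection logic, Tier 1 triage and rule tuning over constructed log lines.

Added example, not code from the guide or from Booz Allen Hamilton. It shows
the SOC/TDO loop the chapter describes: CTI supplies an indicator, TDO turns
it and other knowledge into rules, the rules turn raw events into alerts, a
Tier 1 analyst classifies severity and correlates with history (escalating to
Tier 2/3 when warranted), and SOC feedback (an allowlist) tunes the rules.
All log lines, indicators, host names and thresholds are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample telemetry in an assumed key=value normalisation.
SAMPLE_LOGS = [
    "t=08:00:01 host=ws-17 user=jdoe event=auth_fail src=10.1.4.22",
    "t=08:00:03 host=ws-17 user=jdoe event=auth_fail src=10.1.4.22",
    "t=08:00:05 host=ws-17 user=jdoe event=auth_fail src=10.1.4.22",
    "t=08:00:08 host=ws-17 user=jdoe event=auth_fail src=10.1.4.22",
    "t=08:00:09 host=ws-17 user=jdoe event=auth_fail src=10.1.4.22",
    "t=08:00:40 host=ws-17 user=jdoe event=auth_ok src=10.1.4.22",
    "t=09:10:00 host=srv-db1 event=dns query=update.bad-domain.invalid",
    "t=09:11:00 host=scanner-01 event=portscan dst=10.1.4.0/24",
    "t=09:12:00 host=ws-42 event=portscan dst=10.1.4.0/24",
]

# Constructed CTI: a domain indicator handed from the CTI team to TDO.
CTI_DOMAINS = {"update.bad-domain.invalid"}

AUTH_FAIL_THRESHOLD = 5          # assumed tuning value
LEVELS = ["low", "medium", "high"]


def parse(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict (assumed format, not a real schema)."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect(logs: List[str], allowlist: Optional[set] = None) -> List[dict]:
    """TDO detection logic: three rules, each emitting alerts with a base severity."""
    allowlist = allowlist or set()
    events = [parse(line) for line in logs]
    alerts = []

    # Rule 1: repeated failed logins per (host, user); a later success is worse.
    fails = Counter((e["host"], e.get("user"))
                    for e in events if e["event"] == "auth_fail")
    successes = {(e["host"], e.get("user"))
                 for e in events if e["event"] == "auth_ok"}
    for key, n in fails.items():
        if n >= AUTH_FAIL_THRESHOLD:
            sev = "high" if key in successes else "medium"
            alerts.append({"rule": "auth-bruteforce", "host": key[0], "severity": sev})

    # Rule 2: DNS query matching a CTI-provided domain indicator.
    for e in events:
        if e["event"] == "dns" and e.get("query") in CTI_DOMAINS:
            alerts.append({"rule": "cti-domain-match", "host": e["host"], "severity": "high"})

    # Rule 3: internal port scan; the allowlist is the SOC's tuning feedback
    # (known vulnerability scanners should not page an analyst).
    for e in events:
        if e["event"] == "portscan" and e["host"] not in allowlist:
            alerts.append({"rule": "internal-portscan", "host": e["host"], "severity": "low"})
    return alerts


def triage(alerts: List[dict], history: Dict[str, int]) -> List[dict]:
    """Tier 1 step: correlate with prior activity and decide on escalation.

    `history` maps host -> number of earlier alerts (constructed). A host that
    has alerted before is raised one severity level; 'high' goes to Tier 2/3.
    """
    out = []
    for a in alerts:
        rank = LEVELS.index(a["severity"])
        if history.get(a["host"], 0) > 0:
            rank = min(rank + 1, len(LEVELS) - 1)
        sev = LEVELS[rank]
        out.append({**a, "severity": sev, "escalate": sev == "high"})
    return out


def false_positive_rate(alerts: List[dict], benign_hosts: set) -> float:
    """Feedback metric: share of alerts that analysts closed as benign."""
    if not alerts:
        return 0.0
    return sum(1 for a in alerts if a["host"] in benign_hosts) / len(alerts)


if __name__ == "__main__":
    untuned = detect(SAMPLE_LOGS)
    tuned = detect(SAMPLE_LOGS, allowlist={"scanner-01"})
    print("alerts before tuning:", len(untuned), "after:", len(tuned))
    for a in triage(tuned, history={"ws-42": 2}):
        print(a)
```

Two of the chapter's design questions are visible here: the untuned Rule 3 answers "how many new alerts will this produce" (one per scanning host, including your own scanner), and the allowlist is the answer to "who will tune it". The triage step shows why Tier 1 correlation matters: the same low-severity port scan from a host with prior alerts is promoted, while a first-time hit stays low and does not consume Tier 2 time.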
A tiered SOC structure. The SOC can be designed around a simple detect, identify, and mitigate model. Analysts at various tiers investigate malicious activity (aka alerts or events) with these three stages in mind: Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity. If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root-cause analysis to determine what happened.

Threat Defense Operations (TDO). Additionally, specialized analysts within the SOC—Threat Defense Operations (TDO) analysts—are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to a range of devices, appliances, tools, and sensors that make up an organization’s security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network and host-based alerts that Tier 1–3 analysts in the SOC respond to.

TDO analysts will then fine-tune their detection logic based on SOC feedback, creating an efficient CFC that won’t waste time investigating false alarms. The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT) that can be used in detection logic and further enriched by CTI.

Managing all the security alerts (aka “alert fatigue”). This process—building detection solutions and then identifying and mitigating threats—is where many organizations struggle. Oftentimes, implementation of efficient and effective SOC processes is stifled by an overwhelming number of consoles, alerts, threat feeds, and tools that prohibit seamless workflows for analysts. While security managers should continually identify potential feeds and technologies to invest in, their impact on the SOC analyst should always be a primary consideration:

• How many new alerts will this technology or new data feed produce?
• Who will tune the technology to limit the number of false positives it produces?
• Is the technology filling a gap in detection capabilities or adding on to existing capabilities?
• How does the introduction of this new technology affect the SOC workflow?

The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs that emphasize smooth workflows and “painless” methods of data collection (e.g., analysts do not need to contact other teams to access certain data) are more likely to succeed than those that prioritize technology. Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they’ve been alerted to.

Implementing 24/7 operations and managing investigations. Design and implementation should focus on standardizing daily operations, case management, and methods of “measuring success.” Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Leaders with managerial and technical experience can aid in workflow management and provide analyst training.

Having a well-integrated, easy-to-use case-management system that doesn’t get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases and will allow an organization to identify gaps in people, processes, and technologies.

Standardizing your standard operating procedures. Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standardized operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CFC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.

These procedures change as new technol-

Instead of looking to new technology first, successful organizations will constantly evaluate their security posture and frequently train their analysts on how to react to new threats. Organizations must carefully consider how new technology and tools will impact the analysts’ workflow and their ability to detect and respond to threats while focusing on processes and procedures.

■ Using Cyber Threat Intelligence to anticipate threats

Cyber Threat Intelligence (CTI) has become the security buzzword of 2015. Many products and services claim to provide threat intelligence and promise to prevent a major incident. As this term has saturated the market and security circles, the true meaning and value of threat intelligence has become clouded. As a result, the usefulness of threat intelligence is, in some cases, dismissed. However, true threat intelligence is incredibly powerful—it can serve as a force-multiplier for your CFC, helping to improve awareness of threats and offering the means by which these threats could be prevented or detected.

So what is threat intelligence? First, and most important, only humans can produce threat intelligence through focused research, a synthesis of multiple sources (aka “all-source analysis”), and clear, concise communication that explains the relevance of threats to your organization. Generally, threat intelligence feeds will not provide much intelligence value unless they are thoroughly vetted by human analysts first; feeds are more likely to generate false alarms than to indicate malicious activity. Additionally, good threat intelligence will be implemented in a way that demonstrates the following characteristics:
ogy and organizational structures are imple- Cyber Threat Intelligence is timely. Cyber
mented. Many organizations fail to update, intelligence addresses an impending threat
train, and test their staff and leaders on to the business environment. Receiving that
SOPs, hurting their response times and con- intelligence before the threat is realized is
tainment metrics. crucial to the organization. Dissemination of
The bottom line. The SOC provides core strategic and tactical intelligence, including
security functions within the CFC and can indicators of compromise (IOCs), can take
achieve efficiencies through close integration the form of indications and warning (warn-
with other teams such as CTI and TDO. ing of an imminent threat), daily or weekly
■ 180
DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES
181 ■
COMPREHENSIVE APPROACH TO CYBERSECURITY
a risk to your organization. Your SOC could also be a valuable source of input as you determine how to implement your Red Team operations. What types of threats does your SOC regularly observe? More important, what types of threats does your SOC typically not see? Does your SOC find that there are gaps in detection? What does your SOC think they detect/mitigate well and is worth testing? Where does your SOC have limited detect/mitigate capabilities?

It is the Red Team’s responsibility to test these questions and the limits of your SOC and broader CFC. For example, if it is known that the SOC rarely encounters web shells—a type of malware installed on web servers—your Red Team may choose to directly attack a web server.

An important aspect of a Red Team operation is that only select leaders are aware of operations (often referred to as the “white team”), adding to the realism of the event. This implementation allows those who are aware to observe the event as it unfolds, particularly how teams interact with each other, how information is passed along, how stakeholders are engaged, and how the teams handle a variety of attack scenarios. These leaders can also help to scope Red Team activities to ensure no critical data or operations are actually compromised or exposed. (Remember to loop in the legal department prior to the exercise as well.)

After-action improvements. The end result of a Red Team activity should be valuable insight your security team can use to improve its capabilities. For example, during a web server attack exercise, the CFC will need to evaluate how it handled the incident. At what point did the SOC detect the attack? Are there changes that could be made in how security tools are configured to improve future detection of this type of attack? These sample questions frame the improvements that can be implemented within the cybersecurity organization.

The nature of the Red Team’s operations means that communication between the SOC and Red Team can sometimes be strained—no SOC likes to lose, and oftentimes the Red Team has the advantage. This can make after-action review of an incident stressful for both teams. However, a healthy, competitive relationship between the SOC and Red Team can foster improvements in the CFC, particularly in detection and response capabilities. Although the SOC and Red Team functions contrast, their missions are the same: to protect the organization and improve its security capabilities.

Implementation of Red Team operations should therefore emphasize the interdependency between the SOC and Red Team mission. The Red Team should assist the SOC during remediation efforts to ensure any uncovered vulnerabilities are no longer susceptible to exploitation.

The bottom line. Fundamentally, Red Team design and implementation takes a human-centric approach. The benefits of placing your “attackers” in close (physical or logical) proximity to your SOC analysts cannot be overstated. SOC analysts learn to develop an appreciation for the fact that they are fighting people who make decisions to achieve an objective—it’s not just about the malware.

■ Reducing your organization’s attack surface
Efforts to protect your organization will be significantly diminished if your IT systems have easily exploitable vulnerabilities, unnecessary services, and nonessential assets. On the other hand, shutting down all protocols, services, and data resources is not a viable option. Thus, the goal of Attack Surface Reduction (ASR) is to close all but the required doors to your technical infrastructure and limit access to those doors through monitoring, vulnerability assessment/mitigation, and access control.

The ASR team is dedicated to identifying, reducing, and managing critical vulnerabilities, services, and assets, while also focusing on preventing the introduction of vulnerabilities via improved hardening procedures.

Understanding and prioritizing your “attack surface.” Implementing ASR is all about identifying and understanding your most critical business applications and services—the
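The chapter describes three feedback loops without showing what the data behind them looks like: the case-management system's metrics on how effectively the SOC detects and contains cases, the TDO team tuning detection logic on SOC feedback so analysts stop chasing false alarms, and the Red Team after-action question "At what point did the SOC detect the attack?". The following added example (not code from the guide or from any CFC described in it) computes all three from a small constructed case-management export. The rule names, case ids, timestamps and the "red-team" source tag are hypothetical; the threshold of 50% false alarms for flagging a rule is an arbitrary choice for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed case-management export (hypothetical data, not from any real SOC).
# Each record is one alert the SOC worked: the detection rule that fired, where the
# activity came from ("sensor" for production alerts, "red-team" for exercise activity
# recorded by the white team), the analyst's disposition, and three timestamps:
# first_activity (earliest evidence of the activity), alerted (when a rule fired, None
# if nothing fired) and contained (when the SOC closed the case with containment).
CASES = [
    # Red Team web-server exercise: web shell detected 20 minutes after upload, contained in 100.
    {"id": "C-101", "rule": "web-shell-upload", "source": "red-team",
     "disposition": "true_positive", "first_activity": "2015-09-01T09:00",
     "alerted": "2015-09-01T09:20", "contained": "2015-09-01T11:00"},
    # Red Team lateral movement that no rule caught: a detection gap for the after-action review.
    {"id": "C-102", "rule": None, "source": "red-team",
     "disposition": "missed", "first_activity": "2015-09-01T12:00",
     "alerted": None, "contained": "2015-09-02T08:00"},
    # A noisy rule: four alerts, three of them false alarms.
    {"id": "C-103", "rule": "odd-hours-admin-login", "source": "sensor",
     "disposition": "false_positive", "first_activity": "2015-09-02T02:00",
     "alerted": "2015-09-02T02:01", "contained": None},
    {"id": "C-104", "rule": "odd-hours-admin-login", "source": "sensor",
     "disposition": "false_positive", "first_activity": "2015-09-03T03:00",
     "alerted": "2015-09-03T03:01", "contained": None},
    {"id": "C-105", "rule": "odd-hours-admin-login", "source": "sensor",
     "disposition": "false_positive", "first_activity": "2015-09-04T01:30",
     "alerted": "2015-09-04T01:31", "contained": None},
    {"id": "C-106", "rule": "odd-hours-admin-login", "source": "sensor",
     "disposition": "true_positive", "first_activity": "2015-09-05T02:00",
     "alerted": "2015-09-05T02:10", "contained": "2015-09-05T03:00"},
    # A precise rule built from a vetted CTI indicator: one alert, one real incident.
    {"id": "C-107", "rule": "c2-beacon-ioc", "source": "sensor",
     "disposition": "true_positive", "first_activity": "2015-09-06T10:00",
     "alerted": "2015-09-06T10:30", "contained": "2015-09-06T12:30"},
]


def _minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def rule_tuning_report(cases, max_false_alarm_rate=0.5):
    """Per-rule alert count and false-alarm rate. Rules above the threshold are the
    SOC feedback TDO should act on before analysts waste more time on them."""
    counts = defaultdict(lambda: {"alerts": 0, "false_alarms": 0})
    for case in cases:
        if case["rule"] is None:          # nothing fired, so there is no rule to score
            continue
        counts[case["rule"]]["alerts"] += 1
        if case["disposition"] == "false_positive":
            counts[case["rule"]]["false_alarms"] += 1
    report = {}
    for rule, c in counts.items():
        rate = c["false_alarms"] / c["alerts"]
        report[rule] = {**c, "false_alarm_rate": round(rate, 2),
                        "needs_tuning": rate > max_false_alarm_rate}
    return report


def response_metrics(cases):
    """Mean time to detect (first activity -> alert) and mean time to contain
    (alert -> containment), in minutes, over confirmed incidents only."""
    incidents = [c for c in cases if c["disposition"] == "true_positive"]
    to_detect = [_minutes_between(c["first_activity"], c["alerted"]) for c in incidents]
    to_contain = [_minutes_between(c["alerted"], c["contained"])
                  for c in incidents if c["contained"] is not None]
    return {"incidents": len(incidents),
            "mean_minutes_to_detect": round(mean(to_detect), 1) if to_detect else None,
            "mean_minutes_to_contain": round(mean(to_contain), 1) if to_contain else None}


def red_team_detection_gaps(cases):
    """Red Team activity the SOC never alerted on: the after-action review's first question."""
    return [c["id"] for c in cases if c["source"] == "red-team" and c["alerted"] is None]


if __name__ == "__main__":
    for rule, stats in rule_tuning_report(CASES).items():
        print(rule, stats)
    print(response_metrics(CASES))
    print("Red Team activity with no alert:", red_team_detection_gaps(CASES))
```

On the constructed data the odd-hours login rule is flagged for tuning (three false alarms out of four), the confirmed incidents average 20 minutes to detect and 90 to contain, and the Red Team's lateral movement (C-102) surfaces as a detection gap, which is the kind of input the chapter says should drive changes in how sensors are configured.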
Design best practices
Electronic version of this guide and additional content available at: SecurityRoundtable.org
What are they after? A threat-based approach to cybersecurity risk management
Intercontinental Exchange & New York Stock Exchange – Jerry Perullo, CISO
address a gap that isn’t relevant to your organization. Vendors cannot be faulted for preying on this tendency, and the result is a barrage of solutions to the last headline’s problems: “You desperately need encryption.” “You need behavioral technology to baseline administrator activity and to alert unusual access times or locations.“ “You need to give up on securing everything and only focus on the critical assets.” “You need stronger passwords.” All of these solutions have their place, but if they are not responsive to the threats facing your business, they may cause more distraction than protection based on your unique requirements.

Identifying a relevant and reasonable agenda for a governance session requires a targeted and balanced approach. Let us group the major cyber headlines of the last decade into several large categories. With a finite grouping of threats, we can begin to model what each threat would look like to your organization, which leads to an assessment of likelihood and impact. With this picture of viable threats, the board can home in on specific questions that will produce the most value. By all means, all of the threats listed below should receive treatment in some capacity in any cybersecurity plan, but prioritizing which are most relevant to your organization will expose the most valuable areas to explore with limited time. Further, identifying business practices that expose you to a particular threat category may lead you to reconsider them in light of new costs that were not included in previous assessments. The calculus around maintaining a lower profile or outsourcing targeted data may change when you factor in cybersecurity risk.

■ Threat category 1: Data theft
Do you manage assets that can be easily monetized? Credit numbers and social security numbers—in bulk—are the drivers behind many newsworthy breaches. Criminals have established the proper fencing operations and can justify enormous risk and effort to capture millions of card numbers or pieces of personally identifiable information (PII) that allow identity theft. Capturing 100 or 1000 is not, however, alluring enough. Do you have bulk card or PII data? Card processors, retail institutions, and health-care providers are clear targets for this type of penetration. If this is your world, the major breaches of the day serve as case studies. Lessons learned in these areas lead to an emphasis on the following questions:

Do we know all the places where these sensitive data live, and have we limited it to the smallest set of systems possible (ring-fencing)?
Is access to the systems housing this data tightly controlled, audited, and alarmed, including via asset-based controls?
Is this data encrypted in a manner that would thwart some of the specific tactics observed in major breaches?

If you do not hold easily monetized data, these questions may not be the right place to start. Again, this does not mean that data theft is acceptable in any organization. Confidential email, intellectual property, customer login credentials, and trade secrets are some of the many examples of data we must protect. Close examination often shows, however, that ring-fencing, asset-focused controls, encryption, and other concentrations born of the rash of recent card and PII breaches may not be appropriate for more common and less frequently targeted data. If the data you are protecting are much more valuable to you than to an assailant, traditional controls such as company-wide access control, permission reviews, and identity management are probably the right emphasis and should not be neglected in pursuit of stopping a phantom menace.

■ Threat category 2: Activism
Is your organization the target of frequent protest or activism? Perhaps the issue is climate change. Perhaps it is labor relations. Perhaps you are caught up in the storm of anti-capitalism, anti-pharma, anti-farming, or simply high profile. You may or may not know if there are groups with an ideological
motivation to put a black eye on your business. Cyber opens up a whole new realm of ways for people to accomplish this, and often with anonymity. When attacks fall into this category, the most likely impact is an action that can be touted in public. This usually means one of two things: Denial of Service (DoS) or defacement. The former category will attempt to demonstrate your powerlessness by rendering a component of your business unavailable to your customers or the general public. Although attacking customer access or more internalized systems may be more damaging in reality, remember that the goal is to make a splash on a big stage with minimal effort or exposure. More often than not, that means attacking your public website. The same target (plus social media accounts) is most common for defacement attacks. The only thing more satisfying to an activist than rendering your service unavailable is replacing it with a pointed message. High-profile attacks in this category include the near-incessant Distributed Denial of Service (DDoS) attacks against major banks, particularly those with names evoking western countries. Targets of defacement include Twitter and Facebook profiles of targeted companies and government entities. If this type of threat is likely to be pointed at your organization, good questions to ask include the following:

Can we sustain a DDoS attack on the order of magnitude recently observed in the wild?
If we have a DDoS mitigation plan, how long would it take to activate during an attack? Is an outage for this duration acceptable, or would it be considered a failure in the public eye?
Are we continuously scanning our primary website(s) for common vulnerabilities that may allow unauthorized changes?
If our website were defaced, how long would it take to restore?
Are credentials to official company social media accounts tightly controlled by a group outside marketing that is more security conscious?

If this type of threat is not applicable to your organization, focusing controls and review on mitigating such attacks may not be the best allocation of resources.

■ Threat category 3: Sabotage
Are you a provider of critical infrastructure? Do you or your key executives issue politically charged statements publicly? Would the interruption of your business further an extremist objective? Although these threats require more sophisticated tactics and more time to perpetrate, they often bring highly motivated and coordinated threat actors. Adversary objectives in this area usually go well beyond website attacks. Physical control systems, data integrity, or even the functionality of employee workstations may be the target in this type of attack. Although there are many vectors for this type of attack and several are often used in conjunction, a common theme quickly becomes targeting employees individually. Social engineering and phishing prey on common habits and assumptions to dupe people into disclosing a password, clicking a malicious web link, or opening an attachment. These attacks can be the most difficult to defend against, but their reliance on persistent access and a longer lifecycle to build towards the final goal makes detective and corrective controls more valuable and decreases reliance on absolute prevention. Additionally, the actors involved and potential impact to national interests likely make mitigation assistance available to you if you focus on detection and have the right contacts in place. Good questions to ask if you are at risk of this category of attack include the following (and employees includes contractors and vendors):

Do individual employees recognize the importance of their role in securing the organization and what an attack may look like?
Are employees routinely reporting suspicious activity?
Are employees educated and incentivized to act responsibly with regard to cyber?
■ Threat category 5: Commoditized hacking
Although specialized threats are associated with specific targets, all organizations have exposure to the most common family of commoditized threats. These threats are opportunistic and warrant different controls than

Are our file servers backed up and tested regularly, and could we recover quickly if all current data were unavailable?
Have we, via policy and practice, established the principle that PCs and laptops are disposable, that data on these devices should not be relied upon, and that network storage should be used to house any critical data?

■ Conclusion
Although cybersecurity is a relatively new field, it has already grown into an expansive area requiring monitoring and controls around mission critical infrastructure and data. Attention to governance has ramped up dramatically in a short period, and it can be difficult to sift through the advice of experts. Investing time in analyzing threats and identifying what assets adversaries are truly after is a critical first step in establishing an effective governance policy around cybersecurity.
Breaking the status quo: Designing for breach prevention
Palo Alto Networks Inc.
of a set of highly disjointed technologies that only allow detection of attacks once they are already on the network or endpoint.

Organizations cannot hire their way out of this problem by throwing more people at navigating a legacy architecture or making up for the inherent gaps between the siloed technologies. Instead, organizations should be considering next-generation technology that natively integrates security to deliver automated results, preventing attackers from achieving their ultimate objectives. Given the sheer volume and complexity of threats, it’s important to use automation to accelerate detection and prevention without the reliance on a security middleman.

Despite the growing cybersecurity challenge we are all facing, we cannot give up on our digital infrastructure. Customers are becoming more and more reliant on the Internet and our networks to do business and access commercial services. They use these systems because of the trust they place in them. This trust underpins everything they do online and extends to an organization’s brand and place in the market. Legacy security approaches that focus only on detection and remediation, or rely on a series of disjointed tools, abandon this trust and can introduce significant risk by failing to consider how to prevent cyberattacks in the first place.

A new approach is needed in order to prevent modern cyberattacks. This new approach must account for the realities that today’s attacks are not only multidimensional in nature but also use an increasingly sophisticated set of techniques that are constantly in a state of change. As these techniques evolve, the risk of breach increases, and, as we all know, an organization is only as strong as its weakest entry point. Therefore, an effective strategy must work to disrupt an attack at multiple points, including:

developing a Zero Trust security posture that focuses on only allowing legitimate users and applications, as opposed to trying to block everyone and everything that is bad
blocking the different techniques attackers might use to evade detection and establish command-and-control channels
preventing installation of malware—including unknown and polymorphic malware
blocking the different techniques that attackers must follow in order to exploit a software vulnerability
closely monitoring and controlling data traffic within the organization to protect against the unabated lateral movement when legitimate identities are hijacked.

■ Cyberattack lifecycle
Despite the headlines, successful cyberattacks are not inevitable, nor do they happen by magic. Often it is a ‘window’ that is left open or a ‘bag’ that is not screened that lets an attacker slip into a network undetected. After they are inside a network, attackers will sit and wait, patiently planning their next move, until they are sure they can reach their objective. Much like a game of chess, it is only at the end of a long and logical series of steps that they will try to act. Knowing the playbook of a cyberattack can help us disrupt and prevent not just well-understood attacks but also highly sophisticated new attacks used by advanced actors.

Despite different tools, tactics, and procedures used by an attacker, there are certain high-level steps in the attack lifecycle that most cyberattacks have in common. Traditional approaches to security focus on installing a feature to disrupt only one point along this lifecycle. This approach often comes from the fact that different parts of an IT security team have different objectives: network administrators care about connectivity and the firewall, info security analysts care about analytics, and so forth. They seldom have to really work together in a coordinated manner because this approach was previously useful at stopping low-level threats that involved opportunistic targeting, such as the infamous email scam from a foreign prince needing to transfer $1 million to the U.S.
However, today’s attacks have become more and more sophisticated as advanced tools have proliferated and as effective attack strategies have been developed and shared among criminal and nation-state adversaries. These attacks are often called advanced persistent threats (APTs), so named because they use advanced tools and persistently target an organization again and again until they get in. They are patient and stealthy, preferring to forgo a quick boom and bust for a longer payoff of high-value information.

While APTs used to be the domain of nation-state espionage, today organizations large and small face these high-level threats from actors seeking to steal sensitive intellectual property and financial information, disrupt digital systems, or cause embarrassment. It is against these patient and persistent advanced adversaries that traditional single-point approaches fail. However, by targeting every step of an attacker’s playbook, it is possible to architect a solution that offers much greater odds of stopping the attacks before they can reach their objective. At the very least, putting preventative measures in place that take the complete lifecycle into consideration will raise the cost for the attacker, potentially forcing him to look elsewhere for an easier victim. Let’s take a look at the steps an attacker goes through to get into and out of a network.
One of the primary strategic failures of traditional security architectures is their reactive approach. Following the assembly-line model, security teams work to read data logs about events that happened to their network in the past. Since most of these teams operate in a siloed manner, these log files are routinely examined in isolation from other critical teams and thus lack important context that can be used to quickly detect and prevent an attack. Relying on a human in the middle of a network’s defenses is too slow to be effective against advanced, automated hacking tools and creative attackers.

A secondary strategic failure is a lack of attention toward ‘proactive prevention.’ Organizations often don’t do enough to reduce their attack surface, allowing certain classes of applications that are unnecessary for their business and leaving doors open on their network by using port-based policies. This essentially allows adversaries to distribute malware and steal intellectual property through basic applications into which they have little or no visibility. We must break away from the traditional approach to security that has proven ineffective at stopping advanced attacks time and time again.

Over the last several years in particular, there has been a dramatic evolution in both the attackers and the techniques they use. By many estimates cybercrime is now a nearly half-trillion-dollar industry, and like any industry, opportunity fuels more investment and innovation. The best way to get an industry to collapse in on itself is to take away that potential for profit. Therefore, we must make it so unbelievably hard for cyber criminals to achieve their objectives that their only option is to invest more and more resources to stage a successful attack, to the point that it becomes unprofitable.
into a less secure part of the network and then move laterally into more sensitive areas. By segmenting the most vital parts of a network from email or customer-facing systems, you will be building in firebreaks that can prevent the spread of a breach.

You also can’t neglect to secure the endpoint or individual user. This is the final battlefield. Originally, antivirus software contained signatures for malicious software and could, thus, catch most major infections from common threats because it knew what to look for. However, as we learned earlier, today’s attacks can include unknown malware or exploits that are essentially invisible to antivirus software. This has led to a massive decline in the effectiveness of traditional antivirus products and a rise in a new way of thinking about endpoint protection. Rather than looking for something that can’t be seen, you can reduce the endpoint attack surface by preventing the type of actions taken by exploits and malware. Stopping the type of malicious activity associated with an attack is much more effective than hunting for an attack that, by nature, is stealthy and hidden.

Finally, it seems simplistic, but as you make investments to re-architect your network and reduce your attack surface, you have to use all those investments to their fullest. Purchasing next-generation technology is useless if you don’t turn it on and configure it properly. Establishing a process for staying up to date on your security investments is one of the most critical habits to form.

2. Technology: integrate and automate controls to disrupt the cyberattack lifecycle.
Don’t use yesterday’s technology to address today’s and tomorrow’s security challenges. As noted earlier, legacy security approaches offer individual products to be bolted on for single-feature solutions. This leaves gaps that can be broken by new methods of attack, leaving your organization at risk. However, by using an integrated cybersecurity platform that protects across your entire enterprise, your defenses can work together to identify and close gaps that would be exploited by an attacker. Communication is key to any strong defense. If your products can’t share information on what they are seeing, there is no chance to pick up clues that might aid in preventing an advanced attack.

The next step is automating prevention measures. Humans have proven time and again that we are the weakest link in security. Advanced actors are faster, more persistent, and stealthier than manual response efforts. It just takes one overlooked log file or one missed security alert to bring down an entire organization. However, if you have an integrated platform that communicates visibility across your defenses, it can also automatically act on new threats, preventing what is malicious and determining what is unknown.

Integration should also enable your organization’s agility and innovation. Business doesn’t stop at the elevator, as employees take laptops to work from home or use their personal mobile devices to access your corporate cloud on the road. As your data moves to enable your workforce, security should go with it. Choose a platform compatible with newer technologies such as mobile, cloud, and network virtualization.

3. People: participate in a community that shares cyberthreat information.
End users cannot be relied upon to identify every malicious URL or phishing attack. Organizations must educate their constituents about what they can do on their part to stop cyberattacks. However, beyond education, to protect against today’s truly advanced cyberthreats, we must utilize the global community to combine threat intelligence from a variety of sources to help ‘connect the dots.’ Real-time, global intelligence feeds help security teams keep pace with threat actors and easily identify new security events.

As attackers move from target to target, they leave digital fingerprints in the form of their tactics, techniques, and procedures. By analyzing this evidence and then sharing it, threat intelligence from other organizations can quickly inoculate you from new attacks as bad guys seek to move between organizations and even industries. Combined with an integrated platform that can act automatically on this intelligence, you can rapidly distribute warnings and make it impossible for attackers to strike twice. The network effect from vendors with large customer bases is extremely powerful as it builds a security ecosystem, which can organically respond to new threats. Many organizations are even coming together to share threats as an entire sector. Recent policy from the U.S. Government has made it easier to collaborate and share cyberthreat information between companies and work together to identify and stop advanced cyber actors.

The most significant way to fill in all the gaps and truly protect an organization from advanced and targeted threats is to implement an integrated and extensible security platform that can prevent even the most challenging unknown threats across the entire attack lifecycle. An IT architecture must remain secure while also providing business flexibility and enabling applications needed to run day-to-day operations. Stopping even the most advanced attacks is possible, but we have to begin with a prevention mindset.

■ Conclusion: Cybersecurity as a business enabler
Traditionally, IT security has been seen by most organizations as a cost center, requiring continued expenses but not bringing in any revenue. The attention and resources devoted to it are often the bare minimum to meet regulatory requirements or mandatory certifications. IT security personnel are often drafted from projects that support core business operations to work in the ‘dark corners’ of network security with a gloomy future of scanning thousands of false alarms, updating old software, and, of course, getting blamed for the inevitable cyber incidents that are usually caused by larger organizational problems. This sad tale is a reality for a shocking number of organizations; it not only guarantees failure, it ensures lost opportunity for innovation that comes from having a strong security posture.

Adopting a prevention philosophy helps create strategies for better security and maximizes the value of an organization’s actions and resources. Viewing cybersecurity as a business enabler helps drive appropriate resource allocation by returning value to the business based on new opportunities that would not have been available without the level of trust afforded by a prevention architecture.

Take the case of the IT security team. When an organization decides to take its security more seriously, usually after a cyber incident, one of the first things it does is dump more people into IT security positions. While trained security experts are a boon for any organization, the architecture they are working in can have them needlessly chasing cycles of work, wasting budget by hunting for cyber needles in digital haystacks of alarms, and manually remediating countless vulnerabilities. Employing a prevention architecture that automates protection capabilities and shares threat intelligence using an integrated platform means that security teams can operate much more efficiently and effectively. Their time is an organization’s money, and it’s imperative to ensure that personnel working on core IT functions that keep business operations running are not being wasted on outdated security practices.

Strong cybersecurity can also open new opportunities by making organizations more flexible and resilient. Today’s workforce is constantly connected to the Internet at home, on the road, and at their desk. Users move between applications and devices seamlessly and expect that their actions will translate between these different environments. However, this traditionally has not been the case. Threats from third-party applications, unsecured cloud environments, and infected personal mobile devices have become so prevalent that many traditional security products will either block them completely or just assume that they cannot be protected. This old way of doing business doesn’t match the reality of today’s workers, who are expected to be more agile and mobile than ever before. Architecting a network to wrap these devices and third-party services into an existing security platform ensures that data will remain secure as workers go out to meet with customers in the field and expand business beyond its office walls.

The security field is stuck today with few answers to increasingly challenging problems. If organizations continue to view investments in cybersecurity simply as cost centers to be solved by bolting on legacy technology, we will all continue to suffer the consequences. Our most valuable data and the keys to vital pieces of infrastructure will walk out the door in the hands of cyber criminals, while the trust we have built between our customers and our systems continues to degrade. This will happen time and time again until we are forced to change and narrow the way we use digital systems in our everyday lives. This must not become the reality for the entire community that receives such unimaginable benefits from the Internet. By adopting a prevention mindset it is possible to change the status quo and take back the control and trust in systems that enable critical business operations. Planning for disaster is always a smart move, but preparing for failure will accomplish just that.
Cybersecurity glossary
Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). http://niccs.us-cert.gov/glossary
Attack surface: An information system’s characteristics that permit an adversary to probe, attack, or maintain presence in the information system. http://niccs.us-cert.gov/glossary
Antivirus software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code. http://niccs.us-cert.gov/glossary
Command-and-control channel: Data link for an attacker to communicate with his malicious software installed on a victim’s system.
Data exfiltration: After an attacker has found sensitive data that he is targeting, he will attempt to package this data and remove it silently from a victim’s system.
Endpoint: Specific parts of an IT infrastructure that users interact with directly, such as workstations or mobile devices.
Exploit: A technique to breach the security of a network or information system in violation of security policy. http://niccs.us-cert.gov/glossary
Hypertext transfer protocol (HTTP): Technical rules for transferring data over the Internet. Web browsers use HTTP, and the encrypted variant HTTPS, to allow users to interact directly with websites in a secure manner.
Malware: Software that compromises the operation of a system by performing an unauthorized function or process. http://niccs.us-cert.gov/glossary
Network: Joined pieces of an IT infrastructure that transfer and route data to and from endpoints and other networks.
Polymorphic malware: Malicious software that is designed to continuously change its appearance, allowing it to evade legacy security detection technology such as antivirus software.
Port-based security: Stateful inspection firewalls block any Internet traffic coming into or out of a network on a specific line of communication, called a port. However, modern applications use different ports, and malicious software can change the port it uses.
Remote access tools (RATs): Malicious software that allows an attacker to control a system where he is not physically present. These functions in IT systems also exist for legitimate uses, such as support functions.
Zero-day: A software vulnerability that is unknown to the public but is used by an attacker to gain access and control of a network or system.
Cybersecurity beyond your network

Supply chain as an attack chain
Booz Allen Hamilton – Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate

Figure 1: Attack methods on the supply chain
Adversaries: Nation-State Actors; Competitors (esp. Nation-State-owned); Criminals; Hacktivists
Lifecycle Process: Design; Source; Build; Fulfillment; Distribution; Sustainment & Operations; Disposal
Example Methods: Interdiction/Compromise; Theft/Re-route; Break/Fix subversion
Potential Effects: Halt or slow production; Prevent sustainment operations; Loss of intellectual property
Supply chain traditionally has been seen as part of internal operations; it is something that happens behind the scenes for your customers. In the past, customers did not care where you made your products or how you sourced them as long as you delivered them on time, at the appropriate cost, and in good condition. However, this is all changing. Companies and governments around the world are realizing that the supply chain is an ideal way for attackers to quietly infiltrate their networks and infect a system well before customers place an order. Companies, large and small, have to begin looking at supply chain security as part of their overall supply chain risk management process.

By prioritizing supply chain cybersecurity, you are well on your way to tackling this complex issue. You have an opportunity to mitigate cyber risk and transform your supply chain risk management capability into a competitive advantage to inform your broader business.

[…] for weak points, and the impact of this attention has the potential to reverberate well beyond your supply chain. You inherit the risks of your suppliers. If one of your suppliers lacks security controls, you may absorb their vulnerabilities. This is particularly true if you do not comprehensively test their components during your acceptance process; once you accept their product, you accept the risks of being attacked or passing along an attack to your customers. In the event that a cyberattack occurs, you own the impacts as well. This includes brand damage, operational stoppage, legal exposure, canceled sales, and government sanctions.

■ Dangerous combination of hidden risks and higher expectations
Tackling cybersecurity risk in supply chain may feel like you are trapped between a virtual rock and a hard place. As companies drive to increase supply chain flexibility at the lowest overall cost, sourcing decisions expose them to the vulnerabilities of suppliers and all of their successive networks of suppliers. This ever-evolving cybersecurity threat in the multi-layered supply chain presents a number of challenges when managing cybersecurity. See Figure 2.

Figure 2: Cybersecurity challenges in the supply chain
Lack of Visibility: Limited visibility across the supply chain regarding exposure and controls
Dynamic Threat
External Dependencies: Companies cannot ensure part integrity on their own—they will need participation from suppliers and other business partners.
Cross-Functional Challenge
Decision Making

■ Increasing expectations
The U.S. government has been a force for driving higher-level visibility and controls across the supply chain. As the future progresses, insurance companies will be an even larger driver for increasing supply chain standards. Business continuity policies are in place to address threats that disrupt the supply chain. Companies with weak supply chain cybersecurity policies and procedures could find their insurers raising their premiums or excluding claims in case of a breach. The next wave of standards could require you to maintain a list of all cyber sensitive supply chain components as well as to develop comprehensive risk frameworks to classify, prioritize, and proactively manage the sourcing of each of those components. You need to proactively get ahead of these standards. Prove to the government, insurers, and your customers that you have a strong supply chain cybersecurity capability.

It is not just the U.S. federal government that is raising the stakes. Many clients also are demanding to know more about the supply chain. Private sector clients are realizing that securing high-assurance services on an untrusted hardware platform is the same as building a fort on a foundation of shifting sand. They want to know the depth of visibility into the components and services of products, and they want to be reassured that there are controls in place to manage a robust supply chain cybersecurity program. As with the government, many of these requests and requirements are at an all-time high and will become more sophisticated and comprehensive only during the next several years. If you are their supplier, they know that you are only as trustworthy as your supply chain.

■ How to create both a secure and compliant capability
Complying with standards and guidelines is not enough for securing all of the factors you need to comprehensively increase your security posture. Although standards strive to create consistency among cybersecurity programs, the fundamental truth is that there is no formula for security. Standards and frameworks can help identify the landscape of potential areas to address and may let you set a minimum level of performance, but that’s it. You must move beyond merely striving to be compliant rather than noncompliant. Supply chain cybersecurity is more than an IT problem. If not used in the appropriate context, standards can be a generic solution to a highly individualized problem set. Supply chain risk is tied intimately to your business strategy and operations, and it must be tailored to your organization.

Rather than focusing on a standard, look at your program with a maturity lens. Understand the various degrees of risk you face. Then, within a well-established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas to address. Focus on your current maturity in those areas and what you must do to increase your maturity. Focusing on your maturity provides you with an opportunity to identify where your program stands today, where it must be in the future, and how to get there. A maturity approach is not “one size fits all.” Special considerations for your organization could necessitate that your approach be different than that of a competitor. Using a maturity model also allows you to answer the questions that are not yet asked by compliance while aligning your supply chain to your business strategy. It allows you to focus on increasing your overall security and to stay ahead of the curve.

■ Where do I start?
Developing a robust supply chain cybersecurity program is complex, but that doesn’t mean your approach has to be. It requires a risk-based prioritization approach to changes in policy, supplier contracts, resource allocation, and investment. Most companies do not have the appetite or the budget for wholesale, drastic changes. If you are like most organizations, you face the dilemma of not knowing where to begin.

So the best place to start is to get your arms around what has to be done.

1. Conduct a maturity assessment and build a roadmap.
Your organization needs a plan for the path forward in securing your supply chain. Before you transition to developing a roadmap, you must begin with a maturity assessment. Supply chain cybersecurity program maturity assessments are simply gap analyses between how well your program operates today compared with how it should operate in a target state. To evaluate this, you must identify the key controls that apply to supply chain risk management—either controls you already use as part of your corporate cybersecurity program or controls that may be more unique to supply chain. Even if you use existing controls, you should modify them to apply to your supply chain operations.
Next, identify key objectives for each control you plan to evaluate. Threat intelligence, for example, may have data collection, analysis, and distribution as key control objectives. For each objective, define a scale as well as the key characteristics for each step in that scale. Taking the threat intelligence example, a low maturity rating for data collection could be the ad hoc collection of threat data via unstructured sources, such as email. A higher maturity implementation of data collection would be a comprehensive ingestion of multiple formal data feeds that can be analyzed automatically and efficiently.

[…] physical deliveries of products, place malware in cyber sensitive components, and allow the shipments to continue to end customers. As you identify risks for each phase, you have to assess the likelihood and impact of each risk. This prioritized list becomes your risk agenda and helps determine what to address first to enhance your supply chain cybersecurity program.

Figure: Supply chain lifecycle
[…] the future, if not already. Once you can obtain this kind of visibility, you can then assess the processes, controls, and risks associated with those cyber sensitive components.

■ Supply chain cybersecurity as a differentiator
The risks and expectations of your supply chain cybersecurity are increasing as threats become more sophisticated and customers’ expectations rise. As you inherit the vulnerabilities from your suppliers and the risks of your customers, you have to be more aware of how your supply chain can become an attack chain. Compliance is not enough; you must develop a robust maturity model to help identify your vulnerabilities and develop a roadmap to reduce your risks.

Companies that are able to effectively manage their supply chain risks will have the advantage in the market. Understanding how to identify risk and then effectively manage those risks will allow you to be in greater control of your supply chain. A robust supply chain cyber risk management program will allow you to close vulnerabilities, making you less of a target for attackers while helping you meet and even shape your customer expectations. The trust in your brand and the quality of your product depend on the strength of your supply chain cybersecurity.

Creating the right balance of security and resilience in your supply chain will allow you to build a foundationally stronger supply chain cybersecurity program. This not only will differentiate you from your competitors but also will allow you to better understand the opportunities and advantages that are key to your success.
Managing risk associated with third-party outsourcing
Covington & Burling LLP – David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate
The results of the Target breach are well known: the personal information of up to 70 million customers was compromised, and about 40 million customers had their credit or debit card information stolen. By the end of 2014, the costs to Target from the breach had exceeded $150 million. These costs include the litigation and settlement expenses resulting from lawsuits brought by consumers and credit card issuers. Further, in the quarter in which the data breach occurred, Target’s year-over-year earnings plummeted 46 percent. Ultimately, in the aftermath of the breach, Target’s CEO resigned.

The Target breach was not an isolated incident. In 2014, a Ponemon Institute survey found that in 20 percent of data breaches, a failure to properly vet a third party contributed to the breach. Even more troubling, 40 percent of the respondents to another Ponemon survey named third-party access to or management of sensitive data as one of the top two barriers to improving cybersecurity. Further, the Ponemon Institute’s 2015 U.S. Cost of Data Breach Study reports that third-party involvement in a data breach increased the per capita cost of data breaches more than any other factor.

However, despite the cybersecurity risks posed by third-party service providers, many companies fail to systematically address such risks. Only 52 percent of companies surveyed in a 2014 Ponemon Institute report have a program in place to systematically manage third-party cybersecurity risk.

■ Legal risks
Although there are many commercial and other reasons to adopt strong third-party risk management processes, a variety of legal frameworks require the management of third-party risk. Examples of such statutory or regulatory requirements include the following:

• the Interagency Guidelines Establishing Information Security Standards that implement Section 501 of the Gramm-Leach-Bliley Act and require financial institutions to engage in due diligence in the selection of service providers, to use contractual provisions to manage third-party risk, and, in some cases, to monitor service providers on an ongoing basis (e.g., 12 C.F.R. Pt. 225, App. F at III.D. [2012])
• the HIPAA Privacy Rule, requiring specific contractual provisions in dealing with business associates who handle protected health information, 45 C.F.R. §164.502(e) (2014)
• state regulations, such as the Massachusetts Standards for the Protection of Personal Information, requiring reasonable steps in selecting third parties and the use of contractual provisions to require their compliance with Massachusetts law, 201 Mass Code Regs. 17.03(2)(f).

In addition, the Federal Trade Commission has applied its authority under Section 5 of the FTC Act, 15 U.S.C. §45 (governing unfair acts and deceptive trade practices), to cybersecurity and data security, and has taken action against companies that fail to take “reasonable steps to select and retain service providers capable of appropriately safeguarding personal information,” making that a de facto regulatory requirement. See, for example, GMR Transcription Servs., Inc., F.T.C. Docket No. C–4482, File No. 122–3095, 2014 WL 4252393 (Aug. 14, 2014).

■ Sources of third-party cybersecurity risk
The cybersecurity and privacy risks generated by third-party engagements include the following:

• breaches of personal data—whether the personal data of customers or employees—and the attendant regulatory obligations (e.g., notification requirements), as well as legal liability, as in the Target breach
• breaches of a business’s proprietary data, including the following:
  • competitively sensitive data, privileged information, attorney work product, and trade secrets
  • business partner data resulting in obligations to notify business partners as well as potential contractual liability to them
  • data that result in financial harm to the company, such as bank account information
  • other confidential, market-moving insider information in the hands of third parties such as investment bankers, consultants, and lawyers, such as information regarding nonpublic M&A activity, clinical trial results, or regulatory approvals
• the introduction into internal networks of viruses or other malicious code, as in the Dairy Queen attack, in which vendor credentials were used to gain access to internal networks and eventually install malware targeting point-of-sale systems
• the introduction of other vulnerabilities to IT systems, for instance, by the use of vulnerable third-party applications or code, as occurred in the Heartbleed OpenSSL exploit that potentially exposed the data transmitted to and from secure web servers
• misuse and secondary use of company data such as for direct marketing or data mining for the benefit of the vendor
• “fourth-party” risk, that is, the third-party cybersecurity risks introduced by a vendor’s relationships with its own third-party service providers and vendors
• potential director or management liability for breach of fiduciary duty in the exercise of cybersecurity oversight.

To help manage this array of risks effectively, companies may consider whether they have appropriate procedures in place to evaluate and monitor individual vendors, as well as a program to manage and monitor third-party relationships.

■ Engagement-level management of third-party cybersecurity risk
The appropriate measures needed to scrutinize and monitor third-party service providers will depend to a large extent upon the sophistication of the vendor and the nature of the IT systems and data at issue. Nonetheless, three elements are common to all third-party risk management:

1. due diligence prior to entering an engagement
2. contractual commitments and legal risk management
3. ongoing monitoring and oversight.

■ Pre-engagement due diligence
A critical element of managing third-party risk is the assessment of the third party’s own security practices and posture before any contract is signed. Such diligence is crucial for the identification and evaluation of risks, and, in turn, can ensure that such risks are mitigated before the engagement, including through the use of contractual provisions. The actual evaluation may be more ad hoc (i.e., conversations with key business or technology stakeholders) or formal (i.e., through a questionnaire or even on-site assessment), and the extent of an evaluation may depend on various factors in the prospective relationship, including, for example, whether the service provider will have access to the company’s IT systems, the nature of the information that it may access, and whether it will store such information.

Depending on the extent of the relationship and information that may be accessed by the vendor, the following areas of inquiry may be necessary to inform a cybersecurity diligence assessment:

• whether and how often the vendor has experienced cybersecurity incidents in the past, the severity of those incidents, and the quality of the vendor’s response
• whether the vendor maintains cybersecurity policies, such as whether the vendor has a written security policy or plan
• organizational considerations, such as whether the vendor maintains sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents
• human resources practices, particularly background screening of employees, cybersecurity training, and the handling of terminations
• access controls, particularly whether controls are in place that restrict access to information and uniquely identify users such that access attempts can be monitored and reviewed
• encryption practices, including whether information is encrypted at rest, whether information transmitted to or from the vendor is properly encrypted, and whether cryptographic keys are properly managed
• evaluation of in what country any data will be stored
• the vendor’s policies regarding the secondary use of customer data, and whether IT systems are created in such a way as to respect limitations on secondary use
• physical security, including resilience and disaster recovery functions and the use of personnel and technology to prevent unauthorized physical access to facilities
• back-up and recovery practices
• change control management, including protocols on the installation of and execution of software
• system acquisition, development, and maintenance to manage risk from software development or the deployment of new software or hardware
• risk management of the vendor’s own third-party vendors
• incident response plans, including whether evidence of an incident is collected and retained so as to be presentable to a court and whether the vendor periodically tests its response capabilities
• whether the vendor conducts regular, independent audits of its privacy and information security practices

■ Contractual risk and negotiation
In addition to evaluating third parties on the basis of their cybersecurity practices, another important risk mitigation tool is the actual contractual language. As with other areas, contractual requirements can be an effective way to allocate risk and responsibility for potential breaches of cybersecurity, including the investigation and remediation of such incidents. Commonly negotiated terms include the following:

• a requirement that the vendor have a written information security program that complies with applicable law or other regulatory or industry standards
• limits and conditions on the use of subcontractors and other third-party service providers
• restrictions on secondary use of data, including making clear that the customer remains the owner of any data transmitted to the vendor and any derivatives of that data
• mandatory and timely notification in case of a security incident
• rights to audit or otherwise monitor the vendor’s compliance with the terms of the contract
• in case of a breach, a requirement that the vendor take on reasonable measures to correct its security processes and take any necessary remediation steps
• provisions ensuring an orderly transition to in-house systems or another third party in case of the termination of the relationship.

In addition to such terms, indemnification clauses can be used to shift the risk of data breach onto the third party and to incentivize healthy security practices. To accompany an indemnification clause, it sometimes can be desirable to draft clauses that define when the entity is or is not liable, on which party the burden of proof falls, and how root-cause analysis should be conducted. To ensure capacity to take on the financial costs […]
[…] is helpful to have standardized processes and documentation. Examples include standardized diligence checklists and questionnaires, template contract addendums addressing cybersecurity issues, and standardized schedules for audits and other forms of monitoring. Because there is no one-size-fits-all approach that is appropriate for every vendor, it is appropriate to implement a tiered approach that scales due diligence, contractual obligations, and oversight processes according to the nature and extent of the cybersecurity risks presented by the vendor relationship. In all events, it is important that organizations periodically review their processes for evaluating and overseeing third-party relationships to ensure that such processes are periodically updated and appropriately tailored to address new and emerging threats.
A new look at an old threat in cyberspace: The insider
Delta Risk LLC – Thomas Fuhrman, President

“The first thing that business leaders should do about the insider threat is to take it seriously.”
the migration of data outside the security to efficiently screen potential employees, man-
perimeter of the enterprise through age access rights, enforce obligations, detect
the widespread adoption of cloud- malicious tendencies and behaviors, and
based services, increased outsourcing, implement security controls are needed.
increasingly Internet-enabled supply The insider threat is usually thought of as
chain operations, and the ubiquity of having two types: the malicious insider and
mobile communications and computing the unwitting insider. Although these two
devices in the ‘bring your own device’ types of insider are very different in motiva-
(BYOD) environment tions and objectives, they can have similar
the increase in the marketability of ruinous effects on the organization.
sensitive, personal, proprietary, or
confidential data through global cyber The malicious insider. The malicious insider
crime syndicates and hacker networks. is the ‘spy’ or ‘traitor’ who represents
the insider cyberthreat at its most basic.
These developments in combination invest This rogue employee, at most a small
more power—and risk—in the individual percentage of the workforce (Spectorsoft
insider and make ‘keeping a secret while selec- reports that an estimated 10 percent of
tively sharing it’ a harder problem than ever. employees account for 95 percent of
From a cyber perspective, the insider is incidents), uses her or his legitimate access
the person who the enterprise has entrusted to a company’s information resources to
to access and operate with the company’s deliberately harm the organization.
data and information resources in the rou-
tine course of business. Anyone who has Malicious insiders know about the organi-
legitimate (or ‘authorized’) access to the zation’s information, its systems, its struc-
information and the business systems, data- ture and people, and its internal opera-
bases, email, or other information resources tions. They have access to the enterprise
of the enterprise is an insider. network from inside the perimeter defens-
In many companies today, a large number es. They can do damage such as stealing
of legitimate insiders are not actually data, disabling systems, and installing
employees. This group includes former viruses or malware. Those with privileged
employees, contractors, business partners, access can do even more, such as disabling
vendors, suppliers, and others such as cloud accounts, destroying backups, changing
service providers and business application configuration files, and more. Those with-
hosting services that have been granted out privileged access can sometimes get
access to corporate enterprise networks. it through insider trickery, bypassing
Evidence indicates that the access privileges authentication processes or gaining access
of such non-employee insiders are difficult through the credentials of others. Snowden
to manage and thus more easily exploited. In himself reportedly persuaded colleagues
the large data breach at The Home Depot in to share passwords with him to get access
2014, for example, the hackers entered the beyond what he was already allowed.
corporate network through a vendor’s legiti-
mate access credentials. A fundamental and important point to
Can employees and other insiders be recognize is that the insider as a malicious
trusted? The answer, of course, is mostly yes. threat is not limited to the cyber and infor-
It has to be. Business runs on human capital. mation systems realm. Other targets and
Without trustworthy insiders, the organiza- methods are possible, including physical
tion cannot function. However, the residual theft, destruction, or violence, coercion
‘no’ is a cause for serious concern. Seen in and extortion, or other non-cyber actions.
this light the question is more about setting This fact has a direct bearing on the
the limits of trust at the right level. Better ways approaches available to prevent, detect,
■ 220
A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER
and act against malicious or potentially malicious insiders.

The psychology of the malicious insider is a defined field of study. In short, an insider can become a threat for many reasons—including, for example, anger as a result of workplace conflicts or disputes, fear of termination, dissatisfaction with workplace policies, ideology, or financial need.

The unwitting insider. Almost anyone can fall into the category of unwitting insider threat agent, including senior executives. As a threat actor, the unwitting insider unintentionally and unknowingly makes security blunders that expose the enterprise to serious cyber risks.

Because the pool of potential unwitting actors is so large and their behaviors are unintentional and hard to predict, the unwitting insider is one of the most dangerous weak points in the entire enterprise.

One group of insiders who can pose a major threat is those who have a lax attitude about security. These attitudes are not always obvious. Security awareness campaigns are so commonplace now that just about everyone exercises at least some caution in online activities. At the same time, though, we can also observe that a certain insouciance about the risks in cyberspace has crept into the behavior of many people. The same person who would refrain from using the word ‘password’ as a password or from writing it on a sticky note to place on the computer monitor may think nothing of other poor security practices.

Today’s culture, for example, seems to encourage the melding of personal and professional pursuits. People have become so accustomed to online life—being always connected, using multiple computing platforms, putting their ‘whole life’ (as they say) on their smartphones, or posting photos and personal information on social websites—that it appears many have become unconcerned about the associated security and privacy risks. Users sometimes bring such personal Internet habits into the workplace, often paradoxically because of their zeal to do their jobs. They may insert a thumb drive into a corporate machine to transfer a file. (“I needed to work on the file—what was I supposed to do?”) They could sync a personal smartphone to a corporate computer. (“What’s wrong with that?”) They may drop a proprietary document into a public cloud. (“I need to work on it while I travel.”) The list continues. All of these actions and many others like them by the unwitting insider create serious enterprise security risks.

The single most common security weakness of most people is a susceptibility to phishing attacks. Phishing is a form of ‘social engineering’ that has the goal of getting information such as usernames, passwords, or credit card numbers. Phishing usually starts with a fraudulent email message (although other mechanisms are also used) that appears to be from a legitimate or known source. The message may contain an attachment that, if opened, installs malware on the victim’s computer, or the message may direct the user to a website that is also designed to look legitimate, even familiar, to the target victim. This bogus website prompts the user to enter information such as log-in credentials or account numbers. If the user’s suspicions have not been aroused, she or he may enter the requested data—and gotcha!—the hacker has succeeded in capturing information that can be used for access later. Alternatively or in addition, the bogus website may push out a virus, remote access software, key-logging software, or other malware. Very often phishing is the start of a chain of exploits that leads to a very serious breach. The Verizon 2015 Data Breach Investigations Report (DBIR) states that more than 75% of malware installs were the result of unwitting users clicking on attachments or web links contained in emails.
CYBERSECURITY BEYOND YOUR NETWORK
Phishing also is used in a more focused way that targets specific people—frequently senior executives or people in the organization who have privileged access to information resources. The hacker will mine the Internet for personal information on the target, information that only the target would know, names and contact information of colleagues, web browsing and purchase history, non-business activities and community involvement, even writing styles to zoom in on that specific person. When such information is used in a phishing email, the look and feel, the text, and the context of the message can appear unexceptional and entirely authentic. If this were a game it would be unfair. The target frequently falls for the scheme.

Like the poor soul who sends money to the Nigerian prince or the person who invests in shares of the Brooklyn Bridge, the unwitting person can easily be taken in by a well-designed phishing ploy. However, whether the result of inadvertent or deliberate acts, the impact to the organization can be the same—financial loss, compromise of intellectual property, theft of customer personal information and credit card data, and reputational harm or loss of competitive position.

This highlights a third and more sinister type of ‘insider’ that must also be considered—the malicious outsider posing as an insider. Such actors explicitly seek to exploit insiders by appropriating their credentials and moving unnoticed within the network.

Figure 1 illustrates the categories of the insider threat, along with typical motivations and potential impacts.
FIGURE 1. Categories of the insider threat, with typical motivations, methods, and examples of impact

Unwitting insider (only fragments of this row survive in the extracted figure)
• Methods: …export data; mix company data with personal data on mobile devices

Malicious insider
• Motivations: financial gain; do harm to the company; advance an ideology or other personal agenda
• Methods: use legitimate access for illegitimate purposes

Malicious outsider posing as an insider
• Motivations: financial gain—obtain sensitive data that can be monetized; fraud or theft of money; do harm to the company; advance an ideology or other personal agenda
• Methods: exploit the access of a legitimate user; bypass security controls on privilege escalation and lateral movement throughout the network to get to key systems for exfiltration and/or insertion of malware

Examples (potential impacts)
• Theft of sensitive information (e.g., personally identifiable information, intellectual property, proprietary information)
• Financial fraud or theft
• Insertion of malware and/or establishing a long-term presence in the network for repeat action
• Damaged or destroyed information resources
• Sabotaged product (the merchandise produced by the enterprise)
• Reputation harm and customer alienation; loss of revenue
Resources
The following resources can help enterprises deal with the insider threat. Each provides a wealth of
information on proven approaches and practices that companies can build upon.
Insider Risk Evaluation and Audit Tool. This tool is designed to help the user
gauge an organization’s relative vulnerability to insider threats and adverse behavior
including espionage against the U.S., theft of intangible assets or intellectual property,
sabotage or attacks against networks or information systems, theft or embezzlement,
illegal export of critical technology, and domestic terrorism or collaboration with
foreign terrorist groups.
The tool can be used for a number of purposes, including self-audit of an organization’s
current defenses against insider abuse, the development of a strategic risk mitigation
plan, and employee training and awareness.
http://www.dhra.mil/perserec/products.html#InsiderRisk
CERT Insider Threat Center. Since 2001, the CERT Insider Threat Center has
conducted empirical research and analysis to develop and transition socio-technical
solutions to combat insider cyberthreats. Partnering with the U.S. Department of
Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other
federal agencies, the intelligence community, private industry, academia, and the
vendor community, the CERT Insider Threat Center is positioned as a trusted broker
that can provide short-term assistance to organizations and conduct ongoing research.
https://www.cert.org/insider-threat/
Federal Bureau of Investigation. The Insider Threat: An introduction to detecting and
deterring an insider spy.
This brochure provides an introduction for managers and security personnel on how
to detect an insider threat and provides tips on how to safeguard trade secrets.
https://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
authorization to access company and information resources, a rogue insider can do tremendous harm to the company. The effects of an insider attack can be felt as financial loss, erosion of competitive position, brand degradation, customer alienation, and more. The Snowden disclosures of 2013 have, at least for now, sensitized business leaders to the grave risks posed by the insider threat.

The unwitting insider is the equal of the malicious insider in potential damaging impact. A momentary and unintentional lapse in vigilance regarding security threats can be all it takes for a major compromise to occur. Insiders are also the target for carefully scripted phishing tactics; the insider who innocently clicks a link in an email may enable damage to the company well beyond her or his pay grade.

However, there is much that the organization’s executive leadership can do to mitigate the insider threat, including establishing the right culture, implementing security controls, conducting ongoing monitoring and detection efforts, and being ready to respond quickly if indicators point to a likely insider threat. The following box summarizes the actions that are recommended here.
3. Build and operate security controls designed to mitigate the insider risk.
5. Have a plan for what to do in the event of actual or suspected insider malfeasance
Know how and when to contact law enforcement and other authorities regarding
insider threats.
Explore legal remedies.
7. Don’t ‘go at it alone.’ There are many resources available for planning and ongoing
operations. Best practices can be implemented based on another organization’s learning
curve.
The Internet of Things
The Chertoff Group – Mark Weatherford, Principal
The two concepts—the IoT and M2M—are now poised for complete integration, in what is termed convergence, as we move into technology’s future. Keep in mind that in that future, anything that can be connected will be connected. Christian Byrnes, a managing vice president at Gartner, says that “The Internet of Things brings a major addition to the responsibilities of cybersecurity: safety. IoT includes the final convergence of physical and information security practices. As such, CIOs and CISOs will face the possibility of their failures being the direct cause of death. Confidentiality, Integrity and Availability will be remembered as ‘the good old days.’”

The IoT can also be thought of as just the collected data. With billions of connected devices, all contributing information around the clock, it’s more data about more machines, operations, and people than has ever been collected before—more in the past year than perhaps has been recorded in all of human history, and certainly more than was imagined possible just a few years ago. The intelligent management and implementation of that data make it possible to do such things as navigate a driverless car through city traffic, monitor a person’s anatomical signals and take action to manage his or her health, monitor the movement and health of livestock, provide global tracking and communications, manage energy use in buildings, and even operate sophisticated industrial equipment from remote locations. Our intelligence and industrial abilities in the era of the IoT will be limited only by our imaginations; we will have the data we need to accomplish almost anything we can envision.

In the philosophical sense, the IoT is also part of a movement. It’s been evolving for more than a century, from our first ability to communicate with each other instantaneously by radio. The early days of the Information Age quickly showed us how important data gathering could be to the success of an operation. The IoT is, in that existential meaning, the latest iteration of communication technology. Of course, as soon as we developed the ability to send information over great distances in just seconds, some people began to look for ways to capture that information from sources other than their own. Early twentieth century wartime code breakers monitoring the enemy’s radio communications often are mentioned as the first hackers.

The last aspect of the IoT should cause the most concern. As technology has become ever more sophisticated in its march toward providing greater capabilities for private enterprise, governments, and the people they serve, so have the tools and strategies of the people who would access and use the information for more malicious purposes. The lack of recognition about the seriousness of this threat to companies and governments leads to a lack of security sufficient to defend against attacks.

■ IoT benefits
According to John Chambers, CEO of Cisco Systems Inc., the Internet of Everything (which includes the IoT plus the actual networks that support and transmit the data these devices generate) could be worth $14.4 trillion in revenue, plus another $4.6 trillion in savings to industry and government. That’s $19 trillion, greater than the GDP of many countries. The benefits the IoT provides can be seen in every area that relies on technology, as well as many that traditionally have not. A few examples:

The amount of municipal solid waste generated around the world is expected to reach 2.2 billion tons annually by 2025, almost double the amount recorded in 2012. The cost of handling this waste will be about $375.5 billion per year. However, by changing the traffic patterns of garbage trucks and installing sensors in garbage cans to identify when they are full and should be picked up, U.S. cities alone can
companies are working on standardization protocols, the issue will not go away anytime soon. Sensitive commercial, industrial, and government information is at risk, and that risk will likely grow as the IoT develops, before measures sufficient to mitigate that risk propagate. As Rod Beckstrom, the former CEO of ICANN, said in his Beckstrom’s Law:

If it’s connected to the Internet it’s hackable.
Everything is being connected to the Internet.
Therefore, everything is hackable.

Putting all the security aspects together, as some cyber criminals apparently already have, and the risks that accompany the growth of the IoT can seem frightening. Hackers have become so sophisticated in their tactics that some are creating databases from the information gathered in previous attacks, which can enable them to defeat common security measures. For example, in the successful breach of more than 100,000 taxpayer returns filed electronically with the IRS in 2014, the attackers were able to correctly answer security questions that the taxpayers themselves had selected, simply by cross-referencing information collected in previous breaches of other organizations’ information.

Put a nation-state or other global entity behind such efforts, and the risks to sensitive information in the IoT mount exponentially. In commerce, as well as in politics and war, entities make decisions based on what they believe is in their best interests. This is especially true in the case of state and large non-state actors. It’s helpful to think of their efforts to infiltrate technological and security information not so much as instigated by an evil intent or ideology, but as motivated by the survival and practical success of their entity—the concept of realpolitik updated for the twenty-first century. They have a vested interest in hacking information systems that goes far beyond simple greed. It means they are unfazed by potential punishments or repercussions and have the willingness to commit resources and effort towards their goals because the payoffs, if they are successful, are huge—such as global economic or even military dominance. Looking at the situation in this way helps validate the actual threat these actors represent and can in turn stimulate companies and governments to mount a more adequate defense.

■ Addressing the issues
The U.S. Congress, since 2012, has proposed more than 100 pieces of legislation related to Internet security and privacy. Only a couple were actually signed into law, but continuing security incidents, such as the breach of Sony’s network and subsequent hostage-taking of one of its movies, have created greater awareness of security issues that will surely prompt more attempts at legislation and regulation. In fact, as of this writing, at least 10 pieces of legislation are being considered on Capitol Hill. In its report, the FTC endorsed strong, flexible, and technology-neutral general legislation but added that IoT-specific legislation would be premature, as the field is still in its early stages of development. They would prefer to see industry adopt self-regulatory practices.

At the corporate or company level, though, there is much decision makers can do now to address security and privacy concerns. Much of that involves adopting a forward-thinking attitude about the IoT and its role.

First is to understand that the IoT is not a possibility or a projection of the future—it is a reality. It is here now and will only continue to grow and affect every facet of our world.

The IoT carries with it many risks and challenges; it’s the companies and organizations that address those issues head on that will survive. Conventional approaches to network security will likely have to be rethought.

Companies and organizations should stay up to date with evolving vulnerability assessments and advancements in security solutions. This also applies to
Incident response
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Working with law enforcement
in cyber investigations
U.S. Department of Justice – CCIPS Cybersecurity Unit
how the incident took place, which can help a company better protect itself. Investigators can work with foreign counterparts to obtain assistance that may be otherwise impossible.

Early reporting to and cooperation with law enforcement will likely be favorably considered when a company’s response is subsequently examined by regulators, shareholders, the public, and other outside parties.

Law enforcement may be able to secure brief delays in breach reporting requirements so that they can pursue active leads.

A successful prosecution prevents the criminal from causing further damage and may deter others from trying.

Information shared with investigators may help protect other victims, or even other parts of the same organization, from further loss and damage.

Effective partnership with law enforcement can be built into an overall response plan, especially when companies understand law enforcement’s priorities and responsibilities.

■ Law enforcement’s priorities and responsibilities
Law enforcement agencies, including the FBI and the U.S. Secret Service, prioritize conducting cyber investigations in ways that limit disruptions to a victim company’s normal operations. They work cooperatively and discreetly with victims, and they employ investigative measures that avoid computer downtime or displacement of a company’s employees. If they must use an investigative measure likely to inconvenience a victim, they try to minimize the duration and scope of the disruption.

Law enforcement agencies also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company’s interests is not needlessly disclosed and work with companies on timing. Law enforcement also has tools, including obtaining judicial protective orders, that can protect sensitive information from disclosure during investigations and prosecutions.

If an investigation is successful and an indictment is contemplated, prosecutors will consider victims among other factors when making charging decisions. If a particular charge would place sensitive company information at risk, for example, prosecutors may seek protections from the court or, if appropriate, use alternative charges that can reduce that risk, while still serving the overall interests of justice.

Sometimes, the best available course of action in a cyber investigation may not be pursuing an arrest of the perpetrator but rather disrupting the threat in some other way. For example, law enforcement has used combinations of civil and criminal tools to disrupt attacks from ‘botnets’ designed to steal financial information from companies and individuals. In other cases, pursuing the financial or technical infrastructure of a criminal organization will be the most effective strategy. Other tools may be available to the government that work best in a particular case. Whatever path is chosen, law enforcement’s aim is to consult regularly with victims to ensure that the path chosen advances, rather than harms, the interests of the victim as well as the public.

■ Best practices for preparing for work with law enforcement
Preparing to work with law enforcement is an essential part of incident planning. The full scope of such preparation goes beyond what this chapter can cover. The CCIPS Cybersecurity Unit has published a short guide entitled Best Practices for Victim Response and Reporting of Cyber Incidents, which covers this topic in greater detail. Some of the recommended preparations include the following:

Implement appropriate technology, services, and authorizations. Investigations will be severely hampered if a business lacks key
information needed for law enforcement to develop and pursue leads early. Ensure that intrusion detection systems and network logging tools are in place, as well as the banners and other legal authorizations necessary to use them.

Identify the information, services, or systems that are most essential to your business operations. Knowing and communicating this information to law enforcement early in an investigation will be crucial to prioritizing early investigative steps.

Determine who will work with law enforcement. Law enforcement may need essential information about your systems and what you have learned about the attack to pursue ephemeral leads. Designating a person or group as a principal liaison to law enforcement will ease this process and allow others in your company to focus on other immediate priorities. This person or group should be authorized to gather necessary information and communicate it to law enforcement agents.

Ensure that legal counsel are familiar with key legal and technology issues. Cyber investigations often raise difficult legal issues relating to privacy and monitoring. Legal counsel who are familiar with your systems and with legal principles in this area will be able to navigate these issues with law enforcement counsel more quickly. These counsel can work with your company’s law enforcement liaison to ensure that information is collected and transferred lawfully and appropriately.

■ Calling authorities for assistance
Optimally, your first contact with law enforcement will not be in the throes of a crisis. Companies should establish relationships with their local federal law enforcement offices before they suffer a cyber incident. Having a point-of-contact and a pre-existing relationship with law enforcement facilitates any subsequent interaction that may occur if an organization needs to enlist law enforcement’s assistance. It also helps establish the trusted relationship that cultivates information sharing that helps victims and law enforcement.

Law enforcement agencies, including the FBI and U.S. Secret Service, have established regular outreach channels for companies that may be victims of cyberattacks. These include the following:

FBI InfraGard chapters and Cyber Task Forces in each of their 56 field offices
U.S. Secret Service’s Electronic Crimes Task Forces
Computer Hacking and Intellectual Property coordinators and National Security Cyber Specialists in every U.S. Attorney’s Office

Incorporating these resources into your planning can pay dividends in the hours after you discover that you may be a victim of an attack.

Victims may wonder which law enforcement agency is best to call when they face a cyberattack. Although agencies have different areas of expertise, they work together to ensure that there is ‘no wrong door’ for victims. As agencies follow leads and develop information about the likely attacker, they understand and can bring together expertise from across the government to ensure that the investigation is pursued aggressively using all appropriate tools.

■ What to expect when law enforcement knocks on your door
Often, a company will not be the first to know that they have been the victim of an intrusion or attack. Law enforcement may discover additional victims as they investigate an intrusion into a single entity. When this happens, agencies typically reach out to these additional victims directly.

A primary goal in such contacts is to ensure that additional victims get the information necessary to mitigate harms and secure their systems. At the same time, understanding the victim’s business, the information that it processes, and its relationship with other entities can help agencies better understand the relationship
among a series of thefts and the possible motivations for a given cyberthreat.

Cyber intrusions are rarely isolated to a single victim, and law enforcement collects examples of common techniques and practices from cyberthreats that can assist victims in securing their systems. For example, knowing that a particular group of criminals enters systems through a common vulnerability but once inside patches the original vulnerability while introducing several more can be crucial information for victims. By the same token, knowing that a group is focused on a specific version of a common software package or is targeting a particular industry can help law enforcement narrow down a list of possible perpetrators.

■ Realities of cybercrime investigations
Not surprisingly, the realities of cyber investigations differ from their portrayals in movies and television. Agents are rarely, if ever, able to trace an intrusion in progress instantly, nor do they often identify a perpetrator from halfway around the world quickly. Instead, such investigations often require painstaking assessment of historical log files, a long-term understanding of key motivations of likely attackers, and collection of evidence using exacting legal processes.

■ Cooperation with law enforcement in the investigation
Robust cooperation with law enforcement in the early hours and days of an investigation is essential to success. Agents likely will have many questions about the intrusions and the overall configuration of the system. Beginning from the time the intrusion is discovered, companies should make an initial assessment of the scope of the damage, take steps to minimize continuing damage, and begin preserving existing logs and keeping an ongoing written record of steps undertaken. Such documentation is often essential to understanding the scope of the intrusion at the inception; it can also be essential much later in the prosecution, as companies assess damage and response costs for loss and restitution purposes.

When contacting law enforcement or communicating within the company, companies should avoid using systems suspected in the compromise. Such actions may provide a key tip to attackers that they have been discovered. To the extent possible, companies should use trusted accounts and systems for communication about the incident and be wary of attempts to gather information about the investigation via ‘social engineering.’

■ Network forensics and tracing
One way that law enforcement conducts investigations is through network forensics and tracing. Although it is occasionally possible to follow a “hot lead” when an attack is ongoing, investigations more often depend on a careful examination of network logs. Because company systems are often complex and interrelated, investigators must consult with the system administrators who are experts on critical systems to identify where information necessary to developing leads will be stored. Such consultations can prove difficult if all system personnel are working intently on rebuilding security or restoring critical systems.

Companies can help with this by reserving a few experts whose job it is to work with law enforcement and to identify critical logs and other information that can be used to identify leads for law enforcement. These experts will be particularly important if the threat is believed to be an insider who has stolen trade secrets or other sensitive information, because the most important evidence is likely to be on internal systems.

■ Working with outside counsel and private forensic firms
Companies experiencing a severe cyber incident often turn to outside legal counsel and private forensic firms to assist them. Such entities can provide substantial support and expertise, based upon their experience assisting other victims, and can guide
especially when such sharing may implicate ■ Active defense, hacking back, and potential
other victims, companies should expect that liabilities
law enforcement will communicate with them regularly. Information flow should not be a “one-way street” to law enforcement.

■ Legal considerations when working closely with law enforcement
As useful as it can be to cooperate with law enforcement, it is also crucial that companies understand and delineate their role in the investigation and exercise care before they take on roles that may effectively make them agents of law enforcement. For example, companies are generally permitted under U.S. law to monitor their own systems to protect their rights and property. Usually, that information can be shared with law enforcement once they arrive on scene. If law enforcement begins directing the response, however, different authorities and limitations typically apply.

The law relating to law enforcement monitoring is complex and goes beyond what can be discussed in this chapter. In general, companies should carefully delineate between actions undertaken by the provider for its own purposes and those undertaken at law enforcement’s behest. If possible, companies should set out the facts and their understandings relating to such monitoring in writing shared with the investigating agency. More information on this topic can be found in Chapter 4 of the Department of Justice’s manual Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, which is available from the Department’s website. In addition, a sample letter relating to company monitoring that can be used by company counsel is included as Appendix G of that manual.

Companies undergoing a cyber attack may be tempted to “hack back” and attempt to access or impair another system that appears to be involved in a cyber intrusion or attack. Although that temptation is certainly understandable in the heat of an incident, doing so is often illegal under U.S. and foreign laws and could result in civil or even criminal liability. Many intrusions and attacks are launched from already compromised systems, precisely to confuse the identity of the true actor. Consequently, hacking back may damage or impair another innocent victim’s system rather than that of the intruder.

This does not mean, however, that companies cannot engage in “active defense” within their own systems. For example, reacting to cyberattacks by changing network configurations, or establishing “sandboxes” in which companies place realistic but false data to distract intruders from more sensitive data, are active steps that can be taken to help defend systems. Law enforcement agencies can help identify other proactive steps that companies may be able to undertake to protect their systems.

■ Conclusion
Effective cybersecurity and cyber investigations are essential to protecting company assets and public safety in our increasingly networked world. A close and respectful partnership between companies and law enforcement when cyberattacks occur is an important aspect of both. Planning for such cooperation in advance and carefully delineating the roles played by company representatives, law enforcement, and outside experts greatly enhances the likelihood of success.
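The “sandbox” of realistic but false data described above only defends anything if the organization notices when a decoy is touched. The Python below is an added example, not part of the original chapter, showing one way to make decoy records self-identifying: every decoy customer ID carries a short HMAC tag under a key that the application tier never sees, so a later appearance of that ID in a query log, a web access log or an outbound mail log can be recognized without keeping a list of decoys. The key, the ID format, the decoy row fields and the query-log lines are all constructed for illustration and are not from the chapter.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Assumption: in production this key comes from a secrets store and never
# reaches the application tier; it is a fixed constructed value here so the
# example runs stand-alone. Whoever holds it can tell decoys from real rows.
DECOY_KEY = b"constructed-demo-key-do-not-reuse"

# Every customer ID, real or decoy, has the same shape: cust-<8 hex>-<6 hex>.
ID_PATTERN = re.compile(r"\bcust-([0-9a-f]{8})-([0-9a-f]{6})\b")


def _tag(body: str) -> str:
    """Keyed tag over the random body; this is the only mark of a decoy."""
    return hmac.new(DECOY_KEY, body.encode(), hashlib.sha256).hexdigest()[:6]


def make_customer_id() -> str:
    """A real ID: random body, random suffix (not derived from the key)."""
    return f"cust-{secrets.token_hex(4)}-{secrets.token_hex(3)}"


def make_decoy_id() -> str:
    """A decoy ID: random body, suffix derived from the body under DECOY_KEY."""
    body = secrets.token_hex(4)
    return f"cust-{body}-{_tag(body)}"


def is_decoy(customer_id: str) -> bool:
    """Recognize a decoy by recomputing its tag; no list of decoys is kept.

    A real ID passes by accident with probability 16**-6 (about 6e-8), which
    is acceptable for an alert that an analyst confirms by looking up the row.
    """
    m = ID_PATTERN.fullmatch(customer_id)
    if not m:
        return False
    body, tag = m.groups()
    return hmac.compare_digest(_tag(body), tag)


def make_decoy_rows(n: int) -> list[dict[str, str]]:
    """Plausible-looking rows to seed among the real customer records."""
    names = ["Dana Whitfield", "Marcus Okafor", "Priya Raman", "Elena Sorensen"]
    rows = []
    for i in range(n):
        name = names[i % len(names)]
        first, last = name.lower().split()
        rows.append({"id": make_decoy_id(), "name": name,
                     "email": f"{first}.{last}@example.com"})
    return rows


@dataclass(frozen=True)
class DecoyHit:
    line_no: int
    decoy_id: str
    context: str


def scan_log(lines) -> list[DecoyHit]:
    """Flag every line that references a decoy ID.

    Works unchanged on a database query log, a web access log or an outbound
    mail log: anything in which customer IDs appear as text.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in ID_PATTERN.finditer(line):
            if is_decoy(m.group(0)):
                hits.append(DecoyHit(n, m.group(0), line.strip()))
    return hits


# Constructed query-log sample; FIXED_DECOY has a known body so runs are
# reproducible. The other IDs are real-style IDs with random suffixes.
FIXED_DECOY = f"cust-deadbeef-{_tag('deadbeef')}"
SAMPLE_QUERY_LOG = [
    "2015-10-02T03:14:07Z db01 app_user SELECT * FROM customers WHERE id='cust-0a1b2c3d-9f8e7d'",
    "2015-10-02T03:14:09Z db01 app_user SELECT * FROM customers WHERE id='cust-4e5f6071-1a2b3c'",
    f"2015-10-02T03:21:44Z db01 app_user SELECT * FROM customers WHERE id='{FIXED_DECOY}'",
    "2015-10-02T03:22:10Z db01 app_user SELECT name, ssn FROM customers WHERE region='NE' LIMIT 5000",
]

if __name__ == "__main__":
    for row in make_decoy_rows(2):
        print("seed:", row)
    for hit in scan_log(SAMPLE_QUERY_LOG):
        print(f"ALERT line {hit.line_no}: decoy {hit.decoy_id} touched: {hit.context}")
```

Only the third sample line fires: the decoy row was read by a single-row lookup. The bulk read of names and SSNs on the last line does not touch a decoy and is a different signal that needs its own rule. Decoy rows have to look like their neighbours and must never be served to legitimate users, and the tag key has to stay out of the tier an intruder would land in, since with it a decoy is as recognizable to the attacker as to the defender.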
Planning, preparation, and testing for an enterprise-wide incident response
Booz Allen Hamilton – Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate
INCIDENT RESPONSE
Fill in the blank: During a major cyber breach, the first thing I do is _______
HINT: The answer is not to wait for instruction from the IT department.
If you can’t answer, imagine whether your legal department could. How about the HR department? Or the corporate communications team or VP of sales? They all should; they’re all impacted by cyber incidents, so they have a role to play.

This chapter will focus on the following:
- incident response responsibility for the C-Suite and the business
- key considerations for cyber incident management plans
- testing a plan
- enabling plan adoption across the enterprise

■ Incident response for the C-Suite and beyond
Cyber incident response is often thought of as an IT department function. This assumption could be a costly mistake. Businesses in their entirety are connected to the Internet. As such, a cyber breach can happen anywhere within the business, ranging in severity, complexity, and impact. Relying on the IT department alone to be ready for any manifestation of a cyber incident would be an unfair if not impossible expectation.

IT security, typically led by a chief information security officer (CISO), needs to be empowered by the C-Suite so they can coordinate cyber incident response activity among all the impacted organizations and staff—this requires the facilitation of good working relationships during non-crisis times. One way to do this is for the CISO and the CEO to connect on cybersecurity trends frequently. The CISO has responsibility for assembling the right team, making sure the right technology architecture is in place, and for reporting cybersecurity issues upward. In a show of partnership, C-level leadership should enable the CISO to improve the organization’s incident management capability.

The C-suite must understand and enforce organization-wide roles in cyber incident management. Everyone—corporate communications, legal, business unit leaders, and so on—has a role to play. They may not even know it—so it is important for leadership to stress their responsibility in these efforts.

In addition to collaborating with the CISO and truly understanding the incident management capability, stay on top of current cyber risks. They change all the time—phishing becomes spear-phishing becomes pharming, for example. Not only that, some are exclusive to certain industries. Product security risks differ from those in retail, and retail differs from automotive. However, one thing is certain—all parts of the business have evolving cyber risks. By staying on top of cyber risks, you can incorporate them as part of your enterprise-wide risk management strategy. Which would do the most harm? Which are most likely? Anticipating and preparing for all kinds of cyberthreats doesn’t mean sitting on edge all the time. It requires simple demonstration of good steady-state behavior—which is the first phase of any incident management lifecycle, and so a key section of an incident management plan.

■ Putting together the cyber incident management plan
Cyber incident management is constant; it happens in phases, and an actual incident lifecycle is only one part of it. Shown in Figure 1 is a full lifecycle for incident management.

If you are starting from scratch, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a good reference point. It was created in collaboration between the public sector and private industry.
[Figure 1: Full lifecycle for incident management. Phases shown: Prepare, Prevent, Detect, Respond, Remediate. Other labels on the figure: Threat Intelligence, Crisis Communication, Communication & Stakeholder.]

There is a caveat, however: incident management lifecycles do not fit neatly into a calendar. They overlap, phases are repeated, and truly, “Preparation” and “Prevention,” or steady-state activities, are happening all the time, even in the midst of an incident.

When the steady-state activities are done well, it makes an organization resilient and better able to bounce back after a breach occurs.

■ Elements of planning
A good cyber incident management plan considers the whole enterprise, and it considers more than just the technical aspects of incident response. When planning for cyber incident management, responsibilities and activities can be organized and integrated by three categories: people, process, and technology (Table 1).

[Table 1: People / Process / Technology (column headings only)]

Each of these things should be considered in the context of your organizational philosophy toward risk management. Policies that help mitigate risk—such as acceptable use policies and data handling policies—can be used as governing authority for cyber incident management planning.

Although an incident management plan starts with the CISO, the rest of the business units should follow suit. Drafting an initial plan requires substantial effort to integrate how people, process, and technology work together in harmony across the whole enterprise. And, once the plan is created, it requires consistent support from the C-level to ensure adherence by the whole organization. The plans must be tested and updated frequently to make sure they keep up with changes in threats, tools, and resources.

■ Testing the plan
Short of being the victim of an actual intrusion, testing your incident response program is paramount to understanding how well your business would fare during a real incident. Many organizations pay for expensive tools, documentation, and consultation but are unable to replicate any of their strategies because they are not prepared to use them. Executives should understand that an incident response program with an always vigilant, always ready team is the greatest defense to a cyber intrusion and will reduce risk and increase confidence.

Assessing an organization’s incident response program can provide a clear vision into its future, showing what would happen if a cyberattack occurred and delivering insight into what works and what does not. There are several benefits to testing an organization’s incident response plan:
- Keeping the program relevant and at the forefront of cybersecurity: reducing risk and increasing executive confidence
- Understanding current knowledge and tool gaps
- Increasing work performance and efficiency to reduce cost and time spent resolving an incident.

■ Testing methods
Testing entails far more than just making sure employees are trained on tools and procedures; they have to be able to detect, contain, and remediate active incidents—real or fictional—and the only way to do that is by managing realistic situations. There are a variety of ways to provide scenarios that can test an organization’s incident response program.

Using a “red team,” or a group whose purpose is to simulate a cyber adversary, is a way to covertly test the response to an actual adversary. Only employees with a need to know will be aware of a red team’s activities, so to the organization’s incident responders, the scenario is treated like an actual incident (without the loss of capital). Results from these exercises can be shared with executives, providing an overview of strengths and weaknesses to tweak the program and try again.

Engaging specialized third parties to review an incident response program can validate program elements. It’s often said that a second set of eyes can find flaws in a document that the author overlooked. This same strategy can apply to an incident response program. Although many organizations have plenty of documentation surrounding their program, they rarely review or update it. The cybersecurity landscape changes every day, which leaves an under-reviewed program in an incomplete state, becoming more irrelevant as time passes. Employing specialized third parties to review an organization’s program on a regular basis can assist in maintaining an up-to-date, risk-averse program.

Strategic simulations, also known as war games, can simulate numerous possible situations in which the program will be applied. These scenarios ask participants to use their current technological and process knowledge to solve situations ranging from the exfiltration of organizational intellectual property to a large phishing campaign requesting employee information, to an enterprise-wide denial of service—halting productivity, sales, or transactions. War games also help an organization to craft scenarios in which teams that do not typically communicate with one another have to cooperate to solve problems. This is especially helpful when senior leadership is involved—it helps illustrate major decision points and clarifies the business impact of various cyber breach scenarios.

Although developing, preparing, and implementing the incident response plan is essential, making sure all of that work is functional and as efficient as possible is vital to having a successful incident response program. By implementing tests such as red team exercises, war games, and regular reviews, an organization can understand what may happen if it is an unfortunate victim of a cyberattack and, maybe, through solutions implemented from test findings, prevent a real incident.

■ Internal and external communications planning
Once the plans have been written and tested, it’s important to keep up momentum and continued awareness about cyber risks. Just as the IT department is constantly engaged in cyber incident management, so too must the staff throughout the organization be—albeit with regard to their own personal role.

Enlist the help of your corporate communications department to help with cybersecurity awareness messaging that is tailored for all staff. Messaging should help employees stay attuned to cyberthreats that could affect them, as well as how they can play a part in keeping the organization secure. Keep in mind that “cyber” may not resonate with staff outside the IT department, which is why corporate communications can help craft the appropriate messaging.

In addition to internal messaging, make sure cyber incidents are incorporated into the organization’s crisis communications capability. Just as corporate communications would be on hand to protect the brand’s image during an emergency, they should similarly have a crisis communications plan for a cyber incident. As a part of that, ensure that the right spokespersons are media trained prior to an incident.

■ The inevitable cyber breach
It’s hard to estimate the cost of a cyber incident. Undoubtedly, the longer that business operations are affected—production is stalled, websites are down, IP is stolen, and so on—the higher the cost climbs. Having a plan that is pervasive enterprise-wide and uses a tested, all-staff approach can help resolve cyber incidents more quickly. Given that cyberthreats are present all the time, an incident is all but inevitable. Fortunately, incident response planning can mitigate the impacts of such an event.
Detection, analysis, and understanding of threat vectors
Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist
- Organized cyber criminals include international crime syndicates targeting organizations largely in the financial services and retail industries for financial gain. Although there are a number of players, this arena is dominated by loosely knit teams of attackers located in Eastern Europe.
- State-sponsored espionage threat actors deploy targeted malware in stealthy, multi-stage attacks, sometimes called advanced persistent threats (APT), targeting intellectual property. At risk is anything that may be of value, including business plans and contracts; trading algorithms; product designs and business processes; trade secrets; client data; lists of employees, customers, and suppliers; and even employee log-on credentials.

As attackers have sharpened their skills and expanded their techniques over the last couple of years, organizations are now facing a new challenge. Cybercrime has advanced to include cyber warfare and cyber terrorism as nation-state actors have moved from disruptive to destructive attacks.

Experts predict that cyberattacks will intensify as cyber criminals accelerate their activities. Organizations face a world of continuous compromise. It is no longer a question of whether the company will be breached, but when. Ponemon research, however, shows that board members generally lack knowledge about cybersecurity breach activity within their organizations. One in five, for example, was unaware whether the organization had been breached in the recent past.

Although larger organizations are generally able to recover from a significant breach, provided that negligence is not a factor and excessive liability is avoided, sustaining operations over the course of two or more
[...] find their way in. Once in, they can go for months, even years, without detection. Because deeply embedded hackers can be extremely difficult to eradicate, the challenge is to detect these threats as soon as possible.

Unfortunately, organizations are hard pressed to match resources with cyber criminals. Similar to a game of “whack-a-mole,” once organizations get on top of one type of attack, the cyber criminals simply evolve their tactics.

A solid cybersecurity governance program is vital to getting ahead of cybercrime. Unfortunately, there is a gap in the perception of governance effectiveness between board members and security professionals. Ponemon research indicates that 59 percent of board members believe the corporation’s cybersecurity governance practices are very effective, whereas only 18 percent of security professionals believe so. This gap in perspective has to be closed if organizations are to improve their ability to face increasingly stealthy and sophisticated cyber risks.

■ Robust, constant monitoring is key to detection
The saying, “You don’t know what you don’t know,” is especially true in cybersecurity. Robust, constant network monitoring is vital to uncovering threats. Any number of solutions are available that enable organizations to monitor network activity. Because the volume of network traffic combined with increasingly complex networks defies manual threat analysis, many organizations rely on the automated threat-detection capabilities of numerous disparate solutions. However, this overreliance on technology alone to address security threats can cause organizations to lose sight of the bigger threat picture.

Organizations also jeopardize their ability to detect advanced threats through a failure to fully integrate the security solutions into the entire network defense infrastructure. Often security technologies are deployed with default settings, resulting in many false-positive alerts. Many times organizations overlook the human element. Organizations can’t depend on technology alone to defend networks. Detecting advanced threats requires a risk management program that includes technology, people, and processes. Board members should ensure that security budgets include funding for security experts who can understand the risk, interpret the alerts, and act on the intelligence.

■ Anticipate attacks
Today’s threat actors conduct detailed reconnaissance and develop custom malware in an effort to penetrate networks. It’s difficult to know when an attack will happen. A dynamic threat intelligence capability helps to ensure that organizations can anticipate breaches before they occur and adjust their defensive strategies.

Widespread sharing of threat intelligence among security professionals can empower organizations to detect threats more efficiently and effectively and avoid cyber attacks. At one end of the threat intelligence spectrum are indicators of compromise (IOC). Integrated from several sources and typically shared through an automated, continuous, real-time threat intelligence data stream, IOCs provide information on malicious code and malicious web pages that hackers are using.

At the other end of the threat intelligence spectrum are threat advisories, which provide big-picture analysis of current security issues posing risks to enterprises. Such advisories typically feature an overview of the threat, a risk assessment, indicators, and mitigation strategies.

■ Build board cyber literacy
As boards become more involved in cybersecurity, they should address cybersecurity risk as they would other types of business risk. To be effective in leading their organizations with the right knowledge, oversight, and actions, boards need a base level of understanding of the cybersecurity risks facing the organization. However, organizations are challenged with what is the best way to build this board cyber literacy.

Many boards already have some form of oversight when it comes to cyber exposure, generally in the audit committee or risk committees specifically tasked with enterprise IT security and emerging risks. To gain a deeper understanding of the relevant issues surrounding cyber risk, some organizations are adding cyber expertise directly to the board via the recruitment of new directors. However, because nominating and governance committees must balance many factors in filling board vacancies, there is a concern that it may take a long time for boards to achieve the proper board composition.

In addition to board composition, directors point to a lack of available time on the agenda to discuss cybersecurity as a roadblock in becoming cyber literate. Although board members are not expected to be cybersecurity experts, they need access to expertise to help inform boardroom discussions. Ways to bring knowledgeable perspectives on cybersecurity matters into the boardroom include the following:
- Periodic briefings from in-house specialists
- “Deep dive” briefings from third-party experts, including cybersecurity firms, government agencies, and industry associations
- Guidance from the board’s existing external auditors and outside counsel, who will have a multi-client and industry-wide perspective on cyber risk trends and how the organization’s cyber defense program compares with others in the industry
- Director education programs, whether provided in house or externally
- Periodic exercise of the incident response plan to include board members.

■ Empower the chief information security officer
Boards have a responsibility to manage cyber risks as thoroughly as possible. One critical element in providing effective oversight is to empower the chief information security officer (CISO) to drive security throughout the organization. In many organizations the CISO’s role is subordinate to that of the chief information officer (CIO). Directors should be mindful that the agenda of the CIO is sometimes in conflict with that of the CISO. Whereas the CISO is focused on data and network security, the CIO is focused on supporting business processes with applications and networks that have high availability.

Recognizing that business strategies that lack a security component increase vulnerabilities and place the organization at risk, the CISO must have a strong, independent voice within the organization. To accomplish this, the board must ensure that the CISO is reporting at the appropriate levels within the organization. Although there is no single right answer, the trend has been to migrate reporting lines to other officers, including the general counsel, the chief operating officer, the chief risk officer, or
even the chief executive officer, depending on the industry, size, and scope of the company, and the organization’s dependency on technology.

■ Conclusion
The threat landscape is rapidly evolving as well-funded cyber criminals continue to launch increasingly sophisticated attacks through multiple threat vectors. Cybersecurity will continue to pose a serious risk that will demand corporate management and board attention and oversight. Boards that fail to actively measure and continuously monitor cybersecurity as part of the organization’s strategy will leave their firms open to significant financial, reputational, and competitive risk.

The overwhelming number of cyber incidents has forced board members to become more involved in cybersecurity, which is as it should be. However, to be effective, much education is still needed. Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and provide the support needed to the IT security professionals to protect against those risks.
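The chapter above places machine-readable indicators of compromise at one end of the threat intelligence spectrum and narrative advisories at the other, and notes that detection tools left on default settings produce false positives. The Python below is an added example, not part of the chapter or of Fidelis Cybersecurity’s material, showing the mechanical end of that spectrum end to end: a small indicator feed is normalized (feeds are usually “defanged” with hxxp and [.] so indicators cannot be clicked by accident), validated and indexed, then matched against proxy log lines and a set of file hashes to produce a hit list an analyst can triage. The feed entries, the five-field proxy log layout and the file hashes are constructed for this example; a real feed uses a richer format and a real proxy log needs its own parser.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed feed entries, not a real vendor feed; "hxxp" and "[.]" are defanging.
FEED = [
    {"type": "domain", "value": "example-bad[.]net", "source": "vendor-A"},
    {"type": "url", "value": "hxxp://cdn[.]example-bad[.]net/dl/inst.exe", "source": "vendor-A"},
    {"type": "ipv4", "value": "203.0.113[.]77", "source": "sector-ISAC"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "source": "sector-ISAC"},
]
# Constructed proxy-log layout: timestamp client method target status.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    kind: str       # "url", "domain", "ipv4" or "sha256"
    indicator: str  # the normalized feed value that matched
    source: str     # which feed supplied it
    context: str    # the log line or file path that matched

def refang(value: str) -> str:  # turn a defanged indicator into what logs contain
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)

def build_index(feed: list[dict]) -> dict[str, dict[str, str]]:
    """Validate and canonicalize each indicator once; returns kind -> {value: source}."""
    idx: dict[str, dict[str, str]] = {"domain": {}, "ipv4": {}, "url": {}, "sha256": {}}
    for ioc in feed:
        kind, v, src = ioc["type"], refang(ioc["value"]), ioc["source"]
        if kind == "domain":
            v = v.rstrip(".")
        elif kind == "ipv4":
            v = str(ipaddress.ip_address(v))  # rejects malformed entries
        elif kind == "url":
            host = urlparse(v).hostname
            if host:  # any other path on a listed host is still worth a look
                idx["domain"].setdefault(host, src)
        elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", v):
            raise ValueError(f"malformed sha256 indicator: {ioc['value']!r}")
        idx[kind][v] = src  # an unknown kind raises KeyError here
    return idx

def match_host(host: str, idx) -> tuple[str, str, str] | None:
    """(kind, indicator, source) if host is a listed IP, domain, or subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        ip = str(ipaddress.ip_address(host))
        return ("ipv4", ip, idx["ipv4"][ip]) if ip in idx["ipv4"] else None
    except ValueError:
        pass  # not an IP literal; walk the domain labels instead
    labels = host.split(".")
    for i in range(len(labels) - 1):  # a.b.example.net, b.example.net, example.net
        candidate = ".".join(labels[i:])
        if candidate in idx["domain"]:
            return ("domain", candidate, idx["domain"][candidate])
    return None

def match_proxy_log(lines, idx) -> list[Hit]:
    """Check each request's full URL first, then its host, against the index."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = LOG_LINE.match(line)
        if not m:
            continue
        _, client, method, target, _ = m.groups()
        if method == "CONNECT":  # TLS tunnel: only host:port is visible
            host = target.rsplit(":", 1)[0]
        else:
            url = target.lower()
            if url in idx["url"]:
                hits.append(Hit(n, client, "url", url, idx["url"][url], line))
                continue
            host = urlparse(url).hostname or ""
        found = match_host(host, idx)
        if found:
            hits.append(Hit(n, client, *found, line))
    return hits

def match_hashes(observed: dict[str, str], idx) -> list[Hit]:
    """observed maps file path -> sha256, e.g. from an EDR or inventory export."""
    return [Hit(n, "-", "sha256", d, idx["sha256"][d], path)
            for n, (path, digest) in enumerate(observed.items(), start=1)
            if (d := digest.lower()) in idx["sha256"]]

SAMPLE_PROXY_LOG = [  # constructed
    "2015-10-02T09:15:01Z 10.0.4.17 GET http://www.example.com/index.html 200",
    "2015-10-02T09:15:07Z 10.0.4.17 GET http://cdn.example-bad.net/dl/inst.exe 200",
    "2015-10-02T09:16:30Z 10.0.4.22 CONNECT 203.0.113.77:443 200",
    "2015-10-02T09:17:02Z 10.0.4.17 GET http://update-check.example-bad.net/ping?id=7 404",
]
SAMPLE_FILE_HASHES = {  # constructed path -> sha256 pairs
    r"C:\Users\jdoe\AppData\Local\Temp\inst.exe": "0123456789abcdef" * 4,
    r"C:\Windows\System32\notepad.exe": "fedcba9876543210" * 4,
}
```

Running `match_proxy_log(SAMPLE_PROXY_LOG, build_index(FEED))` returns three hits: the listed URL, the listed IP reached through a CONNECT tunnel, and a subdomain of the listed domain found by walking up the labels. The first line, a request to an unlisted host, returns nothing. Two choices here are the ones that usually decide the false-positive rate the chapter warns about: indexing the host of every URL indicator (a single listed path makes the whole host suspicious) and matching parent domains (a listed apex fires on all its subdomains). Both are deliberate, and a feed entry that lists a shared hosting domain will flood the queue under these rules, so feed entries need confidence and expiry fields that this constructed feed omits.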
Forensic remediation
Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist, and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services
[...] those who are engaged in cybercrime. If there is any indication that the investigation may have an international aspect, federal law enforcement may be able to expedite the investigation. Law enforcement’s expertise in gathering evidence and conducting forensic analysis can be leveraged to ensure that the data can be used in future court proceedings. Also, in some cases, organizations may be able to delay notification requirements if notification would impede or interfere with a law enforcement investigation.

■ Alert industry regulators
Threat actors are neither attacking one institution at a time, nor are they quickly changing their methods. They often use the same techniques on multiple institutions in multiple sectors. With the increasing number of data breaches comes a renewed push for the sharing of cyber risk information between the United States government and the private sector to help individual organizations and industries as a whole better defend against attacks. Because of their position in the industry, regulators can be an important source of information on cyber threats, attacks, and trends. Information sharing and analysis organizations have made a resurgence, and organizations can benefit by seeking their aid for insight on indicators of compromise during a data breach.

Regulatory investigations have the potential to represent a significant challenge in terms of money, time, resources, and distractions. Because regulators will have to be satisfied that the data breach has been completely resolved, organizations should engage with regulators as early as possible during the remediation process.

■ Notify insurance providers
After a data breach, organizations can expect to see significant costs arising from forensic investigations, outside counsel, crisis communications professionals, data breach notification expenses, regulatory investigations and fines, lawsuits, and remedial measures. Such costs can quickly reach tens of millions of dollars in a few weeks.

Once an incident is determined to be a breach, it’s important to engage with the firm’s insurance providers to evaluate the insurance coverage and determine which existing policies may cover the event, as well as to identify the necessary reporting requirements.

One of the challenges with cyber insurance is the lack of standardization in terms of coverage. From a broad standpoint most policies cover the initial incident response and investigation. Few, however, cover remediation. Because the policies vary widely, general counsel and outside counsel have to understand the details of the policies to tailor an incident response approach that maximizes the coverage. Here, the outside forensics response team
can also be invaluable in helping organizations to articulate and justify cyber insurance claims.

■ Conduct complete, focused digital forensics analysis
When a data breach occurs, organizations need answers fast: Who was involved? How did they do it? What data was compromised? What are the risks? Answers depend on the forensic analysis of digital evidence. Further, the proper preservation of digital evidence is crucial to demonstrate to regulators that reasonable security controls are in place or to prove wrongdoing in criminal prosecution.

However, organizations all too often are thrown into panic. Hasty decisions are made and evidence is lost. Here, directors should look to outside counsel for guidance. Their experience and focus on minimizing legal liability make their advice about what should be considered evidence, and thus preserved, invaluable.

In the course of their forensics efforts, organizations typically encounter two challenges:
- Limited scope of forensics. Many times organizations fail to look beneath the surface in the hope that a simple review will fix the problem. Alternatively, they may limit the scope of the investigation to mitigate the high cost of forensics. Such actions may fail to uncover the true cause and extent of the breach. By exploring all potentially compromised systems, organizations can reduce the risk of overlooking exposed system components.
- Improper handling of evidence. A company’s internal IT staff may compromise the evidence even before forensic experts can preserve it. Organizations must ensure that the internal IT staff is mindful of proper evidence-handling protocol.

■ Focus on aggressive remediation
When an organization experiences a data breach, it is often difficult to determine the nature of the attack cycle and pathways of attack as hackers disperse their tools throughout the network. This is especially true in advanced persistent threat attacks, in which malware can remain dormant and undetected for months. The remediation phase is therefore critical to remove malware from infected hosts and prevent future recurrences of the same or similar breaches.

At one end of the remediation spectrum is sequential eradication. Here, incident responders work to eliminate malware as soon as it is discovered. This traditional approach has the benefit of lower costs and reducing the risk of data loss. However, the drawback is that the organization forfeits the opportunity to learn about the hacker’s tactics and runs the risk of retaliation. Also, attackers may go quiet, making it more difficult to find their tools and requiring that forensic investigators shift their efforts to eradication.

At the other end of the spectrum is aggressive remediation, in which all remediation actions are executed simultaneously across the entire network. If executed properly, aggressive remediation precludes the hacker from detecting and reacting to the remediation actions. This approach is called for when an organization experiences repeated breaches by the same advanced attackers or a breach has gone undetected for weeks or months. Aggressive remediation provides a better understanding of the attacker’s tools, tactics, targets, and motivations. Because this method fully removes all traces of the attacker’s tools, threats, and vulnerabilities, including the attacker’s ability to re-enter the network, it minimizes retaliatory risk.

This approach allows the attacker to remain active in the network during the investigation. Should they become aware of forensic activities, they could move quickly to a destructive attack. Special forensic skills, extensive planning, and sophisticated execution therefore are required to avoid interfering with or alerting the attacker to the forensic efforts underway, as well as to minimize the potential for damage and data loss.
■ The critical importance of network monitoring
If determined attackers want to get in, they will find a way. The real question is whether the organization will detect the breach. Unfortunately, the answer is, “Probably not.” Advanced, targeted attacks focus on quiet reconnaissance and infiltration of their victims’ network. Professional cyber criminals are so adept at cloaking their activities that they routinely go unnoticed for months, even years, without detection.

Although defense-in-depth has long been hailed as a best practice, organizations are now urged to improve their abilities to detect attacks that have succeeded. Robust network monitoring is a strategically important element in IT security and is crucial to determining if anything was stolen. By employing robust network monitoring organizations can maintain control, limit the damage, and plan for an appropriate response.

■ Summary
Organizations have reached a pivot point, realizing that it is no longer a question of if the firm has been hacked, but an assumption that it has. Faced with the new reality of operating the business while potentially executing incident response activities, organizations are placing a priority on robust network monitoring to detect the extraordinarily complicated threats hidden in the network. Once identified, these threats demand a host of remediation responses that include forensic preservation, containment, expulsion, and remediation. Responding to a major breach correctly requires a team of outside forensic and legal experts partnered with their internal incident response team. A well-defined incident response team includes key staff functions and line of business managers as well as C-level executives and corporate directors.

Experiencing a cyberattack is disruptive, and combating the malware behind large data breaches remains a constant challenge. Getting the right people involved and understanding the best way to efficiently use them is essential to properly investigating and remediating the event while managing costs and extent of business impact. Board directors and C-level leadership must ensure that their organizations are ready with a well thought out breach incident response plan to help minimize the organization’s liability and exposure.
Lessons learned—containment and eradication
Rackspace Inc. – Brian Kelly, Chief Security Officer
■ Seek unity of command
Unity of command is vital to respond to a cyberattack. However, not every incident requires the same command and control structure. Careful planning should determine in advance the level of management required based on the severity of the event and identify those that require board attention and corporate officer leadership.

Similar to military operations, in which the general commands the day-to-day operations of the military during peacetime, a CISO oversees the day-to-day responsibilities and projects. During times of war, command shifts to the Joint Chiefs of Staff and designated war fighting commanders. The same holds true in a cyberattack. The incident response leader takes control and leads the team through the steps necessary to respond to the incident.

Effective command and control during these times of crisis is critical. However, when an incident is declared, people often come out of the woodwork to get involved. Because time is critical, nothing can be worse than senior executives trying to influence activity or wrestle control when an attack is in progress. Slow response and uncoordinated containment activities can provide attackers with the time necessary to move laterally in the network, creating an even more serious breach. It is therefore vital that command and control be clear, understood, disciplined, and followed with precision.

To increase leadership’s understanding of the workings of command and control and provide insight into the protocols and procedures of incident response, it is imperative that organizations rehearse the incident response plan at least annually. Whether the activity is a mock tabletop exercise or a live-fire drill, the rehearsal gives company leadership and directors a baseline understanding of the criteria used to determine the severity of an event, the lifecycle of an attack and incident response, and the goals for each phase of the lifecycle.

The exercises also provide insights into the following:
how and when to engage external partners
what can potentially go wrong during the phases
what types of communications are needed
how to protect the incident response information flow that is for the response team’s exclusive use
how to bring other departments into the investigation.

Armed with such information, leadership and board directors are better enabled to formulate questions and act on the information to provide proper governance and oversight.

■ Retain incident response teams and outside counsel experienced in managing cybersecurity incidents
When it comes to containment and eradication, it is vital that internal security teams understand their strengths and weaknesses. Often internal teams assume they can handle the event and try to fix the problems themselves, only to make matters worse by accidentally destroying or tainting crucial evidence. Organizations are therefore turning to external counsel and forensic response teams that can step in on a moment’s notice to respond to cyberattacks.

Selecting the right counsel and forensic team—especially those experienced in interactions with law enforcement—can be the difference between success and failure. In addition to benefiting from their expertise, involvement of an attorney allows organizations to maintain attorney-client privilege. Because different phases of the incident response lifecycle require different capabilities, such as evidence collection, forensic analysis, and malware reverse engineering, organizations should select teams that have broad expertise. Established relationships with several teams are wise because the scope and magnitude of an incident may require
more than one forensics team. Having relationships with several partners provides a fallback.

The worst time to find a partner is during an incident. In addition to running the risk of no firm being available, the breached company is faced with paying rates that are non-negotiable and entering into a difficult relationship that often leads to protracted investigations. Selecting and vetting cyber response teams in advance allows the team an opportunity to learn about the firm’s operational practices and environment. The forensics team can come up to speed quickly and hit the ground running. In addition to the qualitative advantage, selecting partners in advance provides a quantitative advantage in that you can pre-negotiate rates and terms that are acceptable to both parties and begin the relationship on a positive note.

Organizations also should look to engage a trusted advisor to provide independent advice to directors and officers regarding the security incident. Faced with pressure to deflect accusations or make things look better during an event, internal staff may report only what is necessary or skew information. An impartial trusted advisor knows how to interact with internal personnel, query the forensic investigators, analyze the findings, and provide the perspective that the board and senior management need for decision making. Many firms use outside counsel with experience in guiding incident response operations to perform this trusted advisor role.

■ Employ good case management practices
No one ever fully knows how an investigation will evolve. Even if it is unlikely that a security event will become public or that the investigation will end up in a court of law, directors should assume that it could and take the appropriate actions from day one. It is vital to follow good case management practices and do everything possible to preserve forensics evidence—from the first indication of the event through to the completion of the investigation.

Evidence is perishable and can be tainted. Organizations that are slow to engage the appropriate forensics partners run the risk of potentially destroying, tainting, or missing key evidence that could be crucial in the later stages of the investigation. By asking the question, “Should this go to court; what do we need to do from the moment we start
this investigation to present a solid case?” organizations can limit their liability down the road and better position themselves for successful litigation.

■ Adopt an outcome-based approach
Some forensics organizations take a checklist approach to incident response. However, no two cyber events are the same, and incident response is not a scripted process. Security teams operate under the fog of cyberwar, and decisions will be made under conditions of stress, fatigue, and confusion in response to seemingly random events. What is needed is an outcome-based approach to incident response, recognition that there are multiple ways to achieve the outcome, and an understanding of what can go wrong. Normally, outcomes are based on a specific list of questions that must be answered by the incident response team based on initial attack indications and regulatory responsibility. The team should be focused on answering these questions during the investigation. Investigators who are experienced in outcome-based incident response are better able to focus on what matters, form hypotheses, take action based on the type of attack and observable facts, and pivot should something go wrong.

During the course of containment and eradication, it is expected that attackers will take new action based on the security team’s efforts. One model that can be used to prevent enemies from gaining the upper hand is the “O-O-D-A Loop”: Observe, Orient, Decide, and Act. This model provides a method for making informed decisions and acting based on feedback from various sources. Recognizing that attackers are doing the same, the key is to tighten and accelerate the OODA Loop, leveraging people, process, and technology to move faster than the adversaries.

■ Hire impartial, independent spokespersons for crisis communications
The stakes for immediate and effective crisis communications throughout an investigation have never been higher. During a cyber crisis, a company may need to notify customers, answer to the press, respond to regulators, and defend the company’s conduct in parallel actions, such as a civil suit and a regulatory investigation.

A company’s internal public relations team knows much about the organization but is not an expert in directing cyber breach communications. When multi-billion dollar payments and corporate reputations are at risk, board directors and senior management must take care to turn to independent, impartial crisis communications experts.

Cyberattacks are distressing events. Those involved often have an emotional attachment or are too close to the incident to be viewed as impartial in their communications. Independent experts provide the clear thinking and unbiased perspective that is required to assist the company in all dialogues and announcements—from initial notification to worst-case communications. Further, the external team will be able to ensure that once communications are initiated, such as notifying customers of a breach, follow-up communications occur on a timely schedule. Often overlooked is the need to manage negative nonverbal communications that may be sent to internal and external parties as a result of actions taken by the response team. For example, shutting down a website or requiring password changes sends a clear message that something has happened. The communications team must manage these types of communications as well. Finally, in addition to being able to articulate what is happening, it is vital that the crisis communications team stands firm in its mission to protect the company by advancing the facts in the face of unjustified assertions or incorrect accusations.

■ Be prepared for containment to affect business activities
Incident containment has two major components: stopping the spread of the attack and preventing further damage to hosts. During the containment effort, organizations should be prepared to shut down or block services, revoke privileges, increase controls, and place restrictions on network connectivity
and Internet access. Such activities can affect business processes dramatically by restricting organizational functions and work flows; therefore, the decision to perform such actions should never be one sided. Because business activities are dynamic, the decision to implement controls during containment always should include a two-way discussion with business process owners and company leadership. It is vital that organizations have strategies and procedures in place for making containment-related decisions that reflect the level of acceptable risk to the organization.

■ Focus on people, process, and technology during eradication
Malware detection and eradication can be an expensive and time-consuming process, as malware can lie dormant in a system for months and then activate again. Although it is easy and tempting to apply a quick fix in the heat of the incident, attention must be given to finding and fixing the true root cause. Here, the natural tendency is to lead with a technology solution. With new security tools comes the belief that the problem is solved. The reality is that, without taking people and processes into consideration, technology actually can create more complexity, consume more resources than it returns, and deliver only incremental value. In short, complexity is the enemy of security.

Organizations must take a holistic approach to eradicating and closing the security gaps. This may necessitate new processes and policies, new services and technologies, and additional personnel. Skimping on cybersecurity may result in much higher costs down the line. Board directors should be prepared to increase security budgets and can be firm but fair in maintaining their fiduciary responsibility by requiring the right justification from the security team.

■ Share information with others who can benefit
The fact that hackers have breached the computer systems is the kind of news that no organization wants to reveal. Corporate leadership worries about attrition of customers, negative press, and difficulties with partners that may occur if news of an incident leaks out. However, for the good of the industry, the sharing of incident details may
Cyber incident response
BakerHostetler – Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate
potential incidents along with best practices developed from our experience in helping companies respond to more than 1,000 potential events. Although these laws are a critical part of a response, responding to an incident is not just a legal issue. Being viewed as handling the incident well also involves an effective communications response.

■ Incident response best practices
A company’s incident response should be guided by a plan that has been tailored to the company’s industry and fine-tuned through mock breach exercises. The response plan is a critical element of the crisis management strategy—not because it provides a prescriptive, detailed list of action items, but because it has been refined and practiced through tabletop drills. A good plan outlines a flexible framework of the general steps that must be taken to prepare for, respond to, and recover from a security incident. An incident response plan must be flexible enough to adapt to the particular security incident the company is facing (e.g., network intrusion, denial of service, account takeovers, malware, phishing, loss of paper, employee data, security vulnerabilities detected by third parties, or theft of assets).

Identify the internal incident response team. Identify team members from critical departments (e.g., IT, IS, legal, communications, internal audit, HR, risk management, business lines), describe their roles, and define how and when they will be activated when a potential incident is identified.

Identify who will lead the incident response team. Companies approach this in different ways. For some, the IT and IS groups play a significant role. At highly regulated companies, legal and regulatory members will be integral to the response. Because some issues go beyond the technical response, being a good project manager is probably one of the key traits a company should look for when deciding who will lead the group. Practice drills also help to ensure that the various team members understand their role and authority to make decisions.

Categorization. Provide a simple structure for classifying events by severity (e.g., low, medium, high) and risk to “level set” the team regarding urgency, escalation to the C-suite, and level of engagement of the representative groups on the incident response team.

Response protocol. Provide a flexible framework for executing the eight key steps of incident response: (1) preparation, (2) identification, (3) assessment, (4) communication, (5) containment, (6) eradication, (7) recovery, and (8) post-incident.

Third parties. Identify key third parties that will assist the company, including external privacy counsel, forensics, crisis communications, mail and call center vendor, and credit monitoring.

Once the plan is created, test the plan for gaps and provide training for the incident response team. External privacy counsel often conducts these exercises, sometimes in conjunction with the primary forensic firm and crisis communications firm. Most companies choose to use a hypothetical scenario that they would consider to be the most likely catastrophic incident they may face (e.g., a payment card event for a retailer) followed by subsequent, periodic testing using different scenarios (e.g., service disruption, employee data).

No two incident scenarios are the same, so there is not a one-size-fits-all, turnkey solution to incident response. There are, however, critical factors that drive a successful response.

Notify and assemble incident response team members and begin the investigation. Don’t panic when a security incident arises. Be methodical, but swift, in your response. Assemble the incident response team members and notify them of the security incident. If a member of the C-suite is not on the team, there must be a direct
connection to the C-suite so that decisions can be approved in a timely fashion and the response team can move forward with the investigation. It is useful to appoint a security incident manager; often this is someone with strong project management skills who can move the process forward in a productive way working alongside outside privacy counsel. Once the team is assembled, it should initiate an internal investigation into the security incident, and depending on the potential severity of the incident, daily progress calls should be scheduled.

Identify and fix the issue. Conduct an initial analysis of the reported incident and focus on getting quickly to a point where the internal and/or external computer security firm can develop and implement an effective containment plan. If news of the incident is going to become public, at least the company will be in a position to say that it identified and blocked the attack from continuing. The company can then turn to identifying the full nature and extent of the attack. Working with internal resources, at least initially, is very common; however, consider bringing in external security firms when the company is facing capability, credibility, or capacity issues.

Gather the facts and let them drive the decision-making. Resist the pressure to communicate about the incident too early or to be overly reassuring. Focus on the investigation. Institute a plan early on for collecting all available forensic data—hardware, devices, database activity, and system logs—and transfer it to a safe location for subsequent analysis. Create a timeline of events surrounding the security incident and the actions taken by the company. Structure additional investigation and response efforts based on the information gathered and the scope of the incident. Work to include any favorable findings in public communications; notification letters are often attached to class action complaints and therefore a company can rely on any such helpful information when filing a motion to dismiss.

Determine any legal obligations and comply. Experienced outside privacy counsel that is well versed in incident response can help the company quickly and accurately determine the state, federal, and international privacy and security laws and regulations that may be implicated by the security incident. Complying with these laws is sometimes a balancing act that requires a company to consider other factors. Engaging outside privacy counsel who understands how the regulators view these laws, as well as the challenges companies face in responding to these types of incidents, is critical. Outside privacy counsel must be a partner with the company in the response. There is no one-size-fits-all approach.

Communicate with the public and report to the incident response team. During the course of the investigation and response, there should be constant communication among incident response team members. Periodic reporting meetings are useful. In addition, officers and directors should receive reports that provide essential facts and plans for responding to the security incident. It is critical to have outside counsel involved in the communications plan to preserve any privileges that may attach to communications. Further, develop a ‘holding statement’ for executives to use when communicating with the media, affected individuals, and shareholders. Also, consider creating a website and using a call center to keep affected individuals apprised of developments.

Eradicate remnants of the security incident and recover business operations. When the security incident and any resulting damage have been contained, develop a plan to eliminate the vestiges of the security incident, restore the company’s assets, and return your business to normal operations. Ensure that the threat created by the security incident is eradicated.
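The "gather the facts" step calls for collecting forensic data such as system logs and database activity, moving it to a safe location, and building a timeline, and the preceding chapter warns that evidence is perishable and can be tainted. The following is an added example written for this edit, not code from the guide or from any firm it names, showing one minimal way to do that in Python: each collected item is hashed on arrival and recorded in a manifest so that later modification or loss is detectable, and log lines from several sources are merged into a single chronological timeline. The sample log lines, host names, user names, case identifier, and collector address are constructed placeholders.

```python
"""Evidence preservation and timeline helper.

Added example for this edit; not code from the guide or from any firm it
names. Assumptions: evidence arrives as in-memory bytes keyed by a source
name, the collection directory is writable, and log lines begin with an
ISO 8601 timestamp that carries a UTC offset. All sample data below is
constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample logs (placeholder hosts and users), deliberately out of
# order so the timeline step has something to sort.
SAMPLE_AUTH_LOG = b"""2015-09-14T02:11:09+00:00 host-a sshd: Accepted password for svc_backup from 10.0.5.17
2015-09-14T01:58:41+00:00 host-a sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/tar
2015-09-14T02:30:02+00:00 host-b cron: (root) CMD (/usr/local/bin/sync.sh)
"""
SAMPLE_DB_LOG = b"""2015-09-14T02:14:55+00:00 db-1 postgres: connection authorized: user=app database=customers
2015-09-14T02:15:03+00:00 db-1 postgres: statement: SELECT count(*) FROM customers
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_evidence(items: dict, dest: Path, collector: str) -> dict:
    """Write each evidence item into dest, hash what was actually written,
    and record who collected it, when, and the hash in a manifest so that
    later modification or loss is detectable."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {},
    }
    for name, data in items.items():
        path = dest / name
        path.write_bytes(data)
        # Hash the on-disk copy, not the in-memory buffer, so the manifest
        # describes exactly what sits in the safe location.
        manifest["items"][name] = {"sha256": sha256_hex(path.read_bytes()),
                                   "size": path.stat().st_size}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(dest: Path) -> list:
    """Recompute every hash in the manifest and return the names of items
    whose content changed or which are missing. An empty list means intact."""
    manifest = json.loads((dest / "manifest.json").read_text())
    tainted = []
    for name, info in manifest["items"].items():
        path = dest / name
        if not path.exists() or sha256_hex(path.read_bytes()) != info["sha256"]:
            tainted.append(name)
    return tainted


def build_timeline(sources: dict) -> list:
    """Merge log lines from several sources into one list of
    (timestamp, source, message) tuples sorted chronologically.
    Lines without a parseable leading timestamp are skipped."""
    events = []
    for source, data in sources.items():
        for line in data.decode("utf-8", errors="replace").splitlines():
            stamp, _, message = line.partition(" ")
            try:
                when = datetime.fromisoformat(stamp)
            except ValueError:
                continue
            events.append((when, source, message))
    events.sort(key=lambda event: event[0])
    return events


def demo() -> tuple:
    """Run the three steps end to end in a temporary directory and return
    (manifest, tainted_before, tainted_after, timeline)."""
    sources = {"auth.log": SAMPLE_AUTH_LOG, "db.log": SAMPLE_DB_LOG}
    with tempfile.TemporaryDirectory() as tmp:
        case_dir = Path(tmp) / "case-0001"  # placeholder case identifier
        manifest = collect_evidence(sources, case_dir, collector="analyst@example.org")
        tainted_before = verify_evidence(case_dir)
        # Simulate an accidental edit of a collected file; verification must flag it.
        (case_dir / "db.log").write_bytes(SAMPLE_DB_LOG + b"manual note\n")
        tainted_after = verify_evidence(case_dir)
    return manifest, tainted_before, tainted_after, build_timeline(sources)


if __name__ == "__main__":
    _, before, after, timeline = demo()
    print("intact after collection:", before == [])
    print("tainted after edit:", after)
    for when, source, message in timeline:
        print(when.isoformat(), source, message)
```

The manifest is the practical counterpart of the chapter's point that evidence must be preserved "from the first indication of the event": hashing on arrival gives the investigators and, later, counsel a way to show that what is analyzed is what was collected, and the merged timeline is the artifact the text asks the team to build before structuring further investigation.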
■ Potential legal issues and obligations
The issues caused by the ‘patchwork quilt’ of state breach notification laws in the United States receive a lot of attention and feed calls for a single federal law that preempts any inconsistent state laws. However, in most incidents, especially for incidents that affect individuals across the country, differences across state breach notification laws rarely make a difference in how the company responds. Complications do arise when only a few state laws are implicated, such as when one state does not have a “risk of harm” trigger that allows a company to determine that notification is not required but the other states do. There are no decisions from courts describing how to interpret and apply these laws. There are state attorneys general who have certain interpretations regarding the timing of notification and others who have well-known ‘hot button’ issues, neither of which is evident from reading the text of the notification law.

Notification
Typically, a security incident becomes a data breach when there is unauthorized access to unencrypted personally identifying information (PII), which is generally a person’s name associated with his or her Social Security number, driver’s license number, health and medical information, and financial information, depending on the state or federal law. When a data breach occurs, all states (except Alabama, New Mexico, and South Dakota) require that a company notify the affected individuals that their PII has been compromised. The breach notification laws of each state and the type of data that are considered PII vary between states and can create multiple and sometimes inconsistent obligations on the company required to provide notice. Most state laws require notice as soon as reasonably possible, whereas a few require notification within 30 or 45 days of discovery. Providing notification within 30 days of initial discovery is often a significant challenge.

In addition, certain federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) require companies to notify affected individuals. Under HIPAA, notification is required within 60 days and a failure to provide timely notice will likely result in an investigation that may lead to a fine. Timely notification enables consumers to exercise self-help in monitoring their payment card, bank accounts, and credit reports to prevent fraud. By reducing the likelihood that consumers will be subject to fraud, a company can also reduce the likelihood of future suits based on the data breach.

Reporting
In addition to providing notification of a data breach to affected individuals, a company also may be required to report a data breach to other individuals and entities under certain state and federal laws and industry guidelines.

Law enforcement: Law enforcement can be helpful during an investigation, but it should be brought in at the appropriate time. Telecoms and financial institutions have specific guidelines regarding reporting to law enforcement, but most industries do not have similar regulations. Typically, companies engage either the Federal Bureau of Investigation (FBI) or the United States Secret Service (USSS), although local law enforcement can be helpful in certain situations. Your outside privacy counsel should have established relationships with law enforcement and understand when they should be contacted. Although law enforcement can be helpful with the investigation and communications with regulators, keep in mind that its goal is very different from the company’s: law enforcement wants to catch the ‘bad guy’ and the company must figure out the appropriate way to respond to the incident.

Federal regulators: Certain industry-specific laws also require reporting of a breach to federal regulators. Under HIPAA,
a company must report any data breach to the Secretary for the Department of Health and Human Services, although the timing of that reporting differs depending on whether the number of affected individuals exceeds 500. Under the GLBA, financial institutions must report a security incident to their primary federal regulator as soon as possible.

State attorneys general and agencies: Some state laws require a company to report a data breach to the state attorney general, depending on the number of affected individuals, which may range from 1,000 in some states to only one person in others. Other states require notification to state agencies, such as state consumer protection agencies, departments of health, or cybersecurity agencies. The form of the notice may also vary. Some states require simply that a copy of the breach notification letter that was sent to the affected individuals be filed with the state attorney general. Other states may require more, such as written notice identifying the nature of the breach, the number of affected individuals, any steps taken to investigate and prevent future breaches, and the content of the notice intended for the affected individuals. Working with regulators can be one of the most critical pieces of an incident response. Ensure that your outside privacy counsel has a working relationship with your regulators and can guide you on the timing and content of communications. In most cases, if this piece is handled appropriately, there is a greater chance of very little fallout.

Other entities: When payment card data are at risk, the response is governed by payment card network operating regulations that merchants have agreed to follow as part of the merchant services agreement with their acquiring bank and payment processor. The card network regulations define a specific security standard that merchants must comply with (PCI DSS). They also dictate the investigatory process and provide for the recovery of noncompliance fines and assessments to reimburse banks that issued cards affected by the incident for their costs associated with fraudulent charges and the reissuing of cards. The liability assessments can be one of the largest financial consequences of an incident.

In certain circumstances, a company may be required to report a data breach to the media. Under state notification laws, if the company does not have sufficient contact information to mail notification letters to affected individuals, the company has to provide notice through substitute means, which involves posting a link in a conspicuous location on the company’s website, issuing a press release to major statewide media, and sending an email to the individuals (if the company has their email addresses). HIPAA requires a press release if a data breach involves more than 500 affected individuals. In other circumstances, a company may have no legal obligation to report a security incident or data breach to the media but may feel compelled to do so in an effort to control the story and prevent inaccurate or misleading information from being conveyed to the public by the hacker, affected individuals, or other sources. Accordingly, careful thought should be given to developing a communications strategy as part of a company’s incident response—one that considers not only the message but also the timing of the message and the medium in which it is distributed.

Board of directors: Although reporting a security incident to the board of directors is not required by any specific state or federal law, a director’s duty to shareholders requires that the director be informed of important topics that significantly affect the overall business of the company. Consequently, directors may (and should) require that an incident response team member (preferably counsel) provide reports on any security incidents or data breach, and the progress of any incident response efforts. Some companies are establishing a special audit committee for cyber incidents and even engaging a “cyber advisor” to brief the board on these issues.
Regardless of the external parties retained to assist in an incident response, it is important to ensure that they are retained by outside counsel to enable the assertion of the attorney-client privilege and work-product doctrine to protect documents and communications generated in the investigation and during the response to a security incident.

■ Role of officers and directors in a company’s incident response
The C-suite and boardroom play a small but important part in a company’s actual incident response: they mainly ensure that critical executive-level decisions concerning impact to the business and expenditures are made promptly. This is best facilitated by having a C-suite representative serve as a member of the incident response team. It is also important for officers and directors to be engaged in the incident response process, because in the event that another security incident occurs, the officers and directors could be held accountable by consumers, shareholders, and regulators for any lack of familiarity with the company’s cybersecurity program.

Given the potential liability and impact to a company’s reputation posed by a data breach, directors should have procedures in place to ensure that they receive timely updates on any incident response. Communications with the board regarding the incident response and the findings of any investigation should be carefully crafted and limited to factual information if possible, because of the prospect of shareholder derivative suits. This is particularly important because communications to directors that are not made at the direction of, or by, counsel may not be privileged and could be discoverable in subsequent litigation.

Should a security incident or data breach be made public, executives should be prepared to comment on the incident. When necessary, a holding statement should be developed and vetted by counsel. Communications by officers or directors with the public should be accurate, complete, and truthful, but also simple, so as not to be misleading or admit liability. Any filings or disclosures with the federal regulators, such as the Securities and Exchange Commission, should be carefully vetted to ensure accuracy, which may prove difficult when the facts surrounding a security incident are being determined. This can be particularly problematic in quarterly (or periodic) earnings calls with analysts that may occur while investigation and response efforts are taking place.

■ Conclusion
In this ‘cyber climate,’ companies must be prepared for a security incident. Officers and directors cannot sit on the sideline; they must be aware of cyberthreats and engaged in developing and implementing an incident response plan to limit the amount of damage that can be caused by a data breach. An effective incident response can help preserve the company’s reputation and limit its exposure, allowing it to continue and grow its business operations.
Communicating after a cyber incident
Sard Verbinnen & Co – Scott Lindlaw, Principal
Sard Verbinnen & Co. found that share price impact is hard to measure because of a multitude of factors affecting stocks. Still, a company should anticipate that revenue and profits may take a hit after a breach. A primary goal of a post-breach communications strategy should be to mitigate this impact as much as possible.

Because breaches can have a substantial effect on the bottom line, preparing for and responding to such incidents fall squarely in the director’s fiduciary duties. As explained in Chapter 8, directors owe their companies certain obligations, such as the duties of care, good faith, and loyalty. In the context of cybersecurity incidents, these duties require directors to ensure the company develops a reasonable crisis-management plan for use in the event a breach occurs. This calls for board members to have at least a high-level understanding of communications strategies and tactics, for internal and external audiences.

For example, almost all states have laws requiring companies to notify customers when a breach compromises sensitive personal data. Directors and companies have been sued on the ground that they failed to take reasonable steps to notify consumers that a company’s systems had been breached. When the law requires it, notifying customers about a breach is fundamentally a legal function but also a communications function. Plaintiffs will try to hold directors accountable for a perceived failure of notification.

Likewise, regularly disseminating accurate information to shareholders may be a regulatory requirement but also requires effective communications. The Securities and Exchange Commission has put companies on notice as to the reputational harms of breaches and companies’ disclosure obligations regarding cyber incidents. “Reputational damage adversely affecting customer or investor confidence” may cause an attacked company to sustain “substantial costs and suffer other negative consequences,” the Commission wrote in disclosure guidance in 2011. The Ponemon Institute reported that in 2014, breach-related lost business costs, including the abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill, cost the victimized companies an average of $3.72 million per incident.

Companies have an opportunity to mitigate each of these classes of loss through effective communications. This means following the law on all notifications required to consumers and investors, of course. However, a company should not stop there. Communicating about a cyber incident to customers and investors as required by law should be the bare minimum from a communications standpoint. To preserve goodwill and stanch reputational losses, companies must move beyond mere compliance and operate from a perspective of stewardship. They must demonstrate leadership, integrity, and responsibility through thoughtful communications. To achieve that, these principles should guide any communications relating to a cyber incident:

• Preserve the company’s credibility with all constituencies, including consumers, customers, partners, regulators, employees, investors, journalists, and analysts.
• Maintain control of the communications process by establishing concise, agreed-upon messages so that the company speaks with one voice.
• Provide pertinent, confirmed facts without jeopardizing any internal or law enforcement investigations.
• Coordinate all public communications with legal counsel to (1) ensure accuracy; (2) avoid compromising any investigation or increasing legal exposure; and (3) preserve attorney-client privilege.
• Prepare for potential negative legal, financial, and customer scenarios.

These should be the tactical goals of communications responding to a cyber incident:

• Reassure all constituencies that you are taking steps to contain and fix the issue.
• Manage how the breach is portrayed in news and social media—where possible, position the company as victim, not villain.
• Confine public comments to what you know. Do not speculate.
• Avoid prolonging news media coverage unnecessarily.
• Do and say nothing to heighten the interest of regulators.
• Provide no fodder to plaintiffs’ attorneys.
• Minimize damage in the eyes of consumers, customers, and investors.
• Protect share price.

Companies must integrate these communications principles and goals into a coherent incident-response plan before a breach strikes. An effective plan will position the victimized company to communicate quickly and effectively in the event of a data breach or other security incident. Important decisions will have to be made in real time, but the tools and guidelines in a cyber incident response plan should ensure immediate engagement of the proper personnel, the proper process for obtaining and reviewing information needed to determine the appropriate communications response, and alignment on all appropriate steps to communicate to employees and external audiences.

A company’s incident-response plan should identify members of several sub-teams, including legal, IT, and communications. Anyone who will be directly involved in making communications decisions or in the dissemination of internal and/or external communications must read and understand this plan. Press releases, key messages, question-and-answer documents, contact lists, and letters to stakeholders such as investors and employees should be prepared in advance, leaving blank spaces to fill in as facts emerge. The plan should contemplate the establishment of a dedicated website and whether the company’s existing corporate blogs and social media presence may be useful communications instruments after a breach. The communications plan, and especially its contacts lists, should be treated as a living document. It should be kept up to date and reviewed and tested regularly.

Directors must make clear to management that they expect the company to be prepared to respond very quickly to any cyber incident and to communicate the company’s position. As part of this, the board should review the company’s budget for security risk management, ensuring the availability of the funds necessary to hire outside law firms, IT and forensics experts, remediation support services, and communications consultants.

■ Audiences to consider when responding to a breach

A company responding to a breach must communicate with myriad audiences. It must coordinate and calibrate its messaging with each while recognizing that messages aimed at investors may end up in news stories, that news stories will shape investors’ perceptions, and that everything the company says could end up on Twitter.

Consumers, customers, and partners: In addition to legally required notifications, the breached company must be prepared to communicate what it is doing to contain an incident; provide assurances, if applicable, regarding safety of customer information and recourse on future fraudulent activity; give front-line customer service representatives guidance on how to communicate with customers; provide a dedicated call center and/or website to handle customer inquiries; and provide third-party credit monitoring, if appropriate.

Journalists and social media communities: It will not be sufficient to issue prepared public statements at the company’s convenience. The victim company must be prepared to react to a deluge of media inquiries and be prepared for leaks. The company may also have to proactively engage reporters, including regional, national, and cybersecurity beat reporters. This requires developing a process for engaging the news media, including designating media spokespersons, preparing key executives for direct exposure to news media, correcting inaccurate reports,
and monitoring traditional and social media on an ongoing basis. The company must also prepare to use social media to distribute messages.

Investors and analysts: The breached company must be prepared to answer questions about the impact of the incident on financial outlook and about the costs of response and security upgrades. It can expect to face such questions on its first earnings call after the incident, and thereafter. A Form 8-K may be required if shareholders would view the impact of the incident as material.

Internal audiences: Employees need to hear from the company about what has transpired, and what changes in security policies and protocols are coming. They must be alert to future attacks and avoid talking publicly about the incident. Human resources should prepare to involve itself if employees had a possible role in causing the incident or failing to detect it.

In addition to the above audiences, the breached company must carefully weigh and coordinate each statement with a secondary set of audiences in mind. Plaintiffs’ attorneys will be circling and will race to the courthouse to sue the company on behalf of purportedly aggrieved customers and shareholders. Banks and credit card companies who may have lost money on fraudulent transactions will expect to be made whole. Insurance companies will also be monitoring public statements if the victimized company has a cyber incident or other relevant policy and moves to file a claim.

■ Lawsuits against directors: communications issues

As if the breaches themselves weren’t enough to keep directors up at night, board members have an additional and unique set of worries: shareholder derivative and securities lawsuits after an incident. Directors of Target, the TJX Companies, and Heartland Payment Systems, among others, have each seen these actions after breaches. These suits typically comprise two main arguments. First, they allege directors failed to prevent the breach. Second, they contend directors covered it up and/or failed to notify investors and consumers. This latter class of arguments essentially alleges failures of communication. The cases against Target and Heartland show how the plaintiffs use derivative and securities suits to blame directors and officers for these alleged sins of communications, or lack thereof:

Target Corp.: On December 18, 2013, the blog Krebs on Security broke the news of a major breach at the retailer. The next day the company confirmed it was investigating a security breach involving stolen credit card and debit card information of 40 million customers who shopped in its stores. A few weeks later, the company disclosed that the data theft was significantly more extensive and affected millions more shoppers than it had initially reported.

Four sets of shareholders filed derivative lawsuits against Target officers and directors. Later these were consolidated into one derivative action. The plaintiffs alleged that directors breached their fiduciary duties by failing to “timely notify customers of the theft of their personal and financial information [and] to accurately notify customers regarding the scope and substance of the data breach.” The amended complaint chronicled a series of statements in which Target provided shifting information. As a matter of media relations, this had the effect of continually adding fuel to the fire: each time the company updated the number of affected customers, the coverage spiked anew.

The plaintiffs also pre-emptively argued that the directors’ actions in managing the response did not constitute decisions under the business judgment rule, which would have protected them against such a lawsuit. “The Board caused Target to disseminate false and misleading public statements concerning, among
other things, the true nature and extent of the data breach at the Company,” the amended complaint stated. (A separate action brought by consumers similarly alleges that “Target failed to disclose and provide timely and accurate notice of the data breach to the public...”)

Heartland Payment Systems, Inc.: On December 26, 2007, hackers broke into Heartland’s corporate computer network and stole about 130 million credit and debit card numbers and related card data. The SQL injection attack on its corporate network resulted in malware being placed on its payment processing system. Plaintiffs brought a securities class action against the company after the U.S. Department of Justice indicted several individuals for what was reportedly then the largest data security breach in U.S. history. They accused CEO and Chairman of the Board Robert O. Carr and CFO Robert H.B. Baldwin of concealing the breach for more than a year—of “lying about the very existence of the breach.” They also contended the defendants knowingly made false and misleading statements about the breach in a 10-K annual report to the SEC, during interviews with the media, in press releases, and in other public presentations and speeches. The plaintiffs alleged that Carr and Baldwin concealed the incident and made a series of materially false and misleading statements on an earnings call, “outright den[ying] that a security breach had even occurred at Heartland.” The harm to investors, the plaintiffs claimed, was that “Defendants’ misrepresentations and omissions obfuscated the Company’s true financial condition and future business prospects, artificially inflating the price of Heartland’s common stock.”

■ Conclusion

Cybersecurity is the number one fear keeping directors up at night, but they can rest a little easier by holding management accountable and requiring a current, useful preparedness plan before a crisis. Critical to any company’s breach-response plan must be communications. A breached company cannot assume a defensive crouch and issue reactive statements at the times of its choosing. On the other hand, it should not say more than it is confident of, or more than is necessary to safeguard its interests and those of its customers and investors. An effective communications plan helps protect the company after a cyber incident by blunting the loss of reputation and customers and by keeping plaintiffs at bay.

Every breach starts with an event outside a company’s control, and the Target and Sony Pictures attacks underscore how unfolding events can further buffet a company. However, with a communications plan that is carefully conceived and rehearsed, a company can meet its legal obligations to communicate and help limit the secondary harms of a cyber incident, such as loss of reputation and customers. It is incumbent on directors to ensure that the plan’s communications components are ready to activate when the cyber crisis strikes.
Cyber risk management investment decisions

Optimizing investment to minimize cyber exposure
Axio Global, LLC – Scott Kannry, CEO and David White, Chief Knowledge Officer

“We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence.”
Amit Yoran, President of RSA; 2015 RSA Conference Keynote
inside,” which starts to balance perimeter controls with those that focus on behavioral monitoring, segmentation, and simulated internal environments. This trend is definitely one that is taking hold. Many firms still spend the majority of their security budgets on perimeter-focused controls, but spending is now being shared with internal and reactive controls.

However, despite the improved strategy, events over the past year and those that undoubtedly have happened since this chapter was written should easily debunk any notion that the defense-in-depth era has been substantially more successful than the castle-wall era. Arguably, it has gotten worse, in large part because of improvements and industrialization of the tools and techniques used by adversaries. This has led not only to calls for a rethinking of how security is approached but also to the practical reality that security leaders’ jobs are more difficult than ever: their rate of success at protecting the enterprise seems to be precipitously declining, along with their job longevity.

Plus, the castle-wall and defense-in-depth eras exacerbated a problem central to security leader decision making; they facilitated a monumental buildup in the availability and use of technological controls. Evidence of this is apparent at the RSA conference, where a landscape of thousands of security providers displays their wares, each claiming to be the ultimate solution or silver bullet. Security leaders ask where to start. What should I spend my next dollar on? How can I justify this investment and intended return to the board? How can I keep my job when an event inevitably occurs? Welcome to the modern reality for security leaders.

We propose that it is time to evolve into what we’ll call the cybersecurity enlightenment era. It’s an era that focuses on risk management, not risk elimination, and where cybersecurity strategy is acknowledged as an investment challenge. It’s also an era that highly values impact minimization because cyber events are inevitable and ultimately, the organization’s resilience depends on having the financial resources to weather the storm. This point supports the relevance of the insurance industry, not only as a provider of financial certainty but also as an industry that can provide insight and data to support thoughtful cybersecurity investments. We’ll now explain all of these elements and how this approach stands the greatest chance of minimizing exposure to the organization.

The approach is best evidenced by Figure 1, which depicts the relationship between cyber risk and cybersecurity capability. Organizations that have minimal cybersecurity capability face an extraordinary degree of risk. For these organizations, investments in basic controls will produce meaningful downward movement on the risk curve. It’s also the reality that organizations on the far left side of the curve will be given harsh treatment by the insurance industry—premiums will be extraordinarily high or coverage may not be available at all—which is a signal that the organization must bolster its capability through traditional controls. At a certain point, however, the curve begins to flatten and the relative reduction in risk per dollar invested pales in comparison to that which was previously achieved. Beyond this point firms would be wise to invest more substantially in insurance because of its disproportionate effect on the risk curve. Unlike a traditional control, insurance actually reduces (or eliminates) the cost of an event and therefore shifts the entire risk curve downward. An organization that adopts this approach is one that is more thoughtfully protected and better able to withstand the impact of that inevitable event.

To better understand the elements, let’s look at the risk calculus, which can be explained with the following equation:

    Risk = (Business Impact × Likelihood) / Capability

where business impact is a measure of impact to the enterprise from a cyber event, likelihood is an estimate of an event actually occurring, and capability is a measure of the organization’s ability to detect, protect, respond, and recover from an event.
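The equation above is a one-line ratio; the decision it supports (keep buying controls, or start buying coverage) comes from reading the curve in Figure 1, and the chapter’s later loss-scenario workshop is how the numerator gets its numbers. The following Python script is an added worked example, not code from the chapter or from Axio. Everything in it is a constructed assumption chosen to illustrate the argument: the three loss scenarios and their dollar figures, the exponential diminishing-returns mapping from control spend to capability, the capability floor below which an insurer declines to quote, and the premium formula (expected transferred loss times a loading factor). The chapter supplies none of these formulas or figures.

```python
"""Worked model of Risk = (Business Impact x Likelihood) / Capability.

Added example; all scenarios, dollar figures and the capability, premium and
insurability rules are constructed assumptions, not figures from the chapter.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LossScenario:
    """One organization-specific cyber loss scenario from a loss-scenario workshop."""
    name: str
    business_impact: float  # dollars lost if the event occurs (first- and third-party)
    likelihood: float       # estimated annual probability that it occurs, 0 < p <= 1


# Constructed scenarios with made-up figures (not data from the chapter or from Axio).
SCENARIOS: List[LossScenario] = [
    LossScenario("Cardholder data theft from e-commerce platform", 8_000_000, 0.20),
    LossScenario("Ransomware halts plant control systems", 25_000_000, 0.05),
    LossScenario("Trade-secret exfiltration from R&D file shares", 15_000_000, 0.10),
]


def capability(control_spend: float, base: float = 1.0,
               ceiling: float = 6.0, scale: float = 2_000_000.0) -> float:
    """Assumed diminishing-returns mapping from cumulative control spend to the
    'capability' denominator: starts at `base` with no spend and approaches
    base + ceiling asymptotically. Figure 1 shows the shape but gives no formula;
    this exponential is the example's own choice."""
    return base + ceiling * (1.0 - math.exp(-control_spend / scale))


def expected_annual_loss(scenarios: List[LossScenario]) -> float:
    """Sum of Business Impact x Likelihood over all scenarios (the numerator)."""
    return sum(s.business_impact * s.likelihood for s in scenarios)


def portfolio_risk(scenarios: List[LossScenario], control_spend: float,
                   insured_fraction: float = 0.0) -> float:
    """Risk = (Business Impact x Likelihood) / Capability, summed over scenarios.
    `insured_fraction` is the share of each loss transferred to an insurer; it
    scales the numerator, which is what shifts the whole curve downward."""
    retained = 1.0 - insured_fraction
    return retained * expected_annual_loss(scenarios) / capability(control_spend)


def risk_curve(scenarios: List[LossScenario], insured_fraction: float = 0.0,
               step: int = 500_000, max_spend: int = 5_000_000) -> List[Tuple[int, float]]:
    """(control spend, residual risk) points along the curve of Figure 1."""
    return [(spend, portfolio_risk(scenarios, spend, insured_fraction))
            for spend in range(0, max_spend + step, step)]


def marginal_risk_reduction_per_dollar(scenarios: List[LossScenario],
                                       control_spend: float, step: int = 500_000) -> float:
    """Risk removed per dollar by the next `step` dollars of control spend."""
    before = portfolio_risk(scenarios, control_spend)
    after = portfolio_risk(scenarios, control_spend + step)
    return (before - after) / step


def quote_premium(scenarios: List[LossScenario], control_spend: float,
                  insured_fraction: float = 0.7, loading: float = 1.3,
                  min_insurable_capability: float = 3.0) -> Optional[float]:
    """Assumed underwriting rule: no coverage below a capability floor (the
    chapter's 'harsh treatment' of low-capability firms); otherwise the expected
    transferred loss at that capability times a loading factor."""
    cap = capability(control_spend)
    if cap < min_insurable_capability:
        return None
    return loading * insured_fraction * expected_annual_loss(scenarios) / cap


def insurance_tipping_point(scenarios: List[LossScenario], insured_fraction: float = 0.7,
                            loading: float = 1.3, step: int = 500_000,
                            max_spend: int = 10_000_000) -> Optional[float]:
    """Smallest control spend at which (a) coverage is available and (b) the next
    `step` of control spend removes less risk per dollar than a premium dollar.
    Returns None if that point is not reached within `max_spend`."""
    for spend in range(0, max_spend + step, step):
        premium = quote_premium(scenarios, spend, insured_fraction, loading)
        if premium is None:
            continue  # insurer declines: keep buying controls, as the chapter advises
        risk_removed_by_policy = insured_fraction * portfolio_risk(scenarios, spend)
        insurance_per_dollar = risk_removed_by_policy / premium
        controls_per_dollar = marginal_risk_reduction_per_dollar(scenarios, spend, step)
        if controls_per_dollar < insurance_per_dollar:
            return float(spend)
    return None


if __name__ == "__main__":
    for spend, risk in risk_curve(SCENARIOS):
        print(f"controls ${spend:>9,.0f}  residual risk ${risk:>12,.0f}  "
              f"next-dollar return {marginal_risk_reduction_per_dollar(SCENARIOS, spend):.2f}")
    print("insurance becomes the better next dollar at control spend:",
          insurance_tipping_point(SCENARIOS))
```

With these assumptions the marginal return falls from roughly $4.96 of risk removed per control dollar at zero spend to about $0.50 at $1 million, which is the flattening the chapter describes. Because the premium is priced as expected transferred loss times a loading, a premium dollar removes a constant 1/loading of risk (about $0.77 here), so the knee is simply the first point where coverage is quoted and the control curve’s marginal return drops below that; under these numbers it is $1,000,000 of control spend. The capability floor, the loading and the insured fraction are the knobs to vary when presenting such a model, since moving any of them moves the knee.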
Figure 1. Risk versus cybersecurity capability (vertical axis: Risk; horizontal axis: Cybersecurity Capability).

It is important to understand that organizations may have very little control over the numerator in this equation, as these elements are largely influenced by the constantly evolving threat climate, the capability and desire of adversaries to carry out an attack, and the ever-increasing complexity of the technologies controlling operations, which can fail unexpectedly in ways that result in damage. For example, various recent reports pegged the cause of a cargo plane crash on a failure in software configuration, evidencing the reality that cyber events aren’t only those with malicious connotations. It’s also important to recognize that neither business impact nor likelihood can ever equal zero, even for the most capable organizations.

Organizations can influence the denominator by implementing, sustaining, and maturing a capable cybersecurity program. This measure reflects the controls that an organization has in place to protect its cyber assets and to detect events. Many of these controls will be technological or administrative, but the human element is also critical and can’t be overlooked, nor can the protocols surrounding third-party vendors, outsourced parties, and subcontractors. The denominator is also where the positive impact of insurance takes hold, because successfully responding to and recovering from an event depends not only on technical capabilities but also on the financial ability to cover the costs and losses involved.

How does an organization put actual numbers into the equation? Our recommendation is to start with developing and analyzing organization-specific cyber loss scenarios. Gather a group of individuals that represent key functions and insights into the organization—information technology and operational technology security, safety, risk management, treasury, and legal—and brainstorm about the likelihood and impact of cyber events across the critical functions of the
organization. It’s important to capture as much of the loss spectrum as possible—first- and third-party financial damages and first- and third-party tangible damages, the latter half being critically important for organizations that use industrial control systems.

In our experience, this type of exercise proves to be very fruitful. We’ve found that most of the informational insight actually resides within the organization—it’s simply a matter of getting the right stakeholders at the table. In some instances, organizations are surprised at how much they already know and can bake into the calculations. For example, we’ve worked with energy firms that had already commissioned numerous loss engineering studies based on traditional perils such as earthquake, fire, or mechanical breakdown, each with fully developed impact estimates. All it took in this instance was confirmation from operational and cybersecurity leaders that a cyber event could produce many of the same outcomes, coupled with a technical discussion about the likelihood of such an event, to very efficiently compile enough data for the numerator in the equation.

Using the loss scenario approach also helps inform the numbers in the denominator, because the technical part of the discussion helps determine the organization’s capability to protect its operations from, detect signs of, and effectively respond to a particular scenario. For example, if we are working with a retailer and a scenario involving the theft of credit card information, we may start with the financial impact if the event occurs and then work backward to discuss where the information resides and how it is processed, and most critically, how each access point is or could be protected from known and conceivable threats. Here, it is useful to compare an organization’s current capabilities against any applicable standards or regulatory frameworks, ensure that appropriate threat intelligence for that particular area of risk is being used, and continually monitor the performance of the organization’s protective mechanisms in its own environment and the environment at large.

Benchmarking is also a critical and strongly recommended element of the capability factor. We recognize that many security leaders may be wary of supplying cyber program information for benchmarking purposes, so as not to create additional vulnerabilities by giving away the proverbial keys to the back door, but resources that do so in an entirely de-identified manner can provide powerful comparative insight that is otherwise unavailable. From a security leader’s perspective, this information may actually be the most powerful, because it can provide justification for additional investment in controls and, in the worst case event of a breach, exculpability.

This is an appropriate place to introduce the final detail and insight for the denominator and right side of the risk curve—the importance of insurance coverage and relevance of the insurance industry to deploying an enlightened cybersecurity strategy. One of the roles that the industry can serve, and will increasingly serve, is a resource for benchmarking intelligence via the underwriting and premium pricing process. This capability is candidly in its infancy for a few reasons: the scope of coverage is evolving and therefore the depth of information required to underwrite is not truly comprehensive, many insurers are happy to deploy a nonintrusive approach as a competitive lever, and correlation data is lacking in areas where claims or losses have not yet occurred. Despite this evolving capability, firms can find meaningful value in the process, because even an extraordinarily high premium or a denial of coverage does have informative value. Additionally, for areas in which cyber coverage is relatively more mature, top insurers do have enough data to provide a “risk engineering” benefit similar to other well-established areas of insured risk, and the industry is continually evolving to provide greater capabilities in this respect.

Another area of insurance industry relevance requires a more nuanced dive into coverage, but one that is important for its informative value and relevance to security investment decisions. Security leaders
should familiarize themselves with their own firm’s insurance portfolio as well as industry trends relating to coverage availability and pricing. The exercise should not be limited to cyber insurance, because despite what many in the insurance industry would profess, there is currently no such thing as an all-encompassing, all-risk cyber insurance policy. Cyber insurance, as it is commonly known, covers many first-party financial losses and resultant financial liabilities from a cyber event, but not tangible losses such as property damage and bodily injury. Therefore, firms also must be attentive to property, casualty, environmental, terrorism, and any other type of insurance that could provide coverage for losses resulting from a cyber event.

What type of actionable insight does this provide? On one hand, simply knowing what cyber exposures the insurance industry is willing to cover can help security leaders make investment decisions. For example, the insurance industry currently does not offer much, if any, coverage for losses attributable to the theft of intellectual property such as trade secrets and R&D. Knowing this may prompt overweight investment into controls and protocols protecting trade secrets, whereas investment into other areas of risk where coverage is readily available can be more balanced.

Beyond the continually evolving risk engineering capabilities of the insurance industry and the insight provided by simply understanding the complete insurance landscape for cyber exposures, the biggest benefit provided by insurance is the aforementioned ability to meaningfully reduce the risk curve. Here too it is critically important to understand the entire insurance landscape, because firms that purchase a single cyber insurance policy may be disappointed in how it performs. This point is not intended as criticism of the insurance industry—the industry does offer coverage for the vast majority of the cyber exposure spectrum—it’s a point recognizing that comprehensive coverage for complex cyber events can involve multiple types of policies.

Ultimately, our hope is that this process and balanced approach provides a higher likelihood of minimizing cyber risk, especially in comparison to any of the legacy strategies deployed to date. If nothing else, it helps to more effectively minimize cyber risk through the effective deployment of insurance as a complementary control, but the process overall does produce defendable insight and a means by which security leaders can optimize investment while minimizing risk, thus allowing cybersecurity to start to evolve out of the dark ages.
Investment in cyber insurance
Lockton Companies Inc. – Ben Beeson, Senior Vice President, Cybersecurity Practice
management strategy. Many in the legal community see the launch in February 2014 of a federal cybersecurity framework (known as the NIST framework) as creating a standard of care to be used by plaintiff attorneys to allege negligence or worse.

4. A financial incentive
Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenges in trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong cybersecurity through discounted premium or broader coverage. However, the insurance market for cyber risks is young, if not embryonic in some respects, and faces significant challenges if it is to continue to grow. Reversing the lack of actuarial data to model risk, and an underwriting process that must change to meet ever-evolving threats, sit at the top of the insurance industry’s priorities.

5. Vicarious risk to vendors and business associates
Adversaries are focusing increasingly on third parties that have access to sensitive information and other critical assets of the target enterprise. Professional service firms or cloud-based solution providers are examples of business associates whose security may be weaker than that of their client and consequently provide an easier back door for the attacker. Liability for a breach of personally identifiable information (PII) or protected health information (PHI) typically still rests with the enterprise data owner, even though the breach may have occurred on the vendor’s network. Cyber insurance addresses costs of responding to a breach and possible privacy regulatory action or civil litigation.

6. Insider threat
Attacks from the inside continue to be hard to prevent. Cyber insurance covers the employee as perpetrator as well as an attack by a third party. This will not extend to an act involving the board of directors or executive team.

7. Security is not about compliance
Treating security as a compliance exercise only will result in failure. For example, many organizations that are compliant with payment card industry data security standards have been breached.

8. Monetizing the cost of cybersecurity
One of the biggest challenges to the CISO is to quantify cybersecurity risk in dollar terms to the executive team. The premium charged by an insurance company can help solve this problem.

9. Merger and acquisition activity
The difficulty in evaluating the cybersecurity posture in any acquisition target leaves the acquirer vulnerable.

10. Operational technology
Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable. Built primarily to be available 24/7 and to operate in isolation, these devices are increasingly being connected to the corporate information technology network and the Internet.

■ The cyber insurance marketplace today

It is estimated that more than 50 insurers domiciled mainly in the U.S. and London insurance market provide dedicated cyber products and solutions today. Buyers are concentrated overwhelmingly in the U.S., with little take-up to date internationally and low demand in the rest of the world. Annual premium spending at the end of 2014 was estimated to be in excess of $2 billion. Total capacity (the maximum amount of insurance available to any single buyer) is currently at about $300,000,000, although this is now contracting substantially in certain sectors such as retail and health care. Cyber insurance first emerged at the end of the 1990s, primarily seeking to address loss of revenue and data restoration costs from attacks to corporate networks. However, the underwriting process was seen as too
intrusive and the cost prohibitively expensive. It was not until 2003, when the world’s first data breach notification law took effect in California, that demand started to grow.

What does cyber insurance cover?

Insurers do not address all enterprise assets at risk. The majority of premium spent by buyers was intended to address increasing liability from handling personally identifiable information (PII) or protected health information (PHI) and the costs from either unauthorized disclosure (a data breach) or a violation of the data subject’s privacy. Insurable costs range from data breach response expenses such as notification, forensics, and credit monitoring to defense costs, civil fines, and damages from a privacy regulatory action or civil litigation. Insurers also continue to address certain first party risks, including the impact on revenue from attacks on corporate networks, extortion demands, and the costs to restore compromised data.

Insurable assets include the following:

• PII and/or PHI of employees or consumers
• Data breach response costs to include the following:
  • Notification

Certain insurers will also extend coverage to downtime of vendors on whom a policyholder is reliant. This is commonly known as “contingent business interruption.”

• Costs to restore compromised data
• Reimbursement for costs associated with an extortion threat
• Operational technology
  A few insurers have begun to extend coverage for the information technology network to also include operational technology such as industrial control systems.
• Physical assets
  Cybersecurity is no longer just about risks to information assets. A cyberattack can now cause property damage that also could lead to financial loss from business interruption as well as liability from bodily injury or pollution, for example. Understanding where coverage lies in a corporate insurance policy portfolio is challenging and at times ambiguous. An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products also have started to appear.
Credit monitoring Reputation and brand
IT forensics Insuring reputational risk from some
Public relations form of cyber event remains out of the
Defense costs and civil fines from a scope of the majority of insurers. At the
privacy regulatory action time of writing, the London market has
Defense costs and damages from civil begun to innovate to address the financial
litigation loss after adverse media publicity.
Corporate confidential information However, capacity remains constrained at
Addresses defenses costs and damages $100,000,000 at best.
incurred for a breach of third-party
corporate confidential information. What does cyber insurance not cover?
Certain insurers will extend to address Intellectual property assets
misappropriation of a third party’s trade Theft of one’s own corporate intellectual
secret, but first-party loss of intellectual property (IP) still remains uninsurable
property remains uninsurable. today as insurers struggle to understand its
Corporate information technology intrinsic loss value once compromised. The
network increasing difficulty in simply detecting an
Addresses the loss of income as a attack and, unlike a breach of PII or PHI, the
consequence of network downtime. frequent lack of a legal obligation to
291 ■
CYBER RISK MANAGEMENT INVESTMENT DECISIONS
disclose, suggest that a solution is not in the assets. However, the ever-evolving nature of
immediate future. the threat, particularly the emergence of APTs,
undermines the reliability of these statistics.
■ Leveraging cyber insurance as a risk Pricing risk to physical assets is a bigger prob-
management tool lem because this has begun to emerge only
Since 2009 the marketplace has evolved to since 2010, and actuarial data are extremely
also provide services to help buyers manage thin on the ground.
risk. Focused mainly on post-event response, Fundamentally insurers continue to look
turnkey products have emerged, which pro- for a strong security culture within the firm
vide a panel of legal, forensics, and public as a first step in risk triage. Additional fac-
relations specialists. Popular with smaller tors such as industry, revenue size, and
enterprises that lack the resources or rela- actual assets at risk also contribute to how
tionships, this innovation has been a key risk is priced.
component in increasing the relevance of
cyber insurance and consequently its growth. ■ How to engage the insurance market
Larger firms typically seek products based Once a decision has been made to explore a
on breadth of coverage and the flexibility to suitable solution, the first step is to choose a
use their own vendor network. broker. The lack of consistency in policy lan-
Services that help mitigate risk before an guage from one insurer to the next means
event occurs have started to emerge. Insurers that a broker with dedicated expertise is vital
likely will begin to incentivize buyers to for a successful outcome. First class brokers
adopt these services with rewards such as work with their clients to understand the
discounted premiums. assets at risk and how best to address them
either under the existing insurance program
■ How do insurers underwrite cyber risks? or through a new dedicated product. An
Historically, underwriters have sought to existing Directors and Officer’s policy form
understand the controls that enterprises lev- (D&O) addressing management liability
erage around their people, processes, and from a cyber event probably offers sufficient
technology. However, the majority of assess- coverage. However, more often than not, lia-
ments are “static,” meaning a snapshot at a bility to the enterprise requires a new dedi-
certain point in time through the completion cated product.
of a written questionnaire, a phone call inter- A broker should understand that insur-
view, or a presentation. A consensus is grow- ers seek to understand the security culture
ing that this approach is increasingly redun- of a firm and will work to position their
dant and that insurers will seek to partner clients as best as possible. For many larger
with the security industry to use tools that organizations this does not involve com-
can help predict and monitor the threat as pleting a written questionnaire and staying
part of the underwriting process to adopt a divorced from the process. Rather, an inves-
more threat intelligence led capability as tor-style presentation to the marketplace by
part of the underwriting process. In fact, this key stakeholders in IT, legal, and risk man-
already has started to happen, as certain agement in particular, which involves ques-
insurers have started to use technology to tions and answers, ensures the best possible
underwrite vendor and M&A activity risks. outcome. Top-tier underwriters appreciate
that cybersecurity is not a tick-box exercise.
■ How do insurers price risk? They understand that the risk is dynamic
Pricing cybersecurity risk remains a challenge. and will not necessarily penalize a buyer
An insurance market that is only 15 years old today for shortcomings if a roadmap is
has begun to build up a profile for frequency spelled out as to how these shortcomings
and severity of loss with regard to PII and PHI will be addressed in the next 12 months.
■ 292
INVESTMENT IN CYBER INSURANCE
A broker must then negotiate competi- upon up front. Forensics are not
tive terms and conditions with competing inexpensive and can form a significant
insurers with a final recommendation as to part of the overall cost.
whom their client should choose. 7. Law enforcement
10 key coverage items to negotiate: Law enforcement typically is involved in
a major security breach. In fact, many
1. Full prior acts coverage times the FBI, the agency leading
Insurers try to limit coverage to acts from cybersecurity corporate defense, notifies
the first day that the policy begins, known the enterprise before it becomes aware of
as the retroactive date. However, in the the breach. A claim should not be
context of the challenges in detecting an excluded by an insurer for failure to
attack, buyers should seek to remove this disclose as soon as practicable if law
exclusion and avoid the risk of a claim enforcement had advised nondisclosure
denial. during the investigation.
2. Restrict knowledge and notice of a 8. War and terrorism
circumstance to the executive team Many insurance policies exclude acts of
Again, an insurer should not be allowed war and terrorism which must be deleted
to impute liability to the whole enterprise with the emergence of the nation-state
because detection has proven to be such a adversary in particular.
challenge. 9. Intentional act
3. Security warranty Ensure that coverage addresses the
Remove any language that tries to warrant employee or insider as perpetrator
that security is maintained to the same acting in isolation of the executive team.
level as represented in the underwriting 10. Continuity of coverage
submission. The dynamic nature of the When renewing the insurance policy
risk leaves this too open to insurer with the same insurer, avoid signing a
interpretation in the event of a loss. warranty regarding a circumstance or
4. Operational technology claim.
The majority of insurance policies provide
coverage only to the corporate IT network. ■ Conclusion
If relevant, ensure that language is Cyber insurance has a broader role to play
broadened to also address operational than simply reimbursing costs associated
technology such as industrial control with a loss. Fundamentally, engaging in an
systems. underwriting process that forces collabora-
5. Outside counsel tion from stakeholders across the enter-
Choice of counsel must be agreed upon prise can drive stronger cybersecurity
up front. In the event of a security breach, resilience. Increasing regulator and share-
a dedicated legal expert must take holder scrutiny means that the case for
the response lead not least for attorney investment will continue to grow. In addi-
client privilege. Negotiating with an tion, insurers will start to provide premi-
insurer during the event would be um- and coverage-based incentives for
counterproductive. adopting best practices such as the NIST
6. IT forensics framework and leveraging preferred tech-
In a similar vein to choice of counsel, the nology tools.
preferred forensics firm must be agreed
SecurityRoundtable.org 293 ■
Cyber risk and workforce development
Electronic version of this guide and additional content available at: SecurityRoundtable.org

Talking about awareness

Cyber education: A job never finished
NYSE Governance Services – Adam Sodowick, President
■ Overview
Cybercrime is one of the most prevalent economic crimes today according to PwC’s Global Economic Crime Survey. The damages continue to grow, with 24% of the more than 5,000 organizations represented in the 2014 PwC study reporting being a victim of cybercrime. A recent study by Verizon Enterprise Solutions points to another significant issue, noting that 66% of cybercrimes are not detected for at least six months.

The trajectory of costs continues to rise. According to Ponemon’s Cost of Cybercrime 2014 report, cyberattacks cost the average U.S. company more than $12.7 million. With some companies experiencing more than $61 million in losses, this average is an increase of more than 9% from the prior year.

Attacking the problem means understanding the source. As one of the top five most reported crimes against businesses, cybercrime is not merely a technology problem anymore. “It is a strategy problem, a human problem, and a process problem,” according to the PwC report. The Online Trust Alliance’s (OTA) 2015 Data Protection & Breach Readiness Guide reports that employees caused 29% of data breaches between January and June of 2014, proving that internal weaknesses are a significant area of vulnerability for every organization. The OTA guide further reports that data leaks by employees who lost documents or used social engineering or fraud to access and leak information were caused by a lack of internal controls. Therefore, educating and cultivating true employee buy-in to a culture of responsibility is crucial to mitigating possible damaging breaches.

■ Types of insider threats
The genesis of insider threats is not always malicious; however, the malicious or politically driven acts tend to be the ones that make headlines. Media did not ignore instances such as Home Depot’s former security architect who sabotaged his previous employer’s computer network and the April 2015 case in which the Department of Justice indicted a Nuclear Regulatory Commission employee for attempting to deliver nuclear secrets to a foreign government via spear-phishing tactics.

Although not intentionally malicious, a related form of insider abuse stems from a sense of privilege, when someone abuses the trust he or she is given to safeguard sensitive and valuable data. The 2014 Verizon Enterprise Solutions report found that in 55% of cases involving insider incidents, the primary motivator was privilege abuse; the primary motivator in 40% of cases was financial gain.

A 2012 survey of global employees by Boston-based data storage and information management company Iron Mountain found that workers often develop a feeling of personal ownership when they are involved with the collection of data. The study found that in Europe, for example, many office workers are likely to take data with them when they switch jobs, which, for certain subgroups, such as millennials, happens with more frequency than with previous generations. The study found that of those who did steal company information, 51% exited with confidential customer databases, 46% with presentations, 21% with company proposals, 18% with strategic plans, and another 18% with product/service road maps—all of which represent highly sensitive, valuable assets.

A vast number of cases are actually a result of error, employee ineptitude, or apathy. These situations can cause severe holes in the system and are cases for organizations to change behavior so that employees become a defensive tool against cyber risk.

The computer manufacturer Dell Inc., for example, boasts a “culture of security” that is fostered by the following four fundamental principles: security awareness training, proper access management, mobile security, and securing and monitoring the organization’s networks, according to the company’s white paper, The Human Side of IT Security. Kevin Hanes, executive director, Security and Risk Consulting, Dell SecureWorks, describes how Dell’s information security unit works with other organizations to deal with cybersecurity issues. “My view is organizations need to keep in mind that the bad actors are going to typically follow a path of least resistance, and often that path is the people,” he notes. Dell’s approach to imparting a cyber-aware culture at an organization begins at the top and involves consistent communication at all levels to ensure employees understand why the vigilance, inconvenient though it may be, is necessary in all aspects of what they do.

Interestingly, not all employees view the threats in the same light. In a June 2015 global study commissioned by Dell SecureWorks and the Ponemon Institute, 56% of the IT security/IT staff surveyed consider ‘negligent insiders’ a serious threat, whereas only 37% of the IT Security/IT corporate leaders surveyed considered such insiders a serious threat. This difference, the study’s authors note, points to a need to listen more carefully to those in the “security trenches who are dealing with these threats.”

■ Taking action
Once companies have better awareness of the root causes of insider threats, what steps can be taken? OTA recently reported that 90% of data breaches occurring in the first half of 2014 could have been prevented easily by adhering to commonly accepted best practices for data protection. For companies that are behind the curve, this means there is a lot of work to be done.

In addition to implementing stringent best practices and requiring employees to follow them, self-reporting is a key component. Each company should have a clear understanding about its reporting guidelines as well as what items or activities are suspicious.

Each organization’s management and culture are unique, but looking to what works at other companies can help in understanding and making recommendations on sound starting places that help to benchmark practices and measure the success of respective cybersecurity defense and mitigation programs.

■ Case study perspectives
Taking a look at a few case studies often can help pull blue sky ideals down to earth. At Teradata, a leading data analytics provider, Chief Compliance Officer Todd Carver says cyber awareness is viewed as a funnel, with new information continually feeding into the top and recirculating in the form of ongoing education to keep employees aware of the latest developments. Carver says his company’s program spans from the board of directors to 11,000 employees in 43 countries. Protecting data and assets is one of the commitments in Teradata’s code of conduct, and if anything isn’t specifically covered in the training, or if employees come up with their own questions, Carver explains, there’s also an ethics helpline so that employees can ask questions, request guidance, or say, “I screwed up. What do I do now?”

Annual ethics and compliance education covers a host of issues at Teradata, including cyber-related modules for intellectual property, privacy, phishing, and mobile-device awareness. The company also has policies in place regarding keeping a clean computer, password practices, and email usage, to name a few. In addition, Teradata uses role-specific training. It’s all about getting employees truly engaged, Carver explains. “It’s important to explain why we have these rules.” Carver says his company has shared scenarios of attempted hacks to better help employees understand the need for the procedures.

Although Teradata works diligently to train employees and maintain awareness of cyber issues, Carver concedes the job is never finished. He continually takes the lessons learned and the new angles and feeds them back into the funnel, honing and sharpening the employee education program. Even with that level of attentiveness, Carver assumes his company will encounter a breach and is planning for that eventuality. He also feels it’s important to help employees understand what to do if they think they’ve made a cyber-related error and how to report any questionable or erroneous activity.

Carver suggests three tips for chief compliance officers who are working to implement a more robust cyber awareness program. First, begin with including everybody. “It’s all employees’ job to assure data protection,” he says. Second, it’s an issue for all companies across all sectors and needs to be prioritized no matter what the industry. Finally, remember that what makes an organization vulnerable is the human aspect. “You could do everything [right] technology-wise, but could still be vulnerable because people are involved—employees, third-party vendors, customers, and the bad guys.”

At Dell, Hanes’ SecureWorks group handles security monitoring, consulting, and threat intelligence gathering for itself as well as its many clients. Although SecureWorks has the capacity to test “crazy amounts of malware samples” in a lab, according to Hanes, most companies can take steps on their own to mitigate risks from such activities as phishing and vishing (hacking attempts made via phone call). Creating, communicating, and monitoring protocols can go a long way toward keeping the human element in check, according to Hanes.

In his experience, Hanes says people generally have two mentalities: those who want to check a compliance box by doing annual training at their companies and those who want to transform employee behavior with programmatic changes. The former is much easier, but the latter has the potential to offer
Collaboration and communication between technical and nontechnical staff, business lines and executives
Wells Fargo & Company – Rich Baich, CISO

“You can have brilliant ideas, but if you can’t get them across, your ideas won’t get you anywhere.”
Lee Iacocca
weekly. As a result, cyber leaders continue to be asked if their organizations are spending enough to address cyberthreats. To answer this question, cyber leadership must have the facts to establish a decision framework to guide them. Having a firewall, purchasing the latest technologies, growing the number of cyber professionals, and having information security policies do not adequately provide all the information needed to answer this question. Knowing what data to collect, demonstrating the ability to get the data in a timely fashion, operationalizing the data, and ensuring the data get to the right decision maker can provide an actionable framework. The following are a few examples of what information is needed to enable a framework:

What risks will be mitigated if these additional funds are provided
Specific cyberthreats are known, monitored, and integrated into the risk prioritization decision process.
Vulnerabilities are identified, prioritized, remediated, and validated in a timely manner.
Critical assets are well known, accountability is clear, and responsibility for ensuring those assets meet defined protection criteria is met.
The likelihood of a specific exploit, attack, or significant occurrence is understood and utilized in the cyber risk prioritization framework.

Having trustworthy data is the foundation of all cybersecurity decision frameworks. It is important to have a framework to help support the fundamental changes required to enhance cyber practices and enable communication.

Scenario: Cyber risk decision framework
Today, the media announces a new zero-day exploit that has been identified. Business executives want to know:

What do they need to do to respond to the exploit?
How vulnerable are their products and solutions to this exploit?
Is there any potential for business impact to customers or suppliers?
Do they need to contact their third parties to see if they are secure?
Will this affect their ability to service their own third-party relationships?

Using the following framework formula to explain an approach could be helpful:

Risk = Vulnerability × Threat × Asset Value × Probability of Occurrence

Having the trustworthy data readily available can allow cyber executives to quickly and confidently communicate throughout the organization and the third parties. For example, a quick query of the asset inventory indicates there are 50 instances of this exploit in the current infrastructure and five within the third-party ecosystem. Of those 50 internal instances, only three are external facing, and the remaining 47 are internal to the network. All the third-party instances are internal to the partner’s network. The vendor associated with the zero-day exploit has provided a patch and recommended immediate application of the patch. The internal cyberthreat team has reviewed the external intelligence, and there are already indications of potential miscreants scanning for the newly identified vulnerabilities. Additional intelligence and analysis suggest exploit code is already being crafted to take advantage of this new exploit. If successful, the exploit can be used to deliver malicious code throughout the organization, causing kinetic and nonkinetic damage to an organization. Armed with this information, cyber leadership can quickly move to gain consensus, communicate recommendations, and influence the mitigation activities required to address the threat.

■ Defining your stakeholders
Trustworthy data are a key foundation to establishing cybersecurity credibility.
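Returning to the zero-day scenario above: the chapter stops at the inventory counts and the intelligence picture, so the following added example (not from the original chapter) shows how the framework formula can be applied over an asset inventory to produce those counts and a ranked mitigation list. The inventory rows, the 1..3 threat scale, the probability weights and every name in it are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One row of the asset inventory (constructed schema, not the chapter's)."""
    name: str
    owner: str              # "internal" or "third-party"
    external_facing: bool   # reachable from the Internet
    asset_value: int        # 1 (low) .. 5 (critical), assigned by the business
    affected: bool          # the component named in the zero-day advisory is present
    patched: bool = False   # vendor patch applied


@dataclass(frozen=True)
class ThreatIntel:
    """What the internal cyberthreat team confirmed from external intelligence."""
    scanning_observed: bool             # miscreants scanning for the vulnerability
    exploit_code_in_development: bool   # exploit code being crafted


def vulnerability(asset: Asset) -> int:
    """1 while the affected component is present and unpatched, otherwise 0.
    Because the formula is a product, patching drives the risk to zero."""
    return 1 if asset.affected and not asset.patched else 0


def threat(intel: ThreatIntel) -> int:
    """Threat factor on a constructed 1..3 scale: a disclosed zero-day is at
    least 1; observed scanning and exploit development each add one."""
    return 1 + int(intel.scanning_observed) + int(intel.exploit_code_in_development)


def probability(asset: Asset, intel: ThreatIntel) -> float:
    """Probability of occurrence: exposure sets the base rate and active
    scanning raises it for Internet-facing hosts. Weights are assumptions."""
    base = 0.5 if asset.external_facing else 0.1
    if intel.scanning_observed and asset.external_facing:
        base += 0.3
    return min(base, 1.0)


def risk_score(asset: Asset, intel: ThreatIntel) -> float:
    """Risk = Vulnerability x Threat x Asset Value x Probability of Occurrence."""
    return (vulnerability(asset) * threat(intel) * asset.asset_value
            * probability(asset, intel))


def summarize(inventory: List[Asset]) -> Dict[str, int]:
    """The counts the executives asked for: affected instances by exposure."""
    affected = [a for a in inventory if a.affected]
    internal = [a for a in affected if a.owner == "internal"]
    return {
        "internal": len(internal),
        "external_facing": sum(a.external_facing for a in internal),
        "internal_only": sum(not a.external_facing for a in internal),
        "third_party": sum(a.owner == "third-party" for a in affected),
    }


def prioritize(inventory: List[Asset], intel: ThreatIntel) -> List[Tuple[str, float]]:
    """Affected, unpatched assets ranked by risk score, highest first."""
    ranked = [(a.name, risk_score(a, intel)) for a in inventory]
    ranked = [(name, score) for name, score in ranked if score > 0]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def build_inventory() -> List[Asset]:
    """Constructed inventory reproducing the chapter's numbers: 50 internal
    instances (3 external facing, 47 internal) and 5 inside partner networks."""
    inventory: List[Asset] = []
    for i in range(50):
        external = i < 3
        inventory.append(Asset(
            name=f"int-host-{i:02d}", owner="internal", external_facing=external,
            asset_value=5 if external else 2 + (i % 3), affected=True))
    for i in range(5):
        inventory.append(Asset(
            name=f"partner-host-{i}", owner="third-party", external_facing=False,
            asset_value=3, affected=True))
    # A host without the affected component never enters the ranking.
    inventory.append(Asset(name="int-host-clean", owner="internal",
                           external_facing=True, asset_value=5, affected=False))
    return inventory


if __name__ == "__main__":
    intel = ThreatIntel(scanning_observed=True, exploit_code_in_development=True)
    inventory = build_inventory()
    print(summarize(inventory))
    for name, score in prioritize(inventory, intel)[:5]:
        print(f"{name:16} risk={score:.1f}")
```

Because the four factors multiply, the three external-facing hosts dominate the ranking while patching any host removes it from the list entirely, which is the ordering the scenario's recommendation to apply the patch immediately implies.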
chief technology officer (CTO)
line of business leaders, CIO, CTO, risk leaders

In addition to individual stakeholders, establishing a cybersecurity steering committee with cross-organizational representation can provide an additional platform for collaboration and communication. The purpose of the committee should be to promote cybersecurity awareness, provide a forum in which cybersecurity topics can be discussed, and solicit cyber feedback to help evolve cyber practices and mature over time. In addition, the committee will seek to identify cybersecurity topics that may affect the broader applicable industry and the emerging trends that may affect the organization. The cybersecurity committee could:

1. review cybersecurity strategic direction and planned initiatives
2. discuss major milestones for cybersecurity initiatives that are in the process of being deployed

leader to provide information regarding a third party before a contract is signed. Due diligence is done for third parties before any contracts are signed; that is a leading industry practice. However, what if you and your cybersecurity team were able to provide cyber intelligence that suggests the potential third-party partner is on a top-five easiest-to-hack organization list being posted in credible underground forums? Having information without being able to make it actionable often results in a very heavy paperweight being created. In this scenario, having the cyber intelligence to provide the stakeholders helped provide transparency into cyber risks that can produce measured results. Maintaining a results-oriented mentality coupled with the right stakeholder group can help enable a cyber support culture.

■ Delivering the message
Effective communication, especially during a time of change, requires frequent touchpoints. Having a communicator or a communication team specifically aligned with the cybersecurity team can provide immense benefits. There is a delicate balance associated with the frequency and content that is communicated to stakeholders. The fundamental goal is to tell the cybersecurity story throughout the organization through clear, concise, targeted communications through the most effective dissemination channels. Some will want more frequent communications, whereas others will desire less communication. Some will prefer “pull” communications and others will want the information pushed to them. Cultural appetite, tone from the top, and organizational commitment help drive the various required communication delivery techniques to ensure stakeholders are aware. Some examples include the following:

publish monthly newsletters to various stakeholders
create a robust intranet presence with tools and communications
celebrate success stories of collaborative achievements
provide platforms for cyber champion recognition
track, measure, and report the effectiveness of the communications through a cyber communication dashboard

Having a venue into the corporate communications team provides cybersecurity the opportunity to align, influence, and enable the influx of cybersecurity into normal business communications. It is critical that the corporate crisis communication team be part of the cybersecurity incident response team because of the potential reputational impact associated with a significant cyber incident. During a time of crisis, concise and timely communications to key stakeholders and customers can often be the difference between an incident being managed and an incident being exaggerated.

Tactically positioning the cybersecurity story within the organization through effective education and awareness, while addressing the latest trends in cybersecurity, can help build collaboration by demonstrating how individuals can partner with cybersecurity to address customer needs. Regardless of the industry, customers want to know their information is safe and that the organization that has their data has a clear plan to achieve that goal. Adding cybersecurity reminders in existing individual customer communications begins to demonstrate that commitment to the customer. It takes a long time to earn trust, but it only takes a second to lose it.

This also holds true for internal stakeholders. Often the information and measurement of results reported by the cybersecurity team may not be perceived as positive news. For example, the cybersecurity team may implement new technology that provides enhanced visibility into the health and hygiene of various technology assets. If these assets have never had this improved visibility, it is possible that the results may provide awareness of critical vulnerabilities or weaknesses associated with the platform. Consequently, when reporting these results, others may take offense at these perceived negative results. However, this is a great opportunity to educate leadership by explaining that it is far better to find these opportunities internally rather than be told about these vulnerability gaps by a law enforcement representative. Don’t pass up the opportunity to build a champion; one champion can quickly lead to two, which, in turn, can often grow to thousands.

■ Conclusion
During times of conflict it has been proven that those countries that have aligned themselves with the right allies have prevailed and overcome grave challenges. These are challenging times; cyberthreats are real and present significant risks for most organizations. Communicating these risks to technical and nontechnical executives can often be a daunting task that requires additional background and context to successfully communicate the message. Executives are results driven and appreciate other executives who are proactive when dealing with risks. The ability to provide trustworthy data and a cyber decision support framework enables cyber executives to translate a new language to other executives. These actions can positively enhance cybersecurity’s internal reputation by strengthening trust and credibility across the organization. Taking the time to include, educate, and collaborate with stakeholders can build alliances. Having the right information is powerful, and those stakeholders who get accurate, timely, and meaningful data will have the opportunity to lead change.
Cybersecurity readiness through
workforce development
Booz Allen Hamilton – Lori Zukin, Principal; Jamie
Lopez, Senior Associate; Erin Weiss Kaya, Lead
Associate; and Andrew Smallwood, Lead Associate
307 ■
CYBER RISK AND WORKFORCE DEVELOPMENT
In addition, the talent management challenges for cyber operations are much more complex because there is a major crisis to backfill cyber talent. Even once your organization recruits top cyber professionals, there is no guarantee you will retain them. As such, it is not enough for cybersecurity to be relegated to a subset of people, as with the IT function. Every employee in your organization faces cyberthreats, and talent management for IT and cyber operations should not be combined. By shifting this mindset and developing strategies that reflect these realities, your ability to develop an effective workforce will immediately improve.

■ Develop alternative talent management strategies
Most cybersecurity professionals are personified by their love for cutting-edge technology, casual work environments, and creative mindsets. These unique tendencies help them excel under the constantly changing cyber environment but differentiate them from the rest of your company in a number of ways—fundamentally, their atypical characteristics of (1) work environment, (2) work preferences, and (3) nontraditional career paths.
Recruiting, developing, and retaining this unique workforce requires alternative talent management strategies—strategies that are often connected to but distinct from those applied across the rest of your company.

Develop an appealing work environment
Not every business has a culture of prevalent ping-pong tables, free food, and a dress code involving flip-flops and jeans. However, there are environmental factors that companies must account for in attracting—and keeping—the necessary talent for accomplishing cyber work.
The nature of cyber work means that it is often executed in an environment that differs from that of its parent organization. Think of your cybersecurity practice as the fast-moving, quickly adapting branch of your organization. Businesses that consider environmental factors for their cyber workforce are better prepared to adapt to changing threats.
Global business trends have shown successful cyber practices have five key traits: they are agile, multifunctional, dynamic, flexible, and informal.

Agile: Cyber work requires agility. Employees act like chameleons, shifting quickly and decisively to change course as threats warrant, and as a unit the capability is alert to new circumstances.

Multifunctional: Cybersecurity is a team sport. A strong cyber practice is built of teams with diverse knowledge sets who can execute a variety of activities at once. Your employees do not have to be good multitaskers, but your overall capability does.

Inquisitive: Cyber professionals embrace learning and they will be curious; they will want to solve problems regardless of how hard it is to find the solution. Because threat actors across the globe are offering an array of new threats to consider, your cybersecurity work practice will change based on evolving information. By taking on new endeavors, your capability will be ready to solve new problems.

Flexible: Cyberthreats move fast. With constantly changing work requirements, your practice must be enabled to adapt to new areas of focus. Your cyber organization must be infused with a strategy that allows for employees to expand or change their roles to increase your capability’s flexibility.

Informal: Cybersecurity professionals thrive in a nontraditional environment. Your recruits and team members will likely look for unconventional working hours and shifting duties. Creating this type of environment for your cybersecurity professionals allows your cyber organization to adjust quickly to tackle any challenge. Your cybersecurity practice may have different work locations, matrixed reporting lines, around-the-clock shifts, and a more relaxed dress code than the
majority of your workforce. The budget process for your cyber organization may be centered around technological investments or on a different timeline to meet shifting threats. Given the work requirements, it is especially important that your cyber environment has leaders who not only share a competitive nature and passion for technology but also have success operating in dynamic, multifunctional environments.

Understand work preferences
Like the work environment, your cybersecurity professionals also have unique work traits. These traits, or work preferences, make them the perfect candidates to tackle the daily challenges from threat actors around the globe but also can separate them from the rest of your organization. Recognizing these work preferences, for your capability as a whole as well as on an individual level, is critical to developing your cyber talent management strategies.
If your cybersecurity professional had a social media profile, it may look like this:

Lover and early adopter of new technologies, as a cybersecurity professional my passion for technology fuels my curiosity to solve complex problems. I am a systems thinker with confidence in my ability to put things together and learn new techniques while using my competitive nature to fuel my work as well as engage in office competitions. As a natural problem solver and abstract thinker, I tend to look ‘outside the box’ and evaluate challenges from many different angles and perspectives before acting.

As one method, try offering applicants an on-the-spot challenge while testing their ability to solve problems using scenario-based challenges. Capitalize on your employees’ problem-solving skills by allowing them to be a part of strategy, offense, and defense and by fostering a culture that encourages every level of employee to suggest solutions. Reward your employees for forward thinking, provide them with constantly changing tasks with different levels of difficulty, and present opportunities to work with emerging technologies.

Create nontraditional career paths
Placing two cybersecurity resumes side by side can sometimes feel like you are comparing an apple to an orange. Cyber professionals have a variety of experiences, only some with an educational background in cyber and many with certifications to designate proficiency. Although it would be nice if cyber professionals could be ‘cyber warriors,’ or experts in all areas of cyber operations, your cybersecurity professionals’ diverse backgrounds more likely match the diversity of the cybersecurity field.
Booz Allen has found that instead of ‘cyber warriors,’ it is much more likely that your organization’s cyber workforce will be composed of three types with many subsets in each: senior leadership, specialized experts, and generalist staff. Instead of imposing linear career paths on these cyber types, our work has shown that cybersecurity professionals work better under a ‘build-your-own’ career path option.
Senior leadership cyber professionals are a rare breed of combined expertise and leadership who can manage teams and operations. With specialized experts, their deep know-how within a specific group of cybersecurity capabilities often makes them the center of the talent war. Your generalist staff are early in their cyber careers or have chosen a broad role, making them equally high in demand but commonly part of a larger supply pool.
For most of your company, established career paths diagram career progression options through linear lines of technical experience or managerial ranks. However, attracting and retaining cyber professionals requires alternative pathways that reflect the diversity of positions within the field. For cybersecurity professionals, try providing a nonlinear career path—one that can be horizontal, vertical, and diagonal. Show cybersecurity professionals a set of attributes that describe how to progress using their experience, unconventional education, and industry certification.
FIGURE: Cybersecurity as a central business function. The Cyber Function sits at the center, connected to Finance, Technology Operations, Human Resources, Marketing, and Supply Chain.
■ Finally, invest in cyber human capital
Most leaders in today’s business world agree cybersecurity is important. However, when the meeting is over, will they truly buy in and embrace cybersecurity as a key priority for their divisions? This is the tough question CEOs, CIOs, and CSOs encounter. An organizational cybersecurity plan can only be as strong as the weakest commitment from any key leader. It doesn’t matter how strong your security posture is for individual departments; if one division is vulnerable, your entire organization is at risk.
An effective way to improve the long-term security of your company is by investing in your cyber leaders and cyber workforce. Investments in technology and processes go unrealized unless your organization has strong cyber leaders along with a capable workforce to defend your networks and improve your security. Successful organizations will invest in their workforce, give their CISO a seat at the table, and foster integrated lines of communication for the sharing of cyber-related information.
■ Startling statistics
PwC’s Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013. That is the equivalent of 117,339 incoming attacks per day, every day. The Identity Theft Resource Center reported a record high of 738 U.S. data breaches, a 28% year-over-year increase.
If you’re thinking you can build a modern-day “moat” to keep the bad guys out, consider that the 2014 U.S. State of Cybercrime Survey, co-sponsored by PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service, found that almost one-third of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. In a virtual ecosystem that increasingly includes the Internet of Things (IoT), traditional firewalls do not ensure protection, as employees come and go each day with connected devices, such as smartphones and computers, which may wittingly or unwittingly introduce threats that can threaten the survival of the organization.
This greatly expanded cyberattack surface and resulting breaches add up to a huge price tag. The annual cost of cybercrime to the global economy is estimated to be between $375 billion and $575 billion, according to a June 2014 study by the Center for Strategic and International Studies; Gartner Inc. estimates that total spending will grow 8.2 percent in 2015 to reach $76.9 billion.
If that’s not a wake-up call, we don’t know what is. But, the challenge remains: translating awareness into an action plan. Although CEOs and boards are alert to the issue and the devastating, long-lasting effects of security breaches, there is surprisingly little knowledge of recommended practices to best position organizations defensively and enable quick and effective response when the inevitable occurs. Let’s be blunt: There is no foolproof way of preventing security breaches, but a systematic, proven approach can make the difference between the survival and the demise of an enterprise.

■ Alignment at the top
Cybersecurity is an insidious threat, all the more so because breaches, including the most disastrous ones, often are not detected until the damage is done. One cybersecurity firm recently estimated that close to three quarters of security breaches go undetected. No board or management team can afford to become complacent. If you haven’t yet fallen victim, you may have been smart, but most likely lucky. You should assume it’s just a matter of time, perhaps there already has been a breach that has gone undetected, so plan accordingly.
In a relatively short time cybersecurity has gone from something that was compartmentalized and handled by the IT department to something that is regularly on the agenda at board meetings. At the same time “major threats” have been redefined, from identifying a Trojan horse and upgrading anti-virus software to threats that strike at the very heart of organizations and are capable of taking them down. The view and importance of cybersecurity has shifted from something of marginal interest to the board to a high priority that resides within the board’s risk management framework.
This is a new role for CEOs and directors, many of whom feel unequipped to deal with it because cybersecurity does not remotely relate to traditional areas of director expertise. Armed with a tested protocol to combat cyberthreats and the right resources, however, every board should be able to implement a preparedness and response plan that will give the board and management team, as well as investors, the reassurance that the company is as well positioned as reasonably possible to confront these ever-evolving challenges.
In practical, operational terms, what does all this mean for the C-suite and the board, and how can they get started on overseeing the many-headed beast that is cybersecurity? For one thing, it starts with ensuring everyone on the board is speaking the same language when it comes to cyberthreats. Because directors are generally business people, the common language should be the language of business.

■ The right questions
According to Melissa Hathaway, private sector cybersecurity expert and former cybersecurity “czar” under Presidents George W. Bush and Barack Obama, “Until cybersecurity is reflected in balance sheet terms, it’s never going to be fully embraced by the board.” She emphasizes that once cybersecurity has been identified as a critical risk, it must be managed with the same rigor and processes applied to other risks and remain visible on directors’ dashboards with key, comprehensible metrics. “Tech speak,” or any jargon that obfuscates the issues for directors, has no place in the boardroom.
The reality of boardrooms, however, is that the scale of that impact is often obscured or lost in translation. Unless directors can cut through the technical jargon in what are often massive amounts of information they receive, the size of the risk and the steps to
BUILDING A CYBER-SAVVY BOARD
mitigate it may not be clear. Companies depend on a functioning Internet, which was never invented with security in mind, and all that is linked to it. Therefore, related risks and costs must be made known to the board so that the cost of potential breaches can be calculated in capital and operational terms, rather than remaining hidden.
Among the questions directors should be asking regularly to ensure alignment as a team and a firm grasp on cybersecurity, says Hathaway, are the following:

Is cyber risk accounted for in our overall corporate planning process? The board must be assured that cyber risk is an element of a broader risk framework and that exposures are recognized and planned for.
What is the process for evaluating security and measuring liabilities? Boards should know not only what controls are in place but also how they are evaluated.
Do we have directors with relevant expertise? Although boards may not require general technology expertise, it may be advisable to have one or more directors who understand IT and its associated risks, or have a security background.
Have we identified executive ownership of the issue? The CEO should have controls in place that indicate how cybersecurity is being managed and the true costs to the business, which should be part of an internal and external audit.
What will we do in the event of a breach? If and when a problem arises, a process should be in place for communicating effectively, internally and externally, and dealing with attendant costs.

■ Overseeing cyber risk
Boards are increasingly adding directors with cybersecurity backgrounds and, more generally, security expertise, but boards should not assume that they need to add a director with this specialized background. Much depends on company specifics and the industry in which it operates, so each board should decide on a case-by-case basis. Shortfalls in board experience often can be made up by retaining the appropriate additional expertise to advise on an as-needed basis; however, we are starting to see more demand for this specific sort of talent on boards.
Sometimes, as noted above, the board’s most important role lies in asking the right questions, which may require business smarts and good old-fashioned common sense but not necessarily technical cybersecurity expertise.
As overseer-in-chief of the CEO and the business, the board has a responsibility for managing the company’s risk portfolio, of which cybersecurity is now a key component. Proper oversight entails remaining at a high, supervisory level—not getting dragged down into the management weeds—and boards can properly perform their fiduciary duties by focusing on a few main areas.
The board must be reassured by the CEO that the most capable people are in the critical positions, and this extends to the leadership and team managing cybersecurity. With so much at stake, this is not a place to cut corners.
Directors should be kept abreast of main cybersecurity risks, as well as the remediation process and timeline for effectively dealing with them. Certainly no one expects directors to be technology wizards, but they should be inquiring about safeguards the company has in place to guard against intrusion and be satisfied by management that protection along with response and recovery capabilities are adequate. In addition, they will want to be informed about education for everyone throughout the organization, to ensure awareness of threats, and a step-by-step response plan to follow in the event of a breach.

■ The board at the nexus
Cybersecurity has expanded well beyond the confines of IT and emerged as a concern at the highest enterprise level, primarily because of the devastating potential effects
on shareholder value, market share, reputation, and long-term survival. Cybersecurity is an issue that crosses all organizational silos and boundaries top to bottom, encompassing people, culture, and risk management and must bridge security, technology, privacy, and compliance. Cybersecurity is, therefore, taking its rightful place on a short list of the board’s crucial responsibilities, which now include protecting a company’s assets, particularly digital, as part of an organization’s overall risk portfolio.
In fact, managing cyber risk doesn’t differ significantly from managing more traditional forms of risk and must be managed in a similar way, remaining visible on directors’ dashboards so that it is tracked and addressed regularly.
Those boards that do not have a cybersecurity expert as a member of their team should not assume they need a director with this experience, but they should seriously evaluate that potential need based on their situation and needs. Some boards have determined that they do require this expertise on their audit committee—where risk oversight generally lives—on a special cybersecurity subcommittee, or on a dedicated cybersecurity committee. While some boards have recruited this expertise, many have not and may not, accessing what they require to keep them informed and able to make key decisions either from internal technology experts or from external consultants to the board. These solutions are varied and tailored and continue to evolve.
CEOs and those who serve as directors on their boards are generally a smart group of people, and they don’t have to be subject matter experts to provide oversight for the few crucial areas—including strategy formulation, succession planning, and risk management—in which they exercise their fiduciary duties. Cybersecurity is yet another form of risk, but it is a dynamic, still-emerging form that is new to most directors. We are likely years away from the point where boards as a whole consider managing cyber risk familiar terrain, so additional resources can always be made available should directors need bolstering in this area.
In fact, directors owe it not only to their shareholders to ensure a comprehensive approach to monitoring and developing a proactive approach to tackling cybersecurity but also to themselves. With cybersecurity in the spotlight—where it is likely to remain—directors could also face personal risks, because D&O insurance may not be sufficient if boards don’t take what are deemed appropriate actions. Boards should consider adding cyber insurance as part of a comprehensive approach to enterprise risk management if they are to continue to recruit the best directors. According to a recent post on the Harvard Law School Forum on Corporate Governance and Financial Regulation, “no company in the U.S. should forego buying cyber insurance to protect against the real, ever-present risk of a major cyber-attack and the massive costs associated with such a breach.”

■ A framework to meet the cybersecurity challenge
Perhaps most important in properly meeting the cybersecurity challenge, ensuring preparedness and a ready response to any breaches, directors need a framework, which can be tailored to the needs of their organization, in which to operate. A deep dive into each area will link to additional responsibilities and timeframes, most of which will be the responsibility of management.
The baseline for board involvement in overseeing cybersecurity should comprise the six following components:

1. Security strategy. The board must ensure that the company has a strategic vision and a tactical road map that proactively protect assets and keep pace with escalating threats and evolving regulatory requirements.
2. Policy and budget review. Company security policies, and roles and responsibilities of all relevant leadership, should be evaluated, along with data
Evaluating and attracting your next CISO: More sophisticated approaches for a more sophisticated role
Egon Zehnder – Kal Bittianda, Selena Loh LaCroix, and Chris Patrick
with the appropriate perspective. A consolidation of the three elements provides a holistic view of the CISO candidate that corresponds with the multi-faceted nature of the role today.

The past: What has the candidate done?
A candidate’s credentials, work history, and track record have always been a central part of the evaluation process, and for good reason. This component includes examining the types of organizations in which the candidate has worked, their size and complexity, and which markets they served, and then seeing what the candidate accomplished in each role, what transformations the candidate has led, and the security record of the organizations under the candidate’s watch. These findings provide the raw material, basic facts, and context for measuring the fit between the candidate and role. Although the CISO role has grown significantly beyond its technical roots, the technical expertise indicated by work history is essential “table stakes” for a candidate to warrant further consideration.

The present: What can the candidate do?
Until about a decade or so ago, exploring a candidate’s work history generally constituted the bulk of the assessment process. Then the realization emerged that what a candidate had done so far is a mere subset of what a candidate could do, because one’s work experience can never be so broad as to capture everything of which someone is capable. Looking at competencies is a way of taking an inventory of an executive’s full leadership toolbox.
The key is to evaluate for the right competencies given the demands of the position. In our experience, five competencies are particularly important when evaluating CISO candidates. They are listed here in order from the most common to the most elusive:

1. Results orientation: The successful candidate must be able to move quickly to get the right things done. Audits are responded to in a timely fashion, the board of directors is clear on the impact of information security investments, and core data assets are well protected.
2. Strategic orientation: As mentioned earlier, the CISO must be a strategically oriented partner with critical thinking skills. He or she must process disparate information and generate valuable insight regarding external issues such as shifts in threats and countermeasures and internal matters such as business implications of information security policies and protocols.
3. Transformational leadership: Regardless of the context into which the new CISO is taking the helm—after a major breach, under the glare of heightened board scrutiny, or with an acquisition that must be integrated—he or she will need to transform systems to address current challenges, creating a vision others buy into and moving the organization forward while keeping day-to-day operations running smoothly.
4. Relationship management: The CISO must be able to lead in a matrixed environment, working diplomatically with a range of constituencies with different perspectives on information security, including the board, the CEO, the CFO, the COO, and general counsel. In addition to managing internal relationships, the CISO must also leverage external networks that include peers at other organizations, Internet service providers, third-party security solution vendors, and law enforcement and intelligence agencies. The CISO must have the gravitas and influence necessary to communicate effectively with each of these internal and external groups in a range of conditions, from off-site strategy sessions to emergency response.
5. Team leadership: Most organizations focus all their attention on filling the CISO position, leaving relatively little energy for establishing a pipeline of internal talent. This is understandable but
are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical.
In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:

1. “Who is my sponsor and how much influence does he or she have?” This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.
2. “How deep is the organization’s commitment to information security?” This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.
3. “What key performance indicators will I be measured against?” Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.
4. “Where will I be in five years?” Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

Long gone are the days when an argument had to be made regarding the strategic importance of information security. In most organizations, the CISO role now has the weight and sophistication its responsibilities require. Organizations can assess the state of their CISO recruitment and assessment strategies by asking themselves the following four questions:

1. Have we identified the CISO’s full range of strategic responsibilities and the competencies needed to be successful?
2. Do we have a consistent methodology for evaluating a candidate against those responsibilities?
3. Have we reviewed the CISO reporting relationship against the information security context of the organization to ensure that the CISO is adequately empowered to accomplish the organization’s information security goals?
Contributor Profiles
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Intercontinental Exchange
5660 New Northside Drive NW
3rd Floor
Atlanta, Georgia 30328
Tel +1 770 857 4700
Web www.intercontinentalexchange.com

JERRY PERULLO
Chief Information Security Officer
Email jerry.perullo@theice.com
Jerry Perullo has led the Information Security program at Intercontinental Exchange, Inc. (NYSE:ICE) since 2001. As Chief Information Security Officer, he is responsible for the security of ICE’s heavily regulated exchanges and clearinghouses, including the New York Stock Exchange.
Mr. Perullo is an active participant in the Financial Services Sector Coordinating Council (FSSCC) and Financial Services Information Sharing and Analysis Center (FS-ISAC), where he serves as Chair of the Clearinghouse and Exchange Forum (CHEF). He also co-founded the Global Exchange Cyber Security (GLEX) working group under the World Federation of Exchanges and serves on several industry and customer advisory boards within the cybersecurity industry.
Prior to ICE, Mr. Perullo was a Principal Consultant at Digital Consulting and Software Services providing information security testing and consulting services to the health-care, energy, and data service industries and built an Internet Service Provider in the mid 1990s.
Mr. Perullo studied Computer Engineering at Clemson University and earned a BS degree in Legal Studies from the University of Maryland and an MBA from Georgia State University.

Palo Alto Networks Inc.
4401 Great America Parkway
Santa Clara, California 95054
Tel +1 408 753 4000
Web www.paloaltonetworks.com

MARK D. MCLAUGHLIN
Chairman, President, and CEO
Mark D. McLaughlin joined as president and CEO of Palo Alto Networks in August of 2011 and became Chairman of the Board in 2012. Previously Mr. McLaughlin served as President and CEO of Verisign. Prior to Verisign, he was the Vice President of Sales and Business Development for Signio and was instrumental in driving the acquisition of Signio by Verisign in 1999. Before joining Signio, he was the Vice President of Business Development for Gemplus, the world’s leading smart-card company. Previous to Gemplus, he also served as General Counsel of Caere Corporation and practiced law as an attorney with Cooley Godward Kronish LLP. In 2014 President Obama appointed Mr. McLaughlin as the Chairman of the National Security Telecommunications Advisory Committee (NSTAC). He received his JD, magna cum laude, from Seattle University School of Law and his BS degree from the U.S. Military Academy at West Point.
on incident response matters and related disputes. Mr. Graves was formerly a law clerk for Judge J. L. Edmondson of the United States Court of Appeals for the Eleventh Circuit. Before graduating from the University of Virginia School of Law, he was an infantry officer in the 25th Infantry Division with service in Iraq. He holds a BS degree in Computer Science from the United States Military Academy at West Point.

BakerHostetler
45 Rockefeller Plaza
New York, New York 10111-0100
Tel +1 212 589 4200
Web www.bakerlaw.com

THEODORE J. KOBUS
Partner and Co-Leader, Privacy and Data Protection
Email tkobus@bakerlaw.com
Theodore J. Kobus is national leader of the BakerHostetler’s Privacy and Data Protection team. Mr. Kobus focuses his practice in the area of privacy and data security. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory actions, and defense of class action litigation. Mr. Kobus counsels clients involved in breaches implicating domestic and international laws, as well as other regulations and requirements. Having led more than 800 data breach responses, Mr. Kobus has respected relationships with regulators involved in privacy concerns as well as deep experience to help clients confront privacy issues during the compliance risk management stages. He is invested in his client relationships and approaches engagements practically and thoughtfully. He is ranked in Chambers USA and was one of only three attorneys named an MVP by Law360 for Privacy & Consumer Protection in 2013.

CRAIG A. HOFFMAN
Partner
Email cahoffman@bakerlaw.com
Craig A. Hoffman provides proactive counsel on the complex regulatory issues that arise from data collection and use, including customer communications, data analytics, emerging payments, cross border transfers, and security incident response preparedness. He uses his experience as a litigator and works with hundreds of companies who have faced security incidents to help clients develop a practical approach to meet their business goals in a way that minimizes regulatory risk. Mr. Hoffman conducts incident response workshops—built upon applicable notification laws and guidelines, “good” and “bad” examples from other incidents, and a tabletop exercise—to prepare companies to respond to security incidents quickly, efficiently, and in a manner that complies with applicable law while mitigating risk and preserving customer relationships. Mr. Hoffman also serves as the editor of BakerHostetler’s Data Privacy Monitor blog, providing commentary on developments in data privacy, security, social media, and behavioral advertising.

F. PAUL PITTMAN
Associate
Email ppittman@bakerlaw.com
F. Paul Pittman provides guidance to clients in responding to data security incidents and data breaches, ensuring that they meet their response and notification obligations under state and federal data privacy laws. Mr. Pittman also advises clients on data privacy and security issues that may arise in their business and assists them with the development of data privacy notices and
policies to ensure compliance with applicable laws and industry standards. In addition, he counsels clients on the permissible collection of data and usage in online advertising in compliance with online and mobile data standards. Mr. Pittman also offers his clients extensive experience defending against complex class action and state attorney general litigation.

Booz Allen Hamilton
8283 Greensboro Drive
Hamilton Building
McLean, Virginia 22102
Tel +1 703 902 5000
Web www.boozallen.com

WILLIAM (BILL) STEWART
Executive Vice President
Email Stewart_William@bah.com
William (Bill) Stewart currently leads the Commercial Cyber Business for Booz Allen Hamilton. In this role he leads teams that develop strategies and implement solutions for the most complex issues facing Private Sector Organizations. He has more than 25 years of professional experience building consulting and systems integration businesses. Mr. Stewart is responsible for providing services that appropriately balance risk and resource expenditure. Current clients include C-suite executives as well as senior government officials. Mr. Stewart has extensive experience envisioning, designing, and deploying solutions that enhance business performance. He helps clients create cutting edge strategies that optimize and secure critical business systems.
Mr. Stewart and his team help clients develop state-of-the-art cyber solutions, including Threat Intelligence, Advanced Adversary Hunt, Incident Response, Insider Threat, and Identity and Access Control. Mr. Stewart also led Booz Allen Hamilton’s Cyber Technology Center of Excellence (COE) with more than 3000 staff members, and he built a large Technology Consulting and Integration Business focused on the U.S. government.
Before joining Booz Allen, Mr. Stewart worked for a major electronics firm, where he developed communications security and key management devices. He also served as a Signal Officer, Battalion Commander, Brigade/Battalion S-3, and Company Commander in the U.S. Army.
He holds a BS degree in Engineering from Widener University and an MS degree in Electrical Engineering from Drexel University.

JASON ESCARAVAGE
Vice President
Email Escaravage_Jason@bah.com
Jason Escaravage is a leader in the Strategic Innovation Group for Booz Allen Hamilton. With a focus on Digital Services and Solutions, he drives the integration of Global Threat solutions for the firm’s Predictive Intelligence division. He is an expert in the systems development lifecycle, software solution design and development, and intelligence support to real-world mission operations.
Mr. Escaravage is recognized for leading large-scale, complex information technology (IT) and analytical support programs supporting government and commercial clients and in multiple focus areas, including conventional operations, counter-terrorism, anti-money laundering, and cyberthreat analysis. He has led teams of global/cyberthreat intelligence analysts in support of U.S. government and commercial customers focused on collecting, processing, and fusing data to create actionable intelligence. He holds a degree in Military History and Computer Science from Rutgers University and is a certified Project Management Professional (PMP).

SEDAR LABARRE
Vice President
Email Labarre_Sedar@bah.com
Sedar LaBarre is a Vice President with Booz Allen Hamilton, where he leads the firm’s
Psychology from the College of the Holy Cross, and an Advanced Graduate Certificate in Counterintelligence from Mercyhurst University.

JAMES PERRY
Senior Associate
Email Perry_James@bah.com
James Perry is a Chief Technologist in Booz Allen Hamilton’s Strategic Innovation Group, where he leads the commercial cyber incident response planning, investigation, and remediation services offerings, including our National Security Cyber Assistance Program Certified Incident Response capability. Mr. Perry works with chief information security officers, security operations center directors, and incident response teams across finance, retail, energy, health, manufacturing, and public sectors. In this role, he helps organizations to design and implement Cyber Security Operations capabilities to protect from, detect, and respond to advanced cyberthreats. Mr. Perry leverages his experience supporting incident response investigations across multiple sectors to help these organizations prepare for and rapidly contain cyber incidents.

LAURA EISE
Lead Associate
Email Eise_Laura@bah.com
Laura Eise is a cybersecurity consultant in Booz Allen’s commercial practice. In this role, she works with leaders across multiple industries in aligning cybersecurity programs to manage risk and meet the needs of the business. She specializes in programmatic assessment, incident response, enterprise risk management, strategy setting, and organizational design. Recently, she has led teams across the financial, retail, and manufacturing industries to create three-year strategy roadmaps to improve their cybersecurity programs. Ms. Eise is a co-author of the CyberM3 maturity model and co-leads the firm’s internal investment in the capability. She is also an Executive Coach and focuses on helping leaders and leadership teams achieve significant organizational transformations. She is an Associate Business Continuity Manager with Disaster Recovery Institute International, a Certified Information Privacy Professional, and received a graduate certificate from University of Maryland in Cyber Security.

KATIE STEFANICH
Associate
Email Stefanich_Katie@bah.com
Katie Stefanich is a management consultant who specializes in cyber incident management strategy, cyber education and outreach, and crisis communication. She has strong experience in authoring enterprise-wide cyber incident management strategies for retail, energy, and high-tech commercial organizations. Ms. Stefanich helps clients understand cybersecurity in terms of risk management, as well as identify and build cross-organization relationships for smooth incident response. She also has extensive experience providing strategic counsel to startups, entrepreneurs, and organizations interested in using lean startup methodology. Prior to her time at Booz Allen, Ms. Stefanich implemented integrated marketing campaigns for high-tech commercial organizations.

ERIN WEISS KAYA
Lead Associate
Email Weiss_Kaya_Erin@bah.com
Erin Weiss Kaya is a Lead Associate with Booz Allen Hamilton. She has more than 15 years of experience designing and managing strategic transformation programs, most recently serving as an external consultant on cybersecurity workforce and organization issues to the Department of Homeland Security and a number of large financial services institutions.
Ms. Weiss Kaya has served as an external consultant to Fortune 500 companies, state government agencies, and non-profits and as an internal strategic advisor and executive. She has led large projects for effective change implementations as well as cybersecurity human capital strategies, including
CHRISTIAN PAREDES
Associate
Email Paredes_Christian@bah.com
Christian Paredes is an Associate on Booz Allen Hamilton’s Predictive Intelligence team within the firm’s Strategic Innovation’s Group (SIG), where he focuses on cyberthreat intelligence (CTI) and CTI program development for commercial clients. Mr. Paredes has experience helping commercial clients to produce actionable threat intelligence for internal stakeholders at the operational and strategic levels. He has expertise in analytic tradecraft and production standards; technical threat intelligence; intelligence workflow integration with security operations; and threat intelligence program development. He has also worked with global organizations to assess their information security capabilities.
His emphasis on improving analytic quality by maximizing analyst time, resources, workflows, tools, and data sources has helped clients to realize value in their cyberthreat intelligence programs. Mr. Paredes holds an MS degree in International Affairs from Georgia Institute of Technology and a BA degree in Political Science from Georgia College & State University.

WAICHING WONG
Associate
Email Wong_Waiching@bah.com
Waiching Wong is part of Booz Allen Hamilton’s high-tech manufacturing practice,

BuckleySandler LLP
1250 24th Street NW, Suite 700
Washington, DC 20037
Tel +1 202 349 8000
Web www.buckleysandler.com

ELIZABETH E. MCGINN
Partner
Email emcginn@buckleysandler.com
Elizabeth E. McGinn is a partner in the Washington, DC, office of BuckleySandler LLP, where she assists clients in identifying, evaluating, and managing risks associated with privacy and information security practices of companies and third parties. Ms. McGinn advises clients on privacy and data security policies, identity theft red flags programs, privacy notices, safeguarding and disposal requirements, and information sharing limitations. She also has assisted clients in addressing data security incidents and complying with the myriad security breach notification laws and other U.S. state and federal privacy requirements. Ms. McGinn is a frequent speaker and author on a variety of topics, including privacy and data security, consumer financial services litigation, electronic discovery, and vendor management. Ms. McGinn received her JD,
cum laude, from The American University, Washington College of Law in 2000, and received the Mooers Trial Practice Award. She received a BS from St. Lawrence University. Ms. McGinn has been recognized with the firm’s Privacy, Cyber Risk, and Data Security practice group in Legal 500 (2013 and 2015).

RENA MEARS
Managing Director
Email rmears@buckleysandler.com
Rena Mears is a Managing Director at BuckleySandler LLP, where she focuses on data risk, cybersecurity, and privacy. She has more than 25 years’ experience advising financial services, hospitality, technology, bio-tech, and consumer-focused companies and boards on effective methods for addressing data asset risks while operating in complex business and regulatory environments. Prior to joining BuckleySandler, Ms. Mears was a partner in a Big Four advisory firm’s Enterprise Risk Services practice, where she founded and led the Global and U.S. Privacy and Data Protection practice. She has significant experience building and implementing multinational and enterprise data risk, privacy and security programs, performing compliance assessments, developing cybersecurity initiatives, and leading breach response teams. Ms. Mears has served on industry standards committees and company advisory boards for privacy and security. She regularly researches, speaks, and publishes on data risk, privacy, and cybersecurity and holds the CISSP, CIPP, CISA, and CITP certifications.

STEPHEN (STEVE) M. RUCKMAN
Senior Associate
Email sruckman@buckleysandler.com
Stephen (Steve) M. Ruckman is a senior associate in the Washington, DC, office of BuckleySandler, where his practice focuses on privacy, cyber risk, mobile payments, and data security, as well as federal and state investigations and enforcement actions. Mr. Ruckman joined BuckleySandler from the Federal Communications Commission, where he served as Senior Policy Advisor to the Commission’s Enforcement Bureau Chief, advising him on enforcement strategies in the areas of privacy and data security.
Prior to his time at the FCC, Mr. Ruckman spent five years as an Assistant Attorney General at the Maryland Attorney General’s office, where he was the first Director of the office’s Internet Privacy Unit. The Unit played a leading role in several multistate investigations into practices that threatened consumers’ online privacy and security, including the largest privacy settlement in AG history.
Mr. Ruckman is a graduate of Yale Law School and Yale Divinity School.

TIHOMIR YANKOV
Associate
Email tyankov@buckleysandler.com
Tihomir Yankov is an associate in the Washington, DC, office of BuckleySandler LLP. Mr. Yankov represents clients in a wide range of litigation matters, including class actions and complex civil litigation, as well as government enforcement matters. His government enforcement experience includes representing clients before the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (DFS), and various state regulators and attorneys general, as well as in cases involving unfair, deceptive, and abusive acts and practices (UDAAP).
Mr. Yankov also counsels clients on electronic discovery issues, including matters related to document and data retention, data assessment, data extraction strategies, and pre-litigation discovery planning.
Mr. Yankov received his JD from American University (cum laude) and his BA from the University of Virginia.
The Chertoff Group
1399 New York Avenue, NW
Suite 900
Washington, DC 20005
Tel +1 202 552 5280
Web www.chertoffgroup.com

MICHAEL CHERTOFF
Co-Founder and Executive Chairman
Email Emily.Dumont@chertoffgroup.com (assistant)
Michael Chertoff is Co-Founder and Executive Chairman of The Chertoff Group, a premier global advisory firm that focuses exclusively on the security and risk management sector by providing consulting, mergers and acquisitions (M&A), and risk management services to clients seeking to secure and grow their enterprises. In this role, Mr. Chertoff provides high-level strategic counsel to corporate and government leaders on a broad range of security issues, from risk identification and prevention to preparedness, response, and recovery.
From 2005 to 2009, Mr. Chertoff served as Secretary of the U.S. Department of Homeland Security (DHS), where he led the federal government’s efforts to protect our nation from a wide range of security threats, including blocking potential terrorists from crossing the United States border or allowing implementation of their plans on U.S. soil. Before leading DHS, Mr. Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit and earlier headed the U.S. Department of Justice’s Criminal Division. In this role he investigated and prosecuted cases of political corruption, organized crime, and corporate fraud and terrorism—including the investigation of the 9/11 terrorist attacks.

JIM PFLAGING
Principal
Email jim.pflaging@chertoffgroup.com
Jim Pflaging is the global lead for The Chertoff Group’s business strategy practice. Based in Menlo Park, California, Mr. Pflaging works closely with leading technology companies, private equity investors, and system integrators to identify, diligence, acquire, and build exciting companies. Based on dozens of successful client engagements, Mr. Pflaging has become a trusted advisor on technology and security to many in the U.S. Government and private industry. Mr. Pflaging has more than 25 years of Silicon Valley experience including 15 years as chief executive officer of cybersecurity and data management companies. He serves on the board of several security companies and is a frequent speaker on technology and security issues.

MARK WEATHERFORD
Principal
Email mark.weatherford@chertoffgroup.com or andrea.katzer@chertoffgroup.com (assistant)
Mark Weatherford is a Principal at The Chertoff Group, where he advises clients on a broad array of cybersecurity services. As one of the nation’s leading experts on cybersecurity, Mr. Weatherford works with organizations around the world to effectively manage today’s cyberthreats by creating comprehensive security strategies that can be incorporated into core business operations and objectives.
Prior to joining The Chertoff Group, Mr. Weatherford served as the U.S. Department of Homeland Security’s first Deputy Under Secretary for Cybersecurity. In this position, he worked with all critical infrastructure sectors as well as across the federal government to create more secure network operations and thwart advanced persistent cyber threats. He previously
served as the Chief Information Security Officer for the states of Colorado and California and as Vice President and Chief Security Officer for the North American Electric Reliability Corporation (NERC).

Coalfire
361 Centennial Parkway, Suite 150
Louisville, Colorado 80027
Tel +1 303 554 6333
Web www.coalfire.com

RICK DAKIN
Chief Executive Officer (2001-2015)
Rick Dakin provided strategic management IT security program guidance for Coalfire and its clients. After serving in the U.S. Army after graduation from the U.S. Military Academy at West Point, Mr. Dakin began his management career at United Technology Corporation. Prior to co-founding Coalfire, he was President of Centera Information Systems, a leading eCommerce and systems integration firm. He was a past president of the FBI’s InfraGard program, Denver chapter, and a member of a committee hosted by the U.S. Secret Service and organized by the Joint Council on Information Age Crime.
Mr. Dakin passed away June 20, 2015.

LARRY JONES
Chief Executive Officer
Email Larry.Jones@Coalfire.com
Larry Jones has served as Chairman of the Board of Coalfire since 2012 and became CEO in 2015. He has more than 25 years of experience building, operating, and growing public and private companies in the business process outsourcing, marketing services, enterprise software, smart-grid, information, and IT services industries. He has a proven track record as the CEO of six companies and has served as director of 13 private equity, public, and VC-backed companies and executive chairman of two others. Prior to his leadership role with Coalfire, from 2007 to 2011, Mr. Jones was CEO of Denver-based StarTek, Inc. (NYSE: SRT), a provider of global outsourced call center and customer support services. He has also served as CEO of Activant Solutions, an enterprise software company; chairman of WebClients, an internet affiliate marketing firm; CEO of Interelate, Inc., a marketing services firm; CEO of MessageMedia (NASD: MESG), an email marketing services company; CEO of Neodata Services, Inc., a direct marketing services firm; and was founding CEO of GovPX, a provider of government securities data. Mr. Jones also was a senior vice president at Automatic Data Processing and held various positions at Wang Laboratories between 1977 and 1987.
Mr. Jones currently also serves as a director of Diligent Corporation (NZX: DIL) and Essential Power, LLC. He is also an active member and Fellow in the National Association of Corporate Directors (NACD). Over the past 10 years, Mr. Jones has served as director of numerous public and private companies including Work Options Group, StarTek, Exabyte, Activant Solutions, Realm Solutions, SARCOM, WebClients, DIMAC, and Fulcrum Analytics. Mr. Jones graduated from Worcester Polytechnic Institute with a degree in computer sciences in 1975 and earned his MBA from Boston University in 1980.
Covington & Burling LLP
One City Center
850 Tenth Street, NW
Washington, DC 20001-4956
Tel +1 202 662 6000
Web www.cov.com

DAVID N. FAGAN
Partner
Email dfagan@cov.com
David N. Fagan, a partner in Covington’s global privacy and data security and international practice groups, counsels clients on preparing for and responding to cyber-based attacks on their networks and information, developing and implementing information security programs, and complying with federal and state regulatory requirements. Mr. Fagan has been lead investigative and response counsel to companies in a range of cyber- and data security incidents, including matters involving millions of affected consumers.

KURT WIMMER
Partner
Email kwimmer@cov.com
Kurt Wimmer is a Washington partner and U.S. chair of Covington’s privacy and data security practice. Mr. Wimmer advises national and multinational companies on privacy, data security, and digital technology issues before the FTC, the FCC, Congress, the European Commission, and state attorneys general, as well as on strategic advice, data breach counseling and remediation, and privacy assessments and policies. He is chair of the Privacy and Information Security Committee of the ABA Antitrust Section and is a past managing partner of Covington’s London office.

NIGEL L. HOWARD
Partner
Email nhoward@cov.com
Nigel L. Howard, a partner in Covington’s New York office, helps clients execute their most innovative and complex transactions involving technology, intellectual property, and data. Mr. Howard has been at the forefront of initiatives to protect data assets for his clients, helping them achieve a competitive advantage or fend off a competitive threat. He advises clients on their proprietary rights to data and global strategies for protecting these assets. He has represented companies in transactions covering the full spectrum of data-related activities, including data capture and storage, business and operational intelligence, analytics and visualization, personalized merchandizing, and the related cloud computing services, such as Data as a Service and Analytics Infrastructure as a Service.

ELIZABETH H. CANTER
Associate
Email ecanter@cov.com
Elizabeth H. Canter is an associate in the Washington, DC, office of Covington. She represents and advises technology companies, financial institutions, and other clients on data collection, use, and disclosure practices, including privacy-by-design strategies and email marketing and telemarketing strategies. This regularly includes advising clients on privacy and data security issues relating to third-party risk management. Ms. Canter also has extensive experience advising clients on incident preparedness and in responding to data security breaches.
Dell SecureWorks
One Concourse Pkwy NE
#500
Atlanta, Georgia 30328
Tel +1 404 929 1795
Web www.secureworks.com

MICHAEL R. COTE
Chief Executive Officer
Email info@secureworks.com
Michael (Mike) R. Cote became chairman and CEO of SecureWorks in February of 2002 and led the company through an acquisition by Dell in February of 2011. Under his leadership Dell SecureWorks has become a recognized global leader in information security services, helping organizations of all sizes protect their IT assets, reduce costs, and stay one step ahead of the threats. Previously Mr. Cote held executive positions with Talus Solutions, a pricing and revenue management software firm acquired by Manugistics in 2000. He joined Talus from MSI Solutions, where he was Chief Operating Officer, and his early career included international assignments with KPMG. He

THOMAS FUHRMAN
President
Thomas Fuhrman is President of Delta Risk. In this capacity he is a practicing cybersecurity consultant and the leader of the Delta Risk business.
Prior to joining Delta Risk, Mr. Fuhrman was the founder and president of 3tau LLC, a specialized consulting firm providing information security and technology advisory, analysis, and strategy services to senior clients in commercial industry and government, in the United States and internationally. He is a former Partner at Booz Allen Hamilton, where he led a $100 million consulting practice in cybersecurity and science and technology serving Department of Defense clients.
Mr. Fuhrman has more than 35 years of military and government experience and has expertise in many areas including cybersecurity strategy, policy, and governance; cybersecurity controls and technology; and risk management.
Mr. Fuhrman has degrees in electrical engineering, mechanical engineering, and mathematics and is a Certified Information Systems Security Professional (CISSP).
At Fish & Richardson, he focuses on helping companies plan for and respond to cyberattacks. As a securities litigator, he is well positioned to advise public companies on SEC disclosures regarding cybersecurity and boards of directors’ corporate governance responsibilities to oversee and manage this important enterprise risk.
Mr. Coldebella is a graduate of Colgate University, where he currently serves as audit committee chair on its Board of Trustees; he received his JD, magna cum laude, from Cornell. He is on Twitter at @g_co.

CAROLINE K. SIMONS
Associate
Email simons@fr.com
Caroline K. Simons is a litigation associate at Fish & Richardson P.C. Her practice focuses on white collar defense, cybersecurity and trade secret theft, internal investigations, and complex commercial litigation, including significant state and federal appellate experience. In 2013 Ms. Simons was selected by the Boston Bar Association to participate in the Public Interest Leadership Program. Ms. Simons is a graduate of Harvard College and Columbia Law School.

Previously, Ms. Westby launched In-Q-Tel, was senior managing director at PricewaterhouseCoopers, was senior fellow and director of IT Studies for the Progress and Freedom Foundation, and was director of domestic policy for the U.S. Chamber of Commerce. Ms. Westby practiced law at Shearman & Sterling and Paul, Weiss, Rifkind, Wharton & Garrison.
She is co-chair of the American Bar Association’s Privacy & Computer Crime Committee (Science & Technology Law Section) and co-chair of the Cybercrime Committee (Criminal Justice Section) and served three terms on the ABA President’s Cybersecurity Task Force. Ms. Westby speaks globally and is the author of several books and articles on privacy, security, cybercrime, and enterprise security programs. She has special expertise in the governance of privacy and security and responsibilities of boards and senior executives. She is author of the 2008, 2010, 2012, and 2015 Governance of Enterprise Security Reports and was lead author of Carnegie Mellon University’s Governing for Enterprise Security Implementation Guide. She graduated magna cum laude from Georgetown University Law School and summa cum laude from the University of Tulsa and is a member of the Order of the Coif, American Bar Foundation, and Cosmos Club.
team that analyzes companies in more than 110 markets around the world, provides institutional investors with customized research, and produces studies and white papers on issues and topics in corporate governance. In addition, Ms. Carter serves as the head of the ISS Global Policy Board, which develops the ISS Global Proxy Voting Policies. Named for five years in a row to the National Association of Corporate Directors’ Directorship 100 list of the most influential people in the boardroom community (2008–2012), Ms. Carter has been quoted in media around the world and is a frequent speaker for corporate governance events globally. Ms. Carter holds a PhD in finance from George Washington University and an MBA in finance from the Wharton School, University of Pennsylvania.

PATRICK MCGURN
Executive Director and Special Counsel
Email patrick.mcgurn@issgovernance.com
Patrick McGurn is executive director and special counsel at ISS. Considered by industry constituents to be one of the leading experts on corporate governance issues, he is active on the U.S. speaking circuit and plays an integral role in ISS’s policy development. Prior to joining ISS in 1996, Mr. McGurn was director of the Corporate Governance Service at the Investor Responsibility Research Center, a not-for-profit firm that provided governance research to investors. He also served as a private attorney, a congressional staff member, and a department head at the Republican National Committee. He is a graduate of Duke University and the Georgetown University Law Center. He is a member of the bar in California, the District of Columbia, Maryland, and the U.S. Virgin Islands. Mr. McGurn serves on the Advisory Board of the National Association of Corporate Directors. He was named to the 2011 National Association of Corporate Directors’ Directorship 100 list.

Internet Security Alliance
2500 Wilson Boulevard
Arlington, Virginia 22201
Tel +1 703 907 7090
Web www.isalliance.org

LARRY CLINTON
President
Email lclinton@isalliance.org
Larry Clinton is President of the Internet Security Alliance (ISA). He is the primary author of ISA’s “Cyber Social Contract,” which articulates a market-based approach to securing cyber space. In 2011 the House leadership GOP Task Force on cybersecurity embraced this approach. In 2012 President Obama abandoned his previous regulatory-based approach in favor of the ISA Social Contract model. The ISA document is the first and most often referenced source in the President’s “The Cyber Space Policy Review.” He is also the primary author of the Cyber Security Handbook for corporate boards published by the National Association of Corporate Directors (NACD) in 2014. In 2015 Mr. Clinton was named one of the nation’s 100 most influential persons in the field of corporate governance by NACD. He has published widely on various cybersecurity topics and testifies regularly before Congress and other government agencies including the NATO Center for Cyber Excellence.
CONTRIBUTOR PROFILES
Mr. Beeson is also engaged in the development of Cybersecurity Policy in the U.S. and U.K. In March 2015 he testified before the Senate Commerce Committee on the evolving cyber insurance marketplace.
A frequent public speaker, in April 2015 Mr. Beeson was one of the first panelists to present on the topic of Cyber Insurance at the world’s largest Cyber Security Conference, RSA, San Francisco.
Prior to moving to Washington, DC, Mr. Beeson was based in Lockton’s London office for seven years, where he cofounded and built one of the leading cybersecurity teams within the Lloyd’s of London marketplace.
Mr. Beeson holds a BA (Hons) degree in modern languages from the University of Durham, U.K., and a certification in Cyber Security Strategy from Georgetown University, Washington, DC.

National Association of Corporate Directors
2001 Pennsylvania Ave. NW
Suite 500
Washington, DC 20006
Tel +1 202 775 0509
Web www.nacdonline.org

KEN DALY
Chief Executive Officer
Ken Daly is the Chief Executive Officer of the National Association of Corporate Directors (NACD). As head of the nation’s largest member-based organization for board directors, Mr. Daly is a recognized expert on corporate governance and board transformation. Prior to NACD, Mr. Daly was an audit partner at KPMG, where he also served as the partner-in-charge of the national risk management practice. After retiring from the firm, he assumed the role of executive director of KPMG’s Audit Committee Institute. He routinely lends his regulatory expertise to counsel audit committees in critical areas, and he has extensive experience as an auditor and consulting with companies in the banking and insurance industries. Mr. Daly is a frequent speaker and writer on many issues confronting today’s corporate board, including executive compensation. He regularly appears in media and has been quoted in the Wall Street Journal, the New York Times, and Fox News Radio, among others.

Orrick, Herrington & Sutcliffe LLP
51 West 52nd Street
New York, New York 10019-6142
Tel +1 212 506 5000

ANTONY KIM
Partner
Email akim@orrick.com
Antony Kim is a partner in the Washington, DC, office of Orrick, Herrington & Sutcliffe and serves as Global Co-Chair of its Cybersecurity and Data Privacy practice. Mr. Kim represents clients in federal and state regulatory investigations, private actions, and crisis-response engagements across an array of cybersecurity, data privacy, sales and marketing, and consumer protection matters, on behalf of private and public companies.

ARAVIND SWAMINATHAN
Partner
Email aswaminathan@orrick.com
Aravind Swaminathan is a partner in the Seattle office of Orrick Herrington & Sutcliffe LLP and serves as the Global Co-Chair of its Cybersecurity and Data Privacy practice. Mr. Swaminathan advises clients in proactive assessment and management of internal and external cybersecurity risks, breach incident response planning, and corporate governance responsibilities related to cybersecurity and has directed dozens of data breach investigations and cybersecurity incident response efforts, including incidents with national security implications. A former Cybercrime Hacking and Intellectual Property Section federal prosecutor, Mr. Swaminathan also represents companies and organizations facing cybersecurity and privacy-oriented class action litigation that can often follow a breach.

DANIEL DUNNE
Partner
Email ddunne@orrick.com
Dan Dunne, a partner in the Seattle office of Orrick, Herrington & Sutcliffe LLP, represents corporations, financial institutions, accountants, directors, and officers in complex litigation in federal and state courts. Mr. Dunne defends directors and officers in shareholder derivative suits, securities class actions, SEC, and other state and federal regulatory matters.

Pillsbury Winthrop Shaw Pittman LLP
1200 Seventeenth Street, NW
Washington, DC 20036
Tel +1 202 663 8062
Web www.pillsburylaw.com

BRIAN FINCH
Partner
Email brian.finch@pillsburylaw.com
Brian Finch is a partner in the Washington, DC, office of Pillsbury Winthrop Shaw Pittman LLP. He has been named by Law360 as one of its “Rising Stars” in Privacy Law in 2014 and a “Rising Star” by National Law Journal D.C. He is a recognized authority on cyber and physical security matters, focusing his practice on providing proactive liability mitigation advice to clients.
Mr. Finch is also a leading authority on the SAFETY Act, a federal statute that can provide liability protection to companies following a terrorist or cyberattack.
He is a senior advisor to the Homeland Security and Defense Business Council, serves on the National Center for Spectator Sports Safety and Security’s advisory board, and is an adjunct professor at The George Washington University Law School.
Mr. Finch regularly speaks and writes on security issues and has written articles for the Wall Street Journal, Politico, The Hill, and other publications.

Rackspace Inc.
1 Fanatical Place
City of Windcrest
San Antonio, Texas 78218
Tel +1 860 869 3905
Web www.rackspace.com

BRIAN KELLY
Chief Security Officer
Email brian.kelly@rackspace.com
Brian Kelly brings three decades of leadership in security, special operations, investigations and intelligence to Rackspace.
In the Air Force, Mr. Kelly rose to the rank of lieutenant colonel. He led teams involved in satellite surveillance, cybersecurity, and special operations; as a Department of Defense Senior Service Fellow, advised the Joint Chiefs of Staff and the Secretary of Defense; and received a Department of Defense meritorious service medal.
In the private sector, Mr. Kelly held the positions of vice president with Trident Data Systems, principal (select) at Deloitte, and CEO of iDefense. He led the Giuliani Advanced Security Center and served as
Treliant Risk Advisors LLC
1255 23rd Street NW
Suite 500
Washington, DC 20037
Tel +1 202 249 7950
Web www.treliant.com

DANIEL J. GOLDSTEIN
Senior Director
Email dgoldstein@treliant.com
Daniel J. Goldstein is a Senior Director with Treliant Risk Advisors. He advises clients operating in complex business and regulatory environments on data risk mitigation strategies and solutions. His career has centered on guiding U.S. and multinational clients through complex international data protection requirements to provide business solutions that can be implemented across large organizations.
Prior to joining Treliant, Mr. Goldstein was the Director of International Data Privacy for Amgen GmbH in Switzerland. At Amgen, he initiated and led privacy and data protection efforts across Amgen’s global affiliates, while managing an international privacy office and a network of data protection officers.
Mr. Goldstein is a graduate of the UCLA and the Golden Gate University School of Law and a member of the State Bar of California. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional (CIPP–US and Europe).

U.S. Department of Justice
Cybersecurity Unit
1301 New York Ave NW
Suite 600
Washington, DC 20530
Tel +1 202 514 1026
Web www.justice.gov
Email cybersecurity.ccips@usdoj.gov
In December 2014 the Criminal Division created the Cybersecurity Unit within the Computer Crime and Intellectual Property Section to serve as a central hub for expert advice and legal guidance regarding how the criminal electronic surveillance and computer fraud and abuse statutes impact cybersecurity. Among the unit’s goals is to ensure that the powerful law enforcement authorities are used effectively to bring perpetrators to justice while also protecting the privacy of everyday Americans. In pursuing that goal, the unit is helping to shape cybersecurity legislation to protect our nation’s computer networks and individual victims from cyberattacks. The unit also engages in extensive outreach to the private sector to promote lawful cybersecurity practices.