A cyber attacker could be anyone. A disgruntled employee with access to data, a ‘hacktivist’ with a social or political axe to grind, an organised criminal seeking profit, or a nation state with a cyber army primed for sophisticated cyberespionage missions. They could be anywhere, silently gathering data before slipping out undetected, or hiding in a gap in the supply chain, waiting to shut down the organisation’s service. Terminology such as ‘phishing’, ‘social engineering’ and ‘advanced persistent threat’ has invaded the lexicon of the modern corporation.
‘Data is the new oil,’ says former ethical hacker and cybersecurity expert Jason Hart. ‘With oil, we learnt to create plastics and core fuel, and we monetised and commoditised it. Bad guys are doing that with data.’ He says that companies are spending more and more money on cybersecurity, yet more and more breaches are happening. Gone are the days of backup tapes locked in a safe. Now we turn to the cloud or other virtual environments for our safety net, without knowing where that data actually ‘is’, or over how many locations it is spread. We’re also generating more data than ever before. Multiple logins mean multiple identities to target, making it an easier job for attackers to build up a comprehensive online portrait of an individual with which to bait their phishing nets.
None of this is news to savvy 21st century corporates. But human nature lets us all down – neglecting to read the cyber policy, delaying the online training or software updates, depending on a password scribbled on a post-it note. And the C-suite is not immune. According to Zain Javed, head of penetration testing at Xyone Cybersecurity, members of top level management are common but often unsuspecting targets – insulated by layers of directors, cushioned by a large IT department, but vulnerable due to their greater rights of access to company systems.
Of course, it’s not the job of the legal department to get technical with strings of encryption code. Any large multinational will have a team focused on the fundamentals of cyber defence. But, as today’s most keyed-in GCs know, the idea that cybersecurity is solely the IT department’s problem belongs firmly in the past. Nowadays, the CISO is a prominent and frequent presence in the general counsel’s office, and might even be part of it. But whatever the structure, as Erez Liebermann, senior regulatory counsel at Prudential Financial, puts it: ‘In this day and age, GCs and CISOs should be joined at the hip.’ Information security is an enterprise-wide issue, with the general counsel at the epicentre of both planning cyber breach avoidance and handling the aftermath if the unthinkable occurs.
The right amount of friction
Naturally, there will be other interested parties, involved in multistakeholder working groups and committees. In fact, says Anthony Martin, senior associate GC for privacy and information security at Walmart, ‘increasingly we need a bigger room because there are more people that want to be in these meetings.’ That doesn’t mean there won’t be pushback. But this doesn’t bother Martin: ‘We often refer to it here as the appropriate amount of friction in any conversation. Because if you have too much compliance, oversight and legal, we get in the way of actually transacting business.’
Increasingly though, the balance is shifting in favour of cyber protection over cost-cutting. In particular, says Liebermann, boards are aware that they may be held accountable, which brings useful tone from the top. According to outside counsel friends of his, ‘after the Target data breach and the subsequent departure of the Target CEO, the phone has been ringing off the hook to bring in outside counsel in cybersecurity planning, with the legal teams and the business teams. That was a watershed moment.’
Now that boards are apprised of the cyber threat, they might need to upskill, says BT’s general counsel for the Americas, Richard Nohe. ‘A lot of boards have former accountants, auditors, finance professionals and management experts, but they may not have the technological expertise to know what types of questions they should be asking,’ he says. It’s an opportunity for a tech-savvy GC to lend credible advice and steer them in the right direction.
Assembling the troops
Doug Weiner is Hewlett-Packard’s senior counsel for global cybersecurity, and his advice for those new to the field is to adjust their mindset. ‘No company can be 100% effective in managing its security; you have to be prepared to manage your incidents,’ he says.
The first mistake that many legal directors make when planning for a breach is to underestimate the resources required to handle it, says Anthony Martin. ‘The velocity of the issues will come at them in a way that they’re not able to get at them all like they thought they would. So many conversations will be had throughout an organisation where it would be beneficial to have legal in the room,’ he explains. He recommends researching law firms in each of the company’s major jurisdictions with the bandwidth to come on board at a moment’s notice, but also deputising lawyers in-house. They could be trained to be ‘first responders’ in the absence of the GC, or to cover the day-to-day role of senior lawyers when they get pulled away to fight the fire.
A risky business
For Chris Dancey, former general counsel for Hays in Asia, cybersecurity planning should be treated in the same way as any other crisis management situation, and subject to the same level of risk analysis. General counsel are uniquely placed as legal risk manager, possessed (as they often are) of formal risk management qualifications, analytical skills, a commitment to process, and an aptitude for handling a crisis. But crucially, says Dancey, the GC has a helicopter view of the information flow of the business which enables them to spot issues and identify pockets of risk. ‘The chief information officer’s horizon might only be immediate issues to do with quarantining systems and getting them back into play,’ he says. ‘The general counsel will join the dots for a number of different parts of the organisation, whether it’s the compliance team, the CEO who has to go out and give a press briefing, a notification to the market, or reporting to regulators.’
This often makes the GC ideally situated to draft the compliance programme, albeit with clear reporting lines to a risk committee and senior management. The GC is often the liaison point between stakeholders, facilitating informed decision-making on acceptable levels of risk, including where risk should sit in the supply chain, and what liability should sit with customers or suppliers. This raises the issue of cyber insurance – or rather the lack thereof, according to Richard Nohe. ‘Insurance policies tend to be very narrowly drafted, with a lot of gaps,’ he says. Ali Parvin, counsel and senior consultant at Dell, observes that cyber insurance providers are becoming more sophisticated, however. ‘In some cases, companies won’t be insured unless the applicant can demonstrate that they’ve got some strong data governance measures in place. Insurance companies are starting to conduct a real risk assessment of their customers.’ But in a less than fully-evolved market, says Nohe, ‘it’s not correct to place that insurability issue in a commercial contract on the supplier. So working with the CISO and working with finance, you’re able to come up with the right balance as to how much risk the organisation is prepared to take.’
A central function of the GC is to identify the company’s crown jewels, and then work with business continuity to prepare for that worst-case-scenario shutdown of core services. The legal department can play a vital role in formalising relationships with technical, administrative, forensic and external legal service providers and contractors, so that in the event of a problem, key figures can leap into action without delays caused by last-minute contract negotiation. It’s a two-way street though, and those service providers must be held to the same compliance standards as internal functions, to ensure the integrity of the supply chain. This will include contractual provisions for securing the audit rights for the information security group to go onsite and conduct appropriate testing where necessary.
Meet the regulators
A key role of counsel is keeping abreast of regulatory changes and certification requirements across jurisdictions in which the company is present. Although not all territories compel reporting of cyber breaches, Doug Weiner acknowledges that it is ‘getting harder for a company that does business and manufacturing around the world to be compliant with the individual mandates of every government.’ In Asia, Chris Dancey notes that most governments are also ‘jumping on the bandwagon’, with both China and Singapore recently putting cyber provisions in place, alongside ‘an absolute tsunami of data protection law changes in Asia.’
Nevertheless, says Richard Nohe, it’s not enough. He argues that even in the US, legislative structure is probably 100 paces behind technological advances, and although some lag is inevitable, lawyers could be doing more to bridge the gap. ‘I don’t think the legal community is communicating nearly enough about it. It’s something we should be driving forward, not only from the practical level of: how should we be communicating with other legal departments? But: what do we want the law to be?’ He advocates taking part in any forum – events, roundtables, focus groups, blogs – if it gets likeminded counsel together discussing the issues.
Even if in-house lawyers are avoiding each other, in today’s climate they cannot avoid regulators, with whom they must often co-ordinate inquiries and maintain relationships both before and during a breach. Such increased regulatory scrutiny ‘puts the general counsel’s office right in the middle of cybersecurity in a way that it never was before,’ says Liebermann. This gives the GC the authority to create an escalation point in the case of a lack of business engagement, he says, and also thrusts the in-house team further into a leadership role in the event of a breach. ‘I heard a presentation from a general counsel who led a Fortune 500 firm through a massive breach, who spoke at length about how it was her leading the phone calls and taking on the leadership role, with daily phone calls about the data breach and how to respond to it. And that’s because of that coordination function, because of the constant inquiries that a regulator is going to be making during a breach,’ he adds. His top tip? Get to know relevant law enforcement officials by name. In the US, at least, they want to work with you.
It’s a privilege
Depending on the jurisdiction, having a crisis response led by the legal team (internal or external) often ensures the attachment of legal privilege. ‘It at least gives the organisation the ability to have candid conversations to find out the actual facts,’ says Anthony Martin. Privilege must be protected, agrees Ali Parvin, and so those candid conversations need not be shared with everyone and, where there are no reporting regulations, it makes sense to form a small core team of legal and communications professionals to control information flow, brief appropriate people internally, ensure everyone is aware of confidentiality, and avoid the creation of unnecessary documents.
If word gets out and the comms team becomes focused on the message transmitted externally with a 24/7 news infrastructure training its lens on the company, ‘there really is an important role we play as legal counsel to work with them on the image and the brand projected outwards,’ says Doug Weiner. ‘The main thing is to get the facts straight. It’s not that anyone wants to hide anything.’
Training up
There are some elements of cybersecurity planning that the legal department may or may not be involved in rolling out, depending on the cybersecurity reporting structure. Training for individuals on topics such as social engineering or using social media is one area that might sit with the GC, particularly when it comes to internal policy housekeeping. Even if not, says Weiner, the general counsel can play an effective role by championing the cause, perhaps even tying cybersecurity in with other types of training, such as ethics and compliance or standards of business conduct. The GC should certainly ensure that training is covered from the legal perspective, says Ali Parvin, not least because of the potential regulatory fall-out in some jurisdictions should a breach occur and it transpires that appropriate training programmes have not been implemented. ‘[Regulators] would certainly take a very dim view,’ she says, ‘and that would be something that would indicate the fine would be higher.’
Another area that could fall within the GC’s remit is coordinating ‘penetration testing’ (hiring a cybersecurity company to ‘hack’ the systems) or ‘table top’ exercises (practice runs of a cyber emergency situation) to expose vulnerabilities in the company’s defences or crisis response plan. After all, says Parvin, the response plan is a live document: ‘There’s no point in having a plan, shoving it inside your drawer and pulling it out as and when there’s an event. It needs to be practised, refined and updated.’
The term ‘table top’ is not popular with everyone. ‘I personally don’t like it,’ says Richard Nohe, ‘because it implies that people will get around a table for an exercise, whereas in reality, when these things happen it’s not when senior management is sitting around the boardroom.’ Anthony Martin recommends involving different levels of the organisation, to get as many perspectives as possible. If one cross-company exercise is held, he says, ‘you’ll find that a lot of times, the lower-ranking folks won’t necessarily pipe up.’ Erez Liebermann agrees that the exercise should be as inclusive as possible. ‘Too often you hear of table tops for the tech folk, but if it stops there, you’re missing an opportunity to really practise the crisis management that comes with a massive data breach. A real table top should include the control function, the business heads and it should emulate a real scenario.’ He cites the example of an event he attended run by the US-based Securities Industry and Financial Markets Association (SIFMA) that simulated an attack over the course of one day: ‘It was from eight in the morning till about four in the afternoon, with real-time interjects, and we were expected to respond in real time. We had a conference call bridge open the whole day in which people were talking, as well as chat rooms.’
Sharing knowledge
Events that bring in-house lawyers together to brainstorm are a great way of increasing connectivity across the in-house legal cybersecurity defence space. Because although work is being done, says Liebermann, ‘on the lawyer side, because of privilege fears, there is less information-sharing. I’ve yet to go to a conference and have anyone roll out their response plan as a template for everyone.’ Ali Parvin believes that sharing threat information in particular is something that all companies should be doing. ‘It’s not bespoke information,’ she says. ‘We all need to know what’s going on, and if we can share that knowledge, I think we’ll all be in a better position.’