The digital age has brought great leaps in innovation and growth but the heavy reliance of businesses on information technology has exposed them to numerous new threats. The past year has seen many high-profile cases of cyber crime, of which the financial services sector has been a particular target, but still boards are failing to make data security a priority. However, with regulators on the offensive, and customers becoming more aware of the issues than ever before, firms must take the time to assess their cyber crime exposures and revisit their incident response plans.
FW: In your opinion, how important is a company’s information security program to combat the threat of a security breach?
Fischer: A company’s information security program is the cornerstone of its efforts to successfully address the risks associated with security breaches. A comprehensive, written information security program lays the foundation for a company’s efforts to protect both its business and customer data. The program should include administrative controls such as employee training, technical controls such as firewalls, and physical controls such as keycard access to facilities, that are appropriate to the nature and sensitivity of the information that a company handles and the risks to that information. An integral factor in maintaining a meaningful information security program is conducting periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to a company’s information. Based on these risk assessments, the company can take appropriate steps to modify or upgrade the controls in its information security program in order to limit identified risks.
Bouloux: A robust information security program is one of the first critical steps to protecting an organisation against a security breach. Such security programs should identify both internal and external threats to corporate data assets, with security structures aligning with jurisdictional and industry standards such as ISO/IEC 27001 or even PCI-DSS. Robust security programs must be proactive in identifying threats and frequent audits of the company’s security architecture are critical in continuing to ensure system integrity. Unfortunately, despite organisations adopting high levels of security, breaches still occur, and an organisation’s response plan in dealing with such a breach is just as critical a part to managing data as the initial security structure.
Lawson: In short, information security programs are critical. A company’s information security program is one of the cornerstones for good information governance. It provides a data management plan, is critical for combating security breaches, and serves as one of the primary intellectual property protection tools an organisation can deploy. In addition to defining the standard for how data is stored, protected, and made accessible within the enterprise, it serves as the blueprint for responding to incidents.
Raether: An effective security program is a collective effort that must combine strong technology with sound and tested practices. You are only as strong as your weakest link. In the case of security, that is often your employees. Having strong perimeter security – for example, firewalls – will not protect you from the employee who uses a common password, downloads applications or clicks on unknown hyperlinks that enable malware. Recently, we have seen employees providing passwords to callers pretending to be affiliated with the company only to realise the caller is a criminal who uses that password to steal data. Employees must be invested in the importance of good security practices. Likewise, a good program is essential when responding to an incident. Being unprepared and lacking an incident response plan can have costly and disastrous consequences.
Olcott: Information security programs that seek to limit a company’s material cyber risk are crucial tools for senior executives. Given the rising sophistication of threat actors and the expansion of network perimeters, networks will inevitably be breached. But though network security breaches are inevitable, compromise of data need not be. The ultimate goal of an information security program should not be to prevent, but rather to contain network breach and to prevent or limit data compromise. The most effective enterprise information security programs are based on risk rather than compliance. They include a cyber risk analysis consisting of an inventory of key assets, their vulnerabilities, the threats they are likely to face, and the consequence to the enterprise should they be compromised. Armed with this information, a multi-departmental group of senior managers, including the general counsel, CIO, CISO, and others, can identify technology, policy, and process needs in order to structure their information security program accordingly to address their unique needs. Additionally, effective information security programs will include provisions for workforce awareness training, and testing of incident handling and crisis management programs with the executive team.
FW: What trends are you seeing in security breaches occurring within specific sectors? Are there any particularly vulnerable, high-target sectors?
Bouloux: The last couple of months have been pretty interesting from a reported security breach perspective. The banking sector has been heavily hit by targeted malware (such as High Roller), hacktivists, suspected government operatives, and even by an individual hacker – Reckz0r – who accessed data in over 79 banks around the world. Data aggregation software operated by SSP suffered a breach which led to Google suspending the use of its service. A malicious attack shut down systems at Saudi Aramco. Denial-of-service attacks have been launched against EL AL, Turkish Airlines, the Swedish government, Paypal, and the list goes on. Politically motivated attacks seem to be causing a lot of issues, but the proliferation of malware and phishing attacks designed to source profit from individuals mean that any organisation that collects or stores data is at risk of a breach.
Schrader: As has historically been the case, the primary targets of cyber criminals are companies that maintain information that can be used to conduct identity theft and fraud, such as Social Security numbers that can be used to open new financial accounts and account numbers and passwords that can be used to commit fraud on existing financial accounts. These targeted companies cross a wide spectrum of sectors, including financial institutions that open and maintain deposit and credit accounts, merchants that accept payment cards and cheques, and government entities that maintain significant amounts of consumer-specific information. More recently, companies that maintain websites for which consumers have user names and passwords have been increasingly targeted, including, for example, social media companies. Because many consumers use the same or substantially similar user names and passwords across various websites, cyber criminals seek to obtain such information in an effort to access a wide variety of websites, including internet banking sites.
Raether: Financial information will always be a prime target. We are seeing a recycling of attacks and criminals are further enhancing these attacks and developing new schemes. An example is the recent Barnes & Noble breach that involved the manipulation of the pin pad reader at the point-of-sale. We first saw this attack four to five years ago and are now seeing it again but in new ways. In the past, the criminal would leave behind a piece of firmware and later return to collect the payment information. Now, criminals are finding software vulnerabilities in a single device at a single store and then replicating that across the organisation. This technique makes it much easier to steal a great deal of data. Similarly, the theft of passwords at Yahoo and LinkedIn reveals another trend. Criminals are willing to build a scheme based on taking several steps. At Yahoo and LinkedIn, clear text passwords were stolen. Knowing that most consumers use the same password across platforms, the criminals could use these passwords to attempt access to online bank accounts.
Lawson: The top dog is clearly the financial services sector. Some others that seem to be ‘top’ targets include energy, government agencies and individual email accounts. In the financial sector in particular, studies show that cyber crime is the second largest crime in the financial sector, second only to asset misappropriation. The financial services sector sees an average of twice as many attacks as other sectors. As a quiet yet emerging trend, we’re seeing an increase in attacks on the legal sector. This sector has not traditionally been seen as a leader in information security, yet it possesses some of the most sensitive materials related to IP, litigation and M&A. This is something to keep an eye on over the next few years.
Olcott: In recent years spear phishing has become the attack vector of choice for targeted attacks, and the sophistication of these attacks has risen considerably. Extensive target reconnaissance – enabled in part by the rise in social websites – allows attackers to leverage publicly available information to craft seemingly authentic emails that are becoming increasingly difficult to identify as fraudulent. Spear phishing allows attackers to target high-ranking officials that likely have access to sensitive information. Recent years have seen the rise of two distinct security breach trends: targeted, sophisticated attacks against high-value targets aimed at acquiring trade secrets and intellectual property; and increased volume of attacks against weaker targets and commoditisation of attack tools to commit cyber crime and financial fraud. The targets of the former attacks tend to be companies and their professional services firms in industries of strategic importance: high-end equipment manufacturing, new energy and oil/natural gas firms, and ICT manufacturers. The targets of the latter tend in recent years to have been in the accommodation and food services and retail trade industries.
FW: Do you believe boards and management teams are committed to addressing the issue of data security, or is there a need for more action?
Lawson: I think boards are emotionally committed and want to do the right thing but it is hard to strike the right balance between investing in security and being fiscally responsible to the organisation. If you spend and avoid attack, did you overspend? If you spend and are attacked you didn’t spend (or prepare) enough. You’re damned if you do, and damned if you don’t. The challenge lies in the fact that technology changes on an almost daily basis. This rolls directly up to the decisions that the C-suite needs to make. Having an information management plan in place is the first step in developing the appropriate knowledge base to make those decisions from. The need for additional resources is driven by the size of an organisation, what IT functions it outsources, and the types of IP it is trying to protect, in addition to others.
Olcott: Boards and management teams have increasingly recognised data security as an important issue, but most are not exercising enough leadership or involvement to manage or oversee a solution to the problem. Reasons for non-action can include underestimating the problem, assuming it won’t happen to you, IT-phobia, a belief that data security can be delegated to a CISO or an IT director and isn’t a job for the board or management, or not knowing where to start. Boards need to exercise oversight by requiring information and status reports on data security and ensuring appropriate communications with shareholders and investors. Managers need to communicate that data security is a priority and requires an enterprise-wide response involving the whole management team. The CEO, general counsel, CFO, CIO/CISO, communications and customer or product leads all have roles to play.
Raether: Data security is seen as a cost centre. As a result, many boards have not made security a priority until compelled to do so. This pressure often comes from an incident, regulators, or a knowledgeable board member. On this last point, it is our responsibility to educate the board on the importance of security and the financial implications of an incident. Avoiding the costs of an incident can be as important to the bottom line as improving revenue. Additionally, it is important for us to educate the board on how strong security and regulatory compliance can improve revenue by being a market differentiator. With the letter sent from Senator Rockefeller and the increased oversight from the Consumer Finance Protection Bureau, we expect to see the chief security officer, and security issues debated and resolved, more often in the boardroom.
Fischer: As national and regional governments have increased efforts to require the implementation of data security protections, and have brought enforcement actions to address compliance failures, the establishment of effective information security programs has become a higher priority for companies. Moreover, data security has become an important contractual focus, including in service provider agreements, as well as agreements governing the processing, transmission and storage of information. At the same time, industry best practice standards have evolved. Further, companies have gained an even greater appreciation of the importance of maintaining fulsome data security controls, including avoiding the costs of security breach incidents, addressing reputational risk, protecting proprietary information from competitors and avoiding resulting financial exposure. Together, these factors have collectively led to increased focus by boards of directors and management on data security issues.
Bouloux: There is always a need for more action when it comes to boards and management teams addressing the issue of data security. The key individuals are certainly becoming more aware of the risk and hiring privacy officers, CIOs, CSOs, and so on. But the data security responsibility is very often just dumped on this individual and there is a sense that compliancy is met. Hiring of these individuals is certainly a good idea, and a legal requirement in certain jurisdictions, but boards and management teams must be proactive in making sure that the IT department is aligned with risk management, who are aligned with legal, the CXOs, HR, external specialists, and even back up to the board. Open communication across all levels of a company not only helps ensure that the best security architecture is in place, but further, that employees are being properly trained on security standards, and that there is a well vetted incident response plan in place to help manage through any potential breach.
FW: What insights can we derive from recent events and high profile cases of security breaches at multinational corporations?
Raether: There are two main lessons here. First, we need to address the obvious: to avoid incidents. Encrypt sensitive data, including passwords. The negative effect of numerous incidents involving lost laptops, flash drives and other mobile devices could have been avoided. Likewise, improve employee training and test them. In one recent incident, a helpdesk employee provided an administrator ID and password to a caller who he thought was the company’s CIO; this should never happen. Second, we need to improve our communication strategies following an incident. Each incident requires a unique plan. I have seen companies overreact and create a story and drive attention. I also have seen different companies not take the incident seriously and then have to explain the lack of a timely or complete response. Both approaches can have disastrous consequences in the form of harm to goodwill and unnecessary attention from regulators and class counsel. Enlisting an experienced data breach coach is important to finding the proper balance.
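Raether's first lesson above, and the clear-text password thefts at Yahoo and LinkedIn cited earlier in the discussion, both come down to how credentials are stored. The example below is added here and is not code from the article or from any of the panellists' firms. It shows the standard practice for stored login passwords: a per-user random salt and a slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), so that a copied credential table yields no clear-text passwords. The iteration count, user names and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed work factor for the example; choose the highest cost your login
# latency budget allows and raise it over time.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a storable record; the plaintext password is never written anywhere."""
    if salt is None:
        # A fresh random salt per user: identical passwords produce different records,
        # so a single precomputed table cannot crack the whole store at once.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """Constructed credential table: username -> hashed record, never the password."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


# Hashed once at import so that unknown-user logins cost the same as real ones.
DUMMY_RECORD = hash_password("dummy-password-for-timing")


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Check a login attempt without revealing through timing whether the user exists."""
    record = store.get(user)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Two constructed users who chose the same password still get distinct records.
    store = build_store({"ann": "Winter2012!", "ben": "Winter2012!"})
    print(store["ann"] != store["ben"], login(store, "ann", "Winter2012!"),
          login(store, "ann", "winter2012!"), login(store, "zed", "Winter2012!"))
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised for new records while old ones still verify, and a constant-time comparison keeps the check from leaking how many digest bytes matched.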
Olcott: Although it occurred in 2009, the sophisticated and targeted campaign against Coca-Cola recently detailed in Bloomberg BusinessWeek typifies the threats currently facing multinational corporations. First, major corporations are the victims of targeted attacks launched by well-funded, well-staffed and sophisticated threat actors. Second, spear phishing is the preferred attack vector for these attacks and corporations often are unaware that they have been breached and their sensitive data has been compromised until notified by third-party groups. Finally, once the compromises are discovered, corporations are hesitant to disclose the events to regulators and investors for fear of losing market value, in spite of legal obligations that may require their disclosure. There are three principal lessons to be learned from cases such as the Coca-Cola hack. First, companies should take steps to reduce their attack surface. Activities to this end include keeping software up to date, investing in workforce training to raise awareness of spear phishing as well as defensive technologies to detect and contain network security breaches, and segmenting networks to limit how much data employees can access. Second, faced with state-sponsored adversaries, companies must be smarter about how and where they focus their security investments. Investments should be made according to risk assessments and should be part of an overall enterprise cyber security strategy. Finally, investors need to express concerns to firm management about the ability of a firm to deliver shareowner value if its sensitive information has been compromised. Once shareowners start to demand cyber security action from firm management, we could start to see shifts in firm behaviour to mitigate these risks appropriately.
Schrader: Given the varied nature of the information that has been targeted in recent data breaches, one should assume that no company that maintains personally identifiable information relating to individuals is immune from being targeted. The days of safely concluding that since we don’t maintain financial information, we are not of interest to cyber criminals are likely over. In addition, many recent cyber attacks have not been designed to obtain information from a company, but to slow or shut down the company’s website. These denial-of-service attacks are becoming more common. Essentially, unscrupulous individuals compromise thousands of unrelated servers or computers, link the machines into a network and then use those machines to make logon attempts on the targeted website, essentially overwhelming the website with volume. As a result, companies must consider not only the security of their information, but also the maintenance of their business continuity.
Bouloux: Multinational organisations need to be aware of not just the laws within their headquartered jurisdiction, but also the laws of any other jurisdiction they have operations in. Information security becomes much more complex once your network is opened to multiple jurisdictions. The company must implement strict protocols for a multitude of functions inclusive of: collecting and managing data, working with outside vendors, and even training employees on how to report and escalate a breach incident. Organisations must further look to develop relationships with IT and legal specialists who have international capabilities to handle an incident that occurs in any of the organisation’s jurisdictions, including dealing with the local regulators. Having a well vetted breach response plan can help mitigate many of the costs associated with a security breach, inclusive of any churn related to reputational damage.
FW: In what ways are data security laws changing? Is it becoming more difficult for companies to keep up to date and maintain legal and regulatory compliance?
Olcott: Changes in data security laws, along with the continuous evolution of the threat and technology landscape, pose challenges to most companies. Companies increasingly face legal and regulatory exposure but also business risk, if they fail to properly implement an information security program. The number of companies facing legal obligations to protect data now extends to virtually every sector, from electricity to healthcare to financial to retail. Longstanding legal and quasi-legal obligations to protect personally identifiable information (PII) continue to change in the US and internationally, as do the standards and implementation requirements associated with these obligations. Technologies like smart grid, cloud, and mobile devices introduce new efficiencies but also make compliance difficult. Breach notification requirements will continue to expand beyond the PII realm. For instance, the Securities and Exchange Commission (SEC) guidance in 2011 establishes a legal obligation to disclose material cyber risks and events. This obligation requires publicly traded companies to provide notice of material events that affect not only PII, but sensitive business information and trade secrets. Companies should avoid focusing solely on ‘compliance’ in developing an information security program, instead building a program on ‘risk’. Compliance-driven security programs usually emphasise security of non-essential information, instead of key corporate assets and information that is the lifeblood of the company.
Bouloux: Data security laws are being driven by e-commerce and the need for the protection of clients’ personal data in cross-border data sharing. The newest legislation that is developing around the world is centred on transparency. The regulators want to allow individual data subjects to be more proactive in protecting their personal information – but notification requirements are just the surface of the issue. For instance, the pending EU legislation mandates the need for organisations that process data to employ Data Protection Officers and suggests monetary sanctions of up to 2 percent of global revenue. The concern is that EU legislation could be perceived as reactionary to a global landscape that has become much more active in pursuing organisations who suffer security breaches. However, there is no harmonisation of penalties, and they vary greatly. For example, in Mexico there are criminal implications if your organisation is breached, in the UK the ICO and FSA have become much more aggressive in levying fines against negligent parties, Australia has introduced very rigorous data protection laws, and in the US we have seen the FTC require the audit of security systems for over a 20-year period. The constantly evolving landscape makes it very difficult for companies to stay on top of data protection laws, but compliance is becoming mandatory.
Lawson: Security regulations are changing, and with society more aware and focused on the risk and exposure to their own personal finances, companies are seeing a paradigm shift in the regulations and compliance that are starting to emerge from Capitol Hill. Whereas older regulations required companies to report data breaches, this is now framed in a way that requires steps to be taken to protect personal data. Requirements for data protection standards and new technologies such as heightened encryption can put undue strain on an IT budget.
Fischer: There are a growing number of national and regional laws that require the protection of information. For example, in the United States, 46 states, as well as the District of Columbia, Puerto Rico and the US Virgin Islands, have enacted security breach notification laws. And, at least 30 US states have enacted laws that require businesses to safeguard personal information in some way. In addition, at least 31 US states, Guam and Puerto Rico have enacted laws restricting or prohibiting the collection, use or disclosure of Social Security numbers. With the proliferation of such state data security laws and with the passage of time since many of these laws were enacted, many state legislatures have begun to modify their existing laws. For example, over the past two years, a number of states have amended their security breach notification laws to add new requirements for the content of consumer notices and new requirements to notify state agencies following security breaches. All of these additional statutes and changed requirements have made it ever more difficult for companies to keep up to date and to maintain legal compliance.
Raether: At the US federal level, we are not seeing movement. Congress recently failed to pass cyber security legislation. We will continue to see activity from the FTC and CFPB in the form of guidelines and enforcement actions. While not officially controlling, this activity will continue to provide insight into some baselines for compliance. Likewise, the states will pass legislation in response to highly publicised issues. One recent example this past year was the passage of laws by Maryland, Illinois and California prohibiting employers from requiring access to social media accounts of employees. The state Attorneys General also will add to the complexity. Layer on top of that the changing international regulations, and you can see the complex maze that companies will need to navigate.
FW: What steps do companies need to take to mitigate potential security breaches? Are there established methods of identifying and prioritising technology risks?
Schrader: A company’s information security program is the cornerstone of its efforts to prevent security breaches and to reduce the impact when a breach occurs. An integral factor in maintaining a successful information security program is conducting periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the company’s information. In order to adequately protect its business and customer information, a company must understand the types of information it maintains, the sensitivity of that information, where and how such information is maintained, and to whom the information is disclosed. The manner in which a company conducts this risk assessment will have a significant impact on the company’s risk profile.
Fischer: While every company should take steps to develop meaningful data security controls and practices, the importance of having an incident response program in place cannot be overstated. Because there is no such thing as ‘perfect’ security, incidents will happen, and a company will need a flexible plan for responding to an incident should it occur. An effective response program usually involves a core response team responsible for receiving reports of potential incidents and determining whether to commence a broader inquiry and response. The response team should investigate the cause and circumstances of an incident, assign appropriate personnel to remediate an ongoing incident, engage third-party resources, where appropriate, and manage public communications relating to the incident.
Raether: Have a plan and the right people in place to implement and manage the plan. Companies need to remain vigilant and constantly engaged in security. Security is not an event on a project chart that can be completed and then ignored as the team moves on to the next project. The risks are constantly changing and often unique to each organisation. One common issue is the vulnerabilities created by the weakest link – people. Having the right policies is only a good start. Training and testing are essential. Technical solutions are being developed, for example disabling USB ports, usage auditing to detect misuse and the like. ISSA and SANS provide good resources for identifying common attack vectors and solutions being implemented by others.
Bouloux: Organisations need to begin by identifying what their data assets are, where those data assets are stored, and then develop a strategy for protecting that data which combines technology with audited information security programs. ISO/IEC 27001 and ISO/IEC 27002 outline a base platform for IT security that can be implemented, but these standards should not be the only form of corporate governance an organisation should follow when it comes to information security. IT departments and outsourced vendors can design security platforms for organisations, and will use penetration and intrusion testing to expose external facing weaknesses, but the internal risk presents a significant risk to organisations and must be addressed as part of any strategy to mitigate a security breach.
Lawson: Awareness and commitment from the top would be priorities. Without these a company cannot be truly ready to respond to information security breaches. Getting a little more practical, from industry to industry, the specifics will differ depending on whether or not credit card, intellectual property, personally identifiable, litigation, or top secret information exists in the enterprise. Companies need to have an established and well documented methodology for handling security risks. Establishing and enacting appropriate controls and having systems in place is the core of mitigating growing cyber crime threats. In general terms, companies should start with security assessments that identify existing policies and procedures; classify business data by value and sensitivity; identify areas of potential vulnerabilities and threats (applications and infrastructure); identify the gaps in existing policies and procedures; and document security defence and remediation recommendations.
Olcott: Each company needs to assess its unique risk profile. What information and operations are most important to protect? Who is likely to attack, and what vulnerabilities will they exploit? What are the likely consequences or worst-case scenarios of a successful attack? Protecting all information against all threats is impossible and doesn’t use scarce resources to manage the most important risks, so beginning with understanding risk is essential. Even well protected companies have been breached, so being ready to manage a breach is key: companies need a cyber security strategy and governance structure to manage response; they need the right policies, procedures and technology systems to know when a breach happens and how to respond. They also need to have a crisis management plan and practice it through table-top drills, exercises, and continual improvement of the plan.
FW: To what extent are internal risks just as dangerous as external attacks? How can access management and privilege restrictions help protect a company’s information networks and systems?
Bouloux: There is a common misconception within organisations that outside attacks are the biggest threat to their security infrastructure. As a result, robust external facing security perimeters are implemented, ignoring the internal threat. Employees are still the biggest risk to organisations. Even if there is an external attack, often it requires an internal point to trigger the attack – an employee opening the wrong email. In such cases it is often difficult to decipher between negligence and malicious behaviour. Lost hardware still represents an overwhelming cause of loss. However, in both instances, encryption combined with well managed data access and privilege restrictions can mitigate the amount of data that can be released at any one time.
Schrader: In many ways, internal factors could pose a greater risk to a company’s information than external factors. Most of a company’s security controls often are designed to protect a company’s information from external threats. As a result, many security controls will have a greatly diminished effect when an employee attempts to access or obtain the company’s information from within the organisation. For example, a firewall that is designed to limit external access to a company’s network will not limit internal attempts to access information maintained on the network. As a result, a company must take precautions against both inadvertent and intentional breaches, and disclosures of the company’s information by its own employees or by its contractors and vendors. It is important for a company to establish meaningful access controls designed to limit its employee, and service provider, access to the company’s information based on the need to know to perform relevant job duties, or to provide the relevant services. In addition to technological protections, a company should consider the use of confidentiality and non-disclosure agreements with employees, as well as training employees on appropriately limiting access to company information.
Fischer: A company also should utilise access controls necessary to guard against the risk of unauthorised access by a former employee or vendor. Thus, for example, a company should establish procedures and security controls designed to prevent a terminated employee, or a vendor whose service contract has ended, from accessing records or computer systems used to store or transmit company information.
Lawson: Not only are these risks just as dangerous, they could be more dangerous. Theft of intellectual property, insider corporate espionage, and unaware employees drive as many issues as do external components. Of these, IP theft seems to be the most prolific. In this case, access management is key to mitigating the risk. Too many organisations don’t apply role based authentication to file servers, business applications and corporate intellectual property. In essence, everyone can see anything. This means that the entire company has keys to the IP treasure chest and can walk with that information any time. Diligent and well thought out policies and procedures that compartmentalise and protect sensitive and valuable information can make the difference.
Olcott: Insider threats pose one of the greatest challenges to information security. The insider threat is hard to predict, hard to stop, hard to even detect, and can have major consequences. Access controls and privilege restrictions are an important part of the solution and should be revisited periodically. Companies need to assess who requires access and authority for different activities and which activities could cause the greatest harm. The most important activities could require ‘dual key’ sign-off by multiple parties. Logging activity and reviewing it, even when there is no known problem, also helps. Setting alerts for certain activities so that multiple people know when a specific transaction or activity has happened also creates useful checks. Incorporating security into recruitment and hiring is also important. Managers and ‘inner circle’ personnel are among the greatest risks for insider threat activities, so policies and procedures such as ‘dual key’, reporting lines, and activity alerts should apply universally and create checks on all personnel, not just mid- or lower-level employees.
Raether: Internal risks not only include the criminal employee, but also the careless employee. As such, internal risks can far exceed the threat from hacking or brute force attacks, at least in terms of the initial unlawful entry. There is a key difference, however. Criminal employees often are not as sophisticated as external criminals. As a result, the scope of the breach – what the criminal does once behind the wall – may be different. Employees may not take as much data or the most valuable data. Since employees are already behind the firewall, companies must develop other lines of defence. Access management and privilege restrictions are a good start. These practices also help defend against external threats. If an employee compromises a password, then less damage can be done. More needs to be done, however. Training, monitoring and audits of employees that have access to sensitive information are key.
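The controls the panel describes above for insider risk (need-to-know access, revoking a departed employee's access, 'dual key' sign-off for the most damaging actions, and logging and alerting so that more than one person sees a sensitive activity) can be expressed in a small policy engine. The following is an added illustration written for this page; it is not code from any of the panellists or their firms. The roles, resource names, user names and the "export" action are constructed for the example.

```python
"""Least-privilege access control with dual-control and audit alerts.

Added example, not from the page's panellists. All roles, resources,
users and actions below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Role -> the (resource, action) pairs that role needs for its job duties.
# Anything not listed is denied: the "everyone can see anything" default is gone.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "engineer":   {("design-docs", "read"), ("design-docs", "write")},
    "sales":      {("price-list", "read")},
    "ip-steward": {("design-docs", "read"), ("design-docs", "export")},
}

# Actions damaging enough to require a second, distinct approver ("dual key").
DUAL_CONTROL: Set[Tuple[str, str]] = {("design-docs", "export")}


@dataclass
class User:
    name: str
    roles: Set[str]
    active: bool = True  # set to False on termination; access stops immediately


@dataclass
class AccessControl:
    users: Dict[str, User]
    audit_log: List[str] = field(default_factory=list)  # every decision
    alerts: List[str] = field(default_factory=list)     # sensitive attempts

    def _permitted(self, user: User, resource: str, action: str) -> bool:
        """Need-to-know check: active user holding a role that grants the pair."""
        if not user.active:
            return False
        return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                   for r in user.roles)

    def _dual_control_ok(self, requester: User, resource: str, action: str,
                         approvers: List[str]) -> Tuple[bool, str]:
        """Require one approver who is a different person, active, and also
        entitled to the action; self-approval never counts."""
        for name in approvers:
            approver = self.users.get(name)
            if approver is None or approver.name == requester.name:
                continue
            if self._permitted(approver, resource, action):
                return True, f"approved by {approver.name}"
        return False, "dual control not satisfied"

    def request(self, name: str, resource: str, action: str,
                approvers: Optional[List[str]] = None) -> bool:
        """Decide a request, record it, and raise an alert for sensitive actions."""
        user = self.users.get(name)
        if user is None or not self._permitted(user, resource, action):
            self._record("DENY", name, resource, action, "no need-to-know or inactive")
            return False
        if (resource, action) in DUAL_CONTROL:
            # Alert on every attempt, allowed or not, so several people see it.
            self.alerts.append(f"{name} attempted {action} on {resource}")
            ok, why = self._dual_control_ok(user, resource, action, approvers or [])
            if not ok:
                self._record("DENY", name, resource, action, why)
                return False
            self._record("ALLOW", name, resource, action, why)
            return True
        self._record("ALLOW", name, resource, action, "role permits")
        return True

    def terminate(self, name: str) -> None:
        """Offboarding: the account stays on record for audit but grants nothing."""
        self.users[name].active = False
        self._record("REVOKE", name, "*", "*", "account deactivated")

    def _record(self, decision: str, name: str, resource: str, action: str,
                reason: str) -> None:
        self.audit_log.append(f"{decision} {name} {action} {resource}: {reason}")


def build_demo() -> AccessControl:
    """Constructed staff list for the example."""
    return AccessControl(users={
        "alice": User("alice", {"engineer"}),
        "bob":   User("bob", {"sales"}),
        "carol": User("carol", {"ip-steward"}),
        "dave":  User("dave", {"ip-steward"}),
    })


if __name__ == "__main__":
    ac = build_demo()
    ac.request("alice", "design-docs", "read")                      # allowed
    ac.request("bob", "design-docs", "read")                        # denied: sales has no need to know
    ac.request("carol", "design-docs", "export")                    # denied: no second key
    ac.request("carol", "design-docs", "export", approvers=["dave"])  # allowed
    ac.terminate("dave")
    ac.request("carol", "design-docs", "export", approvers=["dave"])  # denied: approver departed
    print("\n".join(ac.audit_log))
```

The export of the design repository is the 'IP treasure chest' case: a single entitled person cannot walk out with it alone, the attempt is visible to others whether or not it succeeds, and deactivating an account removes both its own access and its ability to act as a second key. The same checks apply to managers and stewards, not only to junior staff.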
FW: What unique challenges are posed by information-sharing arrangements between companies? Indeed, is the process of transferring data – especially across borders – set to become increasingly sensitive in the months and years ahead?
Lawson: With encryption and homogeneous data file types like XML, the concept of the secure sharing of data does not pose the issues it once did. The lack of awareness and diligence, however, propagates the historical challenges into present day concerns. Generally speaking, policies and training that would make secure data transfer second nature are lacking at best. One challenge driving this is the different levels of encryption technology being used when transferring data across governmental lines.
Raether: Security becomes more complicated anytime you add more parties and transfer points. There are more opportunities for things to break. Logistics, accountability and compliance increase in complexity exponentially when you add another company. Initially, the laws and regulations at issue might change. A practice permitted for an internal transfer might be prohibited only because it has been outsourced. Outsourcing agreements need to address ownership of the data and responsibilities for data security, limitations on data usage, and roles in the event of an incident. Two key provisions often overlooked are the requirement of proof of insurance and the inclusion of security metrics in service level agreements. One of the more interesting current issues is outsourcing software development or firmware production and the risk of the third-party embedding malware in the code or device. The threat of nation-sponsored attacks – or corporate espionage – may impede cross-border transfers, and outweigh short term cost savings, as much as the law.
Olcott: Cross-border information sharing presents a number of challenges. From a commercial perspective, limitations on cross-border data flow poses a particular threat to cloud service providers, who can face restrictive national requirements regarding the location of citizen information. Several cloud providers now find themselves building clouds within certain countries – at great cost – in order to establish legal compliance with these provisions. From a defensive standpoint, threat and vulnerability information sharing among corporations and with national governments is increasingly suggested as a way of enhancing the cyber security posture of private actors. However, the notion of company-to-company threat information sharing has brought with it concerns from privacy and civil liberties groups. Without clear protections accompanying these efforts, these types of relationships will face significant pushback.
Bouloux: More and more companies are sharing information across networks, opening up their infrastructure and data sets to foreign parties. Contracts between organisations that share data are constructed to limit liability that could arise if a breach of data occurs while the data is outside of the company’s care or custody. Data protection agreements designed for cross-border sharing, such as those outlined by the Safe Harbour Agreement, have been instrumental in driving these contractual agreements. Moving forward, information sharing agreements will span well beyond business-to-business data processing. For example, cloud computing has completely revolutionised data sharing agreements as more and more platforms and processes are moved to the virtual world – a world that is hosted completely out of an organisation’s control. Cloud providers work to limit any liability that arises due to a system or security failure, meaning that as data originators, organisations are liable for any lost data with no ability to subrogate against their cloud provider.
Schrader: Any time data moves outside of a secure environment, whether the information is provided to an affiliate, a third-party service provider or another third-party, security issues will arise regardless of whether it moves within the country or across national borders. Data can be vulnerable when it is ‘in motion’, particularly when data is moved by electronic means in large quantities. In addition, as a company’s data becomes more fragmented and is maintained in multiple locations, including locations around the globe, the company will need greater diligence to ensure that it is maintained securely regardless of where it resides.
FW: Despite a company’s best efforts, it may experience a security breach. How should a company respond if it identifies a security breach resulting in data leaks or theft?
Fischer: The first 72 hours following a security incident can be a challenging and stressful time for a company’s personnel. Nonetheless, the first 72 hours are critical to limiting the potential harm related to a security incident. During this critical period the importance of having an appropriate incident response program cannot be overstated. When a company has an effective response program with appropriate personnel roles and responsibilities, the response to the incident will be more coordinated, more timely and, ultimately, more effective. For this to occur, a company must have in place an effective mechanism to receive notice of potential incidents in a timely fashion, such as a toll-free hotline or security email address through which an employee, or service provider, can report potential incidents to the company. But having a reporting mechanism alone is not enough; reports of potential incidents must be promptly routed to the response team or other decision makers. Companies can find themselves in a difficult compliance position when notice of a potential incident has been provided, but the notice is initially ignored or lost in email traffic. Among the steps that a company can take during the first 72 hours, two obvious and simple steps stand out: first, determine what happened, and second, stop the breach or recover the data. Upon learning of a potential incident, it is important for the company to identify the nature and scope of the incident – who, what, where, when, why and how? A company cannot effectively respond to an incident without asking these questions and trying to determine the answers. In addition, it is important for a company to respond promptly to an ongoing security incident in an effort to stop the breach, such as malicious software identified on a web server or a customer service representative stealing credit card information. A company also should initiate steps to recover lost data as promptly as possible, such as recovering a company laptop left in a taxi cab or sensitive records mistakenly placed in a dumpster.
Schrader: While a company’s initial focus should be on determining what happened and stopping the incident, ultimately the company will have to address whether or not notice to consumers is necessary. In order to answer this question, a company must determine the media, such as computerised data or paper records, and the types of information potentially affected, such as names and SSNs. It must also establish the facts and circumstances of the incident and identify the number of individuals potentially affected and where they reside. These facts will help resolve whether a ‘breach of security’, within the meaning of the applicable law or laws, has occurred, who must be notified – the individuals and possibly regulators or other parties – and the appropriate method, content and timing of any required notices.
Lawson: Security breaches are quite often complex and no two exploits are the same. However, with a good security plan and established lines of communications, a company should simply follow that plan and initiate the appropriate response resources based on the breach. If you don’t have one of these, go make one. If a breach hits before you get there, the cost and pain to remediate and recover will be far greater than the cost to prepare for such a breach.
Olcott: Though breach response is highly fact-specific, there are a number of best practices that an affected company should consider. For executives, the most important thing to do first is to put together the right team – for most companies, this requires a mix of internal and external expertise with the goal of investigating the breach from both a technical and business perspective in order to determine the damage to the organisation. The most effective teams include a mix of legal, forensics, business, and operational personnel. Other best practices include hiring a reputable forensics firm to help identify the root cause and know your disclosure obligations, particularly in light of the new SEC guidance; assigning one executive the responsibility and authority to speak on behalf of the company in order to control messaging; and after identifying vulnerabilities that led to the breach, mitigate them so they cannot be used against you the next time. Above all, develop a strategy for technical response and crisis management to handle future events based on the lessons learned from the breach. Though cyber attacks are inevitable, the damage to an organisation is not. We tell our corporate clients that your first crisis shouldn’t be a real one. We advocate the use of executive-level tabletop exercises as a method of simulating a cyber event, gauging the effectiveness of a company’s existing response mechanisms, and making the appropriate changes to the policies and procedures to prepare for the real thing.
Raether: Follow your incident response plan. It is not only important that a company has a plan but also that employees know about the plan and follow the protocols. I have seen numerous incidents where a salesperson reaches out to a third-party to get forgiveness for a breach before the response team is even notified. The response team should include an individual who is experienced at responding to breaches – sometimes referred to as a ‘breach coach’. Contact your insurer, they likely can introduce you to a qualified individual. Remember that incident response is not ‘out of the box’. Each incident will require a unique plan that builds on prior experience. You need to react quickly in the investigation and communication plan, but also make sure what you are saying is accurate. Make sure you consider all relevant audiences and provide appropriate and timely communications to each. I have equated a breach response to defending against a temporary restraining order combined with responding to an FTC civil investigation demand. A measured, controlled response, and understanding the myriad goals and moving parts, are requirements.
Bouloux: Security breaches can occur for a multitude of reasons – someone loses a laptop, an individual sends an email to the wrong person, a third-party gains access, an outsourcer loses your data, a rogue employee sells your data assets, and so on. Each situation requires a unique response; however, there is one overwhelming point that must be stressed: a security or data breach must be escalated to management and the breach response team. Identify a clear response plan that includes the IT department, legal department, risk manager, and someone who can make financial decisions on behalf of the company, such as the CFO. Managing a security breach may often require outside specialists to help navigate a forensic investigation and electronic data recovery or to handle the array of notification requirements, reputational damage, and other fallout. Time management is critical and the first 48 hours are the most important in dealing with a security breach. Determine the cause of loss, what data has gone missing, and take your time to develop a strategy for dealing with the regulators and draft the message you will convey to the affected data subjects, keeping in mind any reputational harm that could arise.
FW: Given the heightened risk profile of security breaches, what insurance solutions are available on the market to help manage the downside?
Raether: The insurance market is beginning to mature in this area. While some may argue that an errors and omissions or general liability policy might provide coverage, you should check with your risk manager or broker to review the terms of your policy – they likely do not cover data breach events or at least all of the possible costs and consequences of an incident. Insurers are offering cyber risk or data breach policies. However, not all are created equal. For example, does the policy cover business interruption? What about costs associated with responding to a government investigation or complying with the injunctive relief that is often included in the order resolving those investigations? In sum, the details are important, so make sure whoever provides advice in the space is knowledgeable. Switching to a related issue, do you require outsource vendors to have insurance covering such losses? This should be a requirement in your agreement. The vendor agreement should also require that your company be a named insured and proof of insurance, such as a copy of the declarations page, be provided.
Bouloux: Understanding that sometimes even the most robust security systems can be breached, the products in the market have been developed to offer protection from the financial burdens that arise in the wake of a data breach. Data protection and network security insurances have developed beyond coverage for traditional liability claims that arise from the theft of personal or corporate information. Costs associated with notification, investigations, data reconstitution, and reputational damage mean that ‘cyber liability’ products have become proactive in connecting forensic, legal, and marketing experts with clients to help navigate through a security breach. Companies looking for insurance must consider their risk and seek a product tailored to their needs. That is, where a bank might be concerned about an insurance product that covers it from the costs of losing financial information and the potential for a cyber extortion incident, a widget manufacturer might be much more concerned about the lost revenue that arises from a computer system failure that leads to disruption in its production chain. All these perils can be covered, but not all providers can provide the multinational solution the client of the 21st century needs. As part of their risk management strategy, organisations are much more aware of their insurance needs when it comes to a security breach, which is why we are seeing a huge interest in this product globally and a trending rise in sales.
Olcott: Cyber insurance policies have become an increasingly attractive method for companies to transfer risk. Years ago, these policies were thought to be unreasonably expensive; now, they are becoming a standard cost of doing business. Government policies will continue to promote the use of insurance to mitigate cyber risk, growing the market for cyber insurance policies. Recent guidance issued by the SEC, for instance, suggests that publicly traded companies should assess the adequacy of their insurance coverage to protect against cyber attacks. There are significant limitations in cyber insurance coverage. Most ‘cyber security’ policies pertain to breaches of PII and cover standard costs associated with these events, such as legal fees, crisis management, and forensics. We expect that coverage offerings will evolve over time, to eventually include reputational damage caused by cyber events and coverage to insure against theft of business-sensitive information or intellectual property. Insurance companies face challenges in developing actuarial data for these events in order to expand future coverage.
FW: Looking ahead, how do you expect the risk in this area to unfold? In your view, are companies prepared to meet the growing threat?
Olcott: Cyber events can have significant legal, operational, financial and reputational harm to companies, making cyber risk an issue that must be managed by senior executives and not just by the technology staff. Executives are beginning to understand these risks and respond accordingly, through changes to governance structure, risk remediation, risk transfer, and crisis management planning. Though some are better than others, no company today can say that they are adequately prepared to meet this threat. Changes in information technology, including the emergence of cloud computing and the use of personal devices, present opportunities for greater economic efficiencies, but also new risks. The focus for attackers is shifting from PII to business secrets and intellectual property for theft; in a globally competitive world, companies must shift or make resources available to combat these threats or risk losing market share and business opportunities.
Bouloux: The threats organisations face in the cyber realm are numerous, with current news and industry reports indicating that perpetration of such attacks will not slow down. Consider that Norton’s 2011 crime report indicated the total bill, time lost and direct cash costs for cyber crime topped US$388bn. Beyond the realised cost associated with dealing with a data breach, the exposure of digital assets can cause damaging reputational harm for any organisation. Not knowing your enemy or their sophistication makes the fight that much harder. Robust security systems are certainly the beginning, but effective planning in the event of a breach can be the difference between complete disaster, and managing through an event that was out of the company’s control.
Lawson: The cyber risks of tomorrow will be as novel, complex and just as different as the denial-of-service attack once was. The bad guys are constantly evolving and the good guys are always trying to keep up. One major area in which we are going to see a significant number of exploits is the mobile application market. As the smart phone grows in capabilities, so does the inherent risk of allowing them in the enterprise.
Raether: We will continue to see the same sources of risk as in the past and some new ones. Unfortunately, many companies still have not embraced privacy by design – that is, baking security and privacy into product development and organisational practices. Likewise, employees will continue to be the weakest link in most security programs. Having good written policies and procedures is not enough. Education, awareness, and audit compliance are essential but often ignored components of good security practices. This risk will be heightened by the introduction of employee-owned devices. Many companies have been allowing this practice without modifying their policies and procedures – a big mistake. One particularly disturbing trend involves threats originating from state sponsored attacks, attacks from competitors, and hacktivist groups. Many security programs look to defend against the criminal who is looking for financial gain. These groups present a new threat profile that most companies are not yet addressing. For example, what process is in place to make sure that the overseas vendor is not inserting malware into the code they are writing or the firmware they are manufacturing?
Fischer: Cyber criminals will always evolve with changes in technology and security practices. As a result, companies should expect new and creative attacks. This is an integral fact of modern data security efforts – companies must continue to adjust to new risks that arise when cyber criminals have adjusted their techniques and practices in response to new security systems and procedures developed by companies to protect their information. This is not to say that risks will increase over time or become more severe, but that risks will be constantly changing.
Jamie Bouloux is Cyber Liability manager for Europe at AIG. He joined the European team from New York, where he was an Executive Liability Underwriter & Cyber Product Leader, focused on the US and Canada. Mr Bouloux previously worked on AIG’s International Home Office team as a professional associate and helped develop the international rollout of the Cyber product and strategy. He holds a B.A. in Economics and History from Franklin and Marshall College.
Ron Raether is a partner at Faruki Ireland & Cox P.L.L. Mr Raether’s experience with technology-related issues has spanned a broad array of substantive legal areas, including patent, antitrust, licensing and contracts, employment, trademark, domain name disputes, and federal and state privacy statutes. He not only works as a data breach coach and defending companies in class actions and before regulators, but also advises companies in proactively developing data security practices and policies.
Jacob Olcott is a principal at Good Harbor Security Risk Management where he develops programs for senior corporate executives, investment professionals, and government leaders to identify and mitigate cyber risk. Mr Olcott previously served in senior counselor positions in the US Senate and House of Representatives where he received several national awards for his work in cybersecurity. He is a graduate of the University of Virginia (J.D.) and the University of Texas at Austin.
Neal Lawson is an expert in e-Discovery strategic consulting services focusing on structured data, social networking, and cloud computing. With over 17 years of experience in both the technology and litigation industries, he specialises in the assessment, implementation, and procedural analysis of complex systems as well as application development, data analysis, ESI preservation, computer imagery, and e-Discovery within complex commercial disputes.
L. Richard Fischer is a partner in the Washington office of Morrison & Foerster. His practice focuses on retail financial services, privacy and data security. For over 40 years, he has advised a wide variety of companies, including banks, retailers, insurers, technology and other companies, across the US on the full range of financial services, payment system and data security issues. His practice has a special emphasis on privacy, e-commerce, technology and joint venture issues.
Russell Schrader is Chief Privacy Officer and Associate General Counsel – Global Enterprise Risk for Visa Inc. He is responsible for privacy, risk, and payment systems policies and issues at Visa and a principal legal liaison for Visa financial institutions attorneys on regulatory issues. Mr Schrader began building the Global Privacy Office using a systematic approach over several years to create a comprehensive framework, principles, and knowledge base that were flexible to meet the business strategy as it evolved.
© Financier Worldwide