General Counsel (GC) address myriad legal and business challenges, but none may be as harrowing as dealing with a cyber attack. Even before dealing with an incident, there is the stress of simply not knowing when a successful attack may occur – especially since there is no guaranteed method of preventing it and any organization can be in the crosshairs. Data from our most recent M-Trends 2019 report shows that businesses in nearly every industry or market experienced a breach last year.
Before a GC can focus on developing an appropriate incident response (IR) plan, they must fully understand what is at stake when it comes to a breach. Today’s attackers are not only more sophisticated than ever before at penetrating networks, they have also refined their craft to be stealthier and more difficult to discover once inside a corporate network. M-Trends 2019 revealed that the global median dwell time – the time an attacker remains inside a network before being discovered – was 78 days in 2018, which is more than enough time to acquire sensitive data such as intellectual property, personally identifiable information, trade secrets, and more.
Another aspect of a breach that a GC must consider is the cost. A study reported on in mid-2018 revealed that the global average cost of a data breach is $3.86 million. Of course, what also needs to be considered are the intangibles: the hit to a company's brand and reputation, loss of customer and shareholder confidence, and the time, distraction and costs of subsequent lawsuits and settlements. Other costs may need to be factored in as well, including regulatory fines, costs to improve IT security, audit requirements and staff productivity implications.
The GC cannot and should not do it alone – after all, cyber security is a team sport. Developing and executing a strong IR plan requires cooperation between the GC and the CISO, and coordination across various internal groups such as Finance and Marketing. It also involves both the C Suite and the Board, and will likely include outside specialists as well.
In this new world of cyber risk, perhaps the most critical issue facing GCs is overall preparedness and knowing how to respond to a crisis. The following are some key steps a GC can take to ensure their organization is prepared for a cyber incident.
Connect. Develop relationships with leaders throughout the company. In particular, partner with the CISO, as it is important to know about the company's data: what's important, how it is protected, where it is located and from where it can be accessed, and what level of visibility the security team has into its IT assets. Work with the CISO to determine what assets and data are most likely to be targeted, and for what purposes (e.g. financial gain, trade secret theft, insider trading, etc.). Cyber security is no longer an issue for the CISO to manage on their own. A strong partnership between the CISO and the GC is essential given today’s cyber landscape.
Plan. Develop an IR plan and identify the team needed to execute that plan. The response team may include the CEO, CISO, CMO, internal/external legal counsel, communications professionals (PR, Investor Relations, etc.) and external incident responders/forensic specialists.
Once the core team members have been identified, put retainers in place with everyone so the group is ready to act fast should there be a breach. Having a forensic provider in place will be invaluable in order to determine the details of the breach (such as how the breach occurred, what was actually stolen, what other assets were compromised, and what can be done to shore up cyber security defenses) as quickly as possible. The more that is done in advance, the more quickly the team can move in a time of crisis.
A separate but equally important part of planning is to examine the company’s contractual relationships with vendors that have access to sensitive information or data, to understand what cyber security measures and breach procedures are in place. As a go-forward practice, work with the CISO’s office to conduct a security review of prospective vendors before entering any new contractual relationships. This includes outside law firms, which hold some of a company’s most sensitive data and documents such as communications and drafts related to litigation, merger and acquisition activity, patent filings, and HR issues. Create a standard data privacy and security addendum that can be attached to vendor contracts to ensure that the organization’s data is being protected, and include risk allocation provisions that apply should the vendor be subject to a leak or breach.
Also be aware of breach notification requirements and other obligations that the organization may have to customers in the event that their sensitive data is potentially compromised in a breach.
Practice. Test the IR plan. Conduct tabletop crisis exercises and ensure that internal response team members and external experts are pre-identified and “on call.” In today's mobile and social world, managing crisis response in a timely manner is critical, especially with short regulatory deadlines such as the GDPR’s 72-hour notice requirement. Plan a communications approach with the CMO and CEO in advance and practice various responses. Note that there should always be takeaways from practice sessions – ways to refine and improve the overall process. If the team is walking away without having identified weaknesses or asked any questions, it’s likely there are gaps in the plan.
Protect. Establish and protect attorney-client privilege before (if possible) and at a minimum immediately after a breach by coordinating communications and incident response through the GC’s office. Given that litigation, investigations and government inquiries often follow a breach, having a three-way MSA in place with external counsel, IR consultants and others in advance can be quite valuable.
Involve. Provide the Board (or a committee of the Board) with regular updates from the CISO. Fiduciary duties related to cyber security require Boards to be aware, educated and involved, and to meet a “reasonableness” standard akin to the business judgement rule. These standards include ensuring that the company employs commonly used methods for user IDs and passwords, engages third parties to perform penetration testing, and remedies known security vulnerabilities.
Consider. Think about getting cyber insurance, and do so in the context of the company’s overall insurance program. Knowing the costs of a breach and evaluating the risk of a loss to the company may warrant the use of cyber insurance. A Cyber Insurance Risk Assessment provides a quick, high-level analysis of an organization’s risk level based on their technology, processes and people to facilitate the identification and classification of cyber risk for insurance underwriting.
Over the past few years, we have witnessed cyber security move from a back-office IT challenge to a high-profile, Board-level issue. For most companies, a breach is no longer a matter of if, but when. Armed with these steps, GCs will have a solid starting point to help prepare for and mitigate the inevitable.