NAVIGATING THE DIGITAL AGE:
The Definitive Cybersecurity Guide for Directors and Officers

Published by SecurityRoundtable.org

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
Publisher: Tim Dempsey
Editor: Matt Rosenquist
Design and Composition: Graphic World, Inc.
Printing and Binding: Transcontinental Printing
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is published by:
Caxton Business & Legal, Inc.
27 North Wacker Drive, Suite 601
Chicago, IL 60606
Phone: +1 312 361 0821
Email: [email protected]
First published: 2015
ISBN: 978-0-9964982-0-3
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers © October 2015
Cover illustration by Tim Heraldo
Copyright in individual chapters rests with the authors. No photocopying: copyright licenses do not apply.
DISCLAIMER
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (the Guide) contains summary information about legal and regulatory aspects of cybersecurity governance and is current as of the date of its initial publication (October 2015). Although the Guide may be revised and updated at some time in the future, the publishers and authors do not have a duty to update the information contained in the Guide, and will not be liable for any failure to update such information. The publishers and authors make no representation as to the completeness or accuracy of any information contained in the Guide. This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided. Every effort has been made to ensure that the information in this guide is correct at the time of publication. The views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for any errors or omissions contained herein. It is your responsibility to verify any information contained in the Guide before relying upon it.
Introduction
New York Stock Exchange – Tom Farley, President

No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk. With the ability to shatter a company's reputation with their customers and draw criticism from shareholders, lawsuits from affected parties, and attention from the media, the threat of cyber risk is ubiquitous and insidious. No company, region, or industry is immune, which makes the responsibility to oversee, manage, and mitigate cyber risk a top-down priority in every organization.

The New York Stock Exchange has long advocated that exemplary governance and risk oversight is fundamental to the health of individual companies, as well as to the sound operation of our capital markets. In other words, we too take the threat very seriously. Today, managing cybersecurity risk has expanded far beyond the realm of IT; it has become a business continuity necessity to ensure shareholder value remains intact and that privacy and corporate intellectual property is protected. Accordingly, those responsibilities are weighing heavily on corporate executives and directors, making it vital for them to better understand and prepare for the evolving cybersecurity landscape.

Cyber risk ultimately poses a threat to confidence, a foundational aspect of U.S. corporate issuers and markets. We are taking a leadership role on many fronts, such as reducing market fragmentation and complexity, as well as increasing efficiency through the highest levels of intelligence, analytics, and technology. Confidence in the integrity and security of our assets is concurrent with our success—as it is for every other company operating in the public markets today.

Moreover, because the public markets have become increasingly reliant on interdependent technology systems, the threat looms even larger. As we witnessed during the 2008 financial crisis, rarely does any failure happen in a vacuum; therefore, the threat of systemic disruption has taken on an even higher level of prominence and concern among regulators and policymakers worldwide.

It is important that companies remain vigilant, taking steps to proactively and intelligently address cybersecurity risk within their organizations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness, and insight on human behavior. Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them.

With insights from the preeminent authorities on cybersecurity today, this groundbreaking, practical guide to cybersecurity has been developed to reflect a body of knowledge that is unsurpassed on this topic. At the heart of effective risk management must be a thorough understanding of the risks as well as pragmatic solutions.

Thank you for your continued partnership with the New York Stock Exchange, and we look forward to continuing to support your requirements in this dynamic landscape.
Foreword
Visa Inc. – Charles W. Scharf, CEO

For years, cybersecurity was an issue that consumers, executive management, and boards of directors took for granted. They were able to do so because the technologists did not. The technologists worked every day to protect their systems from attack, and they were quite effective for many years. We sit here today in a very different position. The threats are bigger than ever before and growing in frequency and severity every day. Cybersecurity is now something everyone needs to think about, whether it's in your personal or professional life. What worked in the past is not enough to protect us in the present and future.

So what has changed?

First of all, the technology platforms of today are bigger targets than ever given the breadth and criticality of items they control. Second, the amount and value of the data that we all produce and store has grown exponentially. The data is a gold mine for criminals. Third, the interconnectedness of the world just makes it easier for more people—regardless of geography—to be able to steal or disrupt. And fourth, the perpetrators are more sophisticated, better organized, better funded, and harder to bring to justice than ever before.

So the problem is different, and what we all do about it is different.

This is not simply an IT issue. It is a business problem of the highest level. Protecting our data and our systems is core to business today. And that means that having an outstanding cybersecurity program also can't detract from our objectives around innovation, speed, and performance.

Security has been a top priority at Visa for decades. It is foundational to delivering our brand promise. To be the best way to pay and be paid, we must be the most secure way to pay and be paid. We cannot ask people to use our products unless they believe that we are just that. Thus we must guard carefully both the security of our own network and company and the security of the broader payments ecosystem.

There are several elements that we have found to be critical to ensuring an effective security program at Visa.

• Be open and honest about the effectiveness of your security program and regularly share an honest assessment of your security posture with the executive team and board. We use a data-driven approach that scores our program across five categories: risk intelligence, malware prevention, vulnerability management, identity and access management, and detection and response. Scores move up and down not only as our defenses improve or new vulnerabilities are discovered but also as threats change. The capabilities of the adversaries are growing, and you need a dynamic approach to measurement.
• Invest in security before investing elsewhere. A well-controlled environment gives you the license to do other things. Great and innovative products and services will only help you win if you have a well-protected business.
• Don't leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.
• Never think you've done enough. The bad guys are smart and getting smarter. They aren't resting, and they have more resources than ever. Assume they will attack.

Defending against cyberthreats is not something that we can solve for our company in a vacuum. At Visa, we must protect not only our own network but the whole payments ecosystem. This came to life for us in late 2013 when some of the largest U.S. retailers and financial institutions in the U.S. reported data breaches. Tens of millions of consumer accounts had been compromised—a pivotal moment for our industry.

The losses experienced by our clients, combined with the impact on consumer confidence, galvanized our industry to take actions that, we believe, will have a meaningful and lasting effect on how the world manages sensitive consumer data—not just payments.

We are taking action as an ecosystem, to collaborate and share information across industries and with law enforcement and governments and to develop new technologies that will allow us to prevent attacks and respond to threats in the future.

• Protect payments at physical retailers. Fraudsters have targeted the point-of-sale environment at leading U.S. retailers, capturing consumer account information and forcing the reissuance of millions of payment cards. As an industry we are rapidly introducing EMV (Europay, MasterCard, and Visa) chip payment technology in the United States. Chip-enabled payment cards and terminals work in concert to generate dynamic data with each transaction, rendering the transaction data useless to fraudsters.
• Protect online payments. Consumer purchases online and with mobile devices are growing at a significant rate. In order to prevent cyberattacks and fraudulent use of consumer accounts online, Visa and the global payments industry adopted a new payment standard for online payments. The new standard replaces the 16-digit account number with a digital token that is used to process online payments without exposing consumer account information.
• Collaborate and share information. Sharing threat intelligence is a necessity rather than a "nice to have," allowing merchants, financial institutions, and payment networks like Visa to rapidly detect and respond to cyberattacks. Public and private partnerships are also critical to creating the most robust community of threat intelligence, so we also work closely with law enforcement and governments. At the heart of Visa's security strategy is the concept of "cyber fusion," which is centered on the principle of shared intelligence—a framework to collect, analyze, and leverage cyberthreat intelligence, internally and externally, to build a better defense for the whole ecosystem.

Championing security is one of Visa's six strategic goals. This is an area where there are no grades—it is pass or fail, and pass is the only option. Cybersecurity needs to be part of the fabric of every company and every industry, integrated into every business process and every employee action. And it begins and ends at the top. It is job number one.
TABLE OF CONTENTS
iii INTRODUCTION
New York Stock Exchange — Tom Farley, President
v FOREWORD
Visa Inc. — Charles W. Scharf, CEO
Introductions — The cyberthreat in the digital age
3 1. PREVENTION: CAN IT BE DONE?
Palo Alto Networks Inc. — Mark McLaughlin, CEO
9 2. THE THREE Ts OF THE CYBER ECONOMY
The Chertoff Group — Michael Chertoff, Executive Chairman
and Former United States Secretary of Homeland Security and Jim
Pflaging, Principal
17 3. CYBER GOVERNANCE BEST PRACTICES
Georgia Institute of Technology, Institute for Information
Security & Privacy — Jody R. Westby, Esq., Adjunct Professor
27 4. INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS
Institutional Shareholder Services Inc. — Patrick McGurn,
ISS Special Counsel and Martha Carter, ISS Global Head
of Research
33 5. TOWARD CYBER RISKS MEASUREMENT
World Economic Forum — Elena Kvochko, co-author of
Towards the Quantification of Cyber Threats report and Danil
Kerimi, Director, Center for Global Industries
37 6. THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE
FOR ADDRESSING IT
Internet Security Alliance — Larry Clinton, CEO
43 7. EFFECTIVE CYBER RISK MANAGEMENT: AN INTEGRATED APPROACH
Former CIO of The United States Department
of Energy — Robert F. Brese
I. Cyber risk and the board of directors
51 8. THE RISKS TO BOARDS OF DIRECTORS AND BOARD MEMBER
OBLIGATIONS
Orrick, Herrington & Sutcliffe LLP — Antony Kim, Partner;
Aravind Swaminathan, Partner; and Daniel Dunne, Partner
57 9. WHERE CYBERSECURITY MEETS CORPORATE SECURITIES: THE SEC’S
PUSH TO REGULATE PUBLIC COMPANIES’ CYBER DEFENSES
AND DISCLOSURES
Fish & Richardson P.C. — Gus P. Coldebella, Principal
and Caroline K. Simons, Associate
65 10. A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS
Internet Security Alliance and National Association
of Corporate Directors — Larry Clinton, CEO of ISA
and Ken Daly, President and CEO of NACD
71 11. ESTABLISHING A BOARD-LEVEL CYBERSECURITY REVIEW BLUEPRINT
Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing
Director
79 12. DEMYSTIFYING CYBERSECURITY STRATEGY AND REPORTING:
HOW BOARDS CAN TEST ASSUMPTIONS
Dell SecureWorks — Mike Cote, CEO
II. Cyber risk corporate structure
87 13. THE CEO’S GUIDE TO DRIVING BETTER SECURITY BY ASKING THE RIGHT
QUESTIONS
Palo Alto Networks Inc. — Davis Hake, Director
of Cybersecurity Strategy
91 14. ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE
AN EFFECTIVE PROGRAM
Coalfire — Larry Jones, CEO and Rick Dakin, CEO
(2001-2015)
III. Cybersecurity legal and regulatory
considerations
101 15. SECURING PRIVACY AND PROFIT IN THE ERA OF HYPERCONNECTIVITY
AND BIG DATA
Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Dean Forbes, Senior Associate, Agatha O'Malley,
Senior Associate, Jaqueline Cooney, Lead Associate and
Waiching Wong, Associate
107 16. OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES
Data Risk Solutions: BuckleySandler LLP & Treliant Risk
Advisors LLC — Elizabeth McGinn, Partner; Rena Mears,
Managing Director; Stephen Ruckman, Senior Associate;
Tihomir Yankov, Associate; and Daniel Goldstein, Senior
Director
115 17. RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED
TO CYBERSECURITY MATTERS
Baker & McKenzie — David Lashway, Partner; John Woods,
Partner; Nadia Banno, Counsel, Dispute Resolution; and
Brandon H. Graves, Associate
121 18. LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE
K&L Gates LLP — Roberta D. Anderson, Partner
129 19. CONSUMER PROTECTION: WHAT IS IT?
Wilson Elser Moskowitz Edelman & Dicker LLP — Melissa
Ventrone, Partner and Lindsay Nickle, Partner
137 20. PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE
Fish & Richardson P.C. — Gus P. Coldebella, Principal
143 21. CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS
FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS
Latham & Watkins LLP — Jennifer Archie, Partner
151 22. INTERNATIONAL INFLECTION POINT—COMPANIES, GOVERNMENTS,
AND RULES OF THE ROAD
Kaye Scholer LLP — Adam Golodner, Partner
157 23. MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT
Pillsbury Winthrop Shaw Pittman LLP — Brian Finch,
Partner
163 24. COMBATING THE INSIDER THREAT: REDUCING SECURITY RISKS
FROM MALICIOUS AND NEGLIGENT EMPLOYEES
Littler Mendelson P.C. — Philip L. Gordon, Esq., Co-Chair,
Privacy and Background Checks Practice Group
IV: Comprehensive approach to
cybersecurity
171 25. DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING
THREAT ENVIRONMENT
Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Sedar LaBarre, Vice President; Matt Doan,
Senior Associate; and Denis Cosgrove, Senior Associate
177 26. DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH
WITH DIVERSE CAPABILITIES
Booz Allen Hamilton — Bill Stewart, Executive Vice President;
Jason Escaravage, Vice President; and Christian Paredes,
Associate
V. Design best practices
187 27. WHAT ARE THEY AFTER? A THREAT-BASED APPROACH TO CYBERSECURITY
RISK MANAGEMENT
Intercontinental Exchange & New York Stock
Exchange — Jerry Perullo, CISO
193 28. BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
Palo Alto Networks Inc.
VI. Cybersecurity beyond your network
207 29. SUPPLY CHAIN AS AN ATTACK CHAIN
Booz Allen Hamilton — Bill Stewart, Executive
Vice President; Tony Gaidhane, Senior Associate;
and Laura Eise, Lead Associate
213 30. MANAGING RISK ASSOCIATED WITH THIRD-PARTY OUTSOURCING
Covington & Burling LLP — David N. Fagan, Partner;
Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H.
Canter, Associate; and Patrick Redmon, Summer Associate
219 31. A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER
Delta Risk LLC — Thomas Fuhrman, President
229 32. THE INTERNET OF THINGS
The Chertoff Group — Mark Weatherford, Principal
VII. Incident response
237 33. WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS
U.S. Department of Justice — CCIPS Cybersecurity Unit
243 34. PLANNING, PREPARATION, AND TESTING FOR AN ENTERPRISE-WIDE
INCIDENT RESPONSE
Booz Allen Hamilton — Jason Escaravage, Vice President;
Anthony Harris, Senior Associate; James Perry, Senior Associate;
and Katie Stefanich, Lead Associate
249 35. DETECTION, ANALYSIS, AND UNDERSTANDING OF THREAT VECTORS
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
255 36. FORENSIC REMEDIATION
Fidelis Cybersecurity — Jim Jaeger, Chief Cyber Strategist
and Ryan Vela, Regional Director, Northeastern North America
Cybersecurity Services
261 37. LESSONS LEARNED—CONTAINMENT AND ERADICATION
Rackspace Inc. — Brian Kelly, Chief Security Officer
267 38. CYBER INCIDENT RESPONSE
BakerHostetler — Theodore J. Kobus, Partner and Co-Leader,
Privacy and Data Protection; Craig A. Hoffman, Partner;
and F. Paul Pittman, Associate
275 39. COMMUNICATING AFTER A CYBER INCIDENT
Sard Verbinnen & Co — Scott Lindlaw, Principal
VIII. Cyber risk management
investment decisions
283 40. OPTIMIZING INVESTMENT TO MINIMIZE CYBER EXPOSURE
Axio Global, LLC — Scott Kannry, CEO and David White,
Chief Knowledge Officer
289 41. INVESTMENT IN CYBER INSURANCE
Lockton Companies Inc. — Ben Beeson, Senior Vice President,
Cybersecurity Practice
IX. Cyber risk and workforce development
297 42. CYBER EDUCATION: A JOB NEVER FINISHED
NYSE Governance Services — Adam Sodowick, President
301 43. COLLABORATION AND COMMUNICATION BETWEEN TECHNICAL
AND NONTECHNICAL STAFF, BUSINESS LINES AND EXECUTIVES
Wells Fargo & Company — Rich Baich, CISO
307 44. CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT
Booz Allen Hamilton — Lori Zukin, Principal; Jamie Lopez,
Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew
Smallwood, Lead Associate
313 45. BUILDING A CYBER-SAVVY BOARD
Korn Ferry — Jamey Cummings, Senior Client Partner;
Joe Griesedieck, Vice Chairman and Co-Leader, Board and
CEO Services; and Aileen Alexander, Senior Client Partner
319 46. EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED
APPROACHES FOR A MORE SOPHISTICATED ROLE
Egon Zehnder — Kal Bittianda, Selena Loh LaCroix,
and Chris Patrick
325 CONTRIBUTOR PROFILES
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Introductions — The cyberthreat in the digital age

Prevention: Can it be done?
Palo Alto Networks Inc. – Mark McLaughlin, CEO
Frequent headlines announcing the latest cyber breach of a major company, government agency, or organization are the norm today, begging the questions of why and will it ever end?

The reason cybersecurity is ingrained in news cycles, and receives extraordinary investments and focus from businesses and governments around the world, is the growing realization that these breaches are putting our very digital lifestyle at risk. This is not hyperbole. More and more, we live in the digital age, in which things that used to be real and tangible are now machine-generated or only exist as bits and bytes. Consider your bank account and the total absence of tangible money or legal tender that underlies it; you trust that the assets exist because you can "see" them when you log in to your account on the financial institution's website. Or the expectation you have that light, water, electricity, and other utility services will work on command, despite your having little to no idea of how the command actually results in the outcome. Or the comfort in assuming that of the 100,000 planes traversing the globe on an average day, all will fly past each other at safe distances and take off and land at proper intervals. Now, imagine that this trust, reliance, and comfort could not be taken for granted any longer and the total chaos that would ensue. This is the digital age; and with all the efficiencies and productivity that have come with it, more and more we trust that it will just "work."

This reliance on digital systems is why the tempo of concern due to cyberattacks is rising so rapidly. Business leaders, government leaders, education leaders, and military leaders know that there is a very fine line separating the smoothly functioning digital society built on trust and the chaotic breakdown in society resulting from the erosion of that trust. And it is eroding quickly. Why is that, and do we have any analogies? And, more importantly, can it be fixed?
Machine vs. human

At the heart of the cybersecurity battle is a math problem. It is relatively simple to understand, but hard to correct. One of the negative offshoots of the ever-decreasing cost of computing power is the ability for cyber criminals and adversaries to launch increasingly numerous and sophisticated attacks at lower and lower costs. Today, bad actors without the capability to develop their own tools can use existing malware and exploits that are often free or inexpensive to obtain online. Similarly, advanced hackers, criminal organizations, and nation-states are able to use these widely available tools to launch successful intrusions and obscure their identity. These sophisticated adversaries are also developing and selectively using unique tools that could cause even greater harm. This all adds up to tremendous leverage for the attackers. (See Figure 1.)

In the face of this increasing onslaught in the sheer number of attacks and levels of sophistication, the defender is generally relying on decades-old core security technology, often cobbled together in multiple layers of point products; there is no true visibility of the situation, nor are the point products designed to communicate with each other. As a result, to the extent attacks are detected or lessons are learned from an attack, responses are highly manual in nature. Unfortunately, humans facing off against machines have little to no leverage, and cyber expertise is increasingly hard to come by in the battle for talent. Flipping the cost curve on its head with automation and a next-generation, natively integrated security platform is required if there is any hope of reducing the "breach du jour" headlines. (See Figure 2.)

It is unlikely that the number of attacks will abate over time. On the contrary, there is every reason to expect that their number will continue to grow. In fact, we can also expect that the "attack surface" and potential targets will also continue to grow as we constantly increase the connections of various things to the Internet.

An understandable but untenable response to this daunting threat environment is to assume that prevention is impossible, so we must simply detect and respond to all intrusions. The fundamental problem with this approach is that without significant prevention no combination of people, process, and technology can prioritize and respond to every intrusion that could significantly impact a network and those who rely on it. The math problem is simply insurmountable. Quite simply, detection and response should be supplements to, instead of substitutes for, prevention.

Figure 1. The attack math. As computing power becomes less expensive, the cost for launching automated attacks decreases. This allows the number of attacks to increase at a given cost. (Axes: cost of launching a successful attack; number of successful attacks.)
So, the strategy must be to significantly decrease the likelihood, and increase the cost, required for an attacker to perform a successful attack. To be more specific, we should not assume that attacks are going away or that all attacks can be stopped. However, we should assume, and be very diligent in ensuring, that the cost of a successful attack can be dramatically increased to the point where the incidence of a successful attack will sharply decline.

When this point is reached, and it will not come overnight, then we will be able to quantify and compartmentalize the risk to something acceptable and understood. It's at that point that cyber risks will be real and persistent but that they will leave the headlines and fade into the background of everyday life, commerce, communications, and interaction. This should be our goal. Not to eliminate all risk, but to reduce it to something that can be compartmentalized. There is a historical analogy to this problem and an approach to solve it.

Sputnik analogy

The analogy, which is imperfect but helpful, is the space race. In 1957 the Soviet Union launched Sputnik. The result was panic at the prospect that this technology provided the Soviets with an overwhelming advantage to deliver a nuclear attack across the U.S. Suddenly, the very way of life in the Western world was deemed, appropriately so, at risk. The comfort and confidence of living in a well-protected and prosperous environment was shattered as citizens lost trust in their ability to follow their daily routines and way of life. It appeared as though there was an insurmountable technological lead, and everywhere people turned there was anxiety and cascading bad news.

In the years immediately following Sputnik, the main focus was on how to survive a post–nuclear-war world. Items like backyard bomb shelters and nonperishable food items were in great demand, and schools were teaching duck-and-cover drills. In other words, people were assuming attacks could not be prevented and were preparing for remediation of their society post-attack.

However, this fatalistic view was temporary. America relied on diplomacy and traditional forms of deterrence while devoting technological innovation and ingenuity to breakthroughs such as NASA's Mercury program. While it took a decade of resources, collaboration, trial, and effort, eventually the Mercury program and succeeding efforts changed the leverage in the equation. The space-based attack risk was not eliminated, but it was compartmentalized to the point of fading into the background as a possible but not probable event. It was at this stage that the panic and confusion receded from the headlines and daily reporting. We will know we are in good shape in the cyber battle when we have reached this point. So, how do we get there?

Figure 2. The attack math. Harnessing automation and integrated intelligence can continually raise the cost of making an attack successful, eventually decreasing the number of successful attacks. (Axes: cost of launching a successful attack; number of successful attacks.)

As with all things in life, ideas and philosophy matter. This is true because if you do not know what you are trying to get done, it's unlikely that you will get it done. In the space race analogy, the philosophy shifted over time from one that primarily assumed an attack was imminent and unstoppable, with the majority of planning and resources geared toward life in the post-attack world, to one of prevention, where the majority of resources and planning were geared to reduce the probability and effectiveness of an attack.

Importantly, the risk of an attack was not eliminated, but the probability of occurrence and success was reduced by vastly increasing the cost of a successful attack. It was previously noted that no analogy is perfect, so the analogy of "cost" here for space-based attacks and cyberattacks is, of course, measured in different ways. Most notably, cyberthreats are not the sole purview of superpower nations, and the technological innovation most likely to reverse the cost of successful attacks is most likely to come from industry, not governments. However, the principle is the same in that a prevention philosophy is much more likely to result in prevention capabilities being developed, utilized, and continually refined over time.

Is prevention possible?

The obvious question then is whether prevention is possible. I think that most security professionals and practitioners would agree that total prevention is not possible. This is disheartening but also no different from any other major risk factor that we have ever dealt with over time. So, the real question is whether prevention is possible to the point where the incidence of successful attacks is reduced to something manageable from a risk perspective. I believe that this is possible over time. In order to achieve this outcome, it is an imperative that cost leverage is gained in the cyber battle. This leverage can be attained by managing the cyber risk to an organization through the continual improvement and coordination of several key elements: technology, process and people, and intelligence sharing.

Technology

It is very apparent that traditional or legacy security technology is failing at an alarming rate. There are three primary reasons for this:

• The first is that networks have been built up over a long period of time and often are very complicated in nature, consisting of security technology that has been developed and deployed in a point product, siloed approach. In other words, a security "solution" in traditional network architecture of any size consists of multiple point products from many different vendors all designed to do one specific task, having no ability to inform or collaborate with other products. This means that the security posture of the network is only as "smart" overall as the least smart device or offering. Also, to the extent that any of the thousands of daily threats is successfully detected, protection is highly manual in nature because there is no capability to automatically coordinate or communicate with other capabilities in the network, let alone with other networks not in your organization. That's a real problem because defenders are relying more and more on the least leverageable resource they have—people—to fight machine-generated attacks.
• Second, these multiple point solutions are often based on decades-old technology, like stateful inspection, which was useful in the late 1990s but is totally incapable of providing security capabilities for today's attack landscape.
• And third, the concept of a "network" has morphed, and continues to do so at a rapid pace, into something amorphous in nature: the advent of software as a service (SaaS) providers, cloud computing,
successful leaders understand the need to assess organizational risk and to allocate resources and effort based on prioritized competing needs. Given the current threat environment and the math behind successful attacks, leaders need to understand both the value and vulnerabilities residing on their networks and prioritize prevention and response efforts accordingly.

Under executive leadership, it is also very important that there is continued improvement in processes used to manage the security of organizations. People must be continually trained on how to identify cyberattacks and on the appropriate steps to take in the event of an attack. Many of the attacks that are being reported today start or end with poor processes or human error. For example, with so much personal information being readily shared on social networking, it is simple for hackers to assemble very accurate profiles of individuals and their positions in companies and launch socially engineered attacks or campaigns. These attacks can be hard to spot in the absence of proper training for individuals, and difficult to control in the absence of good processes and procedures regardless of how good the technology is that is deployed to protect an organization.
A common attack on organizations to
defraud large amounts of money via wire
transfers counts on busy people being poor-
ly trained and implementing spotty pro-
cesses. In such an attack, the attacker uses
publicly available personal information
gleaned off social networking sites to iden-
tify an individual who has the authority to
issue a wire transfer in a company. Then the
attacker uses a phishing attack, a carefully
constructed improper email address that
looks accurate on a cursory glance, seem-
ingly from this person’s manager at the
company telling the person to send a wire
transfer right away to the following coordi-
nates. If the employee is not trained to look
for proper email address confguration, or
the company does not have a good process
in place to validate wire transfer requests,
like requiring two approvals, then this attack
mobility, the Internet of Things, and other
macrotechnology trends that have the
impact of security professionals having
less and less control over data.
In the face of these challenges, it is critical
that a few things are true in the security
architecture of the future:
? First is that advanced security systems
designed on defnitive knowledge of
what and who is using the network be
deployed. In other words, no guessing.
? Second is that these capabilities be as
natively integrated as possible into
a platform such that any action by
any capability results in an automatic
reprogramming of the other capabilities.
? Third is that this platform must also
be part of a larger, global ecosystem
that enables a constant and near-real-time
sharing of attack information that can be
used to immediately apply protections
preventing other organizations in the
ecosystem from falling victim to the same
or similar attacks.
? Last is that the security posture is
consistent regardless of where data
resides or the deployment model of the
“network.” For example, the advanced
integrated security and automated
outcomes must be the same whether the
network is on premise, in the cloud, or has
data stored off the network in third-party
applications. Any inconsistency in the
security is a vulnerability point as a general
matter. And, as a matter of productivity,
security should not be holding back high-
productivity deployment scenarios based
on the cloud, virtualization, SDN, NFV,
and other models of the future.
Process and people
Technology alone is not going to solve the
problem. It is incumbent upon an executive
team to ensure their technical experts are
managing cybersecurity risk to the organi-
zation. Most of today’s top executives did
not attain their position due to technological
and cybersecurity profciency. However, all
? 8 SecurityRoundtable.org
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
often succeeds. It is important that technol-
ogy, process, and people are coordinated,
and that training is done on a regular basis.
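The two controls just described, checking that the sender's address really is the expected one and requiring two approvals before money moves, expressed as a check that a mail gateway or a payments team could run. This is an added illustration, not code from the guide or from any vendor; the company domain (examplecorp.com), the approver names and the two sample messages are constructed for the example.

```python
"""Screen an inbound wire-transfer request for the red flags described above.

Added example, not part of the original guide. The company domain, the
approver names and the sample messages are all constructed for illustration.
"""
import re
from email import message_from_string

COMPANY_DOMAIN = "examplecorp.com"           # assumed corporate mail domain
CONFUSABLES = str.maketrans("015", "ols")     # digits attackers swap for letters
URGENCY = re.compile(r"\b(urgent|right away|immediately|confidential)\b")

def sender_domain(header_value):
    """Lower-cased domain from a 'Display Name <user@host>' or bare address."""
    m = re.search(r"<([^>]+)>", header_value)
    address = m.group(1) if m else header_value
    return address.strip().rsplit("@", 1)[-1].lower()

def edit_distance(a, b):
    """Levenshtein distance; one or two edits from the real domain is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=COMPANY_DOMAIN):
    """True when a domain imitates the trusted one without being it."""
    if domain == trusted:
        return False
    return edit_distance(domain, trusted) <= 2 or domain.translate(CONFUSABLES) == trusted

def screen_request(raw_message):
    """Return the red flags found in a raw RFC 5322 message (empty list means none)."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = sender_domain(msg.get("From", ""))
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    elif from_domain != COMPANY_DOMAIN:
        flags.append(f"external sender domain: {from_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_domain:
        flags.append(f"Reply-To diverts replies to: {sender_domain(reply_to)}")
    body = msg.get_payload().lower()
    if "wire" in body and URGENCY.search(body):
        flags.append("urgent wire-transfer language in body")
    return flags

def approve_transfer(requester, approvers):
    """Dual control: two distinct approvers, neither of them the requester."""
    distinct = {a.lower() for a in approvers if a.lower() != requester.lower()}
    return len(distinct) >= 2

# Constructed sample messages, not real traffic.
LEGIT = """From: Dana Lee <dana.lee@examplecorp.com>
To: pat.chen@examplecorp.com
Subject: Q3 vendor payment

Pat, please schedule the usual vendor payment once the PO is matched.
"""
SPOOFED = """From: Dana Lee <dana.lee@examp1ecorp.com>
Reply-To: dana.lee.ceo@webmail-example.net
To: pat.chen@examplecorp.com
Subject: Urgent

Pat, I need a wire sent right away to the account below. Keep this confidential.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, screen_request(raw) or ["no red flags"])
    print("one approver plus the requester:", approve_transfer("pat.chen", ["dana.lee", "pat.chen"]))
    print("two independent approvers:", approve_transfer("pat.chen", ["dana.lee", "sam.ortiz"]))
```

The spoofed message trips three separate checks (a domain one character away from the real one, a Reply-To pointing somewhere else, and urgent wire language), while the legitimate one trips none; the approval function shows that a requester counter-signing their own request does not satisfy dual control. In production the same checks would sit in the mail gateway, and the approval rule in the payment system, so that neither depends on a busy employee noticing.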
Intelligence sharing

Given the increasing number and sophistication of cyberattacks, it is difficult to imagine that any one company or organization will have enough threat intelligence at any one time to be able to defeat the vast majority of attacks. However, it is not hard to imagine that if multiple organizations were sharing what they are seeing from an attack perspective with each other in close to real time, the combined intelligence would limit successful attacks to a small number of the attempted attacks. This is the outcome we should strive for, as getting to this point would mean that the attackers would need to design and develop unique attacks every single time they want to attack an organization, as opposed to today, where they can use variants of an attack again and again against multiple targets. Having to design unique attacks every time would significantly drive up the cost of a successful attack and force attackers to aggregate resources in terms of people and money, which would make them more visible to defenders, law enforcement, and governments.

The network effect of defense is why there is such focus and attention on threat intelligence information sharing. It is early days on this front, but all progress is good progress, and, importantly, organizations are now using automated systems to share threat intelligence. At the same time, analytical capabilities are being rapidly developed to make use and sense of all the intelligence, in ways that will result in advanced platforms being able to reprogram prevention capabilities rapidly, such that connected networks will be constantly updating threat capabilities in an ever-increasing ecosystem. This provides immense leverage in the cybersecurity battle.
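An added illustration of the automated sharing loop described above, not code from the guide or from any product: a feed of indicators reported by several partner organizations is merged, expired entries are aged out, the surviving indicators are turned into prevention rules and matched against local connection logs, and any local hit is packaged as a sighting to share back, which is where the network effect comes from. The feed format, field names, partner names, addresses and log lines are all constructed; a real deployment would ingest a STIX/TAXII or ISAC feed rather than a Python list.

```python
"""Merge shared threat intelligence and push it into prevention automatically.

Added example, not part of the original guide. Feed format, field names,
partner names, addresses and log lines are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

OUR_ORG = "our-org"   # assumed name used when we share sightings back

# Constructed indicator feed: what partner organisations reported seeing.
FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "source": "partner-a",
     "seen": "2015-09-01T10:00:00Z", "ttl_hours": 72},
    {"type": "ipv4", "value": "203.0.113.7", "source": "partner-b",
     "seen": "2015-09-01T11:30:00Z", "ttl_hours": 72},
    {"type": "domain", "value": "update-check.example.net", "source": "partner-a",
     "seen": "2015-08-20T08:00:00Z", "ttl_hours": 48},     # already expired
    {"type": "sha256", "value": "e3b0c442" * 8, "source": "partner-c",
     "seen": "2015-09-02T00:00:00Z", "ttl_hours": 168},
]

# Constructed local connection/proxy log events.
EVENTS = [
    {"ts": "2015-09-02T09:15:00Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7"},
    {"ts": "2015-09-02T09:16:00Z", "src_ip": "10.0.0.9", "domain": "update-check.example.net"},
    {"ts": "2015-09-02T09:17:00Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.2"},
]
NOW = datetime(2015, 9, 2, 12, 0, tzinfo=timezone.utc)

def parse_ts(text):
    """Parse the feed's UTC timestamps ('2015-09-02T09:15:00Z')."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_blocklist(feed, now, min_sources=1):
    """Merge every indicator, drop expired ones, and record which sources corroborate it.

    Requiring min_sources > 1 trades coverage for fewer false positives from a
    single noisy partner.
    """
    merged = {}
    for ind in feed:
        expires = parse_ts(ind["seen"]) + timedelta(hours=ind["ttl_hours"])
        if expires <= now:
            continue                      # aged out: stale blocks cause outages
        key = (ind["type"], ind["value"])
        entry = merged.setdefault(key, {"sources": set(), "expires": expires})
        entry["sources"].add(ind["source"])
        entry["expires"] = max(entry["expires"], expires)
    return {k: v for k, v in merged.items() if len(v["sources"]) >= min_sources}

def prevention_rules(blocklist):
    """Render the blocklist as firewall and DNS-sinkhole rule lines (illustrative syntax)."""
    rules = []
    for (kind, value), entry in sorted(blocklist.items()):
        until = entry["expires"].strftime("%Y-%m-%dT%H:%MZ")
        if kind == "ipv4":
            rules.append(f"deny ip any host {value}  # until {until}")
        elif kind == "domain":
            rules.append(f"sinkhole {value}  # until {until}")
    return rules

def match_events(blocklist, events):
    """Return (event, indicator_key) pairs for local events that touch a blocked indicator."""
    hits = []
    for ev in events:
        for key in (("ipv4", ev.get("dst_ip")), ("domain", ev.get("domain")),
                    ("sha256", ev.get("sha256"))):
            if key in blocklist:
                hits.append((ev, key))
    return hits

def sighting(event, key, org=OUR_ORG):
    """What we share back: the indicator and when we saw it, never our internal addresses."""
    return {"type": key[0], "value": key[1], "source": org,
            "seen": event["ts"], "ttl_hours": 72}

def run_cycle(feed, events, now, min_sources=1):
    """One sharing cycle: merge the feed, match local logs, return blocklist, hits, updated feed."""
    blocklist = build_blocklist(feed, now, min_sources)
    hits = match_events(blocklist, events)
    shared = [sighting(ev, key) for ev, key in hits]
    return blocklist, hits, feed + shared

if __name__ == "__main__":
    blocklist, hits, new_feed = run_cycle(FEED, EVENTS, NOW)
    for rule in prevention_rules(blocklist):
        print(rule)
    print(f"{len(hits)} local hit(s); feed now has {len(new_feed)} records")
    print("corroboration after sharing:",
          build_blocklist(new_feed, NOW)[("ipv4", "203.0.113.7")]["sources"])
```

Two details matter in practice and are easy to get wrong: indicators must expire, because an address that hosted a phishing page last month may be a legitimate customer's today, and a sighting shared back should carry the indicator and the time, not the internal source address or user that touched it.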
Conclusion

There is understandable concern and attention on the ever-increasing incidence of cyberattacks. However, if we take a longer view of the threat and adopt a prevention-first mindset, the combination of next-generation technology, improvements in processes and training, and real-time sharing of threat information with platforms that can automatically reconfigure the security posture can vastly reduce the number of successful attacks and restore the digital trust we all require for our global economy.
The Chertoff Group — Michael Chertoff, Executive Chairman and Former United States Secretary of Homeland Security, and Jim Pflaging, Principal

The three Ts of the cyber economy

Thanks to rapid advances in technology and thinking, over the last decade we have seen entire industries and countries reinvented in large part because of the power of the Internet and related innovations. Naturally, these developments created new opportunities and risks, and none is greater than cybersecurity. Today, business leaders, academics, small business owners, and school kids know about hackers, phishing, identity theft, and even "bad actors."

In late 2014, the Sony Pictures Entertainment breach led to debates over data security, free speech, and corporate management, as well as the details of celebrity feuds and paychecks. The idea of cybersecurity is rising to the fore of our collective consciousness. Notable cybersecurity breaches, including those at Target, Anthem BlueCross, and the U.S. Office of Personnel Management, have demonstrated that no organization or individual is immune to cyberthreat. In short, the cybersecurity environment has changed dramatically over the past several years, and many of us have struggled to keep up. Many firms now find themselves in an environment where one of their greatest business risks is cyber risk, a risk that has rapidly risen from an afterthought to primary focus.

How do we create more opportunity and a safer world while protecting privacy in an interconnected world? This question is not just for policy makers in government and leaders of global Fortune 500 businesses. It affects the neighborhood small business, the academic community, investors and, of course, our children.

Answering that question requires an understanding of the three Ts: technology, threat, and trust. Why? Because these are big interrelated ideas that have a significant effect on business strategy, policy, and public opinion. For starters, you need to know about the three Ts, think about them, and decide how you are going to embrace the first, deal with the second, and shape the last.

Technology

Today we live in a golden age of innovation driven by technologies that dominate headlines: cloud computing, mobility, big data, social media, open source software, virtualization, and, most recently, the Internet of Things. These tectonic shifts allow individuals, government, and companies to innovate and reinvent how they interact with each other. These forces mandate that we redefine what, how, and where we manage any business. We need to challenge core assumptions about markets, company culture, and the art of the possible. The winners will be those who leverage these innovations to reduce costs and deliver better, lower-priced products. Take Table 1 below, for example:

Table 1. A good reputation: market capitalization (or private estimates, USD in millions)

Company            3/31/2005    3/31/2015
Amazon             $13,362      $207,275
Apple              $30,580      $752,160
Google             $64,180      $378,892
Uber               N/A          $41,000
AT&T               $78,027      $175,108
Citigroup          $244,346     $165,488
General Electric   $388,007     $274,771
Kodak              $6,067       $794
Sources: Capital IQ, Fortune

It is easy to see the relationship between innovation and valuation. Some companies, such as Kodak, did not react fast enough and lost their market as a result. Others, such as AT&T, have invested heavily in new technology and are thriving. Still, the advantage lies with the firms who not only embraced the Internet but also built their entire business around it: Amazon, Google, and Uber. Finally, there is Apple, which came of age with the Internet and morphed into a wildly successful global leader with the introduction of the iPhone.

There have been applications for these technologies, with significant impact, in a variety of industries. In transportation, Uber is a great example of transforming a pervasive but sedentary sector into a newly reimagined market. Uber used emerging technologies to disrupt seemingly distinct segments such as auto rental and even automotive manufacturing. In the electrical sector, smart meters, transformers, and switches have given utilities greater control over their distribution networks, while their customers have gained greater control of their consumption.

However, the golden age of innovation has a dark side. A new class of "bad guys" has emerged and is taking advantage of "holes" in these new technologies and our online behavior to create new risks. This leads us to the second T: Threat.

Threat

Lifecycle

It is almost cliché to talk about the pervasiveness and escalating impact of cybersecurity attacks. However, it is useful to provide a map that can help us better understand where we may be heading, to help us prepare and develop more lasting defenses. Using a simple x-y graph, we can create an instructive map, in which x represents the severity of the impact and y the "actor" or perpetrator. Impact can be divided into the following stages: embarrassment, theft, destruction to a target firm or asset, and widespread destruction. The actors also can be grouped into four escalating stages: individuals, hacktivists, cyber organized crime, and nation-states. See Figure 1. Given the importance of understanding threat, business leaders should understand how the map applies to their business. To aid in this understanding, it is useful to cover a few examples that illustrate various stages of these threats.

Figure 1. Actor versus intent and impact. Vertical axis (actor), escalating: Individual, Hacktivist, Cyber organized crime, Nation-states. Horizontal axis (intent and impact), escalating: Embarrass; Steal customer info; Disrupt operations and destroy property; Destroy business and future earnings; Widespread disruption and destruction. Incidents plotted on the map: HBGary, Target, JPMorgan Chase, Sony, Saudi Aramco.

In 2011, a high-profile attack was undertaken by Anonymous, the prominent "hacktivist" collective, in which it attacked the security services firm HBGary Federal. The attack was precipitated by HBGary's CEO, Aaron Barr, claiming in a Financial Times article that his firm had uncovered the identities of Anonymous leaders and planned on releasing these findings at a security conference in San Francisco the following week.[1] Anonymous responded by hacking into HBGary's networks, eventually posting archives of company executives' emails on file-sharing websites, releasing a list of the company's customers, and taking over the firm's website. Although the attack did affect HBGary financially, Anonymous' primary motivation was to embarrass Aaron Barr and HBGary.

More recent attacks have been perpetrated by better-organized criminal gangs and have had a greater impact. For instance, the Target breach, believed to have been the work of criminals operating in Eastern Europe, netted 40 million credit and debit card numbers and 70 million customer records and was largely responsible for the company's 46 percent drop in profit in Q4 of 2013 when compared to 2012.[2] The attack also resulted in a serious decline in the company's stock price and led the company's board to fire their CEO. The attack is estimated to have netted its perpetrators approximately $54 million in profit from the sale of stolen card details on black market sites, quite the motivation for a criminal enterprise.

Another high-profile attack, directed against Sony Pictures Entertainment, is alleged to have been the work of hackers supported by the government of North Korea. The attackers managed to secure not only a copy of The Interview, which had offended and motivated the North Korean state, but also a vast trove of data from the corporate network, including the personal and salary
details of tens of thousands of employees, internal email traffic, and other highly sensitive information. The attack led the company to delay the release of its big-budget film, and it generated weeks of headlines. The attack also forced the company to take a variety of computer systems offline. Although the long-term impact of the attack is unclear, it has had a dramatic impact on the studio's reputation, stock price, and earnings.

What is next? In the future, we can expect a continued rise in the severity of cyberthreats. Well-financed criminal gangs and well-resourced nation-states appear to be increasingly capable and willing to engage in attacks that cause significant damage.

Boards and risk

After the initial shock of "how is this possible," every business leader has to consider what it means for his or her business. Just a few years ago, many viewed cybersecurity threats as a technical problem best left to the company CIO or CISO. Increasingly, CEOs and boards are coming to the realization that cybersecurity threats are a business risk that demands C-level and board scrutiny.

Corporate boards have begun to look at cybersecurity risk in much the same way they would look at other risks to their business, applying risk management frameworks while evaluating the likelihood and impact of cyber risk. Boards also have begun to look at ways to transfer their risk, leading insurance companies to offer cybersecurity insurance products. In their evaluation of cyber risk, companies are also taking a hard look at the second-order effects of a cyberattack, notably the ability of a successful attack to undermine customers' trust in the company. A successful attack often leads to the revelation of sensitive, personally identifiable information on customers, eroding consumer confidence in the firm. Many of the commonly understood risk management frameworks and related insurance products now being used recognize this and make it clear that corporate boards must have a thorough understanding of the third T, Trust.

Trust

One of the greatest casualties in the ever-increasing torrent of cyberthreats is trust: specifically, the trust consumers have in business, the trust citizens and business have in government, and the trust government has in business. This should be troubling for all corporate executives and government leaders, because trust is precious to all relationships and is critical to the effective workings of commerce and government. As we know, it takes years to build, but it is easy to lose. For instance, a single data breach can undo years of effort and cause immediate and lasting reputation loss.

Measuring trust

Recent consumer surveys suggest that consumers are tired of dealing with fraudulent charges and are raising their expectations for how their favorite brands and websites protect consumer data and personally identifiable information. In May 2015, Pew Research released a study in which 74 percent of Americans said it was "very important" to be "in control of who can get info about you." Edelman, one of the world's largest public relations firms, does an annual study called The Trust Barometer. The 2015 edition of this survey showed a huge jump in the importance consumers place in the privacy of their personal data. The study revealed that 80 percent of consumers, across dozens of countries and industries, listed this as a top issue in evaluating brands they trust. Finally, HyTrust, an emerging technology company, published a study on the impact of a cyber breach on customer loyalty and trust. Of the 2,000 consumers surveyed, 52 percent said a breach would cause them to take their business elsewhere.[3] What business can afford to lose 50 percent of its customers?

What these numbers make clear is that consumers are paying attention to cybersecurity issues and that failure to address these concerns comes at a company's own risk. Recent attacks have served as learning moments for many companies and consumers, allowing them to gain a firmer understanding of just
how damaging such an attack can be. However, with this knowledge comes increased expectations for how companies safeguard their data and that of their consumers.

Role of industry

Fortunately, industry is moving in this direction, and many companies have begun to consider cyber risk in their corporate planning. In 2014, the National Association of Corporate Directors issued a call to action, which included five steps that its members should take to ensure their enterprises properly address cyber risk. These include the following:

• Treating cyber risk as an enterprise risk
• Understanding the legal implications of cyber risks
• Discussion of cyber risk at board meetings, giving cyber risk equal footing with other risks
• Requiring management to have a measurable cybersecurity plan
• The development of a plan at the board level on how to address cyber risks, including which risks should be avoided, accepted, mitigated, or transferred via insurance

Although this guidance is an excellent start, we at The Chertoff Group believe that industry has to go further and move toward a common cyber risk management framework that allows everyone to understand the cyber risks to a business and how the company intends to address them. This model would be a corollary to the Generally Accepted Accounting Principles (GAAP), the standard accounting guidelines and framework that underlie the financials and planning of almost any business. The emergence of GAAP in the 1950s made it significantly easier for investors, regulators, and other stakeholders to gain a clear understanding of a business and its financials, allowing for comparisons across industries and sectors.

In parallel, banks, insurers, and other providers of risk mitigation are scrambling to develop cyber risk mitigation products. Many of the insurance industry's largest players, including Allstate, Travelers, Marsh, and Tennant, have moved to offer companies cyber insurance products, although the immaturity of the market has created complications for insurers and potential customers. Insurers have had a hard time calculating their risk, and thus appropriate premiums for potential customers, while customers have sometimes found their insurance quotes too expensive. Fortunately, time and the accompanying settling of industry standards and actuarial data will help to mature and grow this market.

Role of government

Effective risk management, for governments or private enterprises, starts with an honest understanding of the situation and recognition that information sharing with partners is essential. Information sharing, of course, starts with agreeing on common values, and then trusting vetted, capable, and reliable partners. Information sharing can be, and must be, something that takes place at and across all levels. The Constitution charges the federal government with the responsibility of providing for the defense of the nation while protecting the privacy and civil liberties of our citizens, a difficult balance that requires trust in the government and in the processes by which we reach that balance.

As we discuss the role of government in information sharing and building trust, we have to acknowledge the impact the Snowden revelations have had on public trust in government. Fundamentally, we have to determine what we want the role of government to be and engage in legal reforms that reflect that role. Laws such as the Computer Fraud and Abuse Act, enacted in 1986 and amended five times since then, and the Electronic Communications Privacy Act (ECPA), which also dates to 1986, have to be updated to reflect the significant changes in technology and practice that have occurred since they were envisioned.

Beyond these efforts, we need to establish or reinforce agreed-upon rules and programs
for government data collection on citizens and the legal frameworks that manage the transfer of that data between governments for judicial and law enforcement purposes. Importantly, this initiative must provide for mutual accountability for all participants. These initiatives have to lay out clearly the roles of all participants and, in our opinion, reinforce and strengthen the role for NSA in helping this nation deal with the adversaries that are using information technology to harm us.

On the international front, in response to mounting concerns over data privacy, data security, and the rise of online surveillance, governments around the world have been seeking to pass new data protection rules. Several governments, including Germany, Indonesia, and Brazil, have considered enacting "data localization" laws that would require the storage, analysis, and processing of citizen and corporate data to occur only within their borders.

However, many of these proposals are likely to impose economic harm and sow seeds of distrust. For example, several of the proposals under consideration would force companies to build servers in locations where the high price of local energy and the lack of trained engineers could translate into higher costs and reduced efficiencies. Furthermore, requiring that data reside in a server based in Germany instead of one in Ireland will do little to prevent spies from accessing that data if they are determined and capable.

So, what should we do? It is critical that policymakers and technology providers work together to develop solutions that keep online services available to all who rely on them. We must develop principles that can serve as a framework for coordinated multilateral action between states and across the public and private sectors. We must be prepared to lead abroad and at home with effective ideas.

Public-private partnerships (PPPs) are important pieces of the solution and are good models of trust that we should leverage going forward. First, the formation of Information Sharing and Analysis Centers (ISACs) was a Clinton Administration initiative to build PPPs across critical infrastructure sectors. These sector-by-sector ISACs have proven to be models of trust. The Financial Services ISAC has truly epitomized these ideas and is considered by many to be the leading ISAC in sharing threat information. This model has been replicated in other industries and led President Obama to call for an expansion of the information sharing model to smaller groups of companies through Information Sharing and Analysis Organizations (ISAOs). Another example is a U.S. government-industry initiative to combat botnets, in which the government is working with the Industry Botnet Group to identify botnets and minimize their impacts on personal computers.

Technology, threat, and trust in the boardroom

What do the three Ts of the cyber economy mean for you? Here are just a few of the questions every leader has to consider:

• Are we using technology for competitive advantage?
• Are we secure? How do you know? Do we have a framework, a GAAP-equivalent for cyber risk, that gives me the tools to understand and measure risk?
• Are we a good steward of the data we collect about our customers?

Each of us needs answers to these questions. Your response will have a big impact on the future of your organization.

A few years ago, there was a common story in security circles about two types of companies: those who knew they had been hacked and those who had been hacked but did not know it. Going forward, we will talk about companies in terms of who cares about cybersecurity: in some companies, it will be the entire executive suite; in others, it will just be the CISO or CIO. Your company doesn't want to fall into the latter category. Use the three Ts to help your organization manage cyber risk and leverage the fantastic opportunities in this golden age of innovation.

Works Cited

1. Joseph Menn, "Cyberactivists warned of arrest," The Financial Times, February 5, 2011. Available at http://www.ft.com/cms/s/0/87dc140e-3099-11e0-9de3-00144feabdc0.html#axzz3cg7emYx4.
2. Maggie McGrath, "Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming," Forbes, February 26, 2014. Available at http://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/.
3. "Consumers Increasingly Hold Companies Responsible for Loss of Confidential Information, HyTrust Poll Shows," HyTrust, October 1, 2014. Available at http://www.hytrust.com/company/news/press-releases/consumers-increasingly-hold-companies-responsible-loss-confidential-info. Additional survey data available at http://www.hytrust.com/sites/default/files/HyTrust_consumer_poll_results_with_charts2.pdf.
Georgia Institute of Technology, Institute for Information Security & Privacy – Jody R. Westby, Esq., Adjunct Professor

Cyber governance best practices

The evolution of cybersecurity governance

Corporate governance has evolved as a means of protecting investors through regulation, disclosure, and best practices. The United Nations Guidance on Good Practices in Corporate Governance Disclosure noted:

    Where there is a local code on corporate governance, enterprises should follow a "comply or explain" rule whereby they disclose the extent to which they followed the local code's recommendations and explain any deviations. Where there is no local code on corporate governance, companies should follow recognized international good practices.[1]

The Business Roundtable (BRT), one of America's most prominent business associations, has promoted the use of best practices as a governance tool since it published its first Principles of Corporate Governance in 2002. In its 2012 update, BRT noted:

    Business Roundtable continues to believe, as we noted in Principles of Corporate Governance (2005), that the United States has the best corporate governance, financial reporting and securities markets systems in the world. These systems work because of the adoption of best practices by public companies within a framework of laws and regulations that establish minimum requirements while affording companies the ability to develop individualized practices that are appropriate for them. Even in the challenging times posed by the ongoing difficult economic environment, corporations have continued to work proactively to refine their governance practices, and develop new practices, as conditions change and "best practices" continue to evolve.[2]
Increases in cybercrime and attacks on corporate systems and data have propelled discussions regarding governance of cyber risks and what exactly boards and senior executives should be doing to properly manage this new risk environment and protect corporate assets. The topic reached a crescendo in May 2014 when Institutional Shareholder Services (ISS) called for seven of the ten Target board members not to be re-elected, on the grounds that the failure of the board's audit and corporate responsibility committees "to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders."[3]

Over the past decade, the concept of cybersecurity governance has evolved from information technology (IT) governance and cybersecurity best practices. The Information Systems Audit and Control Association (ISACA) has been a frontrunner in IT governance best practices with the COBIT (Control Objectives for Information and Related Technology)[4] framework. ISACA founded the IT Governance Institute (ITGI) in 1998 to advance the governance and management of enterprise IT. The ITGI defines IT governance:

    IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.[5]

Gartner has a similar definition.[6]

Cybersecurity program standards and best practices[7]

As IT systems became vulnerable through networking and Internet connectivity, securing these systems became an essential element of IT governance. The first cybersecurity standard was developed by the British Standards Institution in 1995 as BS 7799. Over time, this comprehensive standard proved its worth and ultimately evolved into ISO 17799 and then ISO/IEC 27001.[8] ISO/IEC 27001 is the most accepted cybersecurity standard globally.

Today, the ISO/IEC 27000 series of information security standards comprises nearly 30 standards. ISO, of which the American National Standards Institute (ANSI) is the member body representing U.S. interests in the development of international standards, has additional information security standards outside of the 27000 series.[9] ISO information security standards cover a range of topics, such as security controls, risk management, the protection of personally identifiable information (PII) in clouds, and control systems. Additional security standards also have been developed for financial services, business continuity, network security, supplier relationships, digital evidence, and incident response.[10]

The U.S. National Institute of Standards and Technology (NIST) has developed a comprehensive set of cybersecurity guidance and Federal Information Processing Standards (FIPS),[11] including a Framework for Improving Critical Infrastructure Cybersecurity (Framework).[12] The NIST guidance and standards are world-class materials that are publicly available at no charge. NIST recognized existing standards and best practices by mapping the Framework to ISO/IEC 27001 and COBIT. Other respected cybersecurity standards have been developed for particular purposes, such as the protection of credit card data and electrical grids. The good news is that cybersecurity best practices and standards are harmonized and requirements can be mapped. This is particularly important because as companies buy and sell operating units or subsidiaries, or merge, they may have IT systems and documentation based upon several standards or best practices. Thus, the harmonization of standards enables companies to blend IT departments and security programs and continue to measure maturity.

Some companies may need to align with multiple standards. For example, electric transmission and distribution companies
19
CYBER GOVERNANCE BEST PRACTICES

will need to meet the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, as well as the Payment Card Industry Data Security Standard (PCI DSS) if they take credit cards, and some other broad security program standard, such as ISO/IEC 27001 or NIST for their corporate operations.

Even with harmonization, it is important that companies choose at least one standard to align their cybersecurity program with so progress and security maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. Although standards requirements may be mapped, each standard does not contain the same or equivalent requirements. Thus, it is important to understand the breadth and reach of the standard and to choose one that meets the organization’s security and compliance needs.

ISO/IEC 27001, which can be obtained from ANSI at http://webstore.ansi.org, is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards. One should not make the mistake of believing that all standards contain a full set of requirements for an enterprise security program; they do not. Some standards, such as NERC-CIP or PCI, set forth security requirements for a particular purpose but are not adequate for a full corporate security program.

Leading cybersecurity standards and best practices include:
• The International Organization for Standardization (ISO), the information security series, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on&active_tab=standards&sort_by=rel (also available from ANSI at http://www.ansi.org)
• The American National Standards Institute (ANSI)—the U.S. member body to ISO. Copies of all ISO standards can be purchased from ANSI at http://webstore.ansi.org/
• National Institute of Standards and Technology (NIST) Special Publication 800 (SP-800) series and Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/index.html
• Information Technology Infrastructure Library (ITIL), http://www.itlibrary.org/
• International Society of Automation (ISA), https://www.isa.org/templates/two-column.aspx?pageid=131422
• Information Systems Audit and Control Association (ISACA), the Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/cobit/pages/default.aspx
• Payment Card Industry Security Standards Council (PCI SSC), https://www.pcisecuritystandards.org/
• Information Security Forum (ISF) Standard of Good Practice for Information Security, https://www.securityforum.org/shop/p-71-173
• Carnegie Mellon University’s Software Engineering Institute, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), http://www.cert.org/resilience/products-services/octave/
• Health Insurance Portability and Accountability Act (HIPAA) regulations for security programs, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
• North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP), http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
• U.S. Nuclear Regulatory Commission, Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, https://scp.nrc.gov/slo/regguide571.pdf
20
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE

Some information security standards, such as NERC-CIP, U.S. Nuclear Regulatory cybersecurity requirements, PCI standards for credit card data, and HIPAA security requirements are mandatory. Portions of NIST guidance are mandatory for federal government contractors and U.S. government agencies and departments. The remainder of the standards listed are voluntary.

In addition to the leading cybersecurity standards listed in the shaded box, additional standards have been developed for certain industry sectors because they require heightened security protections. For example, ISO/IEC 27015 was developed as additional security requirements for financial organizations; ISO/IEC 27799 was developed for information security in health systems using ISO/IEC 27002 (the controls portion of ISO/IEC 27001); 27011 was developed for telecommunications systems using ISO/IEC 27002; and ISO/IEC 27019 was developed for industrial control system security for the energy utility industry.

The value of using a standard as a guidepost for the development, maintenance, and maturity of a security program is that it sets forth best practices for cybersecurity and is updated as required to meet changing threats, technological innovation, and compliance requirements. Standards also enable boards and senior executives to understand how comprehensive their organization’s security program is and provide an objective basis for audits and cybersecurity assessments. Evaluating a cybersecurity program against a leading standard enables an organization to measure progress, assess the effectiveness of controls, identify gaps and deficiencies, and measure program maturity.

Cyber governance standards and best practices

Cyber governance standards and best practices have evolved over the past 20 years as companies have increased connectivity to the Internet and networks and as cyberattacks have continued to rise. Directors and officers (D&Os) have a fiduciary duty to protect the organization’s assets and the value of the corporation. The increased dependence on IT systems and data in corporate operations necessarily extends this duty to include the protection of the organization’s digital assets (data, networks, and software). As a consequence, the governance of cyber risks has become increasingly important for boards of directors and senior management. This includes exercising good risk management, validating the effectiveness of controls, and ensuring compliance requirements are met.

An increase in shareholder derivative suits against D&Os for failure to protect against breaches also has heightened attention on cybersecurity at the board and senior management level. Target was hit with shareholder derivative suits for failure to protect the company and its data from a breach,[13] as was Wyndham Hotels on similar grounds.[14]

In addition, cybersecurity has become an important compliance issue that carries the risk of headlines concerning enforcement actions, investigations, and breaches of personally identifiable information. Several state and federal laws impose privacy and security requirements on targeted industry sectors and types of data. For example, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and state breach laws impose specific requirements pertaining to the security and privacy of data and networks.

So, what does cyber governance mean? What actions should board members be taking? Who should be involved—the entire board or just certain committees? Cyber governance means more than D&Os periodically asking interesting questions or receiving reports regarding the company’s cybersecurity program. There is now an international standard, ISO/IEC 27014, on the governance of information security, which sets out roles and responsibilities for executive management and boards of directors and is applicable to all types and sizes of organizations. The standard notes:

[G]overnance of information security provides a powerful link between an organization’s governing body, executive
management and those responsible for implementing and operating an information security management system. It provides the mandate essential for driving information security initiatives throughout the organization.[15]

The objectives of the standard are to align security program and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed.[16]

The difference between IT governance and information security governance is that the latter is focused on the confidentiality, integrity, and availability of information, whereas governance of IT is focused on the resources required to acquire, process, store, and disseminate information.[17] ISO/IEC 27014 sets forth six principles as foundation for information security governance:

1. “Establish organization-wide information security”: information security activities should encompass the entire organization and consider the business, information security, physical and logical security, and other relevant issues.
2. “Adopt a risk-based approach”: governance decisions should be based on the risk thresholds of a company, taking into account competitiveness issues, legal and compliance obligations, reputational risks, business interruption, and financial losses; allocate the resources needed for the risk-based approach.
3. “Set the direction of investment decisions”: establish an information security investment strategy that meets business and security requirements; integrate security considerations into existing business and investment processes.
4. “Ensure conformance with internal and external requirements”: ensure policies and procedures incorporate legal, regulatory, and contractual obligations; routinely audit such compliance.
5. “Foster a security-positive environment”: accommodate human behavior and the needs of users; promote a positive information security environment through training and tone from the top.
6. “Review performance in relation to business outcomes”: ensure the security program supports business requirements, review impact of security on business as well as controls.[18]

ISO/IEC 27014 sets forth separate roles and responsibilities for the board and executive management within five processes: Evaluate, Direct, Monitor, Communicate, and Assure. These are set forth in abbreviated form in the following table.[19]

| Process  | Board of directors | Executive management |
|----------|--------------------|----------------------|
| Evaluate | Ensure business initiatives take information security into consideration | Ensure information security supports business objectives |
|          | Review reports on information security performance, initiate prioritized actions | Submit new security projects with significant impact for board review |
| Direct   | Establish risk thresholds of organization | Ensure security and business objectives are aligned |
|          | Approve security strategy and overarching policy | Develop security strategy and overarching policy |
|          | Allocate adequate resources for security program | Establish a positive culture of cybersecurity |

(Continued)
| Process     | Board of directors | Executive management |
|-------------|--------------------|----------------------|
| Monitor     | Assess effectiveness of security program | Determine appropriate metrics for security program |
|             | Ensure compliance and legal obligations are met | Provide input to board on security performance results, impacts on organization |
|             | Evaluate changes to operations, legal frameworks, and impact on information security | Keep board apprised of new developments affecting information security |
| Communicate | Report to investors/shareholders on whether information security is adequate for business | Inform board of security issues that require their attention |
|             | Provide results of external audits or reviews and identified actions to executive team | Ensure board’s actions and decisions regarding security are acted upon |
|             | Recognize compliance obligations, business needs, and expectations for information security | |
| Assure      | Order independent reviews/audits of security program | Support reviews/audits commissioned by board |

Beyond ISO/IEC 27014: Other best practices and guidance

At present, the only guidance NIST has developed that addresses information security governance is its 2006 Special Publication 800-100, Information Security Handbook: A Guide for Managers. This publication, however, is written for a federal audience and is more technical than other materials directed toward boards and senior executives.

ISACA’s IT Governance Institute updated its Board Briefing on IT Governance in 2014,[20] which sets forth an approach similar to ISO/IEC 27014, but is based on ISACA’s COBIT best practices. The Board Briefing includes questions board members should ask and also checklists, tool kits, roles and responsibilities, and other helpful materials. The Board Briefing focuses on five activity areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement. The publication is IT-focused, however, and does not mention the roles and responsibilities of chief information security officers (CISOs). The separation of the role of the chief information security officer from the chief information officer (CIO) (in other words, not having the CISO report to the CIO), is a best practice that the Board Briefing ignores. It assigns all responsibilities to the CIO, IT Strategy Committee, IT Steering Committee, IT Architecture Review Board, and Technology Council. Nevertheless, it is a valuable resource for boards and executive teams seeking to implement good cyber governance practices.

Finally, Carnegie Mellon University’s Software Engineering Institute developed the Governing for Enterprise Security Implementation Guide in 2007 as a guide for boards and executives on governing enterprise security programs.[21] It is still quite instructive and includes a model organizational structure for cyber
governance; composition of a cross-organizational privacy/security committee; sample mission, goals, and objectives for a board Risk Committee; and an explanation of the critical activities in an enterprise security program, including who should lead and be involved in them, and the outputs (artifacts) to be developed. It indicates where the board has a role for governance oversight and sets forth roles and responsibilities for the critical players, as well as shared responsibilities, for the following:
• chief security officer/chief information security officer
• chief privacy officer
• chief information officer
• chief financial officer
• general counsel
• business line executives
• human resources
• public relations
• business managers
• procurement
• operational personnel
• asset owners
• certification authority.

Additional considerations in cybersecurity governance

Board structure plays a significant role in cybersecurity governance. A Risk Committee is the best choice for governance of cybersecurity because IT risks must be managed as enterprise risks and integrated into enterprise risk management and planning. Many companies place all oversight for cybersecurity in the board Audit Committee, which can substantially increase the workload of that committee. Placing cyber governance with the Audit Committee also creates segregation of duties issues at the board level because the Audit Committee is auditing the security program, determining remediation measures, and then auditing this work the following year.

One of the most important aspects of cybersecurity governance is the identification of vulnerabilities that could have a material impact on corporate operations and/or bottom line. It is easy for board members to become inundated in technical data and issues and lose sight of the major risks that must be managed. In part, CIOs and CISOs need to develop better executive and board communication skills when reporting on cybersecurity program activities and incidents. Outside experts can also help separate which cybersecurity governance issues should be directed to the executive management team and which are for board consideration.

Once the critical vulnerabilities that require board and executive attention have been identified, the next step is to determine the information flows that are needed to keep the board and senior management informed and enable informed decision-making. These two steps—identification of cyber-related vulnerabilities and associated information flows—should be followed by an analysis of the board’s and senior management’s roles in incident response and business continuity/disaster recovery.

The Target breach revealed how disastrous it can be when a company’s executive team and board are not prepared to manage a major cybersecurity incident. The breach was clever but not terribly difficult to recover from; as ISS pointed out so clearly, it was Target’s executive team and board who failed to protect the company’s data and ensure a robust incident response plan was in place that involved their participation.

Cybersecurity governance is an area where an independent adviser can provide valuable guidance to a board and executive team by reviewing available reports and assessing the current state of the security program, identifying key vulnerabilities and associated information flows that should be directed to the board, advising on the threat environment, and establishing the proper organizational structures for effective cybersecurity governance. These activities should be undertaken in a collaborative fashion with IT and security leaders and in the spirit of helping them gain visibility and support for security program initiatives.
Dutiful dozen

There are some actions that boards can take to ensure they are managing cyber risks and meeting their fiduciary duty. Following is a list of a dozen actions that are within best practices, which can be used as a starting point and checklist for governance activities:

A dozen best practices for cyber governance
1. Establish a governance structure with a board Risk Committee and a cross-organizational internal team.
2. Identify the key cyber vulnerabilities associated with the organization’s operations.
3. Identify the security program activities over which boards and executives should exercise oversight, and identify the key information flows and reports that will inform board and executives on the management of cyber vulnerabilities and security program activities.
4. Identify legal compliance and financial exposures from IT systems and data.
5. Set the tone from top that privacy and security are high priorities for the organization, and approve top-level policies on acceptable use of technology and compliance with privacy and security policies and procedures.
6. Review the roles and the responsibilities of lead privacy and security personnel, and ensure there is segregation of duties between IT and security functions.
7. Ensure that privacy and security responsibilities are shared, enterprise issues that apply to all personnel.
9. Review and approve annual budgets for security programs.
10. Review annual risk assessments, the maturity of the security program, and support continual improvement.
11. Retain a trusted adviser to independently inform the board on changes in the threat environment, provide assistance on governance issues, and advise on response issues in the event of a major cyber incident.
12. Evaluate the adequacy of cyber insurance against loss valuations and ensure adequate risk strategies are in place for cyber risks.

Many organizations also are struggling with how to integrate cybersecurity into their enterprise risk management process. Most business operations today are dependent upon IT systems and the confidentiality, availability, and integrity of their data. Following are another dozen guiding points on integrating cyber risks into enterprise risk management:

A dozen best practices for integrating cybersecurity into enterprise risk management
1. Understand the business’s strategies, objectives, and needs for IT and data.
2. Inventory assets (data, applications, hardware), assign ownership, classification, and risk categorization.
3. Map legal requirements to data for all jurisdictions.
4. Evaluate the security of vendors, business partners, and supply chain linkages.
5. Align the cybersecurity program with best practices and standards.
6. Ensure controls are determined and metrics identified.
7. Conduct a risk assessment to establish a baseline for cyber risk management.
8. Develop cyber risk strategies (block the risk, cyber insurance, other compensating controls, all of these).
9. Design system architecture to accommodate business goals and objectives, meet security and legal requirements, and detect or prevent unauthorized usage.
10. Use technical tools and services to provide integrated data on threats and attacks.
11. Make cyber training and security compliance part of annual performance reviews for all personnel.
12. Stay abreast of innovation and changes in the threat environment as well as changing operational requirements.
Conclusion

Best practices and standards now require boards and senior management to exercise governance over cybersecurity programs and associated risks. Laws such as Gramm-Leach-Bliley, the Health Insurance Portability and Accountability Act, and the Federal Information Security Management Act all require executive oversight of security programs. Each organization’s operations, system architecture, policies and procedures, and culture vary; thus, cyber risk management has to be tailored to the organization. Boards should know what standards/best practices their organization is using to implement their security program and determine an approach for their own governance activities. Checklists and the use of ISO/IEC 27014, the ISACA Board Briefing on IT Governance, and the Carnegie Mellon University’s Governing for Enterprise Security Implementation Guide are all useful resources that will help ensure boards are meeting their fiduciary duty and protecting the assets of the organization.

References
1. Guidance on Good Practices in Corporate Governance Disclosure, United Nations Conference on Trade and Development (UNCTAD), New York & Geneva, 2006, http://unctad.org/en/docs/iteteb20063_en.pdf.
2. Principles of Corporate Governance 2012, Harvard Law School Forum on Corporate Governance and Financial Regulation, Aug. 17, 2012, http://corpgov.law.harvard.edu/2012/08/17/principles-of-corporate-governance-2012/.
3. Elizabeth A. Harris, “Advisory Group Opposes Re-election of Most of Target’s Board,” The New York Times, May 28, 2014, http://www.nytimes.com/2014/05/29/business/advisory-group-opposes-re-election-of-most-of-targets-board.html?_r=0 (quoting ISS report).
4. COBIT is an acronym for Control Objectives for Information and Related Technology. Information on the COBIT 5 framework for the governance and management of enterprise IT is available at http://www.isaca.org/cobit/pages/default.aspx.
5. Board Briefing on IT Governance, IT Governance Institute, 2nd ed., 2014 at 10, http://www.isaca.org/restricted/Documents/26904_Board_Briefing_final.pdf.
6. Gartner, IT Glossary, “IT Governance,” http://www.gartner.com/it-glossary/it-governance.
7. The term “cybersecurity best practice” may be used interchangeably with “standard” in the cybersecurity context, as the standards embody best practices. The term “standard” is commonly used to refer to mandatory requirements. With respect to cybersecurity programs, however, there is no bright line between best practices and standards. Some standards, such as NERC-CIP and HIPAA, are mandatory for certain organizations, while other standards, such as ISO/IEC, are voluntary. Other standards, such as the Federal Information Processing Standards (FIPS) and NIST guidance (the 800 Special Publication series) are voluntary for some entities and mandatory for others.
8. Wikipedia, “BS 7799,” https://en.wikipedia.org/wiki/BS_7799.
9. International Organization for Standardization, Information Security, http://www.iso.org/iso/home/search.htm?qt=information+security&published=on&active_tab=standards&sort_by=rel.
10. Id.
11. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center, http://csrc.nist.gov/publications/PubsSPs.html.
12. Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, Version 1.0, Feb. 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
13. See, e.g., Kevin LaCroix, “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” Feb. 3, 2014, http://www.dandodiary.com/2014/02/articles/cyber-liability/target-directors-and-officers-hit-with-derivative-suits-based-on-data-breach/.
14. See, e.g., Jon Talotta, Michelle Kisloff, & Christopher Pickens, “Data Breaches Hit the Board Room: How to Address Claims Against Directors & Officers,” Hogan & Lovells, Chronicle of Data Protection, Jan. 23, 2015, http://www.hldataprotection.com/2015/01/articles/cybersecurity-data-breaches/data-breaches-hit-the-board-room/.
15. ISO/IEC 27014 (2013), Governance of Information Security, “Summary,” http://www.iso.org/iso/home/search.htm?qt=27014&sort=rel&type=simple&published=on.
16. Id. at 4.2, “Objectives.”
17. Id. at 4.4, “Relationship.”
18. Id. at 5.2, “Principles.”
19. Id. at 5.3, “Processes.” The full requirements of the standard should be reviewed prior to use by an organization; ISO 27014 is available at http://www.iso.org/iso/home/search.htm?qt=27014&sort=rel&type=simple&published=on.
20. Board Briefing on IT Governance, IT Governance Institute, 2nd ed., 2014, http://www.isaca.org/restricted/Documents/26904_Board_Briefing_final.pdf.
21. Jody R. Westby & Julia H. Allen, Governing for Enterprise Security Implementation Guide, Carnegie Mellon University, Software Engineering Institute, 2007, http://globalcyberrisk.com/wp-content/uploads/2012/08/Governing-for-Enterprise-Sec-Impl-Guide.pdf.
Institutional Shareholder Services Inc. – Patrick McGurn, ISS Special Counsel, and Martha Carter, ISS Global Head of Research

Investors’ perspectives on cyber risks: Implications for boards

Although pundits proclaimed 2014 as the “Year of the Data Breach” and a significant “no” vote at Target’s annual meeting put directors on notice that shareholders want to know about potential risks, few 2015 corporate disclosure documents provide evidence that boards increased transparency with respect to cyber oversight. Despite prodding from top regulators and investors’ calls for greater transparency, companies continue to fall short on disclosure in their key governance disclosure documents of cybersecurity risks and their board’s oversight of them. Equally concerning is the limited information regarding cyber risk oversight provided by boards at a handful of firms that were the targets of 2014’s most widely publicized breaches. Boards would benefit from an understanding of investors’ perspectives and adoption of best practices in disclosure on cyber risks.

Target’s breach led to boardroom backlash

Target’s high-profile data breach made headlines worldwide. Despite this, neither Target’s 2014 proxy statement nor the company’s initial annual meeting-related engagement materials discussed in a meaningful way the massive data theft or the board’s responses to it. As part of its research process leading up to the annual meeting, Institutional Shareholder Services (ISS) engaged with members of the Target board to learn more about the directors’ oversight of cyber risks before and after the breach. In the end, ISS opined in its 2014 annual meeting report on Target that the members of the board’s Audit and Corporate Responsibility committees had “failed to provide sufficient oversight of the risks facing the company that potentially led to the data
? 28
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
lack of sharp, downward stock movements
in the wake of disclosures of hacks or other
data breaches (or quick rebounds from such
price drops when they occur) with share-
holders’ apathy over cybersecurity prob-
lems. In a recent Harvard Business Review
article (Why Data Breaches Don’t Hurt Stock
Prices, March 31, 2015), cybersecurity strate-
gist Elena Kvochko and New York Times
Chief Technology Offcer Rajiv Pant dismiss
this easy explanation. They argue that muted
stock price reactions to data breaches refect
the absence of timely information and qual-
ity tools to price cyber risk: “Shareholders
still don’t have good metrics, tools, and
approaches to measure the impact of cyber
attacks on businesses and translate that into
a dollar value . . . The long and mid-term
effects of lost intellectual property, disclo-
sure of sensitive data, and loss of customer
confdence may result in loss of market
share, but these effects are diffcult to quan-
tify.” Faced with this information vacuum,
Kvochko and Pant note that “shareholders
only react to breach news when it has direct
impact on business operations, such as
litigation charges (for example, in the case of
Target) or results in immediate changes to a
company’s expected proftability.”
Indeed, stock prices may not tell the
whole story. Contrary to the conventional
wisdom, recent survey data show investors
understand the long-term risks stemming
from hacks and they may actually shy
away from investing in companies with
multiple breaches. A recent survey—
conducted by FTI Consulting on behalf of
consulting giant KPMG LLP—of more than
130 global institutional investors with an
estimated $3 trillion under management
found that cyber events may affect inves-
tors’ confdence in the board and demand
for the affected companies’ shares.
Investors opined that less than half of
boards of the companies that they currently
invest in have adequate skills to manage
rising cyberthreats. They also believe that
43 percent of board members have “unac-
ceptable skills and knowledge to manage
innovation and risk in the digital world.”
breach.” Accordingly, ISS recommended votes against the members of those two board oversight panels. ISS acknowledged the board’s actions in the wake of the breach but found that the committees “failed to appropriately implement a risk assessment structure that could have better prepared the company for a data breach.”

After investors’ concerns emerged before the meeting, the company engaged in a solicitation effort to defend the board’s response to the breach. When the votes were tallied, none of the members of Target’s audit and governance panels received support from more than 81 percent of the votes cast. Target lead director James A. Johnson received the lowest support—62.9 percent of the votes cast. According to ISS’ Voting Analytics database of institutional investors’ voting records, governance professionals at funds connected to nearly half of Target’s top 10 largest investors cast votes against one or more of the company’s directors.

In the direct wake of the 2014 data breach issues and the dearth of proxy-related disclosure on those matters, SEC Commissioner Luis A. Aguilar fired a shot across the bow of boards that lack disclosure. In a June 10, 2014, speech (“Boards of Directors, Corporate Governance and Cyber Risks: Sharpening the Focus”) delivered at a New York Stock Exchange (NYSE)–hosted cybersecurity conference, Aguilar said, “Board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.” Noting the wide damage crater caused by cyber events, Aguilar noted that the boardroom plan should include “whether, and how, the cyber-attack will need to be disclosed internally and externally (both to customers and to investors).”
Shareholders care about breaches

Are shareholders apathetic about data breaches? Some media reports equate the
29
INVESTORS’ PERSPECTIVES ON CYBER RISKS: IMPLICATIONS FOR BOARDS
ISS policy respondents indicate a disclosure framework

What level of detail do investors expect to see about these issues in disclosures regarding cyberthreats? In 2014, as part of ISS’ 2015 policy-formulation process, we asked institutional investors to weigh the factors they assess in reviewing boardroom oversight of risk, including cyberthreats. A majority of the shareholder respondents indicated that the following are all either “very” or “somewhat” important to their voting decisions on individual director elections:

• role of the company’s relevant risk oversight committee(s)
• the board’s risk oversight policies and procedures
• directors’ oversight actions prior to and subsequent to the incident(s)
• changes in senior management.

Notably, shareholders do not appear to be looking for scapegoats. Disclosures about boardroom oversight action subsequent to an incident drew more demand than firings. An eye-popping 85 percent of the respondents cited such crisis management and “lessons learned” disclosures as “very important.” In contrast, only 46 percent of the shareholders indicated that changes in senior management are “very important” to them when it came time to vote on director oversight.
2015 disclosures provide few insights

Despite prodding by the SEC and numerous indications from investors, many boards continue to lack disclosure of cyberthreats in their flagship documents—the proxy statement and the 10-K. Only a handful of the companies that drew widespread coverage of their data breaches during 2014 mention the events in their proxy statements, and many cite materiality concerns to avoid discussing the data breaches in detail in their 10-Ks.

In sharp contrast to the absence of information in Target’s 2014 proxy statement,
More ominously for boards, four of five investor respondents (79 percent) suggested that they may blacklist stocks of hacked firms. As for a remedy, 86 percent of the surveyed investors told KPMG and FTI that they want to see increases in the time boards spend on addressing cyber risk.
Investors raise the bar for disclosure

Insights on the gap between investors’ expectations and boardroom practices were gleaned from PwC’s juxtaposition of two surveys that it conducted in the summer of 2014, one of 863 directors in PwC’s 2014 Annual Corporate Directors Survey, and the other of institutional investors with more than $11 trillion in aggregate assets under management in PwC’s 2014 Investor Survey.

• Nearly three quarters (74 percent) of investors told PwC that they believe it is important for directors to discuss their company’s crisis response plan in the event of a major security breach. Only about half of directors (52 percent) reported having such discussions.
• Roughly three out of four (74 percent) investors urged boards to boost cyber risk disclosures in response to the SEC’s guidance, but only 38 percent of directors reported discussing the topic.
• Similarly, 68 percent of investors believe it is important for directors to discuss engaging an outside cybersecurity expert, but only 42 percent of directors had done so.
• Fifty-five percent of investors said it was important for boards to consider designating a chief information security officer, if their companies did not have one in place. Only half as many directors (26 percent) reported that such a personnel move had been discussed in the boardroom.
• Finally, 45 percent of investors believe it is important for directors to discuss the National Institute of Standards and Technology (NIST)/Department of Homeland Security cybersecurity framework, but only 21 percent of directors reported their boards had done so.
30
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
and management process to the full Board.”

Next, the Home Depot disclosure provides some color on the board’s risk oversight policies and procedures:

For a number of years, IT and data security risks have been included in the risks reviewed on a quarterly basis by the ERC and the Audit Committee and in the annual report to the Board on risk assessment and management. In the last few years, the Audit Committee and/or the full Board have also regularly received detailed reports on IT and data security matters from senior members of our IT and internal audit departments. These reports were given at every quarterly Audit Committee meeting in fiscal 2014, including an additional half-day Audit Committee session devoted exclusively to these matters that was held prior to the discovery of the Data Breach. The topics covered by these reports included risk management strategies, consumer data security, the Company’s ongoing risk mitigation activities, and cyber security strategy and governance structure. . . .

To further support our IT and data security efforts, in 2013 the Company enhanced and expanded the Incident Response Team (“IRT”) formed several years earlier. The IRT is charged with developing action plans for and responding rapidly to data security situations. . . . The IRT provided daily updates to the Company’s senior leadership team, who in turn periodically apprised the Lead Director, the Audit Committee and the full Board, as necessary.

The Home Depot board also highlights its cyber-risk oversight actions prior to the incident:

Under the Board’s and the Audit Committee’s leadership and oversight, the Company had taken significant steps
however, another big box retailer provided investors with a window into the board’s role in cyber risk oversight in its 2015 proxy materials. Home Depot addressed its 2014 data breach, which affected up to 56 million customers who shopped at the company’s stores between April 2014 and September 2014, with a concise (roughly 1000-word) explanation of the steps taken by the board before and after the company’s breach.

The proxy statement disclosures include a brief summary of the depth and duration of the breach, an explanation of the board’s delegation of oversight responsibility to the audit committee, and an outline of remedial steps that the board took in response to the event.

Notably, Home Depot’s disclosures generally align with all the pillars identified by investors in their responses to the ISS policy survey:

First, Home Depot’s board details the delegation of risk oversight to the audit committee and describes the directors’ relationship with the company’s internal audit and compliance team:

The Audit Committee . . . has primary responsibility for overseeing risks related to information technology and data privacy and security. . . . The Audit Committee stays apprised of significant actual and potential risks faced by the Company in part through review of quarterly reports from our Enterprise Risk Council (the “ERC”). The quarterly ERC reports not only identify the risks faced by the Company, but also identify whether primary oversight of each risk resides with a particular Board committee or the full Board . . . The chair of the ERC, who is also our Vice President of Internal Audit and Corporate Compliance, reports the ERC’s risk analyses to senior management regularly and attends each Audit Committee meeting. The chair of the ERC also provides a detailed annual report regarding the Company’s risk assessment
Privacy Governance Committee, to provide further enterprise-wide oversight and governance over data security. This committee reports quarterly to the Audit Committee.
• We are in the process of further augmenting our IT security team, including by adding an officer level Chief Information Security Officer and hiring additional associates focused on IT and data security.
• We are reviewing and enhancing all of our training relating to privacy and data security, and we intend to provide additional annual data security training for all of our associates before the end of Fiscal 2015.
• Our Board, the Audit Committee, and a special committee of the Board have received regular updates regarding the Data Breach. In addition to the IT and data security initiatives described above, the Board, supported by the work of its Audit and Finance Committees, has reviewed and authorized the expenditures associated with a series of capital intensive projects designed to further harden our IT security environment against evolving data security threats.

Boards would benefit from engagement and disclosure

Although the good news is that cybersecurity has seemingly come to the forefront for many directors, the bad news is that shareholders are not yet getting the transparency they need to assess the quality of boardroom oversight. The significant “no” vote against the Target board at its 2014 annual meeting, coupled with survey data, show that shareholders are far from apathetic when it comes to assessing cyber risk oversight.

Target’s lessons learned

In the wake of its challenging 2014 annual meeting, Target hosted calls or held meetings with shareholders representing approximately 41% of shares voted. The majority of
to address evolving privacy and cyber security risks before we became aware of the Data Breach:
• Prior to the Data Breach and in part in reaction to breaches experienced by other companies, we augmented our existing security activities by launching a multi-work stream effort to review and further harden our IT and data security processes and systems. This effort included working extensively with third-party experts and security firms and has been subsequently modified and enhanced based on our learnings from the Data Breach experience.
• In January 2014, as part of the efforts described above, we began a major payment security project to provide enhanced encryption of payment card data at the point of sale in all of our U.S. stores. . . . Upon discovery of the Data Breach, we accelerated completion of the project to September 2014, offering significant new protection for customers. The new security protection takes raw payment card information and scrambles it to make it unreadable to unauthorized users. . . .
• We are rolling out EMV “chip-and-PIN” technology in our U.S. stores, which adds extra layers of payment card protection for customers who use EMV chip-and-PIN enabled cards. . . .

Finally, the Home Depot board discusses the boardroom oversight actions taken subsequent to the incident including changes in senior management:

Following discovery of the Data Breach, in addition to continuing the efforts described above, the Company and the Board took a number of additional actions:
• We formed an internal executive committee, the Data Security and
these conversations were led by Director Anne Mulcahy. In light of this feedback and with the assistance of a third-party strategy and risk management and regulatory compliance consultant, the board “embarked on a comprehensive review” of risk oversight at the management, board, and committee levels. As a result of this comprehensive review, in January 2015, the Target board “clarified and enhanced” its practices to provide more transparency about how risk oversight is exercised at the board and committee levels. As part of this revamp, the board reallocated and clarified risk oversight responsibilities among the committees, most notably by elevating the risk oversight role of the corporate risk & responsibility committee (formerly known as the corporate responsibility committee).

Examples such as Home Depot and the Target board’s 2015 disclosures provide more transparency on risk oversight and are a good framework for other boards to follow. Boards would be wise to raise their games by disclosing more details of their board oversight efforts and engaging with investors when cyber incidents occur, or they may run the risk of a loss of investor confidence.
Elena Kvochko, Author, Towards the Quantification of Cyber Threats report; and Danil Kerimi, Director, Center for Global Industries, World Economic Forum

Toward cyber risks measurement
As most companies in the U.S. already use some form of cloud-based solutions, the digital footprint of enterprises is growing, and so are the risks. Technological solutions have always focused on convenience, transparency, and an ever-increasing ability to share information and collaborate, while built-in security hasn’t been a priority until recently. Now enterprises are shifting away from this model. Growing privacy and security concerns affect customer perception. According to Deloitte, 80% of customers are aware of recent cyber breaches, and 50% of them are ready to switch brands if they feel their information may be compromised. Experian reported that now cyber breaches are as devastating for the reputation of organizations as environmental disasters and poor customer service.

Most executives recognize that cyber risks are no longer on the horizon but are an imminent cost of doing business. Companies are actively looking for effective mitigation actions. Recent surveys show that cybersecurity is already part of the agenda of 80% of corporate boards (up from around 30% 4 years ago). Companies are adjusting their enterprise risk management frameworks and including cyber risks and accompanying controls as part of the necessary risk management actions. Traditional controls introduced for in-house infrastructure no longer work, as more and more operations are performed in the cloud. Just as in any healthy ecosystem, these environments present great opportunities for stakeholders to interact with each other and with the content, but they also carry inherent risks.

Risk mitigation approaches and technologies lag behind the sophistication of the threat. In fact, our earlier research with the World Economic Forum and McKinsey showed that 90% of executives feel they only
financial services industry and describes the risk appetite and potential losses for a portfolio that an institution will incur over a defined period of time and is expressed in a probability to insure the loss.

In the cyber value-at-risk, we introduced three major pillars, according to which companies can model their risk exposure: existing vulnerabilities, value of the assets, and profile of an attacker. A complete cyber value-at-risk allows us to answer the question: “Given a successful cyberattack, a company will lose not more than X amount of money over period of time with 95% accuracy.” The application of these models will depend on particular industries, companies, and available data and should be built for an organization. We discussed specific indicators that can potentially be used to populate the model. Mathematically, these components can be brought together and used to build a stochastic model. For example, vulnerabilities can be measured in the number of existing unpatched vulnerabilities, not up-to-date software, number of successful compromises, or results of internal and external audits. They can be benchmarked against the maturity of existing controls and security of networks, applications, data, etc. The maturity of defending systems has to be benchmarked against the threat environment, hence the profile of an attacker component becomes important. In this model, it would be important to look into their motivations (e.g., financial gain, destruction of assets, espionage), the tools they are using, and the innovative approaches. Because cyber breaches are criminal activity, nontechnical factors, such as behavioral motivations, are to be considered. The component of the value of assets of many organizations is difficult to establish. This includes tangible assets, such as financial flows, infrastructure, and products, and intangible assets, primarily data assets (customer and employee data, business strategies, intellectual property), brand, reputation, and trust of stakeholders. Although the cost of business interruption can be quantified more easily, the impact on intangible assets is still subject to approximation. The
have “nascent” and “developing” capabilities to combat cyberthreats. In this situation when cyber breaches have become an inevitable reality of doing business, executives ask themselves, “What does it mean for my business, how probable is it that a devastating breach will happen to us, and how much could it cost us?” Still, very few organizations have developed ways to assess their cyber risk exposure and to quantify it.

In this chapter, we discuss the cyber value-at-risk framework introduced by the Partnering for Cyber Resilience initiative of the World Economic Forum and released at the Annual Summit in Davos in 2015. More than 50 organizations, including Wipro, Deloitte (project advisor), and Aon, have contributed to this effort. The framework laid the foundations for modeling cyber risks and encouraged organizations to take a quantitative approach toward assessing their cyber risks exposure, which could also help make appropriate investment decisions.

We were delighted to see many spin-off projects and initiatives that were initiated as part of this work and hope they will contribute to better risk management tools. Our research showed that the aggregate impact of cybercrime on the global economy can amount to $3 trillion in terms of slow down in digitization and growth and result in the slower adoption of innovation. Multiple other studies showed significant negative impact of cyber breaches. CSIS established that the annual cost of economic espionage reaches $445 billion. Target's breach cost the company more than $140 million, a large portion of which went to cover litigation costs. Interestingly, however, Aon research shows that more than 80% of breaches cost the companies less than $1 million.

Value-at-risk

How can companies define their risk exposure and the level of investments, as well as priority areas for these investments? To answer this question, we turned to the value-at-risk concept. The concept goes back to the
breach probability distribution”); hacker model (mapping out motivations of adversaries in relation to the organization); attack model (attack types and characteristics); asset and loss model (potential loss given a successful attack); security model (describing organizations’ security posture), and company model (modeling organizations’ attractiveness as a target). Cyberpoint’s Cy-var model looks at “time-dependent valuation of assets” while taking into account an organization’s security posture and includes variables such as the values of intellectual property assets, IT security controls in place to protect those assets and other related risks, infrastructure risks, a time horizon, and a probability of an attack.

At the same time, all stakeholders came to agreement that quantifying risks is a challenging task. In a workshop organized together with Deloitte, the World Economic Forum Partnering for Cyber Resilience members defined the attributes of an ideal model of cyber risks quantification: applicability across various industries; ease of interpretation by experts and executives alike; association with real data and measurable security events; scalability across organizations or even across the industry; at the same time, not relying on data that are currently absent within most organizations.

Although the cyber value-at-risk framework doesn’t specify how to calculate the final number, it presents core components and gives examples of how these components can be quantified. This complete model, however, could be characterized by general applicability across various industries. For it to be effective, it has to be validated by the industry stakeholders. Cyber value-at-risk aimed to bring together “technical, behavioral and economic factors from both internal (enterprise) and external (systemic) perspectives.” As a next step, it would be important to understand dependencies between various components in the framework and ways to incorporate these models into existing enterprise risk frameworks. It is important to remember that organizations should be wary of new emerging risks and
impact of losing these assets can be unnoticed in the short term but may hurt long-term profitability and market leadership of an organization.

The cyber value-at-risk model has a number of limitations, including availability of data, difficulties in calculating probabilities, and applicability across various industries, but it presents a first step and incentives for organizations to move toward quantitative risk management. By publishing the model, we aimed to encourage more industry stakeholders to develop comprehensive quantitative approaches to cyber risks measurement and management. For further examples and information, please refer to Wipro’s use of cyber value-at-risk for its clients, Deloitte’s continuous development of cyber value-at-risk, Rod Becktom’s cybervar model, and CXOWare’s Cyber Risk application model. The Institute of Risk Management (IRM) announced that it will release a cyber risk quantification framework to help companies assess their cyber risks exposure. The call to action from the Partnering for Cyber Resilience effort was to develop a unified framework that can be used by industries to reduce uncertainty around cyber risks implications on businesses in the absence of dominant models and frameworks. Aon has defined important ways in which quantification of cyberthreats can lead to better business decisions. First, as the conversation has shifted from technology and information security departments to boardrooms, the question of costs and risks becomes ever more prevalent. It helps show the scale and the impact that cyberthreats can have on financial targets and overall competitiveness of organizations; helps define and narrow down the investments required to mitigate those threats; makes it easy to paint compelling pictures, build scenarios, and make business cases; and helps make a determination whether any parts of the risk can be transferred. Deloitte has put together a comprehensive model for a modular approach to cyber risk measurement introducing the following components: probability model (“attractiveness and resilience determine
consider cyber risks in addition to broader technology or operational risks.

Overall, the goal was to help raise awareness of cyber risks as a standing and regular cost of doing business and help find a way to measure and mitigate those risks. This can be done through standardization of various risk factors and indicators into a normal distribution.

The components that we looked at in this chapter help bring together various risk factors via “measures of risk likelihood and impact.” To achieve a more granular level of sophistication, quantification and standardization metrics must mature. Some of the main cited obstacles are availability of data to build models, lack of standardized metrics and tools, lack of visibility within the enterprise, and inability to collect data and dubbed models internally. The variables and components of the model can be brought together into a stochastic model, which will show the maximum loss given a certain probability over a given period of time. It was discussed that close to real-time sharing of data between organizations could address some of the main challenges of datasets' availability and provide enough data to build models.
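The three pillars and the stochastic model described in this chapter, wired together as a seeded Monte Carlo simulation that reports the loss not exceeded in 95% of simulated periods. This is an added illustration, not code from the World Economic Forum report or the chapter's authors; the attack rate, success probability and loss parameters are constructed placeholders, not calibrated figures.

```python
"""Monte Carlo cyber value-at-risk (cyber VaR).

Added illustration, not code from the World Economic Forum report or the
chapter's authors. It wires the three pillars the chapter names into one
stochastic model:
  - existing vulnerabilities -> probability that an attack attempt succeeds
  - profile of an attacker   -> expected number of attempts in the period
  - value of the assets      -> loss severity of one successful attack
and answers the chapter's question: "losses over the period will not exceed
X with 95% confidence". Every parameter value below is constructed for the
example; nothing here is calibrated to a real organization.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberVarInputs:
    attempts_per_year: float  # attacker profile: expected attack attempts per year
    p_success: float          # vulnerabilities/controls: P(an attempt succeeds)
    loss_median: float        # asset value: median loss of one successful attack
    loss_sigma: float         # spread of the loss (lognormal sigma; 0 = fixed loss)
    horizon_years: float = 1.0


def _poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson count (Knuth's method; adequate for the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_period_losses(inp: CyberVarInputs, n_sims: int = 20_000, seed: int = 1) -> list[float]:
    """One simulated period = a Poisson number of successful attacks, each with a
    lognormal loss. Returns the total loss of every simulated period."""
    rng = random.Random(seed)
    expected_successes = inp.attempts_per_year * inp.p_success * inp.horizon_years
    mu = math.log(inp.loss_median)
    totals = []
    for _ in range(n_sims):
        n_success = _poisson(rng, expected_successes)
        totals.append(sum(rng.lognormvariate(mu, inp.loss_sigma) for _ in range(n_success)))
    return totals


def value_at_risk(losses: list[float], confidence: float = 0.95) -> float:
    """Empirical VaR: the loss that is not exceeded in `confidence` of the simulated periods."""
    ordered = sorted(losses)
    rank = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(0, min(rank, len(ordered) - 1))]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """P(period loss > threshold), e.g. the chance of exhausting a cyber insurance limit."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def cyber_var_report(inp: CyberVarInputs, budget: float, n_sims: int = 20_000, seed: int = 1) -> dict:
    """Summary a board could read: expected loss, median, 95% VaR and P(loss > budget)."""
    losses = simulate_period_losses(inp, n_sims, seed)
    return {
        "expected_loss": sum(losses) / len(losses),
        "var_50": value_at_risk(losses, 0.50),
        "var_95": value_at_risk(losses, 0.95),
        "p_loss_exceeds_budget": exceedance_probability(losses, budget),
    }


if __name__ == "__main__":
    # Constructed scenario, one-year horizon: the same attacker profile and assets,
    # but the "hardened" case assumes controls maturity cuts the success rate.
    baseline = CyberVarInputs(attempts_per_year=12, p_success=0.25, loss_median=500_000, loss_sigma=1.0)
    hardened = CyberVarInputs(attempts_per_year=12, p_success=0.05, loss_median=500_000, loss_sigma=1.0)
    for name, inp in (("baseline", baseline), ("hardened", hardened)):
        r = cyber_var_report(inp, budget=2_000_000)
        print(f"{name}: 95% VaR = ${r['var_95']:,.0f}; expected loss = ${r['expected_loss']:,.0f}; "
              f"P(loss > $2M) = {r['p_loss_exceeds_budget']:.2%}")
```

The difference between the two reports is the quantity the chapter says boards should see: how much a control investment moves the tail loss, not just the average.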
Although a silver bullet to achieve cyber resilience doesn’t exist, organizations consider comprehensive frameworks for quantifying and mitigating risk factors, including cyber risks. Following this model, companies will assess their assets and existing controls, quantify vulnerabilities, and know their attackers and threats. The most significant challenge so far is the absence of input variables, quality of existing datasets and, following these, no standardized measures to assess cyber risk exposures. Building such a model would require efforts in data classification, encourage strong organization leadership, process improvement and collaboration, as well as improve decision making across various business areas. For example, the car industry, mortgage industry, or most insurances have agreed on standardized metrics and data collection; the same should happen for cyber risks measurement. Understanding dependencies between these variables and what they mean for various industries should be a subject for cross-industry collaboration so that input variables are unified. The main benefits of this approach are seen in the ability to support decision-making processes, quantify the damage at a more granular level, and define appropriate investments. This would help stimulate the development of risk transfer markets and emergence of secondary risk transfer products to mitigate and distribute the risks. For organizations, the focus will shift from an attacker to assets and how to secure them in such a distributed digital ecosystem, where everything is vulnerable. As more robust quantitative cyber risks models emerge and the industries are moving toward a standardized recognizable model, the confidence of digital ecosystems stakeholders and their ability to make effective decisions will also rise.

Based on Towards the Quantification of Cyber Threats report.
Internet Security Alliance – Larry Clinton, CEO

The evolving cyberthreat and an architecture for addressing it
According to the Pentagon’s 2015 Annual Report, “The military’s computer networks can be compromised by low to meddling skilled attacks. Military systems do not have a sufficiently robust security posture to repel sustained attacks. The development of advanced cyber techniques makes it likely that a determined adversary can acquire a foothold in most DOD systems and be in a position to degrade DOD missions when and if they choose.” If the cyber systems of the world’s most sophisticated and best funded armed forces can be compromised by “low to meddling skilled attacks,” how safe can we expect discount retailers, movie studios, or any other corporate or public systems to be?

That is not even the bad news.

Things are getting much worse: Three reasons

1. The system is getting weaker.

The bad news is that the cyber systems that have become the underpinning of virtually all aspects of life in the digital age are becoming increasingly less secure. There are multiple reasons for this distressing trend. First, the system is getting technologically weaker. Virtually no one writes code or develops “apps” from scratch. We are still relying on many of the core protocols designed in the 1970s and 80s. These protocols were designed to be “open,” not secure. Now the attacking community is going back through these core elements of the Internet and discovering still new vulnerabilities. So as new functionalities come online, their own vulnerabilities are simply added to the existing and expanding vulnerabilities they are built upon. The reality is that the fabric of the Internet is riddled with holes, and as we continue to stretch that fabric, it is becoming increasingly less secure.

Additionally, vulnerabilities in many open source codes, widely in use for years, are becoming increasingly apparent and being exploited by modern “zero-day”
new access points to large amounts of data resulting from the explosion in the number of mobile devices vastly increases the challenges to securing cyberspace.

However, the rise in use of mobile devices pales in comparison to the coming Internet of Things (IoT). The IoT, embedded computing devices with Internet connections, embraces a wide range of devices, including home security systems, cars, smart TVs, and security cameras. Like the bring-your-own-device (BYOD) phenomenon, the coming of the IoT further undermines the overall security of the system by dramatically increasing the vectors, making every new employee’s internet-connected device, upon upgrade, a potential threat vector.

2. The bad guys are getting better.

Just after the turn of the century, the NSA coined a new term, the “APT,” which stood for the advanced persistent threat. The APT referred to ultrasophisticated cyberattack methods being practiced by advanced nation-state actors. These attacks were characterized by their targeted nature, often focused on specific people instead of networks, their continued and evolving nature, and their clever social engineering tactics. These were not “hackers” and “script kiddies.” These were pros for whom cyberattacks were their day job.

They were also characterized by their ability to compromise virtually any target they selected. APTs routinely compromised all anti-virus, intrusion detection, and best practices. They made perimeter defense obsolete.

Now these same attack methods, once practiced only by sophisticated nation-states, are widely in use by common criminals. Whereas a few years ago these attacks were confined to nations and the Defense Industrial Complex, they now permeate virtually all economic sectors.

The APT now stands for the average persistent threat.

The increasing professionalism and sophistication of the attack community is fueled by the enormous profits cyberattacks
attacks, and the patching system we have relied on to remediate the system can’t keep pace. Huge vulnerabilities such as Heartbleed and Shellshock have existed within open source code for years only to be revealed recently when scrutinized by fresh eyes.

Within hours of the Heartbleed vulnerability becoming public in 2014, there was a surge of attackers stepping up to exploit it. The attackers exploiting the vulnerability were much faster than the vendors could patch it. This is a growing trend. In 2014 it took 204 days, 22 days, and 52 days to patch the top three zero-day vulnerabilities. In 2013 it took only four days for patches to arrive. Even more disturbing is that the top five zero-day attacks in 2014 were actively used for a combined 295 days before patches were available.

Moreover, because almost no one builds from scratch anymore, the rate of adoption for open source programming as a core component of new software greatly exceeds the vetting process for many applications. As the code gets altered into new apps, the risks continue to multiply. In 2015 Symantec estimates there are now more than a million malicious apps in existence. In a fast-moving, early stage industry, developers have a strong incentive to offer new functionality and features, but data protection and privacy policies tend to be a lesser priority.

The risks created by the core of the system becoming intrinsically weaker are being further magnified by the explosion of access points to the system, many with little or no security built into their development. Some analysts are already asserting that there are more mobile devices than there are people on the earth. If that is not yet literally true, it will shortly be.

It is now common for individuals to have multiple mobile devices and use them interchangeably for work and leisure, often without substantial security settings. Although this certainly poses a risk of data being stolen directly from smartphones, the greater concern is that mobile devices are increasingly conduits to the cloud, which holds increasing amounts of valuable data. The number of
THE EVOLVING CYBERTHREAT AND AN ARCHITECTURE FOR ADDRESSING IT
are generating—routinely estimated in the hundreds of billions of dollars and growing. It is now apparent that attackers are not going to rely on reusing the same old methods. Instead, like any smart, successful, and growing enterprise, they are investing in R&D and personnel acquisition. They are seeking to grow their business, including finding new vulnerabilities in older infrastructures and thus widening the surface available for attack.

3. The economics of cybersecurity favor the attackers.

Cyberattacks are relatively cheap and easy to access. Virtually anyone can do an Internet search and find vendors selling attack methods for a comparatively small investment. The attacker's business plans are expansive, with extremely generous profit margins. Multiple reports suggest hundreds of billions of dollars in criminal cyber revenue each year. Attackers can use virtually identical attack methods against multiple targets. The vast interconnection of the system allows attackers to exploit weaker links that have been granted access to more attractive targets, and their "market" is accessible to them worldwide.

Meanwhile, cyber defense tends to be almost inherently a generation behind the attackers, as anticipating the method and point of attack is extremely difficult. From a business investment perspective it is hard to show return on investment (ROI) on attacks that are prevented, making adequate funding a challenge. Moreover, law enforcement is almost nonexistent—we successfully prosecute less than 2% of cyber criminals, so there is little to discourage the attackers from being bold. Furthermore, as we have already illustrated, consumers tend to prefer utility and function over security, which provides a disincentive for investors to enhance devices with added security that often slows or limits utility.

This little-understood imbalance of economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven corporate growth, innovation, and profitability also undermine cybersecurity. Technologies such as VOIP or cloud computing bring tremendous cost efficiencies but dramatically complicate security. Efficient, even necessary, business practices such as the use of long supply chains and BYOD are also economically attractive but extremely problematic from a security perspective.

Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the bargain. In addition, the fears and potential losses from cyber events tend to be speculative and future oriented, whereas most corporate leaders (as well as the citizen investors who have their 401(k)s tied up in the stock market) tend to make their decisions with an eye toward the next quarter or two.

The national security equation

Finally, from the national security perspective, Internet economics are also complicated. This economic puzzle is important to solve because multiple independent studies indicate that the number one problem with securing critical infrastructure from cyberattack is economic. As the 2014 National Infrastructure Protection Plan makes clear, the public and private sectors have aligned, but not identical, perspectives on cybersecurity based on their differing, and legally mandated, roles and obligations.

The private sector is legally required to invest to maximize shareholder value. Although shareholder value is enhanced to some degree by security investment, security is generally considered a cost center in the corporate world. As with most corporate investments, security is a matter of cost benefit for the private sector. What this translates to is that the private sector may legitimately judge that there is a level of security that goes beyond their commercial interest and hence their legally mandated obligation to their shareholders. An example is the common case of pilfering in many retail stores, wherein the owner may be aware
INTRODUCTIONS — THE CYBERTHREAT IN THE DIGITAL AGE
that 5% of his inventory is "walking out the back door" every month. The reason he doesn't hire more guards or put up more cameras or other security measures is that the cost benefit presumably suggests it will cost him 6% to do so, and hence the better business decision is to tolerate this level of insecurity.

Government doesn't have that luxury. The government is charged with providing for the common defense. Surely, it has economic considerations with respect to security; however, it is also mandated to a higher level of security, largely irrespective of cost, to provide for national security, consumer protection, privacy, and other noneconomic considerations.

In the Internet space, government and industry are using the same networks. This means the two users of the systems have differing security requirements—both legitimate and backed by lawful authority. Moreover, requiring greater cybersecurity spending, beyond commercial interest, as suggested by some, could run afoul of other government interests such as promoting innovation, competitiveness, and job growth in a world economy (presumably not following U.S.-based requirements).

Finally, the presumption that requiring increased security spending by commercial entities up to the government risk tolerance is in the corporate self-interest is complicated by the data that have emerged after highly publicized cyber breaches. One year after the Target breach, which would presumably damage the company's image, profitability, and reputation, Target's stock price was up 22%, suggesting such predictions were incorrect. Similarly, 6 months after the high-profile cyberattacks on Sony (the second high-profile cyberattack on Sony in a few years), Sony's stock price was up 26%.

Some good news: Enlightened policy working in partnership

Traditional regulatory efforts fail

In 2012 President Obama offered a legislative proposal to Congress suggesting that the Department of Homeland Security (DHS) be given authority to set minimum standards for cybersecurity over the private sector. Subsequently two bills were offered in the Senate, one by the Chairman of the Senate Commerce Committee, Senator Jay Rockefeller (D-WV), with Senator Olympia Snowe (R-ME), and separately by Senate Homeland Security Chairman Joe Lieberman (D-CN) and Senator Susan Collins (R-ME). Both bills largely followed the Obama paradigm of DHS setting regulatory mandates for the private sector, with substantial penalties available for noncompliance.

Despite strong backing from Senate Majority Leader Harry Reid and much of the military establishment, the bills could not get out of committee. Even though Reid exercised his parliamentary power to control the Senate agenda, there was not enough support to even get the bills to the floor for consideration, let alone a vote.

There was certainly industry opposition to these bills, but what killed them was the bipartisan realization that the traditional regulatory model was an ill fit for cybersecurity. Government agencies' ability to craft regulations that could keep up with cyberthreats was highly questionable. Early efforts to apply traditional regulation to cyberspace, such as HIPAA in the health-care industry, had not generated success. Indeed, health care is widely considered one of the least cyber secure of all critical infrastructures. However, with cyber systems becoming increasingly ubiquitous and insecure, threatening economic development and national security, there was an obvious need for an affirmative and effective approach. The nonregulatory, collaborative model selected largely followed the "social contract" paradigm previously promoted by industry and government analysts.

The social contract approach

In 2013 President Obama reversed course 180 degrees. In an executive order on cybersecurity the president abandoned the government-centric regulatory approach
embodied in his previous legislative proposals and the Senate bills. Instead, he suggested a public-private partnership—a social contract—that would address the technical as well as economic issues that are precluding the development of a cyber system that can become sustainably secure. In this new partnership, industry and government would work together to identify a framework of standards and practices worthy of industry, based on cyber risk assessments conducted by the companies. The president ordered that the framework be voluntary, prioritized, and cost effective. If there were an economic gap between what ought to be done and what would be accomplished through normal market mechanisms, a set of market incentives would be developed to promote voluntary adoption of the framework. Although industry that operates under regulatory systems would remain subject to regulatory authority, no new regulatory authority for cybersecurity would be part of the system. Instead, a partnership system based on voluntary use of consensus standards and practices and reinforced through market incentives would be built.

The cyber social contract model has substantial precedent in the history of infrastructure development in the United States. In the early twentieth century the innovative technologies were telephony and electricity transport. Initially the private companies that provided these technologies, because of natural economies, served primarily high-density and affluent markets. Policy makers of the era quickly realized that there was a broader social good that would be served by having universal availability of these services, but also realized that building out that infrastructure would be costly and uneconomic for either industry or government.

Instead of government taking over the process or mandating that industry make uneconomic investments, the policy makers designed a modern social contract with industry. If industry would build out the networks and provide universal electric and telephone service at affordable rates, government would guarantee the investment private industry would make in building and providing the service. This agreement ensured enough funds to build, maintain, and upgrade the system plus make a reasonable rate of return on the investment. Thus were born the privately owned public utilities and the rate of return regulation system.

The result was that the U.S. quickly built out the electric and communications systems for the expanding nation, which were generally considered the best in the world. Some have argued this decision was foundational to the U.S.'s rapid expansion and development, which turned it from a relatively minor power in the early part of the twentieth century to the world's dominant superpower less than a generation later.

Although the Obama social contract approach to cybersecurity has different terms than that of previous infrastructure development, the paradigm is similar. Similar modifications of the incentive model are also in use in other areas of the economy, such as environment, agriculture, and transportation, but this is the first application in the cybersecurity field.

Although it is in its formative stages, at this point early indications for the social contract approach are positive. The cybersecurity framework development process conducted by the National Institute of Standards and Technology (NIST) has been completed and received virtually unanimous praise. In an exceedingly rare development, the Obama approach to cybersecurity closely tracks with that outlined by the House Republican Task Force on Cyber Security. Bipartisan bills using liability incentives, instead of government mandates, are moving through Congress, and additional incentive programs are under development.

Conclusion

The cybersecurity problem is extremely serious and becoming more so. An inherently insecure system is becoming weaker. The attack community is becoming more
sophisticated and enjoys massive economic incentives over the defender community. Traditional government methods to fight criminal activity have not matured to address the threat and may be inappropriate to meet the dynamic nature of this uniquely twenty-first century problem.

Fortunately, at least the U.S. government seems to have developed a consensus strategy to better leverage public and private resources to combat cyberthreats without excessively compromising other critical social needs. Although there are some initial signs of progress, the road to creating a sustainably secure cyber system will be long and difficult.
Former CIO of the U.S. Department of Energy – Robert F. Brese

Effective cyber risk management: An integrated approach

In its 2015 Data Breach Report, Verizon found that in 60% of the nearly 80,000 security incidents reviewed, including more than 2,000 confirmed data breaches, cyber attackers were able to compromise an organization within minutes. Alarmingly, only about one third of the compromises were discovered within days of their occurrence. This is not good news for C-suites and boardrooms. Data breaches, compromises in which data loss is unknown, denial of service attacks, destructive malware, and other types of cybersecurity incidents can lead to lost revenue, reputation damage, and even lawsuits, as well as short- and long-term liabilities affecting a company's future. Although "getting hacked" may seem, or even be, inevitable, the good news is that by taking an integrated approach to risk management, cybersecurity risk can be effectively managed.

But who is responsible for this integrated approach, and what does it include? Although often the case, managing cybersecurity risk should not be left solely to the chief information officer (CIO) and chief information security officer (CISO). Even though these professionals are capable, only an integrated information (i.e., data), information technology, and business approach will enable a company to effectively manage cybersecurity risk as a component of an organization's overarching enterprise risk program. There is also a movement for board-level involvement and reporting, resulting in a risk to board members' tenure if they are not considered to be sufficiently engaged in the oversight of cybersecurity risk management and incident response. As an example, in 2014, Institutional Shareholder Services (ISS) recommended that shareholders of Target stock vote against all seven of the directors who were on the board at the time of the highly publicized 2013 breach. Although somewhat shocking, it should be inherently obvious that effective
cybersecurity risk management is key to meeting the fiduciary responsibilities of corporate officers and the board.

To ensure success, managing cybersecurity risk must be an ongoing and iterative process, not a one-time, infrequent, or check-the-box activity. This area of risk management must grow with the company and change with ever-evolving cyber threats. Data holdings and information technology (IT) systems, and the Internet-connected environment in which they operate, change at a pace that is more rapid than many of the other variables affecting enterprise risk. Not only must the right stakeholders be engaged at the right levels within an organization, but also the right automated tools and processes must be in place to support risk decision making and monitoring.

Perfect security is a myth

As in physical security, there is no such thing as perfect IT (cyber) security. All the firewalls, encryption, passwords, and patches available cannot create a zone of absolute safety that enables a company to operate unimpeded and free of concern regarding the cybersecurity threat. However, perfect security is not required, or even desired. The effects of too little security are fairly obvious. However, too much security unnecessarily constricts the business' ability to operate by reducing the effectiveness and efficiency of a customer's access to the company's products and services and by unnecessarily constraining internal and business-to-business (B2B) interactions. Effective risk management finds the balance between the needs of the business to operate and the needs and cost of security. In finding this balance, the company will be able to compete successfully in its market while protecting the critical information and assets on which its success relies.

Enterprise risk management

Gartner, Inc., the world's leading IT research and advisory company, has found that cybersecurity risk management programs have experienced trouble in scaling with corporate initiatives in mobility, cloud, big data, and collaboration. They also predict that the digital industrial economy, and the Internet of Things (IoT), will result in even greater difficulty. However, attempting to scale cybersecurity risk management in isolation from an organization's enterprise risk program only exposes the organization to greater risk by creating a gap in risk oversight.

Nearly every company has established processes to manage enterprise risk. Larger companies often have a chief risk officer (CRO) or equivalent individual who is independent of the business units and is given the authority and responsibility to manage the enterprise risk processes. Incorporating cybersecurity into the mix of corporately managed risks should be a priority. Some may argue that cybersecurity is too different from the other risks a company faces, such as market risk, credit risk, currency risk, or physical security risk, to be managed in a similar manner. However, although cybersecurity may seem more "technical," the desired outcome of the treatment is the same, that is, to eliminate, mitigate, transfer, or accept risk affecting the company's future. One thing is certain: not all cybersecurity risk can be eliminated through controls or transferred through insurance, so residual risk must be accepted. Making good decisions requires an integrated, formal approach.

The cybersecurity risk management process

There are several key steps that should be taken to effectively integrate cybersecurity risk management into the company's enterprise risk management process. This chapter doesn't attempt to explain the details of any particular process but instead focuses on common attributes that should be used, including risk framing and assessment, controls assessment, risk decision-making, residual risk sign-off, risk monitoring, and accountability. Figure 1 provides a visual of the process. For additional details on approaches to cybersecurity risk management, the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC), international standards organizations, and other industry sources may be consulted.
[FIGURE 1. The cybersecurity risk management process. Steps shown: Risk Framing & Assessment; Controls Assessment; Risk Decision Making; Residual Risk Sign-off; Risk Monitoring; Accountability.]

Risk Framing and Assessment: The initial activities in risk management include risk framing and assessment and controls assessment. CIOs and CISOs have been assessing the risk to IT systems for many years and are well informed on the range of cybersecurity threats and vulnerabilities that affect corporate risk. However, the consequences (i.e., business impact) may or may not be well understood, depending on how close the relationship between IT and the line of business leaders has been in the past. The engagement between IT and the line of business owners is crucial and must result in clarity about the type and amount of risk the business is willing to accept with respect to the

• confidentiality (preventing unauthorized disclosure);
• integrity (preventing unauthorized modification or destruction); and
• availability (ensuring data and systems are operational when needed)

of the information and systems on which the business relies. Once IT understands the business owner's risk threshold, the CIO and CISO can begin planning, implementing, and assessing the appropriate security controls.

Controls Assessment: Preparing an appropriate response to risk requires the assessment of potential controls. Controls include all of the tools, tactics, and processes a company has to avoid, mitigate, share, transfer, or accept risk. This means that corporate structure, training and awareness programs, physical security, and other options should be considered in addition to traditional IT controls. Cyber insurance may also be considered. Again, the CIO and CISO cannot do this alone, and there should be active engagement across all the various business lines, business support, and IT organizations that can contribute to identifying potential controls and the impact they may have on cybersecurity risk.

Risk Decision Making: A crucial element of risk response is the decision-making process. Decisions are made regarding what will be done and what will not be done in response to each risk. A balance must be struck between protecting systems and information and the need to effectively run the business that relies on them. Other factors that should be considered include the amount of risk reduction relative to implementation and maintenance costs and the impacts on employee training and certification requirements.

An acceptable course of action is identified and agreed to by the business, and then controls are implemented and initially evaluated for effectiveness. If the controls perform acceptably, then the sign-off and monitoring processes can begin. If not, then a new course of action must be developed, which may require further controls assessment to respond to the risk or even additional framing and assessment to adjust the risk tolerance.
Residual Risk Sign-Off: The sign-off of residual risk closes the decision-making process. This should be the role of the business because it is the operational customer of the risk management process. Additionally, this should be a formal, documented activity. The decisions on how each risk will be treated and/or accepted must be articulated in a manner such that the signatory and reviewers (i.e., regulators, etc.) can clearly understand the risk treatment plan and the residual risk being accepted. Once the residual risk is formally accepted, the system is typically placed into operation. The formal recognition of the residual risk also helps build a culture of risk awareness in the business units.

Risk Monitoring: Monitoring risk is an ongoing process. Each monitoring activity is designed with a purpose, type, and frequency of monitoring. Typically, a risk register has been developed during the risk framing and assessment phase and is leveraged throughout all steps of the risk management process. The register also serves as a reference for auditors. The register should contain the risks that matter most and be routinely updated and reviewed with the business over time. If the likelihood or severity of consequences changes, or if other physical or IT environmental factors change, the treatment plan and/or the accepted level of residual risk may require revision. If so, the previous process steps should be revisited. The frequency of review should be in relation to the likelihood and severity of the risk. Because most companies have a large number of systems, each with its own risk register, an automated system is typically used to aid monitoring and review.

TABLE 1. Example RACI matrix for the cybersecurity risk management process

Process Step                  CIO   CISO   LOB   CRO   CEO   Board
Risk Framing and Assessment    A     R      C     C     C     C
Controls Assessment            A     R      C     I     I     I
Risk Decision-Making           C     R      A     C     I     I
Residual Risk Sign-Off         C     R      A     I     I     I
Risk Monitoring                A     R      C     C     I     I
Accountability                 R     C      C     A     C     C

(A = accountable, R = responsible, C = consulted, I = informed)

Insert: A responsibility assignment matrix (RAM), also known as a RACI matrix (pronounced /ˈreɪsi/) or ARCI matrix or linear responsibility chart (LRC), describes the participation by various roles in completing tasks or deliverables for a project or business process.

Accountability: Last and most important, we have to consider accountability. Accountability is not about who to blame when something goes wrong. As stated earlier, the likelihood of something going wrong is high. Accountability ensures a formal risk management process is followed and that effective decision-making is occurring. One person should be accountable for the risk management process; however, numerous individuals will be responsible or accountable for the various steps, and many more will be consulted and informed along the way. One option to ensure roles and responsibilities are clearly articulated
is by using a RACI matrix (see insert) to identify which person or organization is responsible, accountable, consulted, or informed. Table 1 provides an example but should be adjusted to align with the enterprise risk management and governance processes of the company.

Information supporting cybersecurity risk management

No risk management is a precise science, including cybersecurity risk management. Throughout the risk management process, the information required for success has to be "good enough" to recognize and understand risks to the level necessary to support effective decision-making. Although complex mathematical models may work to manage some risks the company faces, forcibly creating objectivity when little or none exists can actually result in poor or ineffective decisions by creating a focus on the numbers rather than on the meaning of the risk analysis. So, using big-bucket categories such as low, moderate, and high, or unlikely, likely, and very likely, may be adequate.

Stakeholder engagement

A key success factor in ensuring that fiduciary responsibilities are fulfilled in a company's cybersecurity risk management program is the right level of stakeholder engagement. Leaving the program to the CRO or the CIO alone should not be considered due diligence. Framing and assessing risk requires a clear understanding of corporate risk tolerance. The line of business lead should have the responsibility to sign off on the residual risk, but to make good risk decisions, the perspectives of other individuals and organizations in the company must be consulted and taken into consideration. Depending on the system(s) for which risk is being evaluated, some potential stakeholders include the CIO, CISO, chief financial officer (CFO), legal counsel, and other line of business owners and external partners with supporting or dependent relationships. If there is significant potential to affect the customer experience, there may be a need to conduct user acceptance testing or experience surveys as well.

Evaluating maturity of an organization's cybersecurity risk management program

Cybersecurity risk management programs aren't born effective and are not immediately prepared to scale with the business. Equally important as making effective risk management decisions and accepting residual risk is the continuous evaluation of the process itself. Numerous IT, cybersecurity, and business consultants, as well as trade associations, have published guidance, checklists, and suggested questions for board members. Although there are many ways for the C-suite and board to stay engaged, a company's cybersecurity risk management program must continuously mature to ensure future success. To understand a program's growing maturity, questions should be focused on evaluating improvements in how well risk is understood and treated, the effectiveness of business leader and general employee participation, how responsive the risk management process is to change, and the capability to effectively respond to an incident.

• How consistent is the understanding of the company's tolerance for cybersecurity risk across the C-suite and senior managers? How deep in the organization does this understanding go?
• How well do line of business owners understand the cybersecurity risks associated with their business? Are sound and effective risk management and acceptance decisions being made in a timely manner to meet business needs?
• How clearly are roles and responsibilities understood, and how well do role owners adhere to and fulfill their responsibilities? Do employees report cybersecurity issues, and are they incorporated into the risk monitoring process?
• When threats, vulnerabilities, or other conditions change, does the risk management process respond and, when necessary, make sustainable changes to the risk treatment plan?
• How effective is the cyber incident response plan? Is it regularly exercised, and are lessons learned from exercises and prior incidents leveraged to improve the plan?

Effective communications

Long-term effectiveness in cybersecurity risk management requires all employees to fulfill their responsibilities for the security of the organization for which they work. Creating a company culture of cybersecurity risk awareness is critical and is fostered through effective communications. Leadership must understand how risk is being measured across the enterprise, articulate what level is acceptable, and balance the cost they are willing to incur for this level of security. Employees must understand the basics of the various cybersecurity threats and vulnerabilities and the importance of their daily decisions and actions as they go about their business. Regular training and awareness activities are essential and can be similar to the "see something, say something" campaigns related to physical security. Additionally, employees must be empowered and rewarded for identifying cybersecurity issues.

Communications are also important to build strong relationships, not only through customer assurances but also with external partners and suppliers. Communicating cybersecurity requirements and expectations to business partners can improve risk decision-making as well as lead to cooperative approaches to mitigating risk. Cybersecurity risks also exist in the supply chain, and communicating cybersecurity requirements and vetting suppliers for certain critical components or services can effectively reduce risk. Had Target, Home Depot, and certain other high-profile cyberattack victims built stronger cybersecurity relationships with external partners, their risk of becoming a victim may have been reduced.

Conclusion

C-suites and boards should not fear cybersecurity. By integrating cybersecurity risk management into the enterprise risk management process and by effectively engaging IT and business executives, cybersecurity risk can be understood and managed. Building a risk-aware culture is important to ensuring the quality of the ongoing risk monitoring process. When cyberthreats and vulnerabilities are regularly evaluated, employees are empowered to report issues, and business executives are aware of potential impacts to their operations, the company's cybersecurity defenses become more agile and responsive and the overall risk remains under control. Finally, continuous evaluation of the risk management process, including its effectiveness and responsiveness to change and to incidents, is necessary to ensure effectiveness is sustained.
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Cyber risk and the board of directors

Orrick, Herrington & Sutcliffe LLP – Antony Kim, Partner; Aravind Swaminathan, Partner; and Daniel Dunne, Partner

The risks to boards of directors and board member obligations

As cyberattacks and data breaches continue to accelerate in number and frequency, boards of directors are focusing increasingly on the oversight and management of corporate cybersecurity risks. Directors are not the only ones. An array of federal and state enforcement agencies and regulators, most notably the Department of Justice (DOJ), Department of Homeland Security (DHS), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and state Attorneys General, among others, identify board involvement in enterprise-wide cybersecurity risk management as a crucial factor in companies’ ability to appropriately establish priorities, facilitate adequate resource allocation, and effectively respond to cyberthreats and incidents. As SEC Commissioner Luis A. Aguilar recently noted, “Boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”[1]

Indeed, even apart from the regulators, aggressive plaintiffs’ lawyers and activist shareholders are similarly demanding that boards be held accountable for cybersecurity. Shareholder derivative actions and activist investor campaigns to oust directors are becoming the norm in high-profile security breaches.

Directors have clearly gotten the message. A survey by the NYSE Governance Services (in partnership with a leading cybersecurity firm) found that cybersecurity is discussed at 80% of all board meetings. However, the same survey revealed that only 34% of boards are confident about their respective companies’ ability to defend themselves against a cyberattack. More troubling, a June 2015 study by the National Association of Corporate Directors found that only 11% of respondents believed their boards possessed a high level of understanding of the risks associated with cybersecurity.[2] This is a difficult position to be in: aware of the magnitude of the risks at hand but struggling
to understand and find solutions to address and mitigate them.

In this chapter, we explore the legal obligations of boards of directors, the risks that boards face in the current cybersecurity landscape, and strategies that boards may consider in mitigating that risk to strengthen the corporation and their standing as dutiful directors.

I. Obligations of Board Members

The term “cybersecurity” generally refers to the technical, physical, administrative, and organizational safeguards that a corporation implements to protect, among other things, “personal information,”[3] trade secrets and other intellectual property, the network and associated assets, or as applicable, “critical infrastructure.”[4] This definition alone should leave no doubt that a board of directors’ role in protecting the corporation’s “crown jewels” is essential to maximizing the interests of the corporation’s shareholders.

Generally, directors owe their corporation fiduciary duties of good faith, care, and loyalty, as well as a duty to avoid corporate waste.[3] The specific contours of these duties are controlled by the laws of the state in which the company is incorporated, but the basic principles apply broadly across most jurisdictions (with Delaware corporations law often leading the way). More specifically, directors are obligated to discharge their duties in good faith, with the care an ordinarily prudent person would exercise in the conduct of his or her own business under similar circumstances, and in a manner that the director reasonably believes to be in the best interests of the corporation. To encourage individuals to serve as directors and to free corporate decision making from judicial second-guessing, courts apply the “business judgment rule.” In short, courts presume that directors have acted in good faith and with reasonable care after obtaining all material information, unless proved otherwise; a powerful presumption that is difficult for plaintiffs to overcome, and has led to dismissal of many legal challenges to board action or inaction. To maximize their personal protection, directors must ensure that, if the unthinkable happens and their corporation falls victim to a cybersecurity disaster, they have already taken the steps necessary to preserve this critical defense to personal liability.

In the realm of cybersecurity, the board of directors has “risk oversight” responsibility: the board does not itself manage cybersecurity risks; instead, the board oversees the corporate systems that ensure that management is doing so effectively. Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.” This is known as the Caremark test,[5] and there are two recognized ways to fall short: first, the directors intentionally and entirely fail to put any reporting and control system in place; or second, if there is a reporting and control system, the directors refuse to monitor it or fail to act on warnings they receive from the system.

The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk. This is a rare case, but other risks are more prevalent. For example, a director may fail to exercise due care if he or she makes a decision to discontinue funding an IT security project without getting any briefing about current cyberthreats the corporation is facing, or worse, after being advised that termination of the project may expose the company to serious threats. If an entirely uninformed or reckless decision to de-fund renders the corporation vulnerable to known or anticipated risks that lead to a breach, the members of the board of directors could be individually liable for breaching their Caremark duties.

II. The Personal Liability Risk to Directors

Boards of directors face increasing litigation risk in connection with their responsibilities
for cybersecurity oversight, particularly in the form of shareholder derivative litigation, where shareholders sue for breaches of directors’ fiduciary duties to the corporation. The rise in shareholder derivative suits coincides with a 2013 Supreme Court decision limiting the viability of class actions that fail to allege a nonspeculative theory of consumer injury resulting from identity theft.[6] Because of a lack of success in consumer class actions, plaintiffs’ lawyers have been pivoting to shareholder derivative litigation as another opportunity to profit from massive data breaches.

In the last five years, plaintiffs’ lawyers have initiated shareholder derivative litigation against the directors of four corporations that suffered prominent data breaches: Target Corporation, Wyndham Worldwide Corporation, TJX Companies, Inc., and Heartland Payment Systems, Inc. Target, Heartland, and TJX each were the victims of significant cyberattacks that resulted in the theft of approximately 110, 130, and 45 million credit cards, respectively. The Wyndham matter, on the other hand, involved the theft of only approximately 600,000 customer records; however, unlike the other three companies, it was Wyndham’s third data breach in approximately 24 months that got the company and its directors in hot water. The signs point to Home Depot, Inc., being next in line. A Home Depot shareholder recently brought suit in Delaware seeking to inspect certain corporate books and records. A “books and records demand” is a common predicate for a shareholder derivative action, and this particular shareholder has already indicated that the purpose of her request is to determine whether Home Depot’s management breached fiduciary duties by failing to adequately secure payment information on its data systems, allegedly leading to the exposure of up to 56 million customers’ payment card information.

Although there is some variation in the derivative claims brought to date, most have focused on two allegations: that the directors breached their fiduciary duties by making a decision that was ill-advised or negligent, or by failing to act in the face of a reasonably known cybersecurity threat. Recent cases have included allegations that directors:

• failed to implement and monitor an effective cybersecurity program;
• failed to protect company assets and business by recklessly disregarding cyberattack risks and ignoring red flags;
• failed to implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
• failed to take reasonable steps to timely notify individuals that the company’s information security system had been breached;
• caused or allowed the company to disseminate materially false and misleading statements to shareholders (in some instances, in company filings).

Board members may not be protected from liability by the exculpation clauses in their corporate charters. Although virtually all corporate charters exculpate board members from personal liability to the fullest extent of the law, Delaware law, for example, prohibits exculpation for breaches of the duty of loyalty, or breaches of the duty of good faith involving “intentional misconduct” or “knowing violations of law.” As a result, because the Delaware Supreme Court has characterized a Caremark violation as a breach of the duty of loyalty,[7] exculpation of directors for Caremark breaches may be prohibited. In addition, with the myriad of federal and state laws that touch on privacy and security, directors may also lose their immunity based on “knowing violations of law.” Given the nature of shareholder allegations in derivative litigation, these are important considerations, and importantly, vary depending on the state of incorporation.

Directors should also be mindful of standard securities fraud claims that can be brought against companies in the wake of a data breach. Securities laws generally prohibit public companies from making material
statements of fact that are false or misleading. As companies are being asked more and more questions about data collection and protection practices, directors (and officers) should be careful about statements that are made regarding the company’s cybersecurity posture and should focus on tailoring cybersecurity-related risk disclosures in SEC filings to address the specific threats that the company faces.

Cybersecurity disclosures are of keen interest to the SEC, among others. Very recently, the SEC warned companies to use care in making disclosures about data security and breaches and has launched inquiries to examine companies’ practices in these areas. The SEC also has begun to demand that directors (and boards) take a more active role in cybersecurity risk oversight.

Litigation is not the only risk that directors face. Activist shareholders—who are also customers/clients of corporations—and proxy advisors are challenging the re-election of directors when they perceive that the board did not do enough to protect the corporation from a cyberattack. The most prominent example took place in connection with Target’s data breach. In May 2014, just weeks after Target released its CEO, Institutional Shareholder Services (ISS), a leading proxy advisory firm, urged Target shareholders to seek ouster of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.

Thoughtful, well-planned director involvement in cybersecurity oversight, as explained below, is a critical part of a comprehensive program, including indemnification and insurance, to protect directors against personal liability for breaches. Moreover, it can also assist in creating a compelling narrative that is important in brand and reputation management (as well as litigation defense) that the corporation acted responsibly and reasonably (or even more so) in the face of cybersecurity threats.

III. Protecting Boards of Directors

From a litigation perspective, boards of directors can best protect themselves from shareholder derivative claims accusing them of breaching their fiduciary duties by diligently overseeing the company’s cybersecurity program and thereby laying the foundation for invoking the business judgment rule. Business judgment rule protection is strengthened by ensuring that board members receive periodic briefings on cybersecurity risk and have access to cyber experts whose expertise and experience the board members can rely on in making decisions about what to do (or not to do) to address cybersecurity risks. Most importantly, directors cannot recklessly ignore the information they receive, but must ensure that management is acting reasonably in response to reported information the board receives about risks and vulnerabilities.

Operationally, a board can exercise its oversight in a number of ways, including by (a) devoting board meeting time to presentations from management responsible for cybersecurity and discussions on the subject, to help the board become better acquainted with the company’s cybersecurity posture and risk landscape; (b) directing management to implement a cybersecurity plan that incentivizes management to comply and holds it accountable for violations or noncompliance; (c) monitoring the effectiveness of such plan through internal and/or external controls; and (d) allocating adequate resources to address and remediate identified risks. Boards should invest effort in these actions, on a repeated and consistent basis, and make sure that these actions are clearly documented in board and committee packets, minutes, and reports.

(a) Awareness. Boards should consider appointing a chief information security officer (CISO), or similar officer, and meet regularly with that individual and other experts to understand the company’s risk landscape, threat actors, and strategies to address
that risk. Appointing a CISO has an additional benefit. Reports suggest that companies that have a dedicated CISO detected more security incidents and reported lower average financial losses per incident.[8]

Boards should also task a committee or subcommittee with responsibility for cybersecurity oversight, and devote time to getting updates and reports on cybersecurity from the CISO on a periodic basis. As with audit committees and accountants, boards can improve oversight by recruiting a board member with aptitude for the technical issues that cybersecurity presents, and placing that individual on the committee/subcommittee tasked with responsibility for cybersecurity oversight. Cybersecurity presentations, however, need not be overly technical. Management should use established analytical risk frameworks, such as the National Institute of Standards and Technology “Framework for Improving Critical Infrastructure Cybersecurity” (usually referred to as the “NIST Cybersecurity Framework”), to assess and measure the corporation’s current cybersecurity posture. These kinds of frameworks are critical tools that have an important role in bridging the communication and expertise gaps between directors and information security professionals and can also help translate cybersecurity program maturity into metrics and relative relationship models that directors are accustomed to using to make informed decisions about risk. It is principally through their use that directors can become sufficiently informed to exercise good business judgment.

(b) Plan implementation and enforcement. Boards should require that management implement an enterprise-wide cybersecurity risk management plan and align management’s incentives to meet those goals. Although the details of any cybersecurity risk management plan should differ from company to company, the CISO and management should prepare a plan that includes proactive cybersecurity assessments of the company’s network and systems, builds employee awareness of cybersecurity risk and requires periodic training, manages engagements with third parties that are granted access to the company’s network and information, builds an incident response plan, and conducts simulations or “tabletop” exercises to practice and refine that plan. The board should further consider incentivizing the CISO and management for company compliance with cybersecurity policies and procedures (e.g., bonus allocations for meeting certain benchmarks) and create mechanisms for holding them responsible for noncompliance.

(c) Monitor compliance. With an enterprise-wide cybersecurity risk management plan firmly in place, boards of directors should direct that management create internal and external controls to ensure compliance and adherence to that plan. Similar to internal financial controls, boards should direct management to test and certify compliance with cybersecurity policies and procedures. For example, assuming that management establishes a policy that software patches be installed within 30 days of release, management would conduct a patch audit, confirm that all patches have been implemented, and have the CISO certify the results. Alternatively, boards can also retain independent cybersecurity firms that could be engaged by the board to conduct an audit, or validate compliance with cybersecurity policies and procedures, just as they would validate financial results in a financial audit.

(d) Adequate resource allocation. With information in hand about what the
company’s cybersecurity risks are, and an analysis of its current posture, boards should allocate adequate resources to address those risks so that management is appropriately armed and funded to protect the company.

As criminals continue to escalate the cyberwar, boards of directors will increasingly find themselves on the frontlines of regulatory, class plaintiff, and shareholder scrutiny. Directors are well-advised to proactively fulfill their risk oversight functions by driving senior management toward a well-developed and resilient cybersecurity program. In so doing, board members will not only better protect themselves against claims that they failed to discharge their fiduciary duties, but will strengthen their respective organizations’ ability to detect, respond, and recover from cybersecurity crises.

Endnotes

1. SEC Commissioner Luis A. Aguilar, Remarks at the N.Y. Stock Exchange, Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 10, 2014).
2. Press Release, Nat’l Assoc. of Corp. Dir., Only 11% of Corporate Directors Say Boards Have High Level of Cyber-Risk Understanding (June 22, 2015), https://www.nacdonline.org/AboutUs/PressRelease.cfm?ItemNumber=15879.
3. Personal information is defined under a variety of federal and state laws, as well as industry guidelines, but is generally understood to refer to data that may be used to identify a person. For example, state breach notification laws in the U.S. define personal information, in general, as including first name (or first initial) and last name, in combination with any of the following: (a) social security number; (b) driver’s license number or other government-issued identification; (c) financial or credit/debit account number plus any security code necessary to access the account; or (d) health or medical information.
4. Critical infrastructure refers to systems, assets, or services that are so critical that a cyberattack could cause serious harm to our way of life. Presidential Policy Directive 21 (PPD-21) identifies the following 16 critical infrastructure sectors: chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, waste, and wastewater. See Critical Infrastructure Sectors, Department of Homeland Security, available at http://www.dhs.gov/critical-infrastructure-sector.
5. For Delaware corporations, directors’ compliance with their oversight function is analyzed under the test set out in In re Caremark Int’l, Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).
6. See Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). Consistent with Clapper, most data breach consumer class actions have been dismissed for lack of “standing”: the requirement that a plaintiff has suffered a cognizable injury as a result of the defendant’s conduct. That has proven challenging for plaintiffs because consumers are generally indemnified by banks against fraudulent charges on stolen credit cards, and many courts have rejected generalized claims of injury in the form of emotional distress or exposure to heightened risk of ID theft or fraud.
7. Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
8. Ponemon Inst., 2015 Cost of Data Breach Study: Global Analysis (May 2015), http://www-03.ibm.com/security/data-breach/.
Fish & Richardson P.C. – Gus P. Coldebella, Principal and Caroline K. Simons, Associate

Where cybersecurity meets corporate securities: The SEC’s push to regulate public companies’ cyber defenses and disclosures

The risks associated with cyberattacks are a large and growing concern for American companies, no matter the size or the industry. If a company is publicly traded, however, there’s a significant additional impetus for executives’ cyber focus: the ever-increasing attention the U.S. Securities and Exchange Commission (SEC) pays to cybersecurity issues. The SEC, as one of the newest government players in the cybersecurity space, is flexing its regulatory muscles—including by mandating and scrutinizing cybersecurity risk disclosures, prodding companies to disclose additional information, and launching investigations after a breach comes to light.

This chapter explores the SEC’s expanding role as cyber regulator and the growing nexus between cybersecurity and corporate securities. It gives companies a primer on the background and sources of the SEC’s cyber authority, discusses tricky disclosure and securities regulation-related issues, and provides a potential framework for companies to think about whether, how, and when they should publicly disclose cybersecurity risks, and—when the inevitable happens—cyberattacks.

The SEC’s authority to regulate cybersecurity

Generally, a company’s duty to disclose material information under U.S. securities laws arises only when a statute or SEC rule requires it, and currently, no existing laws or rules explicitly refer to disclosure of cyber risks or incidents. Even so, the SEC has made it clear that it will use authorities already on the books to promote cybersecurity in public companies. During the SEC’s March 2014 “Cybersecurity Roundtable,” Chairman Mary Jo White said that, although the SEC’s “formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information, it is
incumbent on every government agency to be informed on the full range of cybersecurity risks and actively engage to combat those risks in our respective spheres of responsibility.” In other words—formal jurisdiction notwithstanding—the SEC will use every tool it has to combat cyber risks.

To divine the SEC’s position on cybersecurity, companies and experienced counsel may look to a patchwork of non-binding staff guidance, SEC officials’ speeches, and especially staff comment letters on companies’ public filings. Given that cyber disclosures can have an effect on corporate reputations and stock price, give would-be attackers information about vulnerabilities, and trigger shareholder and other litigation and government investigations, companies anguish over exactly when, what, and how much to disclose. To answer these questions, it is crucial to understand the background and contours of existing requirements and the SEC’s expectations.

History and background of the SEC’s cybersecurity oversight

In May 2011, Senator Jay Rockefeller sent a letter to then-SEC Chairman Mary Schapiro urging the SEC to “develop and publish interpretive guidance clarifying existing disclosure requirements pertaining to information security risk.” Rockefeller, frustrated with Congress’s inability to pass cybersecurity legislation, identified the SEC’s control over corporate public disclosure as a vehicle to promote security in the absence of legislation. Five months after the Rockefeller letter, in October 2011, the Division of Corporation Finance (the “Division”) issued CF Disclosure Guidance: Topic No. 2 (the “Guidance”). Even though it’s not an SEC rule itself, the Guidance announced the Division’s view that—“although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents”—existing SEC rules, such as Regulation S-K, “may impose” obligations to disclose cybersecurity and cyber events in a company’s periodic reporting.

Contours of the SEC’s staff guidance

Taking its cues from Regulation S-K, the Guidance details the key places where cybersecurity disclosures may appear in a company’s 10-Ks and 10-Qs. The main focuses are as follows:

• Risk factors. The company’s risk factors are the central place for cyber disclosure. If cybersecurity is among the most significant factors making investment in the company risky, the risk factor disclosure should take into account “all available relevant information” from past attacks, the probability of future attacks occurring, the magnitude of the risks—including third-party risk, and the risk of undetected attacks—and the costs of those risks coming to pass, including the potential costs and consequences resulting from misappropriation of IP assets, corruption of data, or operational disruption. The risk factor should also describe relevant insurance coverage.
• MD&A. If the costs or other consequences of a cyberattack represent a material trend, demand, or uncertainty “that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition,” the company should address cybersecurity risks and cyber incidents in its Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).
• Description of business. If one or more cyber incidents materially affected the company’s products, services, customer or supplier relationships, or competitive conditions, the Guidance suggests disclosure in the “Description of Business” section.
• Legal proceedings. If any litigation arose as a result of a cyber incident, the Guidance suggests disclosure if material.
• Financial statements. If significant costs are associated with cyber preparedness or remediation, they should appear in the company’s financial statements.

SEC post-guidance practice

Of course, guidance is just guidance unless the SEC, through its actions, gives it teeth. And the SEC has. Under Sarbanes-Oxley, the Division reviews every public company’s reports at least once every three years, and the Division has focused intensely on cyber disclosures since the Guidance—especially risk factor disclosures. Responding to a follow-up letter from Senator Rockefeller requesting that the SEC enshrine the Guidance as a formal SEC rule, Schapiro’s successor Mary Jo White took pains to stress that active staff review of cybersecurity—using existing disclosure rules—was an SEC priority. In her May 1, 2013 letter, White revealed that the Division had already issued approximately 50 cyber-related comment letters. And many more have been sent since then. Google, Amazon, AIG, Quest Diagnostics, and Citigroup are just some of the scores of public companies that received letters from staff urging enhanced disclosures of their cyber risks. The lessons we can learn from those exchanges are detailed below.

Tips for preparing 10-K and 10-Q cyber disclosures

According to a recent survey by Willis, 87% of Fortune 500 companies claim to have complied with the Guidance. The SEC’s “enforcement” of it through comment letters has given it the muscle and imprimatur of a rule. Certain noteworthy trends that emerge from these letters follow:

Trend 1: Staff pushes for all cyber incidents to be disclosed—material or not. Materiality is the touchstone of disclosure. Even so, and even though the Guidance calls for disclosure of “cyber incidents... that are individually, or in the aggregate, material,” staff comments have consistently urged companies to disclose past data breaches that are not material, even in the face of companies’ well-reasoned positions to the contrary. For instance, Amazon resisted disclosing a past cyberattack at its subsidiary Zappos because it said the entire Zappos operation was not material to Amazon’s consolidated revenues. SEC staff pushed Amazon to disclose it anyway, to place the risk factor “in appropriate context.” A version of this comment appears in letter after letter. By first mandating cybersecurity risk factors via the Guidance, and then urging even non-material incidents to be included in those risk factors for “context,” the staff appears to be pushing for disclosure of past cyber events notwithstanding materiality.

Trend 2: Staff will research cyber incidents—and ask about them. Division staff is independently monitoring breaches and comparing them with company disclosures. When a breach has been reported by a company or in the press, but there is no concomitant disclosure in the company’s filings—especially where the company has already acknowledged susceptibility to attack as a risk factor—the staff will likely notice. Citigroup discovered this when the staff referred to press reports about a 2011 breach that supposedly affected 360,000 credit card accounts and asked why no 10-Q disclosure was made. The staff’s practice is to ask for analysis supporting the conclusion that no further disclosure is necessary, including a discussion of materiality from a financial and reputational risk standpoint. Moreover, when a company discloses that a particular kind of potential breach may be material, the staff’s comment letter almost always asks the company to disclose whether that kind of breach has already occurred—and if it has, to disclose it, material or not (see Trend 1). Taken together, these trends suggest that the SEC may be using its authority to make up for the lack of a federal breach notification law.
? 60
CYBER RISK AND THE BOARD OF DIRECTORS
enumerated material corporate events, such as termination of executive officers or changes in auditors, must be reported on a “current basis” on Form 8-K. However, no currently-existing securities law or rule expressly requires cyberattacks—material or otherwise—to be reported on Form 8-K. Generally, reporting cyber events is entirely voluntary. Companies that do so use Form 8-K’s Item 8.01, “Other Events,” which is used to voluntarily report events that the company considers to be of importance to investors. Public companies must navigate issues such as materiality, selective disclosure, trading, and effect on stock price, all in an environment where disclosure of a cyber event is almost sure to draw a lawsuit, a government investigation, or other unwanted scrutiny. No one-size-fits-all answer exists—it is almost always a judgment call. In this section, we detail some of the questions and analysis that companies should consider regarding whether to disclose an attack on Form 8-K, and if so, when. One way to think about these questions is outlined in the decision tree on the next page (Figure 1).
Why consider disclosure if you don’t have to? Even if no rule mandates disclosure, companies and experienced counsel know that there are frequently upsides to disclosure—especially in a world where securities litigation, derivative suits, and enforcement actions are lurking. Instead of provoking shareholder litigation, might an announcement ward it off? Can an 8-K eliminate a plaintiff’s or regulator’s argument that an insider traded on the basis of material non-public information? The chart on the next page (Table 1) lays out some of the possible advantages—along with the more well-known disadvantages—that companies should consider.
Is the cyberattack material? The determination of whether a cyber event is material is not clear-cut. First, the Supreme Court has rejected a bright-line, quantitative rule for materiality—instead reaffirming Basic v. Levinson’s formulation that any nonpublic information that significantly alters the total
Trend 3: Staff is interested not only in the disclosure, but the pre-disclosure process. As Chairman White has stated, even in the absence of a law or regulation directly compelling companies to adopt strict cybersecurity measures, the SEC is exercising its power to indirectly prod companies to analyze and strengthen their cybersecurity programs by issuing disclosure guidance and bringing investigations, enforcement actions, and litigation against companies that fall short. In this way the SEC has taken on a larger mission than simply requiring disclosure—it is using its existing authorities to steer companies to engage in a deep, searching process to evaluate cyber risk. Whether or not you think the SEC is the appropriate regulator of this area, such a searching analysis is important to securing a company’s digital assets. Management should engage in and document its analysis of the effects of cyber incidents on the company’s operations, with special attention to the probability of various types of attacks and their potential cost, from a quantitative and qualitative standpoint. It should do so not just to weather the storm of a possible SEC inquiry, but because such an analysis brings necessary executive-level oversight to a crucial area of enterprise risk.
Trend 4: Third-party risk is on the staff’s mind. Staff is encouraging companies to look beyond their four walls to the cyber risk posed by the use of vendors. Staff will ask whether the company’s vendors have experienced cyberattacks, and request assessment—and disclosure—if a breach at a third-party vendor could have a material effect on the company. The SEC likely believes that if public companies are required to disclose risks in their supply chain in addition to their own, third-party cybersecurity will improve as a result.
In the heat of battle: 8-K disclosure questions during an attack
Of course, 10-Ks and 10-Qs are not the only reports public companies produce—certain
WHERE CYBERSECURITY MEETS CORPORATE SECURITIES
[Figure 1: Fish & Richardson 8-K Disclosure Decision Tree. Decision nodes: Is it material? Does the cost and consequence of the breach substantially affect you or your financial outlook? Does it make a prior statement misleading? Will insiders trade while in possession of this information? Is there a separate obligation to disclose (state PII laws, trading rules)? Will you disclose anyway via website, to third parties, etc.? Is discovery of the breach (by the gov't or public) likely or inevitable? Is there a potential Regulation FD issue? Will the disclosure itself harm the company? Will it compromise security? Will it trigger securities or other litigation or investigations? Branch labels: Yes / No / Not sure / Maybe not. Outcomes: Lean toward 8-K disclosure; Lean against 8-K disclosure; “Really? Are you sure?”]
TABLE 1: Fish & Richardson 8-K Pros and Cons Matrix
Pros:
1. May eliminate potential class plaintiffs’ argument that information was not known to the market or was not adequately disclosed, cutting off potential securities claims to the date of the 8-K
2. May counter allegations that insiders were trading on the basis of material nonpublic information about the breach (so long as insider trades happen after 8-K issued)
Cons:
1. If incident is truly not material and was not going to be discovered, could needlessly cause reputational harm and draw litigation and other unwanted scrutiny
2. May be seen as concession that incident was material (although companies frequently disavow materiality in 8-K), and even if not material, may make incident seem bigger than it is
(Continued)
mix of information available to shareholders could well be material. Second, even when the scope of an attack has come into focus, the effects of cyberthefts are frequently hard to quantify. Although it is relatively easy for a company to decide to announce a breach of customer personal information (because the breach will likely have to be disclosed under state law and because remediation costs may be significant), what should a company do about, for example, theft of trade secrets, such as source code for a big-selling software product? Without more (such as the thieves’ development and marketing of a competing product), such a theft may not have a material effect on the company’s financial statements. Adding to the difficult nature of this inquiry: companies must be aware that an initial determination that the event is not material—if the event later becomes public—is likely to be critically reexamined with 20/20 hindsight, months or years after the event, by shareholders, plaintiffs’ lawyers, regulators, and the press. So careful analysis and documentation of the company’s determination are important.
Is there a duty to correct or to update? If the company made public statements about its information systems or other aspects of its operations affected by a cyberattack, and the statements were inaccurate or misleading when made, the company has an obligation to correct the statements—even if it only learned of the inaccuracy afterwards. Failure to comply with this “duty to correct” can provide plaintiffs’ lawyers with fodder for a suit alleging that purchasers or sellers relied on the inaccurate statement to their detriment. Moreover, even if the company’s forward-looking statements were accurate when made, some courts have found a “duty to update” when circumstances change (such as when an attack happens), and the forward-looking statement becomes inaccurate.
Do you have another legal obligation to disclose? Other disclosure requirements may be at play, such as any state notification laws that require companies to inform affected individuals if their personally identifiable information (PII) was stolen during an attack. If the company is listed on an exchange such as NYSE or NASDAQ, the trading markets themselves may also have rules requiring timely notification of material events. Frankly, it is easier for a company to decide to announce a data breach on Form 8-K—and to accrue the benefits of filing an 8-K—if it is going to disclose for another reason, or already has.
TABLE 1 (continued): Fish & Richardson 8-K Pros and Cons Matrix
Pros:
3. Can eliminate a potential Reg FD selective disclosure issue if company has to reveal incident to employees, third parties, others
4. Quick, full disclosure may stave off regulatory scrutiny (but see “Cons”)
5. Allows company to own the message, rather than giving control of the message to someone else
Cons:
3. May trigger stock price drop—and if so, likely to draw shareholder litigation claiming that pre-8-K disclosures were materially misleading
4. Even if no stock price drop, may draw other types of litigation and regulatory scrutiny
5. Could draw other hackers to test company’s defenses
window for insiders. Even after the incident’s details are known, if the company is leaning against declaring the incident material, the question is whether to disclose the incident—material or not—on Form 8-K, so no later allegation of insider trading can stick. (Of course, if the incident is material, no trading by insiders should occur until information about the incident is made public.)
When to disclose? The decision to disclose is only half of the 8-K equation—another question is, when? Target took two months after the world knew of its massive data breach to issue an 8-K; Morningstar, which releases an 8-K regularly on the first Friday of every month, disclosed its 2012 breach a little more than one month after becoming aware of it. Some companies, such as health insurer Anthem, choose instead to wait until the next periodic report. A challenge facing a victim company is to balance the benefits of prompt disclosure against the potential downsides. Because a disclosure should be accurate and not misleading when made, a company should grasp the scope of the cyber incident before disclosing. In a typical breach, however, it is rare for an entity to be able to immediately assess the attack’s scope—investigations take time. Therefore, a factor to consider in deciding when to disclose is the pace and progress of the post-breach investigation, which will allow the company to understand the extent of the attack. A company confronts an unenviable disclosure dilemma: disclose based on the state of the world as you know it right now, and later be accused of not telling the whole story? Or disclose when you have a better grasp of what actually happened, but face accusations of allowing earlier (and potentially rosier) cybersecurity disclosures to persist uncorrected? Generally, companies should resist falling into the immediate disclosure trap, because in our experience a cyber incident looks very different at the end of the first week than it does at the end of the first day. Furthermore, the company will
Are you going to disclose anyway? Is the incident likely to become widely known? Absent a mandatory disclosure requirement, a company may still have reasons to disclose the attack to stakeholders. There may be contractual obligations to customers or other third parties to communicate about breaches involving their information. Even without a contractual obligation, a breach may affect a company’s vendors, suppliers, or partners, and the company may choose to disclose the incident to them. A sound operating assumption is that once the company discloses an incident to even a single third party, it is likely to become widely known. Thus, the company should have a coordinated, unified disclosure strategy to ensure that all interested parties are informed in a consistent manner, and very close in time. Companies can use affirmative disclosure to mitigate any reputational harm or embarrassment that could arise from having the narrative created on their behalf by the media, security researchers, hacktivists, or worse.
Any such disclosure raises potential issues under the SEC’s Regulation Fair Disclosure, or Reg FD. Reg FD prohibits companies from selectively disclosing material non-public information to analysts, institutional investors, and certain others without concurrently making widespread public disclosure. Many companies that communicate with third parties—as did J.P. Morgan after its October 2014 breach—will issue a Form 8-K to make sure their communications do not violate Reg FD. It is worth considering whether disclosures on a company’s website, or otherwise to customers, vendors, or other parties, trigger a Reg FD requirement.
What to do about trading? Another reason that the materiality determination is a tricky one is that insiders in possession of material nonpublic information may not trade while in possession of that information. If there is even a chance that the cyber incident may be material, an early call that a public company general counsel must make is whether to close the trading
revealed that the SEC was among the government agencies investigating the 2013 data breach, including “how it occurred, its consequences, and our responses.”
With the growing threat of cyberattacks and mounting pressure from Congress and the public, future regulatory and enforcement actions are almost assured. Companies should be prepared for additional scrutiny, review their existing disclosures in light of the Guidance and the SEC’s stated priorities, and apply these principles to the public disclosure and related questions that will arise post-breach.
not want to have to correct itself after making its cyber disclosure—it will want to get it right the first time.
SEC cybersecurity enforcement
The SEC has not yet brought an enforcement action against a public company related to its cybersecurity disclosures. It has, however, opened investigations looking not only into whether companies adequately prepared for and responded to cyber incidents but also into the sufficiency of their disclosures relating to the breaches. Target’s February 2014 Form 8-K filing
Internet Security Alliance, NACD – Larry Clinton, CEO of ISA and Ken Daly, President and CEO of NACD
A cybersecurity action plan for corporate boards
With the majority of cyber networks in the hands of the private sector, and the threats to these systems apparent and growing, organizations need to create an effective method to govern and manage the cyber threat. This responsibility ultimately falls to the corporate board of directors. In fact, the word cyber is derived from the same Greek word, kybernan, from which the word govern also derives.
How is cyber risk different from other corporate risks?
Although corporate boards have a long history of managing risks, the digital age may create some unique challenges. To begin with, the nature of corporate asset value has changed significantly in the last 20 years. Eighty percent of the value of Fortune 500 companies now consists of intellectual property (IP) and other intangibles.
With this rapidly expanding “digitalization” of assets comes a corresponding digitalization of corporate risk. However, many of the traditional assumptions and understandings about physical security don’t apply to securing digital assets.
First, unlike many corporate risks, such as natural disasters, cybersecurity risks are the product of conscious and often better-resourced attackers, including nation states and state affiliates. This means that the attack methods, like the technology, will change constantly, responding to defensive techniques and often in a highly strategic fashion. This characteristic of cyberattacks means that the risk management system must be a dynamic 24/7/365 flexible process—a full team sport—requiring participation from all corners of the organization rather than being the primary responsibility of any one particular entity.
Second, with many traditional human-based corporate risks, such as criminal activity, companies can plug into a
However, many digital technologies and business processes that drive business economies come with major cybersecurity risks, which as discussed elsewhere (see Chapter 6), can put the corporation at a long-term catastrophic risk.
This means that cyber risk must be considered not as an addendum to a business process or asset, but as a central feature of the business process. In the modern world, cybersecurity is as central to business decisions as legal and financial considerations. Thus, a board’s consideration of fundamental business decisions such as mergers, acquisitions, new product development, partnerships, and marketing must include cybersecurity.
Are corporate boards concerned about cybersecurity?
Although some critics have assumed that the publicity from high-profile corporate breaches is prima facie evidence of corporate inattention to cybersecurity, the evidence does not support that proposition.
Corporate spending on cybersecurity has doubled over the past few years and now totals more than $100 billion a year. By comparison, the total annual budget for the U.S. Department of Homeland Security is only about $60 billion—including TSA and immigration—with only $1 billion for cybersecurity. Total U.S. government spending on cybersecurity is generally estimated to be near $16 billion. Moreover, recent surveys indicate cybersecurity now tops the list of issues corporate boards must face (replacing leadership succession), and two thirds of board members are seeking even more time and attention paid to cybersecurity.
Although the data seems to show conclusively that corporate boards are aware of and becoming ever more interested in cybersecurity, the novelty and complexity of the issue has led to a fair amount of uncertainty as to how to approach it.
One recent survey found that despite the “spotlight on cyber security getting brighter,” nearly half of directors had not discussed the company’s crisis response plan
well-defined legal superstructure including enforcement power, which can greatly assist the organization in defending itself. Unfortunately, in the cyber world this system is dramatically underdeveloped. In addition to the major problem of many attackers actually receiving state support, the international criminal legal system has not evolved to the point where there is anything close to the cooperation and coordination generally available in the physical world. As a result, current estimates are that law enforcement is able to apprehend and convict less than 2% of cyber criminals.
Third, corporate cybersecurity is not confined to traditional corporate boundaries. Whereas in the physical world a particularly conscientious organization might be able to defend itself by having an especially strong security perimeter, the cyber world is essentially borderless. A fundamental characteristic of cyber systems is that they are interconnected with other, independent systems. For example, the highly publicized breach of Target was accomplished by exploiting vulnerabilities in Target’s air conditioner vendor. In another well-publicized case, a well-defended energy installation was compromised by malware placed on the online menu of a Chinese restaurant popular with employees who used it to order lunch. This means that a board must consider not only their “own” security but that of all the entities with whom they interconnect, including vendors, customers, partners, and affiliates.
Fourth, unlike many physical risks, in which the security effort is to create a perimeter around an asset, so many modern corporate assets are in fact digital. Cyber risk must be considered as an integral part of the business process. A good deal of modern corporate growth, innovation, and profitability is inherently tied to digital technology. Rare is the entity that has by now not built the benefits of digitalization into its business plan in many different ways, including online marketing, remote business production, employee use of personal mobile devices, cloud computing, big data, outsourced process, and off-site employment.
free, even as a goal. The goal is to keep your system healthy enough so that you can fight off the germs that will inevitably attack it. When you do get sick, as we all eventually do, you detect and understand the infection promptly and accurately and get access to the appropriate expertise and treatment so that you can return to your normal routine as soon as possible—ideally wiser and stronger.
Thinking of cybersecurity narrowly as an IT issue to be addressed simply with technical solutions is a flawed strategy. The single biggest vulnerability in cyber systems is people. Insiders, whether they are poorly trained, distracted, angry, or corrupted, can compromise many of the most effective technical solutions.
Building on the NACD model, the Institute of Internal Auditors (IIA) extended NACD’s principle 1 by commenting that the board should receive an internal annual health check of the organization’s cybersecurity program that covers all domains of the organization’s cybersecurity, including an assessment of whether the enterprise risk levels have improved or deteriorated from year to year, and comments specifically that “Sarbanes-Oxley compliance provides little assurance of an effective security program to manage cyber risks.”
2. Directors must understand the legal implications of cyber risk.
The legal situation with respect to cybersecurity is unsettled and quickly evolving. Boards should be mindful of the potential legal risks posed to the corporation and potentially to the directors on an individual or collective basis. For example, high-profile attacks may spawn lawsuits, including shareholder derivative suits alleging that the organization’s board neglected its fiduciary duty by failing to take steps to confirm the adequacy of the company’s protections against breaches of customer data. To date juries have tended not to find for the plaintiffs in these cases, but that could change with time, and boards need to be aware of the risk of court suits.
in the event of a breach, 67% had not discussed the company’s cyber insurance coverage, nearly 60% had not discussed engaging an outside cybersecurity expert, more than 60% had not discussed risk disclosures in response to SEC guidance, and slightly more than 20% had discussed the National Institute of Standards and Technology (NIST) cybersecurity framework.
A corporate board action plan for cybersecurity
In an effort to fill the gap between awareness and targeted action, the National Association of Corporate Directors (NACD), in conjunction with AIG and the Internet Security Alliance, published their first Cyber Risk Oversight Handbook for corporate boards in June 2014. The handbook was the first private sector document endorsed by the U.S. Department of Homeland Security as well as the International Audit Foundation and is available free of charge either through DHS or NACD. It identified five core principles for corporate boards to enhance their cyber risk oversight.
The five principles can be conceptualized into two categories. Principles 1, 2, and 3 deal with board operations. The final two principles deal with how the board should handle senior management.
1. Understand that cybersecurity is an enterprise-wide risk management issue.
The board has to oversee management in setting the overall cyber strategy for the organization, including how cybersecurity is understood in terms of the business. It is critical that the board not approach the topic simply by thinking, “What if we have a breach?” Virtually every organization will be successfully breached. The board has to understand the issue is how to manage the risks caused by breaches, not to focus solely on how to prevent them.
One useful metaphor is to think of corporate cybersecurity in a similar fashion to how we think of our own personal health. Obviously, it is impractical to be totally germ
some boards are now recruiting cyber professionals for board seats to assist in analyzing and judging staff reports. Another technique is to schedule periodic “deep-dives” for the full board. Many organizations have delegated the task to a special committee—often audit but sometimes a risk or even technology committee—although no one approach has been demonstrated clearly superior. A proliferation of committees can exacerbate the board time problem, and due care must be taken not to overload any one committee, such as audit, with issues that are not inherently in its expertise lane.
Still another technique is to empower the board with the right questions to ask and require that the outside or internal experts answer the questions in understandable terminology. The NACD Cyber Risk Handbook provides lists of 5 to 10 simple and direct questions for board members covering the key issues such as strategy and operational readiness, situational awareness, incident response, and overall board “cyber literacy.”
At minimum, boards can take advantage of the company's ongoing relationships with law enforcement agencies and regularly make adequate time for cybersecurity at board meetings. This may be through interaction with CISOs or as part of the audit or similar committee reports. More appropriately, boards, as discussed above, should integrate these questions into general business discussions.
The final two principles offered by NACD focus on how boards should deal with senior management:
4. Directors need to set an expectation that management have an enterprise-wide cyber risk management framework in place.
It is important that someone be thinking about cybersecurity, from an enterprise-wide perspective (i.e., not just IT) every day. Corporations have introduced a variety of models: chief risk officer, chief financial officer, chief operating officer, as well as the more traditional CIO and CISO models. The
Prudent steps for directors to take include
maintaining records of discussions related to
cyber risks at the board and key committee
meetings. These records may include updates
about specifc risk as well as reports about
the company’s overall security program and
how it is addressing these risks. Evidence
that board members have sought out special-
ized training to educate themselves about
cyber risk may also be helpful in showing
due diligence.
No one standard applies, especially for
organizations who do business in multiple
jurisdictions. Some countries, including the
U.S. have received specifc guidance from
securities regulators. Many countries have
passed a variety of laws, some of which may
be confusing or conficting with mandates in
other countries. It is critical that organiza-
tions systematically track the evolving laws
and regulations in their markets and analyze
their legal standing.
Again, building on the NACD model, IIA
emphasizes that this legal analysis must be
extended to third parties and recommends
that the board get a report of all the critical
data that are being managed by third-party
providers and be sure the organization has
appropriate agreements in place, including
audits of these providers. The board ought
to communicate that a “chain of trust” is
expected with these third-party providers
that they have similar agreements with their
down-stream relationships.
3. Board members need adequate access to
cybersecurity expertise.
Most board meetings are incredibly pressed
for time, and often there are multiple issues
and people who feel they need more board
time. Add to this the fact that most acknowl-
edge that directors lack the needed expertise
to evaluate cyber risk, and the board is left
with the conundrum of how to get enough
time to become properly educated to address
this serious issue.
One answer is to increase the use of out-
side experts working directly with the board
to provide independent assessments. Indeed,
A CYBERSECURITY ACTION PLAN FOR CORPORATE BOARDS
important aspect to ensure, however, is that the risk management is truly organization wide, including the following steps:
• establish leadership with an individual with cross-departmental expertise
• appoint a cross-organization cyber risk management team including all relevant stakeholders (e.g., IT, HR, compliance, GC, finance, risk)
• meet regularly and report directly to the board
• develop an organization-wide cyber risk management plan with periodic tests, reports, and refinements. At a more technical level, the Cyber Security Framework developed by the National Institute of Standards and Technology (NIST) is a useful model.
• develop an independent and adequate budget for the cyber risk management team.
One mechanism to implement the framework is to create a “cybersecurity balance sheet” that identifies, at a high level, the company’s cyber assets and liabilities and can provide a scorecard for thinking through management progress in implementing the security system. The balance sheet may begin with identifying the organization’s “crown jewels.” This is an important exercise because it is simply not cost efficient to protect all data at the maximum level. However, the organization’s most valued data must be identified (e.g., IP, patient data, credit card data). Other corporate data can be similarly categorized as to its relative security needs.
The next step is to discuss the strategy for securing data at each level. This strategy generally involves a consideration of people, process, and technology.
At the technology and process levels there are a range of options available, with good research indicating cost-effective methods to secure lower-level data, thus reserving deployment of more sophisticated, and hence costly, measures for the higher valued data.
At the people level, it is important to follow leading practices for managing personnel, especially with respect to hiring and firing. Ongoing cybersecurity training is similarly important and most effective if cybersecurity metrics are fully integrated into employee evaluation and compensation methods. Of special attention is the inclusion of senior and other executive level personnel who, research has shown, are highly valued targets and often uniquely lax in following through on security protocols.
The asset management process then can be considered in light of the business practices that may create liabilities. For example, the expansion of the number of access points brought on by the explosion in mobile devices and the emerging “Internet of Things” (connecting cars, security cameras, refrigerators, etc. to the Internet) really increases vulnerability (see Chapter 6).
Still a different type of vulnerability can occur in the merger and acquisition process. Here management may feel pressure to generate value through the merging of highly complex and technical information systems on an accelerated pace. In discussions with management, the board must carefully weigh the economics of the IT efficiencies the company seeks against the potential to miss or create vulnerability by accessing a system that is not well enough understood or has not had its deficiencies mitigated.
5. Based on the plan, management needs to have a method to assess the damage of a cyber event. They need to identify which risks can be avoided, mitigated, accepted, or transferred through insurance.
Organizations must identify for the board which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets then must be allocated appropriately between defending against basic and advanced risks.
This principle highlights the need for the “full-team” approach to cybersecurity advocated under principle 4. For example, the marketing department may determine
that a particular third-party vendor is ideal for a new product. The CISO may determine that this vendor does not have adequate security. Marketing may, nevertheless, decide it is worth the risk to fulfill the business plan, and presumably senior management may support marketing, but condition approval on the ability to transfer some of this additional risk with the purchase of additional insurance.
This is an example of the process proceeding appropriately, wherein cyber risk is integrated into business decisions and managed on the front end, consistent with the organization’s business plan.
If an organization follows these principles, it should be well on its way to establishing a sustainably secure cyber risk management system.
Stroz Friedberg LLC — Erin Nealy Cox, Executive Managing Director
Establishing a board-level cybersecurity review blueprint
Over the last two years cybersecurity has leaped to the top of the boardroom agenda. If you’re like most board members, though, you haven’t had enough time to figure out how to think about cybersecurity as part of your fiduciary responsibility, and you’re not quite certain yet what questions to ask of management. You may even harbor a secret hope that, like many technology-related issues, cyberthreats will soon be rendered obsolete by relentless advancement.
Don’t count on it. Cybersecurity is taking its place among the catalog of enterprise risks that demand boardroom attention for the long term. It comes along with the digital transformation that is sweeping through virtually all industries in the global economy. As businesses “digitize” all aspects of their operations, from customer interactions to partner relationships in their supply chains, entire corporations become electronically exposed—and vulnerable to cyberattack.
Cybersecurity risk is not new. However, in the last two years multiple high-profile attacks have hit brands we all trusted with our personal information, making for big headlines in the media and significant reputational and financial damage for many of the victimized companies. What’s more, corporate heads have rolled: CIOs and even CEOs have departed as a direct result of breaches. The ripple effect continues. Cybersecurity legislation is a perennial agenda item for governments and regulators around the world, and shareholder derivative lawsuits have struck the boards of companies hit by high-profile cyberattacks.
Although directors have added cybersecurity enterprise risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue. This chapter’s goal is to help directors evolve their mindsets for thinking
about the enterprise risk associated with cybersecurity and provide a simple blueprint to help directors incorporate cybersecurity into the board’s overall enterprise risk strategy.
Establishing the right blueprint for boardroom cybersecurity review
For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.
Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated risks.
Also important to a board member’s cybersecurity mindset is to be free from fear of the technology. Remember, the issue is enterprise risk—not technical solutions. Just as you need not understand internal combustion engine technology to write rules for safe driving, you need not be excluded from the cybersecurity risk discussion based on lack of technology acumen. Although this is liberating, in a sense, there is also a price: directors cannot deny their fiduciary responsibility to oversee cybersecurity risk based on lack of technology acumen.
Given a focus on enterprise risk (not technology) and risk mitigation (not attack prevention), the correct blueprint for cybersecurity review at the board level can best be expressed through the following three high-level questions:
1. Has your organization appropriately assessed all its cybersecurity-related risks? What reasonable steps have you taken to evaluate those risks?
2. Have you appropriately prioritized your cybersecurity risks, from most critical to noncritical? Are these priorities properly aligned with corporate strategy, other business requirements, and a customized assessment of your organization’s cyber vulnerabilities?
3. What actions are you taking to mitigate cybersecurity risks? Do you have a regularly tested, resilience-inspired incident response plan with which to address cyberthreats?
Naturally, these questions are proxies for the industry-specific and/or situation-specific questions particular to each organization that will result in that organization’s most productive cybersecurity review. The key to formulating the relevant questions for your organization is to find the right balance between asking enough to achieve the assurance appropriate to board oversight, but not so much that management ends up spinning wheels unnecessarily.
The rest of this chapter is a guide to framing board-level cybersecurity review issues for your organization by exploring meaningful ways to apply these high-level questions in a variety of circumstances and industries. The next step is yours, or your board’s: use this blueprint to drive cybersecurity enterprise risk discussions with management, critical stakeholders, and external experts. Doing so will help achieve cyber resilience for your organization.
The board’s cyber resilience blueprint
Boards are very comfortable managing financial issues and risks. They have audit committees, they have compensation committees, their members include former CFOs (to populate those committees), and they have plenty of experience reviewing financial
statements and analyzing profit and loss. The knowns are known and the unknowns are few, if any.
It is useful to juxtapose this stable, comfortable picture with the state of board-level cybersecurity discussion—that is, you may not yet be certain what questions to ask, or know what to expect from management’s responses. To help accelerate you toward the same level of stability and comfort you have managing financial issues, the following board-level cybersecurity review blueprint is organized into six areas:
1. Inclusive board-level discussion: empowering all directors to be accountable for cybersecurity
2. Proactive cyber risk management: incorporating cybersecurity into all early stage business decisions
3. Risk-oriented prioritization: differentiating assets for varying levels of cyber protection
4. Investment in human defenses: ensuring the organization’s cybersecurity investment goes beyond technical to include awareness, education, and training programs for employees
5. Assessments of third-party relationships: limiting cyber exposure through business partners
6. Incident response policies and procedures: mitigating potential risks when breaches occur.
1. Inclusive board-level discussion
Given the rapidly growing threat posed by cybercrime and the potentially devastating consequences of a major breach, it is critical that every director have enough of an understanding of cyber risk to be able to take an active part in the board’s cybersecurity review process, and that these discussions take place regularly—preferably at every meeting of the board.
A committee responsible for studying cybersecurity risk can cover both of these aspects of participation. With such a committee, someone on the board (i.e., the committee chair) becomes the stakeholder charged with becoming educated about cybersecurity risk and educating the broader group. Although the board will never need to know how to configure a firewall, there is much to learn about the nature of cybersecurity risks, their potential impacts on your organization, and successful mitigation approaches. It may also be appropriate to appoint a director with cybersecurity expertise for this purpose.
Establishing such a committee also fulfills the goal of consistent cybersecurity discussion. The chair can give a report, arrange for reports from the CIO or CISO, or facilitate talks by outside experts on issues around which additional subject matter expertise proves useful. Threat intelligence is an example of an excellent topic for an outside expert because it’s not a specialty most organizations have in house or that can be justifiably developed. A person or organization steeped in analyzing the tools, approaches, and behaviors of threat actors can look at your organization’s profile and provide customized insight that accelerates the board’s cybersecurity education.
To empower all directors to engage in cybersecurity review, board-level discussions should address issues in the enterprise risk language with which boards are already familiar. One requisite, therefore, is that boards not stand for technical jargon. Even reports from the CIO should be delivered in plain language free of specialized terms.
Active inclusion, in sum:
• Establish a cybersecurity risk committee, or add the subject to an existing enterprise risk committee.
• Discuss cybersecurity risk at every board meeting.
• Empower all directors to become educated and comfortable discussing cybersecurity risk.
2. Proactive cyber risk management
It is important to incorporate discussion of cybersecurity risk in all business decisions, from the beginning, because it is much harder and far less effective to consider cybersecurity after the fact. Whether a decision has to do with corporate strategy, new product launches, facilities, customer interaction, M&A, legal or financial issues, management should always proactively consider cybersecurity risk.
As an example, take the white-hot omni-channel marketing trend, which has retailers using mobile technology to collect data from their customers, and then exploiting that knowledge to better target marketing and promotions—sometimes, at the moment a customer walks into the store. Obviously, such retailers are gathering more information about their customers than ever before. How will they protect it? Do the mobile applications that make these approaches possible expose their organizations to new vulnerabilities? No matter how exciting the revenue-driving opportunity, these are questions that retail boards should be asking management as part of the decision to pursue such initiatives. Management should respond with some variation of, “Our software vendor says their security is X, and in addition, we’re doing our own testing to see how vulnerable the software may be before we introduce it to our customers.”
Boards should extrapolate the thinking in the above example to all aspects of their business decision-making. To apply proactive thinking to cyber strategy, consider growth through M&A. Boards should think through M&A cybersecurity risks in multiple dimensions. To name three: adding cybersecurity analysis of the target to their diligence process; protecting their M&A process from cyber breaches; and potential cyber exposure resulting from post-deal integration.
In both of these examples, it should be clear how challenging it would be to address cybersecurity concerns after the initiative gets underway.
Proactive cyber risk management, in sum:
• Think about potential cybersecurity risk from the outset of all business initiatives, from corporate strategy to new types of customer interaction.
• Think particularly about new kinds of risk associated with emerging digital business initiatives.
3. Risk-based prioritization
Everyone’s resources are limited. Because there are an infinite number of cybersecurity measures in which a company can invest, the trick is to prioritize such measures based on a customized assessment of the most serious threats facing your organization. Such assessments should be approached along two primary dimensions: your organization’s most valuable assets and its greatest cyber vulnerabilities.
Often, your most critical assets are obvious: payment card data for a retailer, the script of an upcoming franchise sequel for a movie studio, the source code at the heart of a software company’s bestselling product. Every board’s cybersecurity review must ask management what measures are being taken to protect a company’s most critical assets, beginning with development and on through production and distribution. Beyond the most critical are other assets that require differentiated gradations of protection. Identifying and prioritizing those assets is an information governance challenge, so the board also has to understand the organization’s information governance policy and have a sense for the quality of its execution. Has the company identified what are sensitive
data and where they are being held? What data are not sensitive and where are they being held? Are your retention policies ensuring you keep the information that is important and throw away everything else? We’ve all read headlines about breaches that could have been less sensational if the victims had better retention practices.
The second dimension—your company’s cyber vulnerabilities—is where customized threat intelligence plays a role. It means analyzing your network for weaknesses, learning where sensitive information is stored and how it is protected, and assessing your environment: the competitiveness of your industry (e.g., how valuable your intellectual property is to others) and the way information flows in concert with business processes (e.g., whether or how you store sensitive information about consumers or clients, what countries you do business in, and what that implies for your security).
The board’s cybersecurity review should include discussion of both dimensions, and the issues should be discussed often—these risks are not static. They can vary significantly over time and depend on evolving Internet connectivity and infrastructure complexity.
Risk-based prioritization, in sum:
• Optimize limited resources by prioritizing along two dimensions: what’s most valuable and what’s most vulnerable.
• Ensure the quality of policies and practices around the organization’s approach to information governance so that all assets are protected appropriately.
4. Investment in human defenses
Cyber defense and cyber resilience are as much human matters as they are matters of products and technology configurations. Although security technologies for protection and response are indeed necessary, boards should also ask about enterprise-wide cybersecurity education and awareness. Furthermore, investments in human defenses should be aligned to the insights from customized threat intelligence so they are focused on the ‘most valuable/most vulnerable’ prioritization discussed in the previous section.
When looking at cybersecurity investment, board reviews should include classic IT spending on systems that authenticate user identity and manage access, as well as compliance with applicable laws and regulations. However, that’s just the baseline. Boards need to think further, to issues such as the following:
How well does our IT knowledge/expertise align with the kind of challenges suggested by our threat intelligence reports?
Are we appropriately augmenting our internal staff with outside expertise?
Should we hire “white hat” hackers to attack our networks in search of gaps?
Should we test our employees’ anti-phishing awareness/ability?
No matter how well your security technology works, hackers can always go after the weakest link—humans—through a combination of tactics known as social engineering and spear phishing. The only defense against these phenomena is enterprise-wide education. Ongoing education and awareness programs, such as spear phishing training, should be part of the cybersecurity investment. Boards should ask about, support, and ensure these programs are aligned with business requirements.
5. Assessments of third-party relationships
Those of us paying close attention to the stories behind 2014’s cyber breach headlines know that in many cases the so-called “attack vectors” came through third-party relationships. Bad actors breached a business partner (that likely had weaker security than the intended target) and then used that partner’s access credentials to break into the target company.
But this is only one way in which third-party relationships create security vulnerabilities. As business collaboration surges, for example, the amount of confidential, trade secret, and intellectual property information that is being shared among employees of business partners skyrockets. This electronic flow of mission critical information, often across the open Internet, creates an environment ready-made for economic espionage. It used to be that such cases were a particular thorn in the side of only a few sectors, such as defense, energy, and technology. Today, all kinds of industries are targeted.
A board’s cybersecurity review should include an understanding of how the organization conducts cyber due diligence on third parties. Boards need a clear understanding of the third parties their organizations do business with and must prioritize those relationships in terms of high, medium, and low risk. Once a partner is identified as high risk (e.g., they have access to your corporate network), that partner’s own security posture must be understood. How much visibility does your organization have into your vendors’ security policies and practices? Do they respond to your security questionnaires? Do you have the right to conduct on-site validations/audits?
Boards also should require IT involvement early in the development of new business partner relationships. That way, information access can be better tuned to the business requirements of the partnership. An HR vendor, for example, may need access to your employee data, but that access may not need to be around the clock. Perhaps it can be controlled and limited to certain times of the month and/or hours of the day to limit risk exposure and enable finely tuned security monitoring.
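The HR-vendor idea above, an access window agreed to the partnership's actual business cycle, is easy to express as a policy check that also produces a monitoring signal: every request outside the window becomes an alert, so the same control that limits exposure also feeds detection. The following is an added example, not code from the guide or from Stroz Friedberg; the partner names, data set names, window boundaries and sample requests are constructed for illustration, and the policy model (days of month plus UTC hours) is a hypothetical one chosen for the example.

```python
"""Time-windowed third-party access policy with a monitoring signal.

Added example, not from the guide. A partner (here a constructed
"payroll-vendor") may read a data set only on agreed days of the month
and hours of the day; any other attempt is denied and returned as an
alert record for the security monitoring pipeline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessWindow:
    """Agreed window for one partner/data set pair (hypothetical policy shape)."""
    partner: str
    dataset: str
    first_day: int   # first day of month allowed, inclusive
    last_day: int    # last day of month allowed, inclusive
    start_hour: int  # UTC hour, inclusive
    end_hour: int    # UTC hour, exclusive

    def allows(self, at: datetime) -> bool:
        # Normalize to UTC; a naive timestamp is treated as UTC, never as
        # local time, so the decision does not depend on the server's clock zone.
        if at.tzinfo is None:
            at = at.replace(tzinfo=timezone.utc)
        at = at.astimezone(timezone.utc)
        return (self.first_day <= at.day <= self.last_day
                and self.start_hour <= at.hour < self.end_hour)


# Constructed sample agreement: the payroll vendor may read employee data
# on the 1st through 5th of each month, 08:00-18:00 UTC only.
POLICIES = {
    ("payroll-vendor", "employee-data"): AccessWindow(
        "payroll-vendor", "employee-data",
        first_day=1, last_day=5, start_hour=8, end_hour=18),
}


def evaluate(partner: str, dataset: str, at: datetime) -> tuple:
    """Return (decision, alert): decision is 'allow' or 'deny'; alert is a
    dict for the monitoring pipeline, or None when nothing is noteworthy."""
    window = POLICIES.get((partner, dataset))
    if window is None:
        # No agreement on file is the riskier case: this partner should not
        # be reaching this data set at all, so it is rated higher than a
        # known partner knocking at the wrong hour.
        return "deny", {"severity": "high", "partner": partner,
                        "dataset": dataset, "reason": "no agreement on file",
                        "at": at.isoformat()}
    if window.allows(at):
        return "allow", None
    return "deny", {"severity": "medium", "partner": partner,
                    "dataset": dataset, "reason": "outside agreed window",
                    "at": at.isoformat()}


def review(requests) -> dict:
    """Evaluate a batch of (partner, dataset, timestamp) requests and return
    counts plus the alert records, the shape a summary report or SIEM feed
    would consume."""
    summary = {"allowed": 0, "denied": 0, "alerts": []}
    for partner, dataset, at in requests:
        decision, alert = evaluate(partner, dataset, at)
        summary["allowed" if decision == "allow" else "denied"] += 1
        if alert:
            summary["alerts"].append(alert)
    return summary


# Constructed sample requests (timestamps are UTC).
SAMPLE_REQUESTS = [
    ("payroll-vendor", "employee-data",
     datetime(2015, 10, 3, 10, 0, tzinfo=timezone.utc)),    # inside the window
    ("payroll-vendor", "employee-data",
     datetime(2015, 10, 3, 23, 0, tzinfo=timezone.utc)),    # right day, wrong hour
    ("payroll-vendor", "employee-data",
     datetime(2015, 10, 20, 10, 0, tzinfo=timezone.utc)),   # wrong day of month
    ("marketing-agency", "employee-data",
     datetime(2015, 10, 3, 10, 0, tzinfo=timezone.utc)),    # no agreement on file
]

if __name__ == "__main__":
    result = review(SAMPLE_REQUESTS)
    print(result["allowed"], "allowed,", result["denied"], "denied")
    for alert in result["alerts"]:
        print(alert["severity"], alert["partner"], alert["reason"], alert["at"])
```

The point for a board-level review is the second output, not the first: a partner that is repeatedly denied outside its window is either misconfigured or being impersonated, and either way is worth a question to management.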
Assessments of third-party relationships, in sum:
• Review all business partner relationships for potential cybersecurity vulnerabilities.
• Empower IT’s involvement earlier in the development of business relationships.
Human investment, in sum:
• Supplement appropriate investment in information security products with continuous enterprise-wide cybersecurity awareness, education, and training programs.
6. Incident response policies and procedures
Armed with the knowledge that perfect security isn’t achievable and breaches are therefore inevitable, boards must ensure their organizations have well-honed policies for cyber incident response, and must test these plans with regular simulation exercises. Good incident response plans define the roles and responsibilities of the response team (including crisis communications, human resources, legal, IT, etc.) and establish clear initial action items, including notifications to internal and external resources who will lead an investigation or manage communications. Remember, preparing for the worst is not an admission of a weak or vulnerable network. On the other hand, a delayed, bumbling response to a security breach is what often leads to increased data loss, exposure to regulatory action, and reputational damage.
Two key thoughts boards should keep in mind when reviewing incident response plans were noted previously, albeit in a different context. First, it is critical to engage the entire enterprise in your incident response plan. IT security professionals can only do so much if an employee clicks on a spear phisher’s link, creating a hole in your network. Employees can be educated to avoid those clicks and incented to be first responders—or, at least, to notice these attempts to breach your company’s defenses. Employees are on the front lines of cybersecurity; prompt notice of a breach from an alert employee can often significantly mitigate damage. Second, your organization’s cybersecurity risk environment is a dynamic, ever-changing thing. Your incident response plan must be kept up to date and rehearsed continually, taking evolving threat intelligence into account.
Appropriate board-level review questions include the following:
What are the organization’s policies and procedures to rapidly identify breaches?
How are all employees empowered to monitor and report/respond?
How are we triaging/escalating once an incident is detected?
How is incident response integrated into IT operations?
What are we doing to align our cyber responses to business requirements and to ensure that all parts of the business understand their roles in the response plan?
How does our response plan match up with our threat intelligence? Are we characterizing our risk in a way that is consistent with the most likely attacks?
Incident response, in sum:
• Because breaches will happen, board review must ensure first-class incident response.
• All enterprise employees should be part of the incident response plan.
• Incident response must continually evolve—because threats do.
Conclusion: No surprises!
No one likes unpleasant surprises, least of all corporate boards. The goal of a board’s cybersecurity review is to avoid being unprepared for a cyber incident. Unfortunately, experience so far suggests that the only companies with truly top-grade, board-level cybersecurity plans are those that have experienced an unpleasant surprise in the form of a bad breach. They felt the pain once and don’t ever want to go through it again.
If you follow the board-level cybersecurity review thinking and principles discussed in this chapter, and partner with external experts that bring domain-specific knowledge and skills you may not have in-house, you can avoid surprises and be prepared to meet risk head on. The review approach described in this chapter will enable you to lead your organization’s shift from a paradigm of discomfort and uncertainty in the cybersecurity risk realm to one of assurance and comprehensive answers, facilitated by the board’s regular cyber risk discussions; from simple perimeter protection to around-the-clock monitoring and universally understood incident response; from lack of cyber risk awareness to enterprise-wide awareness led by top-down C-suite messaging and incentivized employee behavior.
The blueprint presented in this chapter can help ensure you truly have your eye on the cyber risk ball. Obviously, that doesn’t mean your company won’t be breached. But if—or when—you are, you will be able to handle the event with clear-eyed confidence that the risks have been properly managed.
[Figure: The board’s cyber review blueprint, showing its six elements: Inclusive Board-Level Discussion; Proactive Cyber Risk Management; Risk-Oriented Prioritization; Investment in Human Defenses; Assessment of Third-Party Relationships; Incident Response Policies and Procedures]
Dell SecureWorks – Mike Cote, CEO
Demystifying cybersecurity strategy and reporting: How boards can test assumptions
Cybersecurity is one of those issues that justify the statement, “It’s what you don’t know that can hurt you.” Although board engagement in cybersecurity risk is on the rise, corporate directors continue to struggle with the complexity of the subject matter, making it more difficult for them to assess whether the company’s strategy is effective. As one public company director recently stated, “I understand the magnitude of the risk, and I know we have significant resources decked against it, but as a board member how will I know if management has the right measures in place to keep us from being the next story in the news?”
This chapter does not explain how to eliminate the risk of a data breach. In fact, one requirement for being resilient against cyberthreats is to accept that breaches will happen. Nor does this chapter strive to make an expert of the reader. After all, the board’s job is to provide reasonable oversight of the risk, not manage it.
What this chapter does do is provide boards with a framework of inquiry—elements of a mature security strategy in plain language—to help directors have discussions with management about the company’s overall resilience against the threats. By understanding these concepts, directors will have a better context for testing assumptions when management reports on metrics such as the effectiveness of breach prevention, breach frequency, and response time.
Background: Who is behind hacking, and why do they do it?
Before delving into the right strategy for cybersecurity, it is helpful for boards to first understand the nature of the threat. Hacking has become a burgeoning global industry that generates billions of dollars in illicit trade annually. It’s fueled by a strong reseller’s market in which hackers sell stolen data to others who possess the desire but not
the tools to harvest valuable intellectual property. It’s funded by organized crime and actors within nation-states that not only operate beyond any jurisdiction but also have access to billions of dollars of capital to invest in these criminal operations.

The robust cyber black market offers stolen goods—from credit cards to personal identities—in large quantities at reasonable cost. Sellers also offer money-back guarantees on the quality of their goods. Buyers can obtain tutorials for hacking or for using stolen data, and they can even hire subcontractors to do the dirty work.

It’s not always about the money. From attacks based on sectarian hate between nation-states to sabotage from a bitter, laid-off employee, motivations for hacking run deep and wide. Anger about environmental policies and resentment against the excesses of Wall Street are among other examples. Whatever their reasons, hackers are focused on stealing, disrupting, or destroying data every moment of every day. There are thousands of cyber criminals around the globe. They work around the clock, for free or for hire, on speculation or with a known purpose, trying to invent new ways to steal or harm a company. They have the funding and technology to be not only persistent but also highly adaptable, and the barrier to replicating their cyber weapons is low in contrast to the physical world. They have the luxury of always being anonymous, always on offense, and seldom prosecuted.

Companies, on the other hand, are highly visible, and by virtue of being connected to the Internet must operate in an environment where being attacked by hackers is the norm. Companies must prevent, detect, defend against, and take on the threat without the luxury of knowing when they’ll be attacked, by whom, or on what front.

A mature cybersecurity strategy prepares for and responds to this challenging environment. Breaking that strategy down into its core elements provides boards with a useful framework for discussing risk assumptions with the chief information security officer.

Elements of a mature security strategy . . . in plain language

1. Determine what needs protecting and who holds the keys.

Companies begin their journey to resiliency by identifying and prioritizing the assets they must protect. What do cyber criminals want that they can get from us and why? Do employees handle intellectual property that could make or break us competitively? Do we collect personally identifiable information that cyber criminals could sell to identity thieves? Do we store customer account information? How would someone take command and control of our infrastructure or systems?

It is equally important to know where those coveted assets are located. Many boards are surprised to learn that the information security team is fending off hackers across the entire enterprise, even outside it: for example, in a supplier’s network, on a home computer, or on an employee’s iPad, where he or she just reviewed a proprietary schematic. Hackers are capable of scanning for vulnerabilities wherever someone connects to the Internet, and business leaders must operate under the assumption that even they are a target.

As with sensitive financial information, only those who need access to the assets should have it, and policies should be in place to ensure stringent controls. Administrator passwords are gold to cybercriminals, and increasing the number of people with access to them effectively multiplies the ways that hackers can attack.

2. Prevention is not an endgame.

It’s tempting to think that we can eliminate breaches if we just put more effort into prevention at the front end, but information security professionals know that eliminating the possibility of a breach is an unrealistic goal in today’s environment. Preventative tools such as firewalls play an essential role because they provide the first layer of defense: they ‘recognize’ and stop the threats
we already know about. As we already established, however, hackers are highly adaptive. No one piece of technology can provide a complete defense. A good security program assumes that at some point prevention will fail and the business will have to deal with threats in its network.

Detection then becomes the focus. Companies need the right technology, processes, programs, and staff to help them detect what has happened so that they can find the threat and respond more quickly to contain and eradicate it. The question is not if the hackers will get in but when. Board members may test this assumption by asking their security team, “Do we know if hackers are inside our defenses right now? How do we know when they get in?”

3. You can’t defend with your eyes closed.

No one wants to be blindsided. If a company’s security team can’t “see” what is happening on the network and across all of the endpoints such as workstations, point-of-sale terminals, and mobile devices, then the company will have little chance to detect or respond quickly to an attack when prevention fails. Visibility across the enterprise is an essential attribute of the cybersecurity strategy because it helps companies respond to unusual activity more quickly, reducing downtime and related costs.

Business leaders should know that having visibility means collecting large amounts of data from all of those places. Unfortunately, those data are useless if the security team doesn’t have the bandwidth to analyze and act on them. The information security industry has responded to this problem, and services are available to manage the data, do the heavy lifting, and sort out what is actionable. The actionable data can then be fed back to the information security team to more efficiently zero in on the threats that need their immediate attention. Boards may ask whether their security team is managing all the data itself and, if so, whether it still has the bandwidth to focus on the actual threats.

4. Stay a step ahead: The future won’t look like the past.

To stay one step ahead of the threat, an information security program should also be able to predict what the adversary will do next. To make financial predictions, business leaders apply internal and environmental intelligence to test assumptions. In the case of cybersecurity, security teams should apply “threat intelligence,” which tells them the intent and capabilities of current, real-world hackers who may want to harm them. Gathered from a company’s own environment and often supplemented with much broader environmental intelligence from a third party, threat intelligence can be applied to cybersecurity technologies and human procedures. As a result, the enterprise is able to anticipate the nature of forthcoming attacks and more effectively allocate limited resources to stop them.

Companies with the ability to predict can also defend earlier with less effort and recover faster when a breach occurs. When boards and management discuss metrics like breach frequency, response time, and potential impact, it’s helpful to know if the security team is applying threat intelligence to help them make their assumptions.

5. Educate and train vigilant employees.

One of the most important defenses against cyberattack is an informed, vigilant employee population. Employees and executives are often targeted with carefully crafted emails designed to be relevant to the employee’s personal or work life. In reality, these phishing emails are often loaded with malicious code. One click by a less careful individual can deploy a cyber weapon into the company’s network and execute various actions that shut down critical business functions or steal information and accounts. Similar tactics may be used over the phone to get employees to divulge confidential information such as client lists, which can then be paired with other stolen data to complete a set of stolen identities.
The bottom line is that human behavior is just as important as security technologies in defending against the threat. Boards should know whether employee awareness and training programs are in place and how effective they are. The best programs will simulate how hackers may trick an employee and provide on-the-spot training if the employee falls victim. An open dialog in these cases helps employees and the organization as a whole learn from mistakes. It also builds a culture of security awareness.

6. Organize information security teams for success.

Defending and responding effectively against cyber adversaries also depends on manpower and expertise. Technologies cannot be used to full advantage without highly skilled people to correlate, analyze, prioritize, and turn the data into actionable intelligence that can be used to increase resilience. A properly organized and staffed security team needs people with many different types of expertise and skills. It requires people to deploy the technologies, understand what the threats are, determine what hackers are doing, fix system and software vulnerabilities, and counter active threats. Although these professional capabilities are interdependent, they are not all interchangeable, requiring different training and certifications. Information security leaders also need the management skills to put the right governance processes and procedures in place, advocate for security requirements, and communicate risk to senior management.

Boards are encouraged to inquire as to whether the security team has the bandwidth and manpower to be able to respond to and remediate a crisis, as well as to handle day-to-day operations. Security teams should be organized to focus on what matters most—immediate threats—and other resources should be considered where there are gaps.

7. Measure effectiveness, not compliance.

It is impossible for a company to know how effective its security program is against real-world attackers unless it conducts real-world exercises to test its defenses. Compliance frameworks can improve rigor in many areas of cybersecurity, but it is folly to assume that following a compliance mandate (or even passing a compliance inspection) is commensurate with resilience. No matter how well architected a security program is against recommended standards, no two companies’ environments are alike. That’s why it is so important to battle-test one’s own environment. Network security testing emulates actual hackers using real-life tactics such as phishing to validate how well defenses work against simulated attacks. By learning how hackers penetrate security defenses, companies can determine actual risk and resource cybersecurity operations accordingly. Testing also helps companies meet compliance mandates. Compliance should be a by-product of an effective security program, not the other way around.

8. Emphasize process as much as technology.

Technology is only half the solution to making a company resilient. Breaches can occur as the result of human and process errors throughout the enterprise. Take the example of recent high-profile cases in which weaknesses in a supply chain or a business partner’s security allowed hackers to access the parent company’s network and do significant damage. Leading practice today is for companies to insist, by contract, that their business partners meet the same security requirements.

However, what if a business line leader fails to insist on contract requirements in the interest of going to market quickly? What happens when business enablement trumps security in the far reaches of the business, where people think, “No harm done”? Adequate checks and balances should be in place to ensure that IT security and business procedures are being executed, and policies
should hold relevant business leaders and employees accountable for implementation. How do you know when procedure isn’t followed? Real-world testing confirms not only the effectiveness of your defenses but also the process, policies, and procedures that keep those defenses in place, operational, and optimized for resilience.

Summary: A framework for oversight

By the very nature of being connected to the Internet, companies are targeted 24/7, 365 days a year by anonymous, sophisticated hackers who strive to steal from or harm the business and its employees. That ongoing challenge is taking place across the entire enterprise, not just on the network, so it’s important to remember that we all play a role in managing the risk: employees, business partners, and even board members. There is no silver bullet piece of technology that will eliminate all danger, and being resilient is just as dependent on people and process as it is on technology. A cybersecurity ‘win’ in this environment is defined as how effectively and efficiently the company finds and removes threats from its environment and whether it remains fully operational in the process.

Cybersecurity risk is an enterprise risk, not a function of IT. For boards to provide reasonable oversight they’ll have to understand what the company is protecting, inquire about how well the company is organized to defend those assets, and explore whether it has the manpower and capabilities to respond and remediate in the event of a breach. Compliance is an important element of cybersecurity, but it is a by-product of a good program, not the measure of effectiveness. Nor is it a guarantee of security, as illustrated by many recent high-profile breaches in which companies had already met the requirements for one compliance mandate or another.

Difficult decisions about funding can be made more easily by discussing how existing resources are allocated. Many business leaders fear that “we’ll never spend enough,” but experience shows that a pragmatic approach to funding the security program is to focus on effectiveness and prioritization:

• Determine actual vulnerabilities by regularly testing defenses.
• Detect the perpetrators more quickly by increasing visibility.
• Predict and mitigate risks more quickly and efficiently by applying threat intelligence.
• Apply time, attention, and funding accordingly.

Companies may also want to consider third-party providers to monitor, correlate, and analyze the massive quantity of data that a mature security program generates. This allows valuable, and sometimes scarce, human resources to focus on the actual threats. A reputable third party can also provide the testing that determines effectiveness and be a helpful validator of the program.

Armed with an understanding of what a mature security program looks like and how it plays out across the entire enterprise, boards will be better equipped to discuss the company’s current strategy and inquire about assumptions in the metrics.
Cyber risk corporate structure

Palo Alto Networks Inc. – Davis Hake, Director of Cybersecurity Strategy
The CEO’s guide to driving better security by asking the right questions

I recently met with a chief information officer (CIO) whose chief executive officer (CEO) had just taken a striking and dramatic interest in cybersecurity. He had read an article in the paper about cyberthreats to major corporations and wanted to know what his own company was doing to solve the specific problem described in the article. The CIO was incensed, because the question would inevitably force him to shift priorities for his already overworked team to an issue that had little to no effect on their actual security efforts. There is an old saying in the disaster response community that you shouldn’t exchange business cards during an emergency. In essence, you need to familiarize yourself with the risks and relevant people before an emergency so security teams are not blown in different directions depending on the new security scare of the day.

Similarly, CEOs cannot familiarize themselves with cybersecurity narrowly through the lens of a single incident that occurs on their network or with one of their competitors. The danger in responding to a singular event or threat in isolation—or daily incidents we read about in the press—is that this is a reactive approach rather than a holistic, risk-based approach. Cybersecurity is the poster child for this phenomenon. Executives know that there is a newfound focus on cybersecurity at the boardroom level—incidents like Target’s 2013 data breach have been a wake-up call for many—but there is often still a severe lack of understanding about the real risks behind the headlines. The statistics also back up the magnitude of these anecdotes.

A recent New York Stock Exchange (NYSE) and Veracode survey looking at boardroom attention to cybersecurity found 80 percent of participants said it is discussed in most or every boardroom meeting. They noted specifically that “responsibility for attacks is being seen as
a broader business issue, signaling a shift AWAY from the chief information security officer (CISO) and the IT security team.” Where is this shift moving to? “When a breach does occur, boards are increasingly looking to the CEO and other members of the executive team to step up and take responsibility,” said the authors.

Yet despite this shift in perceived responsibility to the executive level, there does not appear to be the same drive to connect technical teams to the board-level focus on concerns about cybersecurity risk. A 2015 Raytheon and Ponemon Institute study of those with the day-to-day technical responsibility for cybersecurity (CIOs, CISOs, and senior IT leaders) found that 66 percent of respondents believe senior leaders don’t perceive cybersecurity as a priority. What this means is that while CEOs are increasingly on the hook from their boards for being savvy about cyber risks, many are not yet engaging with the necessary parts of their organization to address cybersecurity issues.

Our hope is that this guide can prime you to ask productive questions that drive better people, processes, and technological change to reduce the risk of successful breaches of your organization. As the CEO, it is your job to balance risk and reward within your company. Cyberthreats are not magic, hackers are not wizards, and the risks to your specific organization from a breach can be managed just like any other risks that you make decisions about every day. In fact, these risks can even be turned into opportunities for new innovation.

But where to begin? You want to avoid causing unnecessary work, but you are required to participate in, and often lead, the conversation around addressing cyber risks. When the U.S. Government began working with members of the IT and critical infrastructure industry on a Cybersecurity Framework for improving critical infrastructure cybersecurity, a key point that arose was the need for nontechnical tools that could be used at an executive level. Technical best practices have existed in international standards and government agencies for years, but common problems such as a lack of investment, absence of high-level strategy, and failure to integrate into business operations still plagued many organizations struggling to address cyberthreats. Seeing this tension in many of the organizations they were briefing on cyberthreats, the U.S. Department of Homeland Security worked with current and former executives to help capture five simple questions that a CEO could ask his or her technical team, which would also drive better security practices. They are:

1. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3. How does our cybersecurity program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is the plan tested?

The team that coordinated the Cybersecurity Framework also provided key recommendations to leadership, to align their cyber risk policies with these questions. First and foremost, it is critical for CEOs to lead incorporation of their cyber risks into existing risk management efforts. Forget the checklist approach; only you know the specific risk-reward balance for your business, so only you can understand what is most important to your company. It seems simple, but with cybersecurity, the default practice tends to be for organizations to silo considerations about risks into a separate category apart from thinking about their valuable assets. You have to start by identifying what is most critical to protect and work out from there. The process of aligning your core value with your top IT concerns is a journey and is not
something that can be solved in one lump investment or board meeting. Just like any risk analysis, it requires serious consideration and thought about what is most important to your core business practices.

Which brings me to the second recommendation to come out of the Cybersecurity Framework effort: don’t begin your journey alone! Bring your leadership team, especially your CIO, chief security officer (CSO), and CISO, into the conversation from the start, to help determine how your IT priorities match to your business goals. Building a diverse team that includes other leaders, such as your head of human resources, will help foster a culture that views cyberthreats not as “someone else’s problem” but as challenges that should be addressed and dealt with as an entire organization. For example, cyber criminals still continue to successfully use fake emails as a primary method for gaining access to a company’s network. Stopping these attacks requires not just a technical solution but also strong training, which is often the responsibility of human resources and not your IT security team.

As more significant challenges arise, and they will do so often and unexpectedly, lean on your leadership team to evaluate problems in relation to the impact on your other business risks. Then let your team address them based on your existing business goals. For example, if you experience a cyber breach or accidental disclosure of sensitive information, a diverse leadership team is incredibly helpful at not just responding to the technical problems but also ensuring other areas such as public image, legal ramifications, and revenue impact are taken into consideration in any mitigation and remediation efforts. It is your job to help frame the problem for your team and provide oversight and guidance, not micromanage a crisis.

As with normal business operations, you should also be asking your team to assist you in the day-to-day requirements of your cybersecurity, such as reviewing IT budgets and personnel security policies. None of this is surprising, and you will find that despite not having a cybersecurity background, you will certainly be able to make valuable contributions about which cyber risks are acceptable. You will find situations where the operational priorities that you are responsible for as CEO outweigh cybersecurity risks. Your perspective on these matters is what makes you core to leading cybersecurity efforts in your organization.

Finally, as with any risk management effort, you must plan for the best but prepare for the worst. Cyberthreats are very real, and advanced hacking tools once available only to nation-states are regularly sold on the online black market. There are technical architectures that can prevent and limit damage done by cyberattacks (see Palo Alto Network’s other chapter, “Designing for breach prevention”), but no solution is ever 100 percent. Developing an incident response plan that is coordinated across your enterprise and regularly tested is vital for even the most well-defended organizations. Use your existing risk management practices and your leadership team to identify your most important assets; then plan for what would happen to your company if those assets were shut off or inaccessible for a sustained period of time. Similar to fire drills, regular practice also helps you stay aware of cybersecurity’s constantly changing environment and shows a personal interest that will signal the issue’s importance throughout your company. There are also excellent chapters in this book to get you started in setting up an incident response plan, and there are many good companies that specialize in the sticky problems of rebuilding your network when you need to call in the cavalry.

While risk management is a strong approach to tackling the challenges of cybersecurity, the bottom line is that it will often require some investment in new people, processes, or technology. A common myth is that security must be a cost center for every organization. This view has plagued IT security experts for years, as their efforts are viewed as drains on resources that would otherwise be bringing in revenue. But as you start to lay out cybersecurity from a
risk management perspective, you will be forced to identify your most valuable assets, pressing vulnerabilities, and core motivations. This introspective approach can also drive new ideas applicable to your core business lines. It is imperative that you recognize these innovations and make the right investments to reap both the benefits of better security and new business opportunities.

For example, take a company that wants to enable its sales staff to securely meet with customers face to face away from the office for consultations. Using mobile devices and phones to access internal company data, such as customer accounts, from the field can open serious cyber risks. In this case you could ensure that when purchasing a mobile platform, you also choose a security vendor that can provide mobile device management capabilities. This allows your IT department to secure lost or stolen devices and limit malicious software that could be accidentally downloaded by employees (or often their kids), limiting cyber risks and enabling flexibility of your sales team.

Another great example is the use of software as a service (SaaS) products. You may know these as web-based email or online storage services. They are incredibly popular for their low cost, flexibility, and availability across multiple platforms, but they also exist on servers outside your control and can present a huge risk from users accidentally making company resources available to external parties. There are now innovative solutions that can manage these programs just like any normal application that lives on your network and even block only their malicious uses.

True leadership in any issue doesn’t involve simply throwing more money at the problem; you must always balance the risks and rewards of your decisions and investments into a coherent strategy. Cybersecurity is no different. Unfortunately, today’s reality is such that cyberthreats will remain an issue of fear for boardrooms in the foreseeable future, leading to default knee-jerk reactions as new threats evolve. Ultimately, we must get to a place where cybersecurity is a normal part of any business’s operational plan. With cool-headed, rational leadership, you have the unique ability to help transform this issue in your company from a crisis to an opportunity for real innovation.
Coalfire – Larry Jones, CEO and Rick Dakin, CEO (2001-2015)
Establishing the structure, authority, and processes to create an effective program

Cybersecurity program oversight is currently an unsettling process for many C-suites and boardrooms. Establishing structure, authority, and program oversight should be aligned to existing management processes and structure for other critical programs. However, cybersecurity programs remain unsettling. Why?

Simply put, cybersecurity programs address a different type of risk. Typically, the risk that is being addressed includes sophisticated attacks that are intended to interrupt operations or steal sensitive data. In either case, organizations find themselves under attack. In the case of Sony, a nation-state attacked the company for the sole purpose of disrupting the distribution of media. In the case of JP Morgan Chase, a highly sophisticated adversary launched a denial of service attack against the service delivery platform to disrupt the flow of transactions. Both cases provide business justification to manage cybersecurity initiatives as a bet-your-business type of risk management program.

The connection between the boardroom and those managing the technical infrastructure is critical. However, no board or C-suite has the skills or knowledge of the threat landscape or technologies involved in cybersecurity programs to flatten the management structure for top-to-bottom direct management. Each level of the organization must participate in an integrated and collaborative fashion. The structure and risk management responsibilities have been documented many times by well-respected cybersecurity organizations such as the National Institute of Standards and Technology (NIST) in a series of special publications. Coalfire has specifically supported the local adoption and application of these general principles for the electric utility, financial services, health-care, and retail sectors. As a result, this chapter leverages the lessons learned from those previous engagements to provide a condensed but effective approach to
cyber risk management and cybersecurity program creation and oversight.

First, the nature of the threat landscape is evolving, while the underlying technology platforms that hold sensitive data are also changing. In this fluid environment, management must create a nimble program of active cyber defenses informed by an iterative risk management process. For the foreseeable future, cybersecurity program oversight will not be one that can be reduced to an annual review process. When cyberattacks go undetected for months and then bring a company to its knees overnight, the level of vigilance and communication is heightened. To be effective, the structure has to be distributed throughout the organization, and risk thresholds have to be set that cause unplanned alerts to drive management action on a regularly scheduled review and ad hoc incident-response basis.

Often the primary risk to cyber assets is a cyberattack. The sophistication and determination of known threat actors drives the executive team to put on war paint and respond in kind. Unlike other enterprise risks that can be managed with traditional controls, cybersecurity requires the mindset of a warrior. Think in terms of Sun Tzu’s guiding principles published in 473 BC, The Art of War: “we must know ourselves and our enemies and select a strategy to positively influence the outcome of battle. There is no reason to fear the attack but there is reason to be concerned about our readiness to defend ourselves from the attack and respond appropriately.”

The most common approach for creating and maintaining an enterprise cybersecurity program follows a five-step risk management process. The process is iterative and constantly informed by new information. I am often asked, “When will the cybersecurity program be completed?” Unfortunately, the answer is never. Cybersecurity has to be viewed as a process and not an end point, the proverbial marathon versus sprint. Each of the steps in the process requires participation at multiple levels across an organization.

[Figure: Cybersecurity Program Benchmarks: Plan, Protect, Detect, Respond, Adjust]

1. Plan
   i. Cyber asset inventory and environment characterization
   ii. Risk assessment and risk management strategy
   iii. Governance and organization structure
2. Protect
   i. Program control design, control selection, and implementation
   ii. Training
   iii. Maintenance
3. Detect
   i. Threat and program effectiveness monitoring and reporting
   ii. Incident alerting and response planning
4. Respond
   i. Event analysis and escalation
   ii. Containment, eradication, and recovery
5. Adjust
   i. Lessons learned and program adjustment
   ii. Communications

The rest of the chapter addresses each step of the cybersecurity program development process and highlights responsibilities for stakeholders throughout the organization.
ESTABLISHING THE STRUCTURE, AUTHORITY, AND PROCESSES TO CREATE AN EFFECTIVE PROGRAM

Plan

Cyber asset inventory and environment characterization

In accordance with the principles of Sun Tzu, "know thyself." When cybersecurity programs are managed at only a technical level, the focus of the program is at risk of being misdirected. Sensitive data hosted on an inexpensive platform may belie its true value to the organization. Only senior executives and business unit managers understand the relative importance of specific operations or data.

Simple cybersecurity program designs often include some level of network and data segmentation, encryption, or levels of access. As a senior executive, one of the things you should be asking is whether your most important systems and most sensitive data are properly deployed in the protected zones within your system architecture. However, the IT team will never know how to answer that question if senior management (specifically business unit management) does not provide guidance on the relative importance of business functions and their associated systems.

The new generation of CIOs and CISOs understand this principle completely, and the best of them have structured the operating environment and security programs to focus on the most important cyber assets. However, to assume all CIOs or CISOs understand this principle of critical asset classification and environment characterization is dangerous, because many do not. The most important part of this discussion is, "Does every business unit manager understand what his or her most critical cyber assets are and where they are deployed?" Even if the CIO and CISO understand the relative priorities, senior executives cannot effectively participate in either cyber risk management or cybersecurity program oversight without first understanding the extent of the environment being protected.

As a quick warning, many of my clients have the false expectation that cybersecurity has become a critical part of the design for new or more modern platforms being purchased from large vendors and hosting providers. This expectation has proven false so many times that it is more realistic to expect that vendors have done little to inherently protect systems or data in the native design of their systems. In many cases, unless deployed appropriately, new cloud and mobile applications can actually decrease the level of cybersecurity already deployed on legacy systems. It is the responsibility of each executive to fully define his or her operating environment and include critical third parties in the assessment.

Although lack of cybersecurity integration by vendors is not universal, we're seeing some enlightenment in a few security-focused service providers. However, it remains a serious concern for the majority of new system acquisition and support processes, and cybersecurity typically shifts to an add-on feature after procurement of a major new system in many cases. In short, the process of identifying critical cyber assets and the systems that support those assets will remain a key part of the cybersecurity program oversight function for the long term. The process of 'knowing thyself' has been expanded to knowing your partners and vendors and where your sensitive data has been shared or managed by third parties.

The following is a quick test:
• What are your top 3 most important business processes, and what systems support those functions?
• Does the way your CIO answers the previous question match your understanding of critical systems?

Risk assessment and risk management strategy

After a solid understanding of the battlefield is established and executives appreciate the critical cyber assets being protected, an assessment of risk to those cyber assets is critical to the design of the cybersecurity program. The ability to adjust the program to meet the evolving threat landscape and technology architecture shifts is an important component of organizational security maturity. Responsibilities for conducting an effective cyber risk assessment are distributed at three levels, as shown in Figure 2.
[Figure 2: Cyber Risk Organizational Structure and Responsibilities. Tier 1: Executive Leadership; Tier 2: Business Management; Tier 3: Systems Management. The flows between the tiers are labelled corporate strategy and policy, guidance and constraints, actionable policy and procedures, and results of monitoring and feedback.]

The primary objective for a risk assessment is to drive selection of adequate and rational controls and then assign responsibilities to manage those controls. During the process the environment will be characterized to bring context, and the existing system vulnerabilities and weaknesses will be evaluated to select controls to offset the probability of compromise during an attack. A comprehensive cybersecurity program addresses administrative, physical, and technical controls as an integrated suite.

Once the inherent threats and vulnerabilities are understood within the context of the impact they could have on the organization, its clients, and partners, senior executives must approve the risk management strategy. Many executives want to see all risk either mitigated or transferred. However, the bulk of companies in critical infrastructure industries end up accepting some level of risk in their strategy. Cost, continuity of operations, or other concerns may drive the formation of the cybersecurity program to mitigate what is reasonable and accept the residual risk. Cybersecurity insurance is becoming an increasingly popular means of transferring risk but comes with the requirement that you understand risk in ways that may not have been previously considered. It is important that the business units and security staff are able to communicate the constraints as well as the risk mitigation alternatives for senior executives to make reasonable decisions on risk management strategies.

Governance and organization structure

The risk assessment management duties and responsibilities are typically allocated in accordance with Table 1.

Protect

Program design and implementation

The outcome for any cybersecurity program is the expectation that an organization can defend its critical cyber assets from irreparable damage resulting from a cyberattack. The impact of a cyberattack is different for every organization. As a result, the cybersecurity strategy and associated program must be considered against the potential impact.
TABLE 1: Levels of Authority and Responsibility
Columns: Executive, Business Unit, Systems Management (items are listed in the order they appear across the three columns)

• Prioritize critical assets
• Establish risk appetite
• Approve risk management strategy: mitigate the risk, transfer the risk, accept the risk
• Approve the program and policies
• Assign responsibilities
• Provide oversight
• Define boundaries
• Design use case scenarios to understand impact from system attack and compromise
• Identify constraints for mitigating all risk
• Develop a justified risk management strategy
• Identify all required users of systems or delegates to receive data on a "need to know" basis
• Recommend technical and physical controls
• Identify threats and system vulnerabilities
• Evaluate the likelihood and probability of impact for each threat and vulnerability
• Estimate the impact on systems and operations from a financial, legal, and regulatory perspective

Although security programs are different for every company, the principles for developing the program are fairly consistent. NIST Special Publication 800-53 has done a good job in describing the selection of controls for high-, medium-, and low-level impacts. Every organization needs access controls, but only those that result in national security impact are realistic candidates for deploying the high-level version of that control. Many executives are "sold" a package of controls because they are used by the NSA, but the question to ask is, "How does the NSA mission relate to our operations?"

As discussed in the risk assessment segment, executives have to define their risk appetite. This is hard during the early days of cybersecurity program development because most C-suites have an inherently low risk appetite and do not yet understand the impact of lowering the threshold for control selection. As a result, cybersecurity programs are often a work in process for several years.

Training

The best cybersecurity programs are the ones that staff and partners will actually execute. Contrary to what many vendors and partners will tell you, the magic is not in the security solutions selected. Rather, the magic is in the ability of the organization to manage those solutions to mitigate risks. Because security skills are scarce in the industry today and growing increasingly rare, companies should expect to spend a disproportionate amount of training dollars on cybersecurity.

Maintenance

Anyone working in forensic response will tell you that system compromise and data breach are rarely the result of some sophisticated attack that no one has ever seen before. The bulk of effective attacks use vulnerabilities that have been known for years. Cross-site scripting, shell or SQL injection, shared administrator accounts, lack of patching, and other standard security hygiene issues are normally the culprits. Two significant operations go dramatically underfunded in most organizations. The first is maintenance of systems and security controls, which leaves organizations vulnerable to attack.

Detect

Program monitoring and reporting

The days of 'acquire, deploy, and forget' are over. For years, senior executives did not have to participate in cybersecurity program
oversight, because a combination of firewalls, malware protection, and light access controls was adequate to defend against previous generations of relatively static cyberattacks. Today, continuous monitoring is critical to see the evolving threat and technology landscape.

Cybersecurity programs have moved from a period of static defenses to active defenses, and we must become more nimble to successfully protect critical systems and sensitive data. From a military perspective, think of this shift as moving from multiple armored divisions with significant force and firepower protecting cities or regions to the more recent Special Forces mindset, in which quick detection and reaction are the key to success.

In the previous section, we mentioned two areas for increased investment. The second area is to develop cybersecurity programs with a much higher focus on threat intelligence, monitoring, and alerting. This requires new security solutions and specially trained security professionals. The old line of firewalls, malware protection, and access controls is still required, but much more active system patching, vulnerability management, and monitoring are driving modern security programs.

To avoid the perception of negligence, senior executives often reinforce old-line security controls that are audited for regulatory compliance. However, focusing only on compliance will not secure an organization. Cyberthreats are ongoing, while compliance is a point-in-time review. What is needed to address increasing cyberthreats is a nimble program that can suffer an intrusion but repel the intruder and recover operations quickly. Just as a good boxer needs to be able to take a punch and stay in the ring, companies today must be able to absorb a cyber punch and keep operating while at the same time mitigating and recovering.

Incident alerting and escalation

Identifying a potential attack is only half the solution. Cybersecurity programs must alert the technology teams and business units to respond appropriately. One potential response is to take systems offline. Without executive and business unit involvement, a poor decision could be made.

Respond

Response capabilities vary after discovery of a cybersecurity incident, and organizations are typically faced with two unappealing options:

1. Pull up the drawbridge and stop the hordes from overrunning the castle.
2. Keep the drawbridge down while trying to figure out where the bad guy is.

The most immediate, and some say rational, response is to "pull up the drawbridge" to eliminate whatever access hackers have. Unfortunately, this alerts the bad guy that you know he's inside, so whatever systems and accounts he may have compromised or whatever backdoors he's created will be unknown. On the other hand, if a company decides to take option two, to play it low-key and continue with business as usual to determine the scope of the problem, the organization can determine what systems have been compromised, what new privileged accounts have been created, and what back doors may exist. This will give the company a better chance of long-term success in eliminating the breach and repairing lost or damaged information. One response is not necessarily better than the other, because situations vary. However, these critical decisions must be made almost immediately.

Adjust

No program is ever perfect. Continuous monitoring and reporting will enable all three tiers of responsibility to constantly adjust the program and inform the other tiers of actions.

Summary

Effective cybersecurity program development and oversight requires executives to implement and manage a distributed process at three levels within an organization: executive level, business unit level, and operational level (Table 2).
TABLE 2: Levels of Authority and Responsibility
Columns: Executive, Business Unit, Systems Management (items within each row are listed in column order)

Plan:
• Prioritize systems and functions for protection
• Establish risk appetite
• Inventory critical systems
• Risk assessment
• Select justified controls
• Develop an architecture to integrate controls
• Provide periodic updates to executives to help them understand context for the program

Protect:
• Approve cybersecurity program strategy
• Approve standards and metrics for control oversight
• Approve policies
• Train users
• Enforce controls
• Design and manage physical and logical controls
• Design, deploy, and manage technical controls

Detect:
• Receive periodic threat briefings and controls effectiveness reports
• Receive periodic education on changes to the threat landscape and emerging controls
• Incident and event reporting from staff, partners, and third parties
• Operate system and control monitoring
• Actively participate in threat intelligence functions

Respond:
• Lead Incident Response Team
• Participate in the Incident Response Team
• Containment
• Recovery

Adjust:
• Allocate resources for program enhancements
• Deploy enhanced training
• Deploy updated administrative and physical controls
• Provide advice for control enhancements

If Sun Tzu lived today, he would clearly see the nature of current cybersecurity programs and responsibilities and recognize the criticality of executive-level management. We have to take a warrior's attitude in developing strategies and programs to be successful in combating the cybersecurity challenges we face today.

Cybersecurity legal and regulatory considerations
Booz Allen Hamilton – Bill Stewart, Executive Vice President; Dean Forbes, Senior Associate; Agatha O'Malley, Senior Associate; Jaqueline Cooney, Lead Associate; and Waiching Wong, Associate

Securing privacy and profit in the era of hyperconnectivity and big data

Companies increasingly use consumer data, including personal information, to stay competitive; this includes the capability to analyze their customers' demographics and buying habits, predict future behaviors and business trends, and collect and sell data to third parties. Consumers' willingness to share their data centers on trust, however, and 91% of adults believe that they have lost control over how their personal information is collected and used (2014 Pew Research Center). So how do companies effectively manage consumer data while simultaneously building trust? It has been said that you cannot have good privacy without good security. A first step is to build an effective security program while also better understanding what privacy means and how it can be a strategic business enabler in our era of hyper-connectivity and "big data".
[Callout: 91% of adults "agree" or "strongly agree" that consumers have lost control over how their personal information is collected and used by companies.]

Why does this matter? The data economy

The power and insights driven by consumer data have changed the corporate landscape. This has created the data economy—the exchange of digitized information for the purpose of creating insights and value. Companies are building entire businesses around consumer information, including building data-driven products and monetizing data streams. This is a supply-driven push made possible by widespread digitization, ubiquitous data storage, powerful analytics, mobile technology that feeds ever more information into the system, and the Internet of Things. This also has a demand-driven effect as more consumers expect their products to be "smart" and their experiences to be targeted to delight them on an individual basis.

The data economy goes beyond the tech industry. For example, many supermarkets now record what customers buy across their stores and track the purchasing history of loyalty-card members. The most competitive companies will sift through this data for trends and then, through a joint venture, sell the information to the vendors who stock their shelves. Consumer product makers are often willing to purchase this data in order to make more informed decisions about product placement, marketing, and branding.

The enabler of the data economy is data itself. Individuals generate data. They do this every time they "check in" to a location through a mobile app, when they use a loyalty card, when they purchase items online, and when they are tracked through their Internet searches. Companies gain consumers' trust and confidence through transparency about the personal information that they gather, providing consumers control over uses and sharing of such information, and offering fair value in return.

[Callout: Every minute, Facebook users share nearly 2.5 million pieces of content; Twitter users tweet nearly 300,000 times; YouTube users upload 72 hours of new video content; Amazon generates over $80,000 in online sales.]

Privacy definitions vary

"Privacy" may have different meanings to stakeholders due to factors such as the context, prevailing societal norms, and geographical location. There is no consensus definition of privacy, which makes it challenging to discuss, and act upon, a need for privacy. However, an important central concept regarding privacy recurs: the appropriate collection, use, and sharing of personal information to accomplish business tasks. Determining what appropriate and limited means for your customer is key to gaining trust and unlocking the potential of the data economy.

What is personal data?

Personal information comes in variations such as: (1) self-reported data, or information people volunteer about themselves, such as their email addresses, work and educational history, and age and gender; (2) digital exhaust, such as location data and browsing history, which is created when using mobile devices, web services, or other connected technologies; and (3) profiling data, or personal profiles used to make predictions about individuals' interests and behaviors, which are derived by combining self-reported, digital exhaust, and other data. According to research, people value self-reported data the least and profiling data the most (2015 Harvard Business Review). For many companies, it is that third category of data, used to make predictions about consumer needs, that truly provides the ability to create exciting, thrilling products and experiences. However, that same information is what consumers value the most and seek to protect.
Privacy and security intersect through breaches

Although privacy and security are two separate concepts, the importance of these two ideas intersects for the consumer if personal information is not safeguarded. In a nutshell, consumers are more likely to buy from companies they believe protect their privacy. Large-scale security breaches, such as the recent theft of credit card information of 56 million Home Depot consumers (2015) and 40 million Target shoppers (2013), provide consumers with plenty to worry about. Breach-weary consumers need to know whom to trust with their personal information, to ensure that only the company that they provided the information to can use it. Risk management for data privacy and security of that data should guard against external malicious breaches, inadvertent internal breaches, and third-party partner breaches.

Privacy is very often conflated with security. While privacy is about the appropriate collection, use, and sharing of personal information, security is about protecting such information from loss, or unintended or unauthorized access, use, or sharing.

Privacy is linked to trust—differentiate with it

Trust, and the data that it allows companies to have access to, is a critical strategic asset. Privacy issues that erode trust can dismantle the goodwill that a brand has spent decades building with consumers. Forward-leaning companies are already moving toward proactively gaining the trust of their customers and using that as a differentiator. Learning from its issues with the lack of security on iCloud, Apple now markets all of the privacy features of its products and apps. With an eye toward the desires of its customers, the iPhone's iOS 8 is encrypted by default. This makes all "private" information such as photos, messages, contacts, reminders, and call history inaccessible without a four-digit PIN and numeric password. In 2012 Microsoft launched its "Don't get Scroogled" campaign as a direct attack on its rival, Google, by highlighting that its Gmail service scans emails in order to target and tailor advertising to the user. In 2013 Microsoft ran TV ads that claimed that "your privacy is [Microsoft's] priority."

Companies are also competing to be privacy champions against government surveillance. For the last few years, the Electronic Frontier Foundation has published the "Who Has Your Back" list—highlighting companies with strong privacy best practices, particularly regarding disclosure of consumer information to the government.

Challenges and trends

Maintaining compliance

Beyond the moneymaker of the data economy, there is also a need to comply with a swirl of conflicting regulations on privacy. For global companies, this task is made more difficult as privacy regulations vary by region and country. Although international accords often serve as the basis of national laws and policy frameworks,[1] the local variations complicate compliance. For example, the May 2014 ruling of the European Court of Justice on the "right to be forgotten" set a precedent for removing information from search results that are deemed to be no longer relevant or not in the public interest by affirming a ruling by the Spanish Data Protection Agency. Countries across Europe have applied the ruling at a national level, which means that they are not exactly the same.[2] Compliance with this decision has yet to be fully understood. Google has fielded about 120,000 requests for deletions and granted approximately half of them.[3]

Compliance is costly and complicated. Beyond technical issues (which were easier to solve), Google's main issue with compliance was administrative—forms needed to be created in many languages, and dozens of lawyers, paralegals, and staff needed to be assembled to review the requests. Issues
remain, such as the possibility of removing links from Google.com as well as from country-specific search engines.

Compliance with established laws in the U.S. is often topic- and industry-specific. For example, Congress has passed laws prohibiting the disclosure of medical information (the Health Insurance Portability and Accountability Act), educational records (the Buckley Amendment), and video-store rentals (a law passed in response to revelations about Robert Bork's rentals when he was nominated to the Supreme Court).[4]

Growing data = growing target for hackers

As data availability increases, the attractiveness of datasets for hackers increases as well. Companies in all sectors—health care, retail, finance, government—all have datasets that are attractive to hackers. Just a few of the confirmed cyberattacks that targeted consumer information in 2014 include: eBay, Montana Health Department, P.F. Chang's, Evernote, Feedly, and Domino's Pizza.[5]

Beyond personal information

Personal information (PI) is described in privacy and information security circles as information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. With the advent of rich geolocation data and powerful associative analysis, such as facial recognition, the extent of PI is greatly expanded. Regulations are struggling to keep up with the changes, and companies can maintain consumer confidence by collecting, using, and sharing consumer data with privacy in mind.

What to do? Build consumer trust

To unlock the data economy, companies will need to tune in to their customers' needs and move quickly to earn and retain customer trust. Privacy can be a competitive differentiator for your business—and this goes beyond lip service. Appropriate privacy policies are needed internally; this means building privacy considerations into business operations and expected employee conduct, along with a clearly defined means of enforcement. Externally, this means building privacy considerations into the products and services offered to customers. Some of the ways to do this include the following.

Create easy-to-understand consumer-facing policies

The average website privacy policy runs to more than 2,400 words, takes 10 minutes to read, and is written at a university-student reading level.[6] No wonder half of online Americans are not even sure what a privacy policy is.[7] Writing clear, easy-to-understand consumer-facing policies can help you increase the number of people who will actually read them, and you will gain the trust of your consumers. No company has a perfect solution, but many organizations have come closer. Facebook has recently rewritten its privacy policy for simplicity and included step-by-step directions for users.[8]

To increase trust, privacy policies should clearly state the following:
1. the personal information that you will collect
2. why data is collected and how it will be used and shared
3. how you will protect the data
4. an explanation of the consumer benefit from the collection, use, sharing, and analysis of their data.

Additionally, companies should give a clear and easy opt-out at every stage and only use data in the ways stated. To ensure that the data is used in the ways stated, develop clear internal data use and retention guidelines across the entire enterprise, limit internal access to databases, create a procedure for cyberattacks, and link it directly to the consumer privacy policy.

Go "privacy by design"

The concept of "privacy by design" is integrating and promoting privacy requirements and/or best practices into systems, services, products, and business processes at the planning, design, development, and
implementation stages, to ensure that businesses meet their customer and employee privacy expectations, and policy and regulatory requirements. The approach is a market differentiator that is intended to reduce privacy and security risks and cost by embedding relevant company policies into such designs. As such, privacy settings are automatically applied to devices and services. Privacy by design and default is recognized by the U.S. Federal Trade Commission as a recommended practice for protecting online privacy, is being considered for inclusion in the European Union's Data Protection Regulation, and was developed by an Ontario Information and Privacy Commissioner.

Communicate your good work

Privacy policies and actions are more than legal disclosure; they are marketing tools. All the actions you take to protect consumers' privacy should be communicated so they know you can be trusted. The Alliance of Automobile Manufacturers, representing companies such as Chrysler, Ford, General Motors, and Toyota, publicly pledged more transparency about how they will safeguard data generated by autonomous vehicle technologies. Many groups have published data principles that communicate how data is gathered, protected, and shared.[9]

Conclusion

Our current data economy brings exciting opportunities for companies to grow by enhancing their products and services. These innovations rely on consumers to trust your organization with their personal information. Building consumer trust includes keeping information safe from hackers, creating easy-to-understand consumer-facing policies, and applying the principle of "privacy by default". Companies that reframe these actions as business enablers instead of business costs will thrive—and find it easier to comply with an increasingly complex web of regulations. Finally, communicating your good work to consumers will elevate the profile of your organization as a trusted partner, and pave the way for future gains.

References
1. https://www.eff.org/issues/international-privacy-standards
2. http://www.hitc.com/en-gb/2015/07/07/facebook-questions-use-of-right-to-be-forgotten-ruling/
3. http://www.newyorker.com/magazine/2014/09/29/solace-oblivion
4. http://www.newyorker.com/magazine/2014/09/29/solace-oblivion
5. http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/
6. http://www.computerworld.com/article/2491132/data-privacy/new-software-targets-hard-to-understand-privacy-policies.html
7. http://www.pewresearch.org/fact-tank/2014/12/04/half-of-americans-dont-know-what-a-privacy-policy-is/
8. https://www.washingtonpost.com/blogs/the-switch/wp/2014/11/13/facebook-rewrites-its-privacy-policy-so-that-humans-can-understand-it/
9. https://fortunedotcom.files.wordpress.com/2014/11/privacyandsecurityprinciplesforfarmdata.pdf
107 ?
Data Risk Solutions: BuckleySandler LLP & Treliant Risk Advisors LLC – Elizabeth McGinn, Partner; Rena Mears, Managing Director; Stephen Ruckman, Senior Associate; Tihomir Yankov, Associate; and Daniel Goldstein, Senior Director

Oversight of compliance and control responsibilities

For too long, cybersecurity has been considered the realm of the Information Technology (IT) Department, with corporate executives assuming that the goal of cybersecurity is simply to make sure IT is secure enough to allow the company to use data reliably to do its business. In today’s economy, however, data are not only a tool for doing business but also a core asset of the business itself. The collection, analysis, and sale of rich data about one’s products and customers inform decision-making and business strategy and provide a key revenue generator for many companies. Because data are now so valuable, the increasingly pervasive and debilitating nature of cyberthreats poses an existential threat to the company’s success. Data’s value to cyber criminals also has the attention of federal and state regulators concerned with consumer privacy and safety, posing new legal and compliance challenges.

This is why companies can no longer afford to approach the oversight of cybersecurity as an IT issue. Simply because a cyberthreat’s mode of attack usually exploits vulnerabilities in a company’s IT infrastructure does not mean that oversight should rest purely with the team that maintains and repairs that infrastructure. Certainly, a secured IT infrastructure is crucial and an important first line of defense. However, the enterprise risk created by cyberthreats requires a holistic approach that considers the management of an entire array of impacts—from reputational to regulatory to financial—that transcend core IT competencies and functions. Because securing today’s data is central to securing the company’s future, effective
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
oversight of cybersecurity compliance and controls requires leadership from the C-suite and the boardroom.

Critically, this leadership must be coordinated. For a company’s cybersecurity compliance and control programs to be effective, efforts must be structured in ways that ensure the board and senior management, including the C-suite, work together to achieve its risk objectives. Each has distinct cybersecurity responsibilities: senior management is responsible for determining relevant cyber-related risks and implementing a compliance program that incorporates appropriate processes and controls to mitigate them, whereas the board is responsible for overseeing the risk identification process and independently evaluating whether the program is designed, implemented, and operating effectively to meet the company’s cybersecurity risk mitigation objectives. Meeting these responsibilities well requires a formalized, integrated approach to cybersecurity risk evaluation; defined roles and responsibilities; and implementation of a program that is supported by the board, clearly articulated by the C-suite, and effectively implemented by operational resources. A disconnect between the board, C-suite, and operations poses as much of a challenge to corporate cybersecurity as cyberthreats themselves.

Cybersecurity oversight is risk management oversight

To understand why coordinated C-suite and board oversight of cybersecurity is essential, one must understand cybersecurity as a means of managing and responding to corporate risk. The purpose of risk management in general is to identify and mitigate the risks a company faces to a level acceptable to the enterprise as determined by the board, a level known as a company’s “risk appetite.” The strategies and objectives for managing risks and responding to threats are articulated in the policies, procedures, and controls of the organization and are the responsibility of senior management.

One significant and growing area of risk for most companies is data risk. Data risk encompasses the risks of financial loss; business or operational disruption; loss or compromise of assets and information; failure to comply with legal, regulatory, or contractual requirements; or damage to the reputation of an organization because of the unauthorized access to or exploitation of data assets. Cybersecurity is the protection of data assets from unauthorized electronic access or exploitation risks through processes designed to prevent, detect, and respond to these risks.[1] Effective oversight of cybersecurity is therefore essential to a company’s oversight of risk management.

Two core components of the company’s cybersecurity program must be overseen at the highest levels of management: compliance and controls. Compliance here means the company’s program for ensuring actual adherence to internal cybersecurity policies as well as external privacy and data protection laws and regulations in the jurisdictions where the company operates. Controls mean the company’s systems and processes for protecting its data infrastructure and carrying out incident response. These components should be overseen actively to confirm that compliance and controls are going beyond mechanical application of generic cybersecurity rules and standards, which may just establish a regulatory floor for corporate practices, not a set of industry-leading practices, and which may not be appropriate or relevant to the threat landscape and unique regulatory requirements for the company’s industry. Moreover, even industry-leading practices quickly may become dated, because regulators’ views on “reasonable” cybersecurity are changing all the time.[2] The legal risks from inattentive oversight are limited only by plaintiffs’ imagination and regulators’ zeal, and the practical risks are limited only by hackers’ ambition and creativity.

From a risk management perspective, the key inquiry revolves around the value of each data asset. For example, data assets whose business usefulness has long passed may still be rich in information that may be embarrassing to the organization if released publicly. So in a way, cybersecurity risks are
partially an extension of data retention risks, for what the organization does not have (and has no obligation to keep) cannot be hacked.

Thus, the board and senior management must approach the oversight of cybersecurity compliance and control from a broader risk management vantage point: one that weighs the value of the data as an asset class to the organization, the value that may be assigned by the threat actors who may seek the asset, and the broader impact and costs—including but not limited to legal and compliance costs—stemming from the potential compromise of data.

In this vein, perhaps the board’s most critical inquiry to senior management is whether the organization has adopted sufficient processes to inventory and value its various data assets. From a cybersecurity perspective, senior management should then weigh under what circumstances, through what channels, and on what platforms the organization’s most critically valued data assets should be made accessible.

Board of directors’ role in oversight of compliance and controls

Too often, boards have exercised limited oversight of cybersecurity, yet monitoring the management of data risk associated with cybersecurity is part of the board’s fiduciary duty to the corporation. The time for the board to begin to play an oversight role is not the moment when data actually are put at risk, through a breach or corporate theft; the board must build cybersecurity oversight into its general strategy for overseeing risk management from day one.

Managing the risks associated with cybersecurity compliance and control involves determining one’s risk appetite in a variety of areas and requires senior management to make fundamental judgment calls about the design of the control environment, the scope and depth of the compliance program, and the resource allocation for each. The board must be well informed of how the corporate leadership is managing these risks and able to assess the adequacy of the organization’s risk management efforts.

The board also has to be sure to engage in oversight of cybersecurity compliance and controls at all phases of the company’s data risk management “lifecycle” (see Figure 1). The lifecycle involves, first, identification—looking at the company’s cybersecurity risk profile, identifying the key data assets that have to be protected (the “crown jewels”), and determining the applicable laws and regulations governing their protection; next, design and implementation—creating and implementing operational controls and compliance processes to manage the risks to those data assets; next, monitoring—actively overseeing the compliance processes and controls; next, evaluation—evaluating the effectiveness and management of the controls and compliance processes implemented; and finally, reporting and reassessment—documenting how the controls and compliance processes are working, and reassessing to the extent that there are gaps. The last phase of the lifecycle involves internal reporting on capabilities to respond to threats, external reporting on those capabilities to stakeholders (e.g., SOC 2 reporting), and adjusting management to respond to internal drivers (e.g., business changes) and external drivers (e.g., constantly evolving regulatory requirements and guidance). Strong C-suite supervision and board oversight are needed at every phase.

Oversight of compliance need not rest on the entire board; a standing committee comprising knowledgeable board members, armed with outside expertise where appropriate, often can provide more focused and better informed oversight. However, whatever oversight activities are undertaken must be documented so that the board can show that it is carrying out its fiduciary duties.

Building blocks of effective oversight of cybersecurity compliance

An organization’s cybersecurity compliance efforts must support the company’s business units and management in their efforts
to achieve compliance with government rules and regulations as well as the organization’s internal policies and procedures by (1) identifying risks; (2) preventing risks through the design and implementation of controls; (3) monitoring and reporting on the effectiveness of those controls; (4) resolving compliance difficulties as they occur; and (5) advising and training.[3]

There are several steps the board and C-suite should take to provide effective oversight of the cybersecurity compliance program’s execution of all of these functions. First and most important, the C-suite should implement an enterprise-wide approach to compliance risk management. As part of this approach, the organization should create a formalized Cybersecurity Risk Management Plan that is reviewed by the board. If the Plan is developed internally by the corporate leadership, the board should consider obtaining outside review for deficiencies or improvements. A mechanism for periodic updates to the Plan should be included in the Plan; many companies get into trouble with regulators for failing to update their cybersecurity approach as their business model changes or as regulations or enforcement strategies change.

If the company is operating in the United States, the Plan must be neither aspirational nor hyper-specific. An aspirational plan—one that sets out where the organization envisions its cybersecurity program to be at some point in the future—may end up causing the company to look like it is falling short if regulators come calling. Similarly, a hyper-specific Plan may put the company at risk of technical noncompliance. In short, the Cybersecurity Risk Management Plan should match what the company actually does.

Figure 1. Data risk management lifecycle: Identify; Design & Implement; Monitor; Evaluate; Report & Reassess.
Second, the C-suite should extend the enterprise-wide approach to compliance risk management to the company’s entire ecosystem—its vendors and other third-party partners (e.g., cloud services providers, outside data processors). This means ensuring that oversight is robust for the corporate vetting of cybersecurity practices at third parties and that the contractual relationships with third parties allow for monitoring and oversight. Many technological innovations are leading companies to outsource aspects of their business involving data, but this comes with risks of the partners not securing data to the degree the company is.

Third, the C-suite should ensure—and the board should monitor—the independence of the cybersecurity compliance team from the company’s IT and business units. Given silos that frequently develop around the compliance, IT, and business teams, the C-suite ought to ensure that the compliance team has the resources and skills to independently evaluate the sufficiency of the company’s cybersecurity program. If the compliance team is not equipped to understand what technological steps the IT team is or should be taking to advance the organization’s cybersecurity, and so defers entirely to their judgment, it may fail to apprehend the compliance implications of the steps ultimately taken.

Of course, independence should not mean isolation. It is critical that these teams can and do speak to each other regularly: compliance risks arise in the IT and business lines, and the compliance team must be involved in assessing those risks. For example, if a new business line involves collection of new pieces of customer data, failure to ensure that data are properly secured and kept private from the start creates compliance risks. Likewise, the IT Department’s failure to patch software in a timely manner creates compliance risks. The compliance team must be sufficiently in the loop to ensure steps are being taken to prevent these failures, without being operationally involved in the actual prevention efforts. This can be achieved through well-developed monitoring and assessment processes that encourage timely internal communication of potential risks to the compliance team.

Fourth, consistent with the risk management lifecycle, the C-suite should make sure it has effective means to test compliance in practice and communicate the results to the board. It is critical for updates to cybersecurity compliance policies to actually translate into updated implementation, and the board must be able to see—and where needed spur—this implementation (see the next section). The C-suite also has to be able to test to see that cybersecurity compliance is taking root across the company’s operations and prevent ‘siloing’ within business lines or cost centers.

Fifth and finally, the board should make cybersecurity compliance a priority, plain and simple. None of the above measures will be prioritized at the senior management level and below unless they are also the board’s priority.

Building blocks of effective oversight of cybersecurity controls

Board and C-suite oversight of cybersecurity controls relates to the control of associated enterprise risks: legal, financial, regulatory, and reputational, to name a few. None of these risks can be fully avoided, but effective controls can reduce their impact on the organization, and effective oversight can ensure that these controls are thorough.

One step a board can take to provide effective oversight of cybersecurity controls is to ensure that the controls implemented by the C-suite contain prevention, detection, and rapid remediation components. Many companies focus on prevention and detection, but not remediation, and then are caught off guard when they learn of an intrusion requiring immediate remediation that went undetected. Prevention measures include data inventorying, data loss prevention planning, strong perimeter and internal defenses, and processes for timely patching core software to plug security holes. Many of these are IT measures, but prevention is not
limited to IT and includes building a corporate culture that is mindful of data risk, as is discussed more below.

Detection measures include analysis of operational data and anomaly detection as well as systems for logging, monitoring, and testing data moving into and out of the corporate IT environment and across various devices (e.g., from computer to cloud service or external storage devices), where legally permissible. Rapid remediation measures include incident response plans that are rehearsed, implementation of forensic recovery tools, and measures to quickly restore failed systems from back-ups. Boards should recommend appointment of a permanent incident response team—comprising senior management from IT, legal, compliance, vendor management, PR, investor relations, and business lines—to lead the incident response efforts, report incidents and remediation plans to the C-suite and the board, and notify external regulators and customers when necessary.

In line with the previous point, a key step the C-suite should take is to oversee lines of communication among the various parts of the company that either manage or make use of the company’s cybersecurity controls. If a business line is experiencing occasional bugs in its online customer order processing, for example, and IT is not informed of the issue in a timely manner, malware may go undetected. If an employee with database access quits and HR does not timely inform IT, then user credentials may remain active long after they should.

Another key step the C-suite can take is to prioritize regular training of employees—at a minimum annually—on cybersecurity threats and how to avoid them. A surprising number of threats can be thwarted by employee education about suspicious emails, strong password practices, and cautious use of personal devices. The more employees at every level learn to treat data as a valuable asset, the more careful they will be. Conversely, no matter how strong a company’s cybersecurity controls, it only takes one employee mistake to expose sensitive company data.

As with cybersecurity compliance, for the above measures to be prioritized, they must be a board priority. In this vein, the board should check to see that cybersecurity controls are appropriately funded; none of these controls can be prioritized without adequate funding.

Implementation challenges

Even the best designed data security initiatives are prone to failure if not implemented correctly. A common problem that can occur even after apparently successful program implementation is a disconnect between appropriately drafted policies and procedures on the one hand, and operational practices and technology infrastructure on the other (in-house and third party-managed), and a failure of the board to notice.

Cybersecurity policies and procedures are effective only if they are tailored to the company’s unique business environment, applicable regulatory requirements, and known security risks. However, too often, boards and C-suite leadership oversee the development and adoption of boilerplate policies and procedures that, although perhaps built on generally appropriate foundations, are either insufficiently customized or implemented inappropriately. The resulting disconnects may lead not only to damaging data breaches and unauthorized disclosure of personal information but also to scrutiny from regulators and actions from the plaintiffs’ bar. For example, the Federal Trade Commission (FTC) currently views the disconnects between cybersecurity policies and procedures and their actual implementation as unfair or deceptive trade practices under Section 5 of the FTC Act, and this is a trend that senior executives should expect to continue.

It is critical to the success of a cybersecurity program that the operational uptake of—and ongoing adherence to—program requirements are measured effectively. Monitoring of the program not only enables effective reporting up to the board but also, more importantly, identifies vulnerabilities in the program and areas for improved
security. Although evaluating the effectiveness of a cybersecurity program would appear to be a core component of any successful implementation, many organizations fail to adequately address this need, often leading to exploited weaknesses, data breaches, and programmatic failure.

Effective metrics for evaluation can be broken down into several categories to enable more targeted application across the enterprise. Programmatic metrics measure the progress of various organizational components of the information protection program, such as overall program development, implementation, and maintenance (e.g., cybersecurity policies are updated to meet new regulatory requirements). Operational metrics measure the performance of (as the name implies) various operational components of the information protection program; the number of cybersecurity incidents per reporting period is an excellent example. And compliance metrics measure individuals’ compliance with program requirements. Such metrics may measure, for example, whether employees are observing required data security protocols when sending sensitive customer information to a third party for processing. In general, the trend for many of these metrics is toward the measurement of outcomes; metrics that demonstrate a company’s frequent intrusion detection scanning are not helpful if the outcome is still a high number of intrusions each year.

Regardless of whether your organization is seeking to measure programmatic, operational, or compliance aspects of your cybersecurity program, the metrics that you design must be clearly defined and meaningful and measure progress against a clearly stated objective. A properly implemented metrics program helps leadership ascertain initial uptake and improve the compliance with—and performance of—a well-designed cybersecurity program.

Another challenge for effective implementation of cybersecurity compliance and controls—and one that must be closely monitored by the board—is resource allocation. The recognition of data as a highly valued business asset is clearly established; its value is verified on a daily basis by those who seek to gain access to business networks and view, remove, or otherwise exploit the data residing there. However, resources allocated to cybersecurity are still frequently an IT line item, rather than an enterprise-wide issue. Businesses operating in this environment of perpetually evolving digital risks must recognize that data security is no longer a cost of doing business; it is a core component of remaining in business. As such, budgets must be allocated appropriately to meet the risks. Budgets vary according to business type, data types and sensitivity, volume of data, sharing with third parties, and any number of other risk factors that must be considered by the board and executives. The budgeting process has to enable the company not only to get the right people and processes in place but also to implement technology that truly addresses the security needs of the organization. This process requires commitment from the C-suite and oversight from a board that understands the importance of cybersecurity.

Cybersecurity budgeting also must include dedicated resources for training of personnel. As mentioned above, the human element is frequently the weakest link in an otherwise solid data security program. Staff must have the resources they need to be trained not only to be proactive in taking steps to safeguard data but also to recognize attempts by unauthorized parties trying to gain network access. Phishing, for example, remains a remarkably effective tool for gaining credentials that open a door to the network and the data therein, and inadequate training may increase a company’s vulnerability to phishing attacks. Regulators know this and expect board members providing cybersecurity oversight to know, too.

The board and C-suite also must bear in mind that successful initial implementation of a cybersecurity program does not necessarily lead to a cybersecurity program that has longevity. Ongoing success is largely dependent on top-down involvement by the board and active management by the C-suite. The board
should be apprised regularly of data security incidents and emerging data risks, as well as changes to the regulatory environment. An actively informed and involved board, working in harmony with the C-suite, enables agile enterprise-wide response to evolving threats and appropriate upkeep and improvement of a robust cybersecurity program.

Conclusion

Today’s cybersecurity risks affect organizations of all sizes and across industries and lead to not only IT headaches but also headaches for the entire business. Companies are increasingly put into the unenviable position of needing to put up shields against a variety of cyberthreats, knowing that no defense can provide perfect protection. However, the C-suite nevertheless must strive to employ strong cybersecurity compliance and control measures that go beyond mechanical satisfaction of applicable legal rules, and the board has an obligation to ensure that these measures are being adopted. Only with consistent C-suite involvement and strong board oversight—informed by an understanding of data risk as a central enterprise risk—can cybersecurity challenges be handled effectively.

References

1. See NIST, “Framework for Improving Critical Infrastructure Cybersecurity” (2014) (defining “cybersecurity”). Of course there are many definitions of “cybersecurity”; the NIST definition adapted here is just a recent American example.
2. For example, some regulators require certain data to be encrypted while many others do not. See, e.g., 201 Mass. Code Regs. § 17.00 (2009).
3. See International Compliance Association, “What is Compliance?,” available at http://www.int-comp.org/faqs-compliance-regulatory-environment.
Baker & McKenzie — David Lashway, Partner; John Woods, Partner; Nadia Banno, Counsel, Dispute Resolution; and Brandon H. Graves, Associate

Risks of disputes and regulatory investigations related to cybersecurity matters

Disputes and regulatory investigations are two of the more important risk categories related to cybersecurity matters. These risk categories can create significant financial exposure, brand risk, and distraction. In the worst case, some of these risks could result in bankruptcy.

The risks related to disputes are traditional (e.g., litigation, arbitration, and negotiation of contract terms) and novel (e.g., data ownership disputes). They arise not only in the context of data breaches but in everyday operations.

Regulatory investigations are another source of risk. This risk is hard to quantify because there is not clear statutory authority for all regulatory investigations begun or threatened. This creates uncertainty for regulated entities. The costs for non-compliance can be extensive, with fines in the millions of dollars and consent decrees authorizing audits for 20 years.

These risks affect businesses even in the absence of a data breach incident. More businesses recognize this fact and are accounting for these risks in all aspects of their businesses. Businesses that attempt to deal with risk related to cybersecurity matters as an afterthought may be left behind.

Many businesses are international in scope and must comply with cybersecurity rules and regulations in a variety of countries. This can create a highest-common-denominator situation: businesses end up attempting to comply with the strictest regime in which they operate.

The dynamic nature of cybersecurity matters makes it impossible to completely enumerate every risk associated with such matters. This chapter provides a short survey of some of the most high-profile risks that all businesses will face in our current economy.
? Risks of disputes
Businesses have a growing awareness of
cybersecurity matters. As a result, cyberse-
curity matters will increasingly impact tradi-
tional business activities, such as contract
negotiation.
Plaintiffs also have an increasing aware-
ness of cybersecurity-related causes of
action. Courts have been receptive to some
of these causes of action and skeptical of oth-
ers, but plaintiffs continue to make threats in
pursuit of a lucrative settlement.
Dispute risks in business activities
Cybersecurity matters will impact every tra-
ditional business activity, if they do not
already. Two activities, contract negotiation
and data processing, are already subject to
dispute in many industries.
1. Contract negotiation. Contractual parties,
especially government agencies,
are becoming more sophisticated
about requesting provisions related
to cybersecurity during contract
negotiations. Frequently, these provisions
will place additional burdens on the
counterparty, leading to disputes during
negotiation. Many businesses are also attempting to apply existing contract provisions to cybersecurity matters. When this reinterpretation is put forward in the wake of a security breach, the reinterpretation can lead to costly litigation.

a) Flow-down provisions. Federal agencies, especially the Department of Defense, are including more flow-down provisions related to cybersecurity in their contracts with suppliers. Often, the agency requires its contractors to include these provisions in their contracts with subcontractors and other contractual counterparties. As these flow-down provisions expand through the supply chain, businesses with no direct connection with the federal agency will see requests—or demands—that they comply with provisions drafted without their input. These provisions can include security standards and breach disclosure requirements. For instance, Defense Federal Acquisition Regulation Supplement (DFARS) 204.7300 requires “adequate security” for all contractors and subcontractors with systems on which controlled technical information is resident on or transits. As with many of these provisions, “adequate security” is not defined with a checklist but as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” These same provisions include reporting requirements for both actual and potentially adverse effects on an information system, which is a more stringent requirement than many state data breach requirements.

Compliance with these provisions will be difficult, and the set language created by such provisions prevents businesses from negotiating more concrete terms, forcing businesses to accept uncertainty as a cost of entering into such a contract.

b) Liability/indemnity. Cybersecurity creates risk, and more businesses are looking to affirmatively allocate that risk through contractual terms. Actuaries are still developing tables related to cybersecurity risk (Congress is discussing legislating on this issue), so the allocation of risk in a contract may not be based on methods as rigorous as those in other risk allocations. This will create tension between parties who value the risk differently.

Cybersecurity incidents and the attendant response can be very expensive, with some sources placing the average financial cost of a data breach in the millions of dollars. The allocation of
such cost, combined with an increasing chance of an incident triggering these clauses, is an area likely to be subject to dispute both during contract negotiation and in the wake of a breach.

Many contracts already contain liability allocation provisions, but those provisions do not explicitly address cybersecurity matters. In the wake of a cybersecurity incident, interpreting the liability allocation provisions will be a matter of some dispute.

c) Data security and notification. Laws, regulations, and political and consumer pressure have increased businesses’ focus on the security of consumer data. At the same time, consumer data have become a more valuable commodity. For instance, AT&T and Apple both contested Radio Shack’s ability to sell consumer data during Radio Shack’s bankruptcy. Recognizing these trends, businesses are placing more provisions in contracts that dictate security requirements. Because the underlying consumer data are valuable, these provisions may be subject to significant disputes during negotiations. Other businesses are attempting to read existing provisions as covering security requirements and privacy responsibility.

Many businesses that entrust sensitive data to counterparties are including breach notification provisions in contracts. These provisions vary greatly, even within a single industry, and create various thresholds for notification. For instance, some provisions require notification in the event of a breach. Others require notification if there is an indication of a breach. Many victims of a security breach seek to keep the existence of a breach out of the press, which can create tension with notification provisions.

2. Data ownership/data processing. Most state breach notification laws differentiate between data owners and data processors, but existing contracts do not always explicitly define these roles. Some businesses have attempted to understand these issues and have asserted ownership (or, in some cases, denied ownership) of data in the absence of a specific ownership allocation. This can lead to disputes in long-standing business relationships. One business may seek to sell information it is collecting while a contractual counterparty is attempting to safeguard the same data. Not all businesses seek to clarify this relationship prior to selling data, which can lead to significant disputes when such sales come to light.

In the context of a data breach

Data breaches expose businesses to many additional disputes. At times, these disputes can be more problematic than the intrusion itself. Contractual counterparties, customers, and other impacted businesses may all seek some compensation in the wake of a data breach. Insurance companies may seek to avoid payment under policies that arguably apply, leading to additional litigation.

1. Contractual counterparties. Most contracts have provisions that are either directly or indirectly implicated by a data breach. Some of these provisions are triggered by a breach, such as obligations to notify consumers whose information is exposed. A counterparty may allege that other provisions are broken by an intrusion, such as a requirement to have adequate or reasonable security. Businesses often struggle with whether a particular provision requires notification, either because the provision itself is not clear or because the business believes that the intrusion does not rise to the level contemplated in the contract.
Counterparties may disagree with this interpretation, leading to disputes if the intrusion does come to light.

Notification provisions often have an abbreviated time frame for notification. Attempting to identify and comply with notification provisions of impacted counterparties can create additional stress beyond the already significant stress related to a data breach. Reviewing and attempting to interpret these provisions after an intrusion also creates risk of contractual breach, as a business may not discover the notification provision until after the required time frame has passed.

In the wake of a breach, a victim’s security will come under scrutiny, and a contractual counterparty may argue that the security was inadequate under the contract. For instance, in the DFARS provision discussed previously, “adequate security” is ripe for protracted litigation in the wake of a cybersecurity incident. It is difficult to define such terms adequately and still provide flexibility in the face of changing threats.

In some industries, such as those that deal with payment cards, many security requirements are codified and subject to audit. The victim of a data breach may be subject to a more intrusive audit to confirm its security.

Many contracts that involve confidential data have a provision for certifying that the confidential data have been destroyed. A counterparty may rightly inquire how such a certification was made in the wake of a cybersecurity incident.

2. Customers. Many intrusions lead to lawsuits by customers, whether they be individual consumers or large businesses. Recent card breaches have resulted in significant class-action litigation, and these cases have received much of the press, but business customers have also pressed for indemnification in the wake of an intrusion.

Disputes with business partners over data breaches can disrupt normal operations, above and beyond the disruption caused by the data breach itself. The need to resume normal operations can pressure the victim to quickly agree to a settlement.

Customers will often file class actions in the wake of a data breach. Plaintiffs’ lawyers are growing more sophisticated in how and where they file these actions. Both individual consumers and financial institutions have filed class actions, and, in some cases, these class actions are consolidated into complicated multidistrict litigation with multiple tracks for the differing plaintiffs. This creates expensive and cumbersome litigation.

3. Other impacted businesses. Contractual counterparties are not the only businesses that may sue in the wake of a data breach. Banks that issued cards implicated in Target’s data breach are suing Target, even if they lack any traditional relationship to Target. Our more interconnected society has spread the effects of cybersecurity problems, and affected parties are developing more creative methods to file suit against the original victim of the intrusion.

4. Insurance. More and more insurance companies are offering cyber policies, and more businesses are attempting to make claims for intrusions under general policies. Insurance companies are, in turn, attempting to limit the scope of coverage. Some insurance companies are denying claims, while others are carefully reviewing invoices for services related to data breaches. The cost to respond to a breach can be expensive, and insurers will continue to dispute claims and charges. In some cases, this will lead to additional litigation after the data breach response is complete.
Risks of regulatory investigations

Certain regulators have explicit statutory jurisdiction over cybersecurity matters. Other regulatory agencies do not, but they attempt to regulate such matters under their existing, general jurisdiction. As public and congressional scrutiny of cybersecurity measures increases, regulators will be more aggressive in asserting jurisdiction over their regulated entities’ cybersecurity matters.

Federal regulators

1. Industry regulators. Traditional regulators have already applied or are planning to apply standards related to cybersecurity matters to their regulated entities. The Federal Financial Institutions Examination Council (FFIEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the Department of Health and Human Services (HHS), and the Department of Homeland Security (DHS) are some of the regulators that have sought to regulate cybersecurity matters among their regulated entities. In addition, the National Institute of Standards and Technology (NIST) publishes documents that plaintiffs and regulators apply in analyzing a business’s cybersecurity.

The FFIEC has been one of the leading regulators with regard to cybersecurity. The FFIEC has had an IT examination handbook for several years and is developing a tool to help financial institutions assess risk. In addition, the FFIEC requires financial institutions to require certain cybersecurity measures of the institutions’ third-party service providers, effectively expanding the FFIEC’s jurisdiction. The FFIEC has experience in investigating data breaches and imposing punishments based on insufficient security. Other regulators look to the FFIEC’s examination handbook to inform their own regulations and investigations.

The FTC has been aggressive in filing administrative complaints against businesses that, in the eyes of the FTC, do not adequately protect sensitive consumer information. The FTC requires, among other things, “reasonable security” but provides no formal definition. This creates uncertainty for businesses seeking to understand their obligations. The FTC is involved in litigation in federal court concerning both its jurisdiction over data security and the standards it applies to businesses. Congress is considering a bill to formalize FTC jurisdiction over data security, which may further empower the FTC.

The FCC’s Cybersecurity and Communications Reliability Division works to maintain the reliability of communications infrastructure in the face of various cyberthreats. In 2014 the FCC began imposing substantial fines on wireless carriers for insufficiently securing sensitive consumer information.

HHS regulates cybersecurity matters under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this authority, HHS has imposed multimillion-dollar fines for insufficient data security.

DHS is involved in coordinating information sharing, securing critical infrastructure, and protecting federal cybersecurity assets. Currently, its programs for most private businesses are voluntary, but as Congress continues to focus on information sharing as a key component of reducing cybersecurity incidents, plaintiffs and courts will see these programs less as voluntary and more as the minimum standard of care.

NIST publishes an array of standards related to cybersecurity. Although none of these standards are binding on private entities (at least as of publication), they are often cited as what is reasonable security or as industry standard. In addition, plaintiffs and regulators look to NIST standards to inform allegations made in complaints and investigations.

2. Securities and Exchange Commission. The Securities and Exchange Commission (SEC), under pressure from Congress, has focused on public statements concerning data breaches. This focus encompasses both disclosures made after breaches and risk factors made in market reports. To date, the SEC has stated that the materiality analysis for data breaches is the same as for other risk factors, but there is little formal notice or adjudication on these statements, creating uncertainty and risk.

The SEC released guidance on cybersecurity risks in 2011. According to the SEC, registrants “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

The SEC, in conjunction with the Financial Industry Regulatory Authority, has engaged in enforcement actions against the entities they regulate for insufficient security for both customer data and market data.

State regulators

State regulators and attorneys general are also involved in cybersecurity matters; indeed, state attorneys general have been active in investigating data breaches. Each state has a different legal environment concerning data breaches. These attorneys general typically assert jurisdiction when the state’s citizens are impacted, potentially exposing a business to an investigation even if the business does not typically operate in the state.

California has generally been the first state to impose data breach notification requirements. California passed its data breach notification law in 2003. In the time since, California has expanded what data are covered by the statute, including most recently usernames and passwords. Most other states have similar statutes.

Several other states, including Vermont, New York, and Michigan, have been particularly active in investigations. For certain larger breaches, some state attorneys general will work together in a coordinated investigation.

Conclusion

Cybersecurity matters create extensive risks for business. Foremost among these are risks related to disputes and regulatory investigations. These risks are not fully defined and likely never will be.
K&L Gates LLP – Roberta D. Anderson, Partner

Legal considerations for cybersecurity insurance

Legal, regulatory, and additional concerns driving the purchase of cybersecurity insurance

Legal liability, regulatory and other exposures surrounding cybersecurity and data privacy-related incidents

In addition to a seemingly endless stream of data breaches and other serious cybersecurity and data protection-related incidents, the past several years have seen significantly amplified legal liability surrounding cybersecurity and data privacy, a remarkable proliferation and expansion of cybersecurity and privacy-related laws, and increasingly heightened regulatory scrutiny.

In the wake of a data breach of any consequence, an organization is likely to face myriad different forms of legal and regulatory exposure, including class action litigation, shareholder derivative litigation, regulatory investigation, the costs associated with forensic investigation, notification to persons whose information may have been compromised, credit monitoring, call center services, public relations expenses, and other event management activities.

Beyond third-party liability and event management activities, organizations face substantial first-party losses associated with reputational injury and damage to brand in the wake of a serious breach event. They also face substantial business income loss if an event disrupts normal day-to-day business operations. Even if an organization’s own system is not compromised, the organization may suffer significant losses if an incident affects a key vendor, cloud provider, or any key third party in the organization’s product and service supply chain. Also at stake are the organization’s digital assets, the value of which in some cases may eclipse the value of the organization’s other property.

Cybersecurity insurance can play a vital role in an organization’s overall strategy to address, mitigate, and maximize protection against the legal and other exposures flowing from data breaches and other serious cybersecurity, privacy, and data protection-related incidents.

SEC’s cybersecurity risk factor disclosure guidance and cybersecurity insurance

In October 2011, in the wake of what it phrased “more frequent and severe cyber incidents,” the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance issued disclosure guidance on cybersecurity, which advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.” The guidance advises that “appropriate disclosures may include,” among other things, a “[d]escription of relevant insurance coverage” that the company has in place to address cybersecurity risk.

SEC comments in this area have regularly requested information regarding “whether [the company] has obtained relevant insurance coverage,” as well as “the amount of [the company]’s cyber liability insurance.” More recently, the SEC is asking not only whether the company has cybersecurity insurance and how much the company has but also how solid the company’s coverage is:

“We note that your network-security insurance coverage is subject to a $10 million deductible. Please tell us whether this coverage has any other significant limitations. In addition, please describe for us the ‘certain other coverage’ that may reduce your exposure to Data Breach losses.” (Emphasis added.)

“We note your disclosure that an unauthorized party was able to gain access to your computer network ‘in a prior fiscal year.’ So that an investor is better able to understand the materiality of this cybersecurity incident, please revise your disclosure to identify when the cyber incident occurred and describe any material costs or consequences to you as a result of the incident. Please also further describe your cyber security insurance policy, including any material limits on coverage.” (Emphasis added.)

The SEC’s guidance provides another compelling reason for publicly traded companies to carefully evaluate their current insurance program and consider purchasing cybersecurity insurance.

The exclusion of cybersecurity and data privacy-related coverage from traditional insurance policies

In response to decisions upholding coverage for cybersecurity and data privacy-related risks under traditional lines of insurance coverage, such as Commercial General Liability (CGL) coverage, the insurance industry has added various limitations and exclusions to traditional lines of coverage.

By way of example, Insurance Services Office (ISO), the insurance industry organization that develops standard insurance policy language, recently introduced a new series of cybersecurity and data breach exclusionary endorsements to its standard-form CGL policies, which became effective in May 2014. One of the endorsements, entitled “Exclusion - Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability - Limited Bodily Injury Exception Not Included,” adds the following exclusion to the primary CGL policy:

This insurance does not apply to:

p. Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.

In connection with its filing of the endorsements, ISO stated that “when this endorsement is attached, it will result in a reduction of coverage. . . .”

Although there may be significant potential coverage for cybersecurity and data privacy-related incidents under an organization’s traditional insurance policies, including its Directors’ and Officers’ Liability, Professional Liability, Fiduciary Liability, Crime, CGL, and Commercial Property policies, the new exclusions provide another reason for organizations to carefully consider specialty cybersecurity insurance products.

Types of cybersecurity insurance

Established coverages

There are a number of established third-party coverages (i.e., covering an organization’s potential liability to third parties) and first-party coverages (e.g., covering the organization’s own digital assets and income loss) as summarized in Table 1:

TABLE 1: THIRD-PARTY COVERAGES

Type: Description

Privacy liability: Generally covers third-party liability, including defense and judgments or settlements, arising from data breaches, such as the Target breach, and other failures to protect protected and confidential information

Network security liability: Generally covers third-party liability, including defense and judgments or settlements, arising from security threats to networks, e.g., inability to access the insured’s network because of a DDoS attack or transmission of malicious code to a third-party network

Regulatory liability: Generally covers amounts payable in connection with administrative or regulatory investigations and proceedings, including regulatory fines and penalties

PCI DSS liability: Generally covers amounts payable in connection with payment card industry demands for assessments, including contractual fines and penalties, for alleged noncompliance with PCI Data Security Standards

Media liability: Generally covers third-party liability arising from infringement of copyright or other intellectual property rights and torts such as libel, slander, and defamation, which arise from media-related activities, e.g., broadcasting and advertising

TABLE 1 (Continued): FIRST-PARTY COVERAGES

Type: Description

Crisis management: Generally covers “crisis management” expenses that typically follow in the wake of a breach incident, e.g., breach notification costs, credit monitoring, call center services, forensic investigations, and public relations efforts

Network interruption: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of computer systems/networks

Contingent network interruption: Generally covers the organization’s income loss associated with the interruption of its business caused by the failure of a third-party’s computer systems/networks

Digital assets: Generally covers the organization’s costs associated with replacing, recreating, restoring, and repairing damaged or destroyed computer programs, software, and electronic data

Extortion: Generally covers losses associated with cyber extortion, e.g., payment of an extortionist’s demand to prevent a cybersecurity or data privacy-related incident

Emerging markets

In addition to the established coverages, three significant emerging markets provide coverage for the following:

• first-party losses involving physical asset damage after an electronic data-related incident
• third-party bodily injury and property damage that may result from an electronic data-related incident
• reputational injury resulting from an incident that adversely affects the public perception of the insured organization or its brand.

Because privacy and electronic data-related exclusions continue to make their way into traditional property and liability insurance policies, and given that an organization’s largest exposures may flow from reputational injury and brand tarnishment, these emerging coverages will be increasingly valuable.

Strategic tips for purchasing cybersecurity insurance

Cybersecurity insurance coverage can be extremely valuable, but choosing the right insurance product presents significant challenges. A diverse and growing array of products is in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse.

Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyber insurance market is extremely competitive, and cyber insurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium.

The following are five strategic tips for purchasing cyber insurance:

Adopt a team approach.

Successful placement of cybersecurity insurance coverage is a collaborative undertaking. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input not only of a capable risk management department and a knowledgeable insurance broker but also of in-house legal counsel and IT professionals, resources, and compliance personnel—and experienced insurance coverage counsel.
Understand risk profile and tolerance.

A successful insurance placement is facilitated by having a thorough understanding of an organization’s risk profile, including the following:

• the scope and type of data maintained by the company and the location and manner in which, and by whom, such data are used, transmitted, handled, and stored
• the organization’s network infrastructure
• the organization’s cybersecurity, privacy, and data protection practices
• the organization’s state of compliance with regulatory and industry standards
• the use of unencrypted mobile and other portable devices.

Many other factors may warrant consideration. When an organization has a grasp on its risk profile, potential exposure, and risk tolerance, it is well positioned to consider the type and amount of insurance coverage that it needs to adequately respond to identified risks and exposure.
Ask the right questions.

It is important to carefully evaluate the coverage under consideration. Table 2 shows ten of the important questions to ask when considering third-party and first-party cyber insurance.

TABLE 2

Third-Party. Does the policy:

• cover the acts, errors, and omissions of third parties, e.g., vendors, for which the organization may be liable?
• cover data in the care, custody, or control of third parties, e.g., cloud providers?
• cover new and expanding privacy laws and regulations?
• cover personally identifiable information in any form, e.g., paper records?
• cover confidential corporate data, e.g., third-party trade secrets?
• cover wrongful or unauthorized collection of data?
• cover regulatory fines and penalties?
• cover PCI DSS-related liability?
• exclude the acts of “rogue” employees?
• exclude unencrypted devices?

First-Party. Does the policy:

• cover business income loss resulting from system failures in addition to failures of network security, e.g., any unplanned outages?
• cover business income loss resulting from cloud failure?
• cover contingent business income loss resulting from the failure of a third-party network?
• cover data restoration costs?
• cover business income loss after a network is up and running, but before business returns to full pre-incident operation?
• contain hourly sublimits?
• contain an hourly “waiting period”?
• contain a sublimit applicable to the contingent business income coverage?
• exclude loss for power failure or blackout/brownout?
• exclude software programs that are unsupported or in a testing stage?

The list is not exhaustive, and many other questions should be considered, including, for example, the extent to which the policy covers, or excludes, cyberterrorism. In all cases, the organization should request a retroactive date of at least 1 year prior to the policy inception, given that advanced attacks go undetected for a median of 229 days.

Beware the fine print.

Like any other insurance policy, cybersecurity insurance policies contain exclusions that may significantly curtail and undermine the purpose of the coverage. Some insurers, for example, may insert exclusions based on purported shortcomings in the insured’s security measures. One case recently filed in the California federal court on May 7, 2015, highlights the problems with these types of exclusions. The case is Columbia Casualty Company v. Cottage Health System, in which Columbia Casualty, CNA’s non-admitted insurer, seeks to avoid coverage under a cybersecurity insurance policy for the defense and settlement of a data breach class action lawsuit and related regulatory investigation. CNA relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. These types of broadly worded, open-ended exclusions can be acutely problematic and impracticable. If enforced literally, they may vaporize the coverage that the policy is intended to provide. The good news is that, although certain types of exclusions are unrealistic given the nature of the risk an insured is attempting to insure against, cybersecurity insurance policies are highly negotiable. It is possible to cripple inappropriate exclusions by appropriately curtailing them or to entirely eliminate them—and often this does not cost additional premium.

Pay attention to the application.

CNA in the Columbia Casualty case also seeks to deny coverage based upon alleged misrepresentations contained in the insured’s insurance application relating to the risk controls. The important takeaway is that cybersecurity insurance applications can, and usually do, contain a myriad of questions concerning an organization’s cybersecurity and data protection practices, seeking detailed information surrounding technical, complex subject matter. These questions are often answered by technical specialists who may not appreciate the nuances and idiosyncrasies of insurance coverage law. For these reasons, it is advisable to have insurance coverage counsel involved in the application process.

Tips for prevailing in cyber insurance coverage litigation

As CNA’s recently filed coverage action in the Columbia Casualty case illustrates, cybersecurity insurance coverage disputes and litigation are coming. In the wake of a data breach or other privacy, cybersecurity, or data protection-related incident, organizations should anticipate that their insurer may deny coverage for a resulting claim against the policy.

Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage to decrease the likelihood of a coverage denial. In contrast to many types of commercial insurance policies, cybersecurity policies are extremely negotiable, and the insurer’s off-the-shelf forms can usually be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

Even where a solid form is in place, however, and there is a solid claim for coverage under the policy language and applicable law, insurers can and do deny coverage.

When facing coverage litigation, organizations are advised to consider the following five strategies to prevail:

Tell a concise, compelling story.

In complex insurance coverage litigation, there are many moving parts and the issues are typically nuanced and complex. It is critical, however, that these nuanced, complex issues come across to a judge, jury, or arbitrator as simple and straightforward. Getting overly caught up in the weeds of policy interpretive and legal issues, particularly at the
LEGAL CONSIDERATIONS FOR CYBERSECURITY INSURANCE

outset, risks losing the organization’s critical audience and obfuscating a winningly concise, compelling story that is easy to understand, follow, and sympathize with. Boiled down to its essence, the story may be—and in this context often is—something as simple as the following:

“They promised to protect us from a cyber breach if we paid the insurance premium. We paid the premium. They broke their promise.”

Place the story in the right context.

It is critical to place the story in the proper context because, unfortunately, many insurers in this space, whether by negligent deficit or deliberate design, are selling products that do not reflect the reality of e-commerce and its risks. Many off-the-shelf cybersecurity insurance policies, for example, limit the scope of coverage to only the insured’s own acts and omissions, or only to incidents that affect the insured’s network. Others contain broadly worded, open-ended exclusions such as the one at issue in the Columbia Casualty case, which, if enforced literally, would largely if not entirely vaporize the coverage ostensibly provided under the policy. These types of exclusions can be acutely problematic and impracticable. A myriad of other traps in cyber insurance policies—even more in those that are not carefully negotiated—may allow insurers to avoid coverage if the language were applied literally.

If the context is carefully framed and explained, however, judges, juries, and arbitrators should be inhospitable to the various “gotcha” traps in these policies. Taking the Columbia Casualty case as an example, the insurer, CNA, relies principally upon an exclusion, entitled “Failure to Follow Minimum Required Practices,” which purports to void coverage if the insured fails to “continuously implement” certain aspects of computer security. In this context, however, comprising the extremely complex areas of cybersecurity and data protection, any insured can reasonably be expected to make mistakes in implementing security. This reality is, in fact, a principal reason for purchasing cyber liability coverage in the first place. In addition, CNA represented in its marketing materials that the policy at issue in Columbia Casualty offers “exceptional first- and third-party cyber liability coverage to address a broad range of exposures,” including “security breaches” and “mistakes”:

Cyber liability and CNA NetProtect products
CNA NetProtect fills the gaps by offering exceptional first- and third-party cyber liability coverage to address a broad range of exposures. CNA NetProtect covers insureds for exposures that include security breaches, mistakes, and unauthorized employee acts, virus attacks, hacking, identity theft or private information loss, and infringing or disparaging content. CNA NetProtect coverage is worldwide, claims-made with limits up to $10 million.

It is important to use the discovery phase to fully flesh out the context of the insurance and the entire insurance transaction in addition to the meaning, intent, and interpretation of the policy terms and conditions, claims handling, and other matters depending on the particular circumstances of the coverage action.

Secure the best potential venue and choice of law.

One of the first and most critical decisions that an organization contemplating insurance coverage litigation must make is the appropriate forum for the litigation. This decision, which may be affected by whether the policy contains a forum selection clause, can be critical to potential success, among other reasons because the choice of forum may have a significant impact on the related choice-of-law issue, which in some cases is outcome-determinative. Insurance contracts are interpreted according to state law and the various state courts diverge widely on issues surrounding insurance coverage. Until the governing law applicable to an insurance contract is established, the policy can be, in a figurative and yet a very real sense, a blank piece of paper. The different
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS

interpretations given the same language from one state to the next can mean the difference between a coverage victory and a loss. It is therefore critical to undertake a careful choice of law analysis before initiating coverage litigation or selecting a venue or, where the insurer files first, before taking a choice of law position or deciding whether to challenge the insurer’s selected forum.

Consider bringing in other carriers.

Often when there is a cybersecurity, privacy, or data protection-related issue, more than one insurance policy may be triggered. For example, a data breach like the Target breach may implicate an organization’s cybersecurity insurance, CGL insurance, and Directors’ and Officers’ Liability insurance. To the extent that insurers on different lines of coverage have denied coverage, it may be beneficial for the organization to have those insurance carriers pointing the finger at each other throughout the insurance coverage proceedings. Again considering the context, a judge, arbitrator, or jury may find it offensive if an organization’s CGL insurer is arguing, on the one hand, that a data breach is not covered because of a new exclusion, and the organization’s cybersecurity insurer also is arguing that the breach is not covered under the cyber policy that was purchased to fill the “gap” in coverage created by the CGL policy exclusion. Relatedly, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.

Retain counsel with cybersecurity insurance expertise.

Cybersecurity insurance is unlike any other line of coverage. There is no standardization. Each of the hundreds of products in the marketplace has its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer—and even between policies underwritten by the same insurer. Obtaining coverage litigation counsel with substantial cybersecurity insurance expertise assists an organization on a number of fronts. Importantly, it will give the organization unique access to compelling arguments based upon the context, history, evolution, and intent of this line of insurance product. Likewise, during the discovery phase, coverage counsel with unique knowledge and experience is positioned to ask for and obtain the particular information and evidence that can make or break the case—and will be able to do so in a relatively efficient, streamlined manner. In addition to creating solid ammunition for trial, effective discovery often leads to successful summary judgment rulings, thereby, at a minimum, streamlining the case in a cost-effective manner and limiting the issues that ultimately go to a jury. Likewise, counsel familiar with all of the many different insurer-drafted forms as they have evolved over time will give the organization key access to arguments based upon obvious and subtle differences between and among the many different policy wordings, including the particular language in the organization’s policy. Often in coverage disputes, the multi-million dollar result comes down to a few words, the sequence of a few words, or even the position of a comma or other punctuation.

Conclusion

Cyber insurance coverage can be extremely valuable. Although placing coverage in this dynamic space presents challenges, it also presents substantial opportunities. Before a claim arises, organizations are encouraged to proactively negotiate and place the best possible coverage in order to decrease the likelihood of a coverage denial and litigation. In contrast to many other types of commercial insurance policies, cyber insurance policies are extremely negotiable, and the insurers’ off-the-shelf forms typically can be significantly negotiated and improved for no increase in premium. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim. If a claim arises, following sound litigation strategies and refusing to take “no” for an answer will greatly increase the odds of securing valuable coverage.
Wilson Elser Moskowitz Edelman & Dicker LLP – Melissa Ventrone, Partner and Lindsay Nickle, Partner

Consumer protection: What is it?

From a legal perspective, consumer protection is the application of rules and regulations to agencies, businesses, and organizations that require them to protect their customers from intentional and unintentional harm. Instead of caveat emptor, or buyer beware, the business entity has a mandate to protect its customers from the bad things that may befall them. In essence, the government has decided it is the business’s responsibility to protect the least sophisticated consumers from themselves and what may happen to them.

The intersection of consumer protection and cybersecurity imposes a responsibility on businesses to protect their consumers’ information. Unlike many areas of business, when an organization is the victim of a criminal attack, such as being hacked, the business is not considered a victim. Instead, the customers are considered the victims, and the business becomes a potential scapegoat—the target of inquiries, investigations, irate customers, reputational harm, and lost business, even though it was the business that suffered the criminal activity. Leading experts agree that no organization is immune from cyberattacks and that impenetrable data security is not possible. Nevertheless the media and the public continue to vilify and hold businesses responsible for failing to do what experts agree cannot be done.

Consumers demand that organizations safeguard their privacy and protect their information from data breaches; however, those same consumers are impatient and intolerant when security measures slow services or degrade usability. Some may terminate their relationships as a result, jumping ship to underfunded start-ups simply because consumers want what they want, and they want it now.
Adding to the difficulty of trying to balance data privacy and security with innovation and usability, organizations must concurrently maintain compliance with the myriad of state and federal data privacy and security laws, regulations, and guidelines. It would take several books to outline all the laws, regulations, and guidelines that affect consumer protection and cybersecurity. This chapter is designed to provide organizations with an understanding of those laws that have the most significant impact on privacy and security from a consumer protection perspective. There is no better place to start this discussion than by examining the recent activities of the Federal Trade Commission (FTC).

Cybersecurity, consumer protection, and the FTC

The FTC has deemed itself the enforcer of data privacy and security, the ultimate authority responsible for protecting consumer privacy and promoting data security in the private sector. In fact, the FTC commonly is considered the most active agency in the world in this area. Although the debate continues on whether the FTC has authority to police data privacy and security under section 5 of the FTC Act, organizations must be aware that the FTC and other regulators are monitoring practices and investigating and enforcing various laws under the guise of privacy and cybersecurity as a consumer protection issue.

The FTC regulates this space under section 5 of the FTC Act, which prohibits unfair or deceptive practices. The FTC may choose to investigate an organization if it believes that the organization has made materially misleading statements or omissions regarding the security provided for consumers’ personal data. Further, according to a prepared statement by the FTC, “a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by the consumer nor outweighed by countervailing benefits to consumers or to competition.”

What does this mean? Well, according to an FTC report, this means that an organization’s data security measures must be “reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.” In other words, the FTC can choose to investigate an organization simply because the FTC believes the organization is doing a poor job protecting consumers’ information. Confused? You are not alone. Frankly, it appears that the FTC views poor cybersecurity practices a bit like courts view pornography—they know it when they see it.

Organizations looking for guidance from the FTC on appropriate security measures to protect consumer information may find themselves twisting in the wind like the last leaf on a tree. The FTC has not issued any detailed guidelines on what constitutes “reasonable security measures.” To be fair, the FTC most likely struggles, as do many agencies, with establishing guidelines that are flexible enough to apply to a wide range of organizations in a variety of industries, yet structured enough to set a standard.

The FTC addressed this argument by instructing companies to review its previous consent decrees to identify “reasonable”—or more appropriately, what it considered to be unreasonable—security standards. Thus, in the midst of day-to-day operations, the FTC apparently expects an organization to carefully review a multitude of previous consent decrees to identify what it should be doing to reasonably protect consumers’ information.

Organizations can also review a 15-page guide the FTC published in 2011, Protecting Personal Information: A Guide for Business. This guide informs organizations that a “sound business plan” is based on five principles:

• Know what information you have and who has access to the information.
• Keep only that information needed to conduct business.
• Protect the information in your control.
• Properly dispose of information that is no longer needed.
• Prepare a plan for responding to security incidents.

Although this may have been an accurate list in 2011, any company that limits its cybersecurity program to these five principles will quickly discover its inadequacies. The FTC claims to recognize that there is no one-size-fits-all data security program, no program is perfect, and the mere fact that a breach occurs does not mean a company has violated the law.

Organizations must be aware of the FTC’s heightened activity in this space. Right now, data privacy and protection of consumer information has the public’s attention and is sometimes used as a political platform. Organizations must have an in-depth understanding of their cybersecurity posture, identify key vulnerabilities, and have a plan to either mitigate or remediate problems. Failure to place consumer protection and cybersecurity at the top of its priority list may land an organization in the FTC’s crosshairs.

Cybersecurity, consumer protection, and the financial industry

As in other industries, cybersecurity and consumer protection in the financial sector are a patchwork of federal statutes, regulations, agencies, and enforcers. There are five federal banking regulatory agencies: the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the Consumer Financial Protection Bureau (CFPB). A representative from each of them sits on the Federal Financial Institutions Examination Council (FFIEC), which is empowered to set out principles, standards, and forms for the uniformity of the supervision of financial institutions. A top FFIEC priority is the strengthening of cybersecurity in the marketplace, particularly as it pertains to the financial industry and those businesses and organizations that provide services in the financial sector. To that end, in the summer of 2014, the FFIEC completed a cybersecurity assessment involving more than 500 community financial institutions with the goal of determining how prepared those institutions were to mitigate cyber risks. The results are instructive as potential standards for the efforts an organization should take when its operations interact with or are tangential to the financial industry, or simply when a business collects, stores, or shares consumers’ private information.

Cyber preparedness—which is the crux of consumer protection—encompasses the following:

• Risk management and oversight: Organizations should proactively train employees, allocate resources, and exercise control and supervision of cybersecurity operations. This includes involving upper-level management and boards.
• Threat intelligence: A business should undertake processes to educate, identify, and track cyber activities, vulnerabilities, and threats.
• Cybersecurity controls: Businesses should implement controls to prevent unauthorized access or exposure of information, to detect attacks or attempts to compromise systems, and to correct known and identified vulnerabilities. As the industry begins to more fully recognize the futility of keeping malicious attackers outside the network perimeter, companies also should implement controls that more quickly identify when malicious activity takes place inside the network.
• External dependency management: Organizations should have processes in place to manage vendors and third-party service providers and help ensure that connections to systems are secure, as well as processes to audit and evaluate the third-party’s cybersecurity protections.
• Cyber incident management and resilience: Organizations should have procedures and processes to detect incidents, respond to those incidents, mitigate the impact of the incidents, document and report on the incidents, and provide for recovery and business continuity.

Within the financial sector, and regarding businesses that interact with the financial sector, these can reasonably be considered the components of due diligence. Efforts to protect consumers from the dangers of the exposure of personal information entrusted to a business involve guiding the organization through these steps on a scale appropriate to the size of the business and the scope of the information involved.

Adding to the complexity of compliance, there are multiple statutes and regulations that expressly require businesses to undertake security measures and notify consumers regarding privacy and information-sharing practices. The Gramm-Leach-Bliley Act (GLBA) and the corresponding regulations adopted to implement its requirements are aimed at protecting consumer interests. Similar to other regulations, businesses are required by the GLBA Safeguard Rule to use “reasonable security measures” to protect consumer information that they collect and store. In the financial services industry, this often includes highly sensitive information, such as Social Security numbers, financial account numbers, and income and credit histories.

Fortunately, the GLBA outlines, at least in some fashion, what constitutes “reasonable security measures.” For instance, the GLBA Safeguard Rule requires the development and implementation of a written information security plan. In addition, the Rule requires companies to provide an annual written privacy notice to its customers that clearly, conspicuously, and accurately explains its information-sharing practices and provides customers the right to opt out of the organization’s sharing practices. Both of these consumer protections are enforced by the FTC along with several other federal regulatory agencies and state insurance authorities.

Those entities governed by the SEC (Securities and Exchange Commission) and FINRA (Financial Industry Regulatory Authority) are expressly required to develop written identity theft prevention programs and, in the face of a breach, will likely face questions regarding cybersecurity policies and efforts. Further, the regulations imposing these requirements mandate that upper-level management sign off on any written program and participate in its administration. As the goal of these requirements is to protect customer information, an organization should be mindful to design programs that consider the nature of the organization’s operations, as well as its size and complexity, so that the plan can be effectively implemented to achieve its desired goals.

The OCC recommends all banks and financial institutions implement incident response and business continuity plans and test those plans regularly. It also sets supervisory expectations about how financial institutions and third-party service providers in the financial sector can and should safeguard sensitive information. The OCC conducts on-site audits of financial institutions and certain third-party service providers to confirm compliance. The OCC also gets involved in the aftermath of cyberattacks to assess the corrective actions that financial institutions take in response. The OCC is vested with the authority to require the banks subject to its regulation and the banks’ service providers to take steps to protect systems, prevent loss or theft of sensitive information, and mitigate identity theft.

In 2007, under the terms of the Fair and Accurate Credit Transactions Act, the OCC, FRB, FDIC, NCUA, and FTC issued regulations requiring creditors and financial institutions to develop and implement formal written programs aimed at identifying and preventing identity theft (the Red Flags Rule). Large banks have resident OCC investigators trained to assess cybersecurity
issues. Smaller banks face on-site visits every 12 to 18 months. In 2013, the OCC updated its Third-Party Relationship Risk Management Guidance to set out expectations for risk assessment and management of third-party relationships. The senior management and boards of banks retain responsibility for cybersecurity even when third parties are involved. As a result, the OCC mandates comprehensive oversight and management of third-party relationships throughout the life of each relationship. This requires extensive due diligence prior to establishing a relationship, execution of written contracts that should include the right to audit the third party, ongoing monitoring, documentation, and reporting regarding risk management processes, and independent review of processes. Further, the OCC requires that third-party contracts stipulate that the OCC has the authority to examine and regulate the services provided to the bank by the third party.

The financial industry is highly regulated, and its consumer protection and cybersecurity aspects are no exception. Identity theft, at its heart, is a consumer protection issue. Enforceable security guidelines set out by regulators and aimed at the protection of consumer information trickle down to service providers, as the financial institutions are affirmatively charged with managing risks associated with vendors and service providers. The recommendations and requirements of the financial regulators make clear that extensive due diligence, monitoring, planning, and management are required in the quest to take reasonable security measures.

Health care, cybersecurity, and consumer protection

Any discussion of consumer protection and cybersecurity must include a discussion of the health care industry. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs protected health information (PHI) maintained by various organizations that fall under the jurisdiction of HIPAA (covered entities) and other organizations that may receive health information from covered entities while performing various services. HIPAA is enforced primarily by the U.S. Department of Health and Human Services Office of Civil Rights (OCR). State attorneys general also have the authority to enforce HIPAA.

OCR’s authority to enforce HIPAA encompasses covered entities regardless of size and their “business associates,” a term that includes first-tier vendors that contract directly with covered entities and all downstream entities that receive PHI in the course of their business. Perhaps the most helpful aspect of HIPAA is that it specifies privacy requirements that covered entities must follow, as well as identifies security elements for covered entities to consider.

The HIPAA Privacy Rule outlines standards for the use and disclosure of all forms of PHI and categorizes PHI into three major “usage” categories: treatment, payment, and health care operations and sets up rules associated with each use. Uses that fall outside of these categories or that do not qualify as any of the exceptions described in the rule require an authorization from the affected individual. Meanwhile, the HIPAA Security Rule establishes standards for preserving the confidentiality, integrity, and availability of electronic PHI. Specifically, the Security Rule requires covered entities to have appropriate administrative, physical, and technical safeguards in place to protect PHI and contains detailed security requirements for protecting PHI. For instance, covered entities must conduct an assessment of the risks to and vulnerabilities of the protected health information.

These guidelines provide organizations with concrete examples of steps needed to protect PHI and hence the consumer information in their systems. However, organizations should be aware that compliance with HIPAA is a minimum standard. As technology continues to change and develop, circumstances may require organizations to exceed the minimum HIPAA compliance requirements to effectively protect consumer information.
This is an important point, because in addition to OCR, the FTC considers itself empowered to regulate organizations that are covered by HIPAA. According to the FTC, HIPAA does not preempt the FTC’s authority to also regulate covered entities. Furthermore, in 2010 the FTC issued the Health Breach Notification Rule, which mandates that entities not covered by HIPAA that experience a breach of a “personal health record” provide notification to the affected consumer.

Covered entities and their business associates must do more than merely “check the box” on cybersecurity compliance. If an organization faces an OCR investigation, it will be required to provide information related to its entire data privacy and security program, not just information related to the “incident” that triggered the investigation. Often, organizations are required to provide evidence of policies and procedures going back several years.

As part of its efforts to enforce compliance with HIPAA, OCR conducted security audits of covered entities in 2011 and 2012, commonly referred to as Phase 1. Although Phase 2 was delayed until OCR implements a web portal that enables covered entities to submit information, in May 2015 OCR began sending the first surveys of Phase 2 audits, so covered entities and their business associates should be prepared for this next phase. Similar to other agencies, OCR intends to audit the cybersecurity practices of the organizations that fall under its jurisdiction. OCR previously announced that it would conduct a pre-audit survey of 800 covered entities and 400 business associates, and from that pool select 350 covered entities and 50 business associates for a full audit.

The audits will take place over three years and will focus on:

• Risk analysis and risk management (the Security Rule)
• Notice of privacy practices and access rights (the Privacy Rule)
• Content and timeliness of breach notification (the Breach Notification Rule).

Phase 2 audits will likely not be as comprehensive as the audits in Phase 1 and will focus on key high-risk areas OCR learned of in its Phase 1 audits.

Health care information is commonly considered the most sensitive and personal information a consumer has, and it therefore deserves increased security controls. This is perhaps recognized by the authority of the state attorneys general to enforce HIPAA, a provision not found in all federal statutes. Numerous states have passed laws specifically intended to protect personal health information, regardless of whether the organization holding such information is considered a “covered entity” under HIPAA. As health care breaches continue to increase in number, organizations should expect greater regulatory scrutiny and activity related to their efforts to protect consumer health information.

State laws and regulations

In addition to the federal landscape, businesses should be aware that state laws and regulations affect consumer protection obligations. Various states have laws that affect specific industries and general consumer protection laws that may be implicated in business practices. This is a growing concern with the increase in e-commerce. Businesses that in the past would have limited their footprint to the jurisdiction of a single state now are more likely to encounter customers across state lines. Because the applicability of state laws affecting consumers and cybersecurity is often triggered by the residence of the consumer, even small businesses can find that they face unexpected multijurisdictional questions.

Recommendations and conclusion

Given the wide range of laws, regulations, and guidelines—only a few of which could be covered here—how do organizations begin to navigate these treacherous waters? Organizations must build privacy and security into their systems, processes, and services from the ground up and from the top down. Education and training for all employees should start on day one and be continuous. The time and effort required to assess cyber risk and understand data is minimal compared with the potential implications of failing to do so. Technology is constantly evolving, which means cybersecurity does as well, and an organization’s efforts to protect consumer information must similarly adapt. It is better to have considered a tool and rejected it because it substantially degrades the service offered than to ignore the vulnerability entirely. Organizations must face cybersecurity risks as an enterprise and leverage industry experts to guide them through this quagmire of laws, regulations, and threats.
Fish & Richardson P.C. – Gus P. Coldebella, Principal

Protecting trade secrets in the age of cyberespionage

The cybertheft of intellectual property (IP) from U.S. companies has, in the words of former NSA director and Cyber Command chief General Keith Alexander, resulted in the “greatest transfer of wealth in human history.” And the data bear that out: by some estimates, the value of IP stolen from U.S. businesses over the Internet alone is $300 billion per year—a whopping 6% of our $5 trillion total intellectual property assets. For certain nations, cyber espionage is a central component of their growth strategies: for example, the Report of the Commission on the Theft of U.S. Intellectual Property (the IP Commission Report) found that “national industrial policy goals in China encourage IP theft, and an extraordinary number of Chinese in business and government entities are engaged in this practice.” Cyber espionage of IP assets allows companies and countries to circumvent the expense and hard work of basic research and product development—which could take years or even decades—and instead quickly pursue their economic agendas based on stolen IP, all to the detriment of U.S. businesses, jobs, and economic growth.

On May 1, 2014, a federal grand jury brought criminal charges of hacking, economic espionage, and trade secrets theft against five officers of China’s military. The hackers are alleged to have penetrated the networks of important American companies to acquire proprietary and confidential technical and design specifications, manufacturing metrics, attorney-client discussions about upcoming trade litigation, economic strategies, and other forms of sensitive, nonpublic information. What was the object of this indictment? Certainly not to get a conviction: the likelihood of China extraditing the defendants to the U.S. is negligible. Instead, the U.S. used the indictment to transmit two strong signals. First, it sent a message to China: that we are aware of this aberrant behavior—in which a nation-state aims its espionage apparatus not at another country, but at another country’s companies—and that the
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
patent, the registration of a trademark, and the creation/publication of copyrighted material. Cyberthieves generally set their sights on a company’s trade secrets—the one type of IP that is not readily available for the world to see.
Some companies keep their trade secrets offline. Legend has it that one of the most storied trade secrets, the formula for Coca-Cola, is on a handwritten piece of paper in a safe in Coke’s Atlanta headquarters. But air-gapped trade secrets are rare in the Internet age. Given this, it is crucial for a company to identify and locate the trade secrets on its networks, and those that are being deposited there in the ordinary course of business. Every company has such mission-critical secrets: design specifications, chemical formulas, computer code, financial algorithms, customer lists, and business plans, to name a few. Finding them is a key, and sometimes overlooked, part of a top-to-bottom network vulnerability analysis. Unless a company knows what trade secrets it has and where they are located, it cannot begin to secure them.
Once a company catalogs its online trade secrets, it should ask several high-level strategic questions: How are they currently safeguarded? Who may access them? What systems are in place to alert the company that the trade secrets have been exfiltrated or altered? These questions and the protective measures developed in response are not only important to thwart cyber attackers—but also help to prevent all types of attempted trade secret theft, whether conducted via the Internet or the old-fashioned way. They also help to best position the company if it brings litigation seeking damages, injunctive relief, or other recompense for the theft. Although the cybertheft of trade secrets has not yet yielded many judicial decisions, law books are rife with cases of companies seeking damages resulting from current or former employees spiriting off trade secrets to their next employer or to a competitor. One of the central questions in any such litigation is: did the company make reasonable efforts under the circumstances to protect the secrecy of its confidential information? The
U.S. will expose this misconduct to the world. Second, the indictment sent a message to U.S. companies that, although past breaches and legal and reputational risk may have convinced boards and management to shore up defenses against cyberattacks involving ‘personally identifiable information,’ or PII, the most sophisticated attackers are interested in other, more mission-critical data on companies’ networks—intellectual property. The loss of trade secrets could cause more harm to a company’s reputation, value, and future prospects than a PII breach ever could. The U.S. government is signaling that companies should focus on taking immediate, reasonable steps to defend their intellectual property assets.
In a world where countries persistently attack companies and compromise of a company’s networks seems inevitable, management may be tempted to throw up their hands and concede defeat. There are, however, important legal and practical reasons to fight. In this chapter, we explore reasonable steps companies can take to prevent the cybertheft of their IP assets, to mitigate the harm of such thefts if they occur, and to challenge competitors that use stolen IP assets to unfairly gain an advantage in the marketplace.
Conducting a trade secrets risk analysis
So what types of IP are cyber spies after? Intellectual property has four broad categories: patents, trademarks, copyrights, and trade secrets. A trade secret—according to the Uniform Trade Secrets Act, or UTSA, adopted in some form by 48 states and the District of Columbia—is information that gains its actual or potential economic value from being not generally known and reasonably protected from disclosure. Of the four IP types, only trade secrets maintain their value, and their legal protection as trade secrets, through nondisclosure. If a trade secret is not disclosed, the economic benefit it provides and the legal protection it enjoys can theoretically last forever. If it is disclosed, those advantages can be destroyed. Trade secrets stand apart from other IP, which gains and maintains its legal protection through disclosure: the filing of a
PROTECTING TRADE SECRETS IN THE AGE OF CYBERESPIONAGE
the full set of information needed to replicate a targeted invention, product, or service.” A company can achieve segmentation in two ways detailed by Villasenor: first, by dividing a trade secret into modules, distributing the modules across multiple networks, and ensuring that there is no easy path from one network to the next; and second, once the trade secrets are broken up into modules, by allowing employees access only to the modules that are relevant to them. Some modules can be separated physically and allow nearly no user access. For example, ‘negative information’—valuable secrets about what does not work and is often the result of meticulous collection of data through extensive, costly research—is not frequently accessed in a company’s day-to-day operations and therefore can be segmented and stored in an extremely limited set of locations. Implementing robust access control alongside segmentation makes it more difficult for an adversary to steal a company’s crown jewel trade secrets in a single attack, and to ‘spear-phish’ its way into accessing some or all of a company’s crown jewel data under the guise of an authorized user.
Monitor data flow, not just authorization
Instead of monitoring only for unauthorized access, companies should flag and investigate instances and activity of high-volume or suspicious data transfers, whether or not the transferor is ‘authorized.’ Systems that look only for suspicious behavior by unauthorized users can blind the company to critical and common cyberattacks. History shows that trade secret theft frequently is carried out by authorized users—think about a disgruntled employee downloading the master customer list, or the trading algorithm, right before he or she quits to work for a competitor. In another common scenario, when hackers obtain privileged user credentials to infiltrate a company’s network, activity that appears attributable to ‘Mike in Accounting’ may actually be malicious. Systems should be designed to monitor the flow of key data, whether or not it is being accomplished by someone with apparent trust.
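The data-flow monitoring described above, as an added example that is not part of this chapter or the guide: a small Python detector run over constructed access-log lines (the log format, account names, destinations and thresholds are all assumptions) showing that an authorization-only check misses both the authorized insider copying the master customer list and the stolen ‘Mike in Accounting’ credentials, while a check on the volume and destination of trade-secret data flags both.

```python
"""Monitor the flow of trade-secret data, not just authorization.

Added example for this chapter, not code from the guide or its authors.
The log format, account names, destinations, thresholds and every log
line below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed access log. Fields: timestamp, account, data class,
# bytes transferred, destination, whether the account is authorized.
SAMPLE_LOG = """\
2015-06-01T09:12:03 mike.accounting trade-secret 240000 share://finance/q2-model.xlsx yes
2015-06-01T10:40:11 dana.chem trade-secret 310000 share://rnd/formula-b.pdf yes
2015-06-02T09:05:44 mike.accounting trade-secret 260000 share://finance/q2-model.xlsx yes
2015-06-02T11:02:31 dana.chem trade-secret 290000 share://rnd/formula-b.pdf yes
2015-06-02T14:15:09 temp.contractor trade-secret 50000 share://rnd/formula-b.pdf no
2015-06-03T09:10:27 mike.accounting trade-secret 250000 share://finance/q2-model.xlsx yes
2015-06-03T17:55:02 dana.chem trade-secret 48000000 usb://removable/customers-master.csv yes
2015-06-04T03:12:48 mike.accounting trade-secret 9500000 https://files.example.net/upload yes
2015-06-04T09:00:12 dana.chem public 1200000 share://marketing/brochure.pdf yes
"""

# Destinations treated as inside the company's own network (assumed).
INTERNAL_PREFIXES = ("share://",)


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    user: str
    data_class: str
    nbytes: int
    dest: str
    authorized: bool


def parse_log(text: str) -> list[Transfer]:
    """Parse the constructed log format into Transfer records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, cls, nbytes, dest, auth = line.split()
        records.append(Transfer(datetime.fromisoformat(ts), user, cls,
                                int(nbytes), dest, auth == "yes"))
    return records


def authorization_only_alerts(transfers: list[Transfer]) -> list[str]:
    """The model the chapter warns against: alert only on unauthorized accounts.
    It cannot see the insider or the stolen credential, both marked authorized."""
    return sorted({t.user for t in transfers if not t.authorized})


def data_flow_alerts(transfers: list[Transfer], spike_factor: int = 10,
                     floor_bytes: int = 5_000_000) -> list[tuple[str, str, str]]:
    """Alert on how trade-secret data moves, regardless of authorization.

    Two rules (thresholds are assumptions; tune them to the environment):
      1. any trade-secret transfer to a destination outside INTERNAL_PREFIXES;
      2. a user's daily trade-secret volume above floor_bytes and more than
         spike_factor times that user's median daily volume on other days.
    Returns (user, date, reason) tuples.
    """
    daily = defaultdict(int)  # (user, date) -> bytes of trade-secret data moved
    alerts = set()
    for t in transfers:
        if t.data_class != "trade-secret":
            continue
        day = t.ts.date()
        daily[(t.user, day)] += t.nbytes
        if not t.dest.startswith(INTERNAL_PREFIXES):
            alerts.add((t.user, day.isoformat(), f"external destination {t.dest}"))
    for (user, day), volume in daily.items():
        others = [v for (u, d), v in daily.items() if u == user and d != day]
        baseline = median(others) if others else 0
        if volume >= floor_bytes and volume > spike_factor * baseline:
            alerts.add((user, day.isoformat(),
                        f"volume {volume} bytes vs baseline {int(baseline)}"))
    return sorted(alerts)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("authorization-only model flags:", authorization_only_alerts(records))
    for user, day, reason in data_flow_alerts(records):
        print(f"data-flow model flags {user} on {day}: {reason}")
```

The two models are complementary: the authorization check still catches the contractor reading a file it should not, so the data-flow rules are run alongside it, not instead of it.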
reasonable measures identified in these decisions—such as training employees on trade secret protection, requiring employee confidentiality agreements prior to granting access, and revoking access upon termination from the company—apply with equal force in the cyber context, and companies should employ them. Below, we discuss additional cyber-specific protective measures that companies can consider taking.
Planning for the worst
Certain adversaries—especially nation-states and state-sponsored groups targeting U.S. trade secrets—are highly skilled, technologically savvy, and persistent. They are not trolling for just any IP, and they will not be put off by even best-in-class technical defenses and move onto the next target when their mission is to steal your company’s secrets. Even with reasonable defenses in place, companies should assume that an attack will eventually be successful, and that a company’s IP and trade secrets may be compromised as a result. One way companies can protect themselves is to consider ways, such as the following suggestions, to reduce the likelihood that even a successful intrusion leads to IP theft.
Access controls and segmentation
Companies should implement access controls on crown jewel data. Although almost every employee requires access to certain parts of the company’s network, not all of them need access to files containing trade secrets. Not even all employees that require access to some trade secrets need access to all. A smart access control system makes it clear that secrets actually are treated as secrets—i.e., only those with a need to know (as opposed to everyone with a network password) are given access to the data.
Another related layer of protection is ‘trade secret segmentation,’ which, according to John Villasenor in his article Corporate Cybersecurity Realism (Aug. 28, 2014), is distributing information “so that no single cybersecurity breach exposes enough of a trade secret to allow the attacker to obtain
exercised it. Under such a plan, the first call should be to experienced outside counsel, who can hire the forensics and crisis PR teams to investigate and respond to what happened, and who give the results of the investigation the greatest chance of being considered privileged, which is important as the legal and regulatory consequences of breaches continue to grow. It is also important—especially with potential trade secret theft—to preserve all information surrounding the incident in a forensically sound way. For example, collecting and analyzing log information may allow a company to determine what data were lifted and where they were sent, which could be critical in investigations by law enforcement and in post-breach litigation.
Taking on the IP thieves and their beneficiaries
Adversaries want to steal your trade secrets for a simple reason: to use, sell, and profit from them. Every IP theft contains the seeds of unfair competition based upon the stolen secrets. Assume the worst has happened, and you begin to see the company’s hard work or research emerge in the marketplace, embedded in a competitor’s product or across the negotiating table. What options do you have? We discuss five here:
Misappropriation of trade secrets. The victim of trade secret theft may bring an action under state law to enjoin the beneficiary of the theft and recover damages. (There currently is no federal private right of action for misappropriation of trade secrets.) As already discussed, most states have adopted a version of the Uniform Trade Secrets Act, or UTSA. UTSA prevents using a trade secret of another without consent if the defendant employed improper means to appropriate the secret, or “knew or had reason to know that his knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA §§ 1(2)(ii)(A); 1(2)(i). UTSA,
Mark and tag secrets
Even in the bygone days of trade secrets on paper, companies knew to clearly mark their secrets with a legend. This accomplished two things: employees would know to handle those secrets consistent with the company’s trade secrets policies, and if they were stolen, they could be identified as the company’s property. Just like cartographers of old intentionally included fake shortcuts, streets, and even towns to immediately recognize misappropriated copies of their maps, tagging digital assets provides a way to definitively prove that the IP was originally yours. Today, with an array of technological means at hand, companies can do more, including tagging digital IP with code that could, say, render stolen files inoperable. The IP Commission Report correctly recommended that “protection...be undertaken for the files themselves and not just the network, which always has the ability to be compromised.” It suggested that:
    Companies should consider marking their electronic files through techniques such as “meta-tagging,” “beaconing,” and “watermarking.” Such tools allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event that they are stolen. Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. (IP Commission Report at 81.)
Collect forensic leads as part of incident response
Of course, executives must make sure that the company has created a robust incident response plan and has practiced and
bureaucratic, that was in the context of arguing for a quicker method for U.S. companies to seek exclusion. Our experience is that § 337 actions tend to be much quicker than currently available alternatives, including state and federal court litigation. The ITC process offers U.S. companies a powerful weapon against importation of goods containing stolen trade secrets.
Computer Fraud and Abuse Act (CFAA). Under certain circumstances, the CFAA provides a private right of action for companies to bring suit against a party who knowingly and intentionally accesses a protected computer without authorization, obtains information, and causes harm. 18 U.S.C. § 1030(g). The victim may be able to seek damages from not only the individual who accessed the computer and stole the information but also the company profiting from the stolen trade secret so long as the victim can plead and prove that the competitor “conspire[d] to commit” such an offense (18 U.S.C. § 1030).
Call the feds. A company may refer the theft to federal criminal authorities, which can bring charges under 18 U.S.C. §§ 1831-32 for theft of trade secrets and economic espionage. The economic espionage and trade secret theft statutes reach not only parties who steal the trade secret but also anyone who “receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization.” 18 U.S.C. §§ 1831(a)(3); 1832(a)(3). In addition to imposing hefty fines ($5 million for organizations, unless the theft was intended to benefit a foreign government, in which case it is $10 million), the law also allows judges to force the criminals to forfeit “any property, or proceeds derived from the stolen or misappropriated trade secrets, as well as any property used or intended to be used to help steal trade secrets.” 18 U.S.C. §§ 1834, 2323(b).
therefore, allows an action against the hacker and the company seeking to benefit from the stolen trade secrets, if the plaintiff can show that the competitor had reason to believe that the data it was using were stolen from someone else’s network. The remedies available under UTSA are powerful and encompass damages and injunctive relief. UTSA authorizes a court to award damages for actual loss and unjust enrichment, including multiple damages if the misappropriation was “willful and malicious.” UTSA §§ 3(a); 3(b). A court also may enjoin actual or threatened misappropriation or may condition the competitor’s future use of the trade secret on payment of a reasonable royalty. UTSA §§ 2(a); 2(b).
Section 337 of the Tariff Act of 1930. To stymie competitors that import their products into the U.S., a potent option is to initiate a process at the International Trade Commission (ITC) under Section 337 of the Tariff Act of 1930. A company may petition the ITC to investigate whether imported goods are the result of “unfair methods of competition”—which includes incorporating stolen trade secrets—so long as the unfairness has the potential to injure or destroy a domestic industry. 19 U.S.C. § 337. Because § 337 investigations are brought against goods, not parties, there is no need to prove that the specific company profiting from the stolen data was actually behind the cyberattack, only that the product was made or developed using misappropriated trade secrets. Even though the ITC cannot award damages under § 337, the remedy it can issue is potent against any company seeking to import misappropriated products in the U.S.: it can issue an order, enforceable by Customs and Border Protection, preventing goods from entering the country and enjoining sale of such products already here.
Although the IP Commission has criticized the § 337 process as too lengthy and
Of course, there are always pros and cons to be weighed before bringing civil litigation or involving federal law enforcement authorities. For example, law enforcement has a greater array of tools to compel production of evidence quickly, unlike in a civil suit, although a parallel criminal action may affect the company’s ability to seek civil discovery if the defendants seek a stay or exercise their Fifth Amendment right not to testify. There are also practical and business considerations that may argue for or against such a suit, including its potential to affect existing or future commercial relationships and continued access to foreign markets.
Future action: Report cyberspies and their beneficiaries under Executive Order 13694. In response to high-profile cyberattacks, the President and the federal government recognized that cyber espionage is a serious threat to the nation’s economy and national security but acknowledged that it is not always possible to take criminal or civil action against perpetrators because they are often outside the jurisdictional reach of U.S. courts. For that reason, the U.S. has devised another method for reaching these malefactors, punishing them for their actions, and deterring future attacks. On April 1, 2015, the President signed Executive Order 13694, authorizing the Office of Foreign Assets Control, or OFAC, within the Treasury Department, to (i) identify foreign hackers, the parties who aid them, and the parties who benefit from their activity by using their stolen information to profit and (ii) respond by freezing their U.S. assets and imposing sanctions. OFAC will add foreign individuals identified as being responsible for, contributing to, complicit in, or profiting from significant malicious cyber-enabled activities to its list of Specially Designated Nationals (SDNs). To earn a spot on the SDN list, the associated attack has to be “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Although OFAC cannot assist a company with recovering lost information or barring products from entering the market, reporting the perpetrators of particularly serious cyberattacks to OFAC can serve as a powerful deterrent. It is important to note that E.O. 13694 is, at the writing of this chapter, so new that OFAC has yet to promulgate final regulations governing the SDN-designation process, so companies should consult with counsel to understand their options once final rules are in place.
Conclusion
Trade secrets are high on the list of assets that cyber spies are interested in stealing. Careful planning will help your company do its best to prevent the theft of these valuable assets and to thwart a competitor’s attempt to profit from its crimes if an attack is successful. If the worst-case scenario materializes and you discover that your company’s IP has been stolen, take immediate steps to engage experienced outside counsel to assess your best options to investigate the breach, recover damages, enjoin unfair competition, and seek justice.
Latham & Watkins LLP – Jennifer Archie, Partner
Cybersecurity due diligence in M&A transactions: Tips for conducting a robust and meaningful process
To begin with a tautology, when you buy a company, you buy their data—and the attendant risks to that data. Cybersecurity risks are not limited to consumer-facing businesses, whose recent losses of cardholder or patient data grab news headlines. Indeed, few businesses today have assets and liabilities that are not in some sense data driven. For most business combinations—whether M&A, joint venture, or leveraged buyout—cybersecurity should be a risk category in its own right. Buyers should review not just historic breaches but also cybersecurity risk management. Even though these risks are hard to quantify, the analysis will inform deal terms, deal value, and post-deal indemnity claims.
First step: Get an early read on cyber readiness at the engagement stage
Buyers should begin all cybersecurity risk assessments early in the engagement process, with the goal of clearly articulating as early as possible the target company’s most important information assets, systems, and business processes. Every target business should be able to readily identify which information technology (IT) systems and data sets are most valuable to the business and explain at a high level how the company protects and exploits them. Even at the earliest stages, the seller should be prepared to identify and discuss the following at a high level:
• What types of information or computer systems and operations are most important to your business? What sensitive types of data do you handle or hold relating to natural persons (which data elements in particular)?
• Where is sensitive information stored?
• How is it protected in transit, at rest, and in motion?
• What are the most concerning threats to information, networks, or systems?
government investigations from the Federal Trade Commission (FTC) or other agencies may be poorly understood. Federal investigations tarnish brands, especially if enforcement results. Investigations are expensive and distracting, and may lead to a sweeping 10- or 20-year permanent injunction dictating how future information security will be managed and monitored. Compliance with such a decree is expensive and limits a company’s independence and flexibility in significant ways. After a breach, management is often surprised to learn how persistent and aggressive the FTC or state attorneys general can be, even if the company sees itself as a victim of harm, not a perpetrator of consumer injury. If the target’s legal or business representatives are not knowledgeable about the regulatory and enforcement environments, buyers should not place much weight on a seller’s lulling statements or assurances that there have been no incidents or that risk of a cyber event is low.
Check for integrated cyber risk awareness and mitigation and a comprehensive security management program
Another sign of a mature security program is a management team with cross-functional awareness on these points at the CEO and board levels, as reflected in board minutes or other documentation. A security program will not be effective if it is a silo inside the IT or information security functions. All substantial stakeholder departments should be involved in cybersecurity risk management, including business unit leaders, legal, internal audit and compliance, finance, human resources, IT, and risk management.
Diligence questionnaires should ask the target company to generally summarize the administrative, technical, and physical information security controls currently in place to safeguard the most critical business data sets. Such controls include technical measures (such as boundary and malware defense, data encryption, intrusion detection systems, anomalous event monitoring, and access controls), administrative measures, and
• Have there been prior incidents?
• What is the cybersecurity budget?
• What are your recovery plans if critical information or systems become unavailable?
If the front line deal-facing personnel respond, “I don’t know, I’d have to ask,” this is a telling and interesting sign that the target company’s security management program is likely not well integrated into the senior leadership ranks. Sellers thus should be prepared in early discussions to showcase a sophisticated understanding of data security risks and how those risks may materially affect the company’s operations, reputation, and legal risks (or not). A buyer’s key diligence objective should be to probe and test whether the target company has implemented a mature risk management organization to evaluate the accuracy of management assurances about lack of historical breaches, payment card industry (PCI) compliance, protections against competitor or insider theft, and business continuity. Too often in hindsight, a target’s statements made in diligence turn out to have been good faith impressions, or even merely aspirational or reflective of paper policy, but not operational reality.
Tailor diligence to what types of information are handled and how important information security is to the bottom line
Beyond these general questions, the buyer should directly probe whether the target management has a sophisticated understanding of potential cyber-related liabilities and the regulatory environment. Unlike environmental or traditional fire or natural disaster scenarios, cyberattack-related liabilities are multi-faceted and unique. In some industries—such as energy, transportation, financial institutions, health care, defense contracting, education, and telecommunications—government oversight can be active and intrusive, and the target’s subject matter expertise will likely reside within the legal, compliance, and/or IT functions. In other industries, however, exposure to costly
CYBERSECURITY DUE DILIGENCE IN M&A TRANSACTIONS: TIPS FOR CONDUCTING A ROBUST AND MEANINGFUL PROCESS
been adopted, budgeted and scheduled, or already implemented.
For companies whose vendors hold company-sensitive data or access systems, the company should have implemented—prior to engaging in a business relationship—a formal vendor management program that specifically assesses risk and identifies potential security or data privacy concerns and appropriate remediation next steps. After a decision to engage, the company should mitigate data security risks through written agreements and supervision. These third parties should have data security insurance coverage and/or the agreements should require such a party to defend and indemnify the target company for legal liability arising from any release or disclosure of the information resulting from the negligence of the vendor or other third party. Third-party agreements involving data exchange or access also should articulate breach notification procedures, cooperation levels, information sharing, and expressly assign incident control and reporting responsibilities.
Cloud-based or other software-as-a-solution (SAAS) solutions as well as mobile devices present their own cybersecurity risks and should not be overlooked in diligence. Does the company permit employees to use cloud-based file-sharing services? Does it rely on SAAS solutions for critical or other business needs such as contact relationship management or HR? Email? How are the security and compliance risks presented being managed? Companies that issue or support mobile devices should have policies and procedures in place designed to protect sensitive information in those environments.
Use subject matter experts to assess cyber readiness and liabilities
Given the importance of the above questions, the buyer should pay careful attention to who asks these questions on behalf of the buyer or underwriters, in what settings, and with what time allowances. Put simply, deal teams ideally should embed subject matter experts on the business side,
physical security. The company should have a current documented crisis management/incident response plan in place, including pre-staging of legal and forensic experts and a public relations strategy, all approved by senior management. A seller should specifically inquire about and assess what financial resources are applied to data security, in the context of the target’s overall approach to risk containment and specific to its industry. Also, sellers should ask the following to gather detailed information about how the company has organized the management of cybersecurity and risk:
• Is there a single designated person with overall responsibility? To whom does he or she report? (Risk Officer? CTO? CIO? CEO?)
• Describe board oversight. Have directors and senior managers participated in data security training/been involved in the development of data security protocols?
• Does the company have legal counsel regularly advising on data security compliance? Is counsel internal or external, and if external, who?
• How does the company educate and train employees and vendors about company policies, information security risks, and necessary measures to mitigate risk?
• How can employees or members of the public (such as independent security researchers) report potential vulnerabilities/breaches, including irregular activity or transactions?
• What is the plan to recover should critical or other necessary systems become unavailable? What are the recovery point and recovery time objectives? How have these and other elements of the plan been correlated to business needs?
If the company has in the last year or two completed an internal or external audit or assessment to determine compliance with company security policies and/or external security standards, this should be requested, or at a minimum the target company should report whether all recommendations have
network. The attacker then acquired elevated rights that allowed it to navigate portions of the company’s systems and to deploy unique, custom-built malware on self-checkout systems to access the payment card information of up to 56 million customers who shopped at U.S. and Canadian stores between April 2014 and September 2014. In fiscal 2014, alone, Home Depot recorded $63 million in pretax expenses related to the data breach, partially offset by $30 million of expected insurance proceeds for costs believed to be reimbursable and probable of recovery under insurance coverage, resulting in pretax net expenses of $33 million.
What this sort of financial and reputational exposure means for M&A diligence within the retail sector is that buyers should devote expert and highly substantive attention to how cardholder data are collected, stored, handled, and secured. Payment processing services are material to all retail businesses, and all payment processing agreements have PCI compliance as a material term. So just as the SEC always wants to know about where that relationship stands in its review of risk factors, buyers too want to pay special attention in this area. If PCI compliance is lacking, the seller should at least be able to disclose a specific remediation timeline and a budgeted plan that is hopefully supervised and accepted by the payment processor.
PCI compliance handled correctly is costly
and involves constant adaptation and opti-
mization to new threats and new standards.
It is not an annual “check-a-box” process.
Within the data security space—as was true
for Home Depot, Target, and many others—
good business practice assumes that a com-
promised merchant will have a recent,
valid, self-certifcation or even third-party
certifcation of PCI compliance. However, a
buyer should not rely simply on the inclusion
of such a report or certifcate in a virtual data
room. Many a breached retailer has held a
current PCI certifcation. Accordingly, the
buyer should always test the security of
cardholder data independently, at a process
the technical side, and even the legal side
early on—to do the following:
? Pose questions orally
? Follow up with document requests
? Assess the documentation
? Conduct on-site testing and analysis
where appropriate
? Assess and advise on the maturity
and suitability of the program to the
underlying data risks
? Review and advise on deal terms or costs
to remediate gaps in compliance or risk
management.
Very importantly, the deal team also must be
nimble and focused upon the specifc indus-
try, because cybersecurity risks are highly
variable across industry sectors; threats,
liabilities, and government expectations for
adequate security are evolving constantly.
For example, if hackers acquire and then re-
sell large databases of cardholder data to
identity thieves—as happened to Target and
Home Depot—the types of expenses and
liabilities a buyer could expect are well doc-
umented in SEC flings. Expenditures
include the following:
? Costs to investigate, contain, and remediate
damaged networks and payment systems
and to upgrade security
? Liability to banks, card associations, or
payment processors for fnes, penalties,
or fraudulent charges
? Card reissuance expenses
? Expense of outside legal, technical, and
communications advisors.
? For retail sector, diligence surrounding
PCI compliance should seek more than
a “yes” or “no” response
Buyers of companies who accept, process,
store, or handle cardholder payment data
streams of course will want to pay particular
attention to compliance with current PCI
standards. At Home Depot, for example, an
attacker used a vendor’s username and
password to gain access to Home Depot’s
147 ?
level if necessary. The same security consultants who arrive post-breach to assess root cause and damage can examine card-related data security very meaningfully in the M&A setting, even with only a few days of on-site interviews and document collection. If PCI compliance concerns arise in diligence, deal terms can be arranged that mandate, and appropriate funding for, third-party independent assessments and implementation of recommendations. Moreover, many retailers now are migrating to new payment systems, and this is a unique technology risk because of the likelihood of delay, interruptions, and budgetary over-runs.

Understand and assess awareness and mitigation of risks of trade secret theft, nation-state espionage, and denial of service attacks

Beyond payment card security risks, theft of trade secrets by competitors and insiders, state-sponsored espionage that is exploited for economic advantage, and cyberattacks that disable or cripple corporate networks are less publicized but can be equally damaging to a target business. For example, the high-profile, studio-wide cyberattack at Sony Pictures in November 2014 at the hands of a group calling itself #GOP, aka the Guardians of Peace, starkly illustrates the potential to cripple a business. The attack, which the FBI attributed to North Korea, resulted in the theft of terabytes of company internal email and documents, release of unreleased movies to file-sharing networks, deletion of documents from Sony computers, threatening messages to the company and individual employees, theft and apparent exploitation of sensitive human resources data, and a near complete and prolonged disruption of the company’s ability to transact business and communicate electronically over its networks and systems. In an interview with CBS News, Sony’s outside cyber investigator, Kevin Mandia, disclosed that 3,000 computers and 800 servers were wiped, and 6,000 employees were “given a taste of living offline”—no email and no way to process employee benefits or time cards (Source: http://www.cbsnews.com/news/north-korean-cyberattack-on-sony-60-minutes/). To add insult to injury, much of the exfiltrated material is now readily available (and free text searchable) on WikiLeaks.

The potential for outright theft of intellectual property by competitors should not be overlooked. In DuPont v. Kolon (United States v. Kolon Industries, Inc. et al.), for example, the manufacturer of Heracron, a competitor product to DuPont’s Kevlar, misappropriated DuPont’s confidential information by hiring former DuPont employees as consultants and pressuring them to reveal Kevlar-related trade secrets. DuPont sued the competitor, Kolon, in 2009, and in 2012 the Department of Justice brought criminal trade secret misappropriation charges against Kolon and five of its executives pursuant to 18 U.S.C. § 1832. In light of the parallel charges, Kolon settled, paying $360 million in damages—$85 million in fines and $275 million in restitution. (Source: Department of Justice Office of Public Affairs, http://www.justice.gov/opa/pr/top-executives-kolon-industries-indicted-stealing-dupont-s-kevlar-trade-secrets). To assess these sorts of risks, acquirers should ask:
• Are there former employees who had access to critical intellectual property or other company confidential information who have recently left for competitors?
• What agreements are in place to protect the proprietary information they have?

U.S.-based businesses, academic institutions, cleared defense contractors, and government agencies increasingly are targeted for economic espionage and theft of trade secrets by foreign competitors with state sponsorship and backing. In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion. According to the FBI, between 2009 and 2013, the number of arrests related to economic espionage and theft of trade secrets—which the FBI’s
Economic Espionage Unit oversees—at least doubled, indictments more than tripled, and convictions increased sixfold. These numbers grossly understate the frequency of such attacks or losses. Last year, the United States Department of Justice indicted five Chinese military hackers on charges including computer hacking, identity theft, economic espionage, and trade secret theft from 2006 to 2014. The alleged actions affected six U.S.-based nuclear power, metal, and solar product companies. The indictment, filed May 1, 2014, alleges that the defendants obtained unauthorized access to trade secrets and internal communications of the affected companies for the benefit of Chinese companies, including state-owned enterprises. Some defendants allegedly hacked directly—stealing sensitive, nonpublic, and deliberative emails belonging to senior decision makers, as well as technical specifications, financial information, network credentials, and strategic information in corporate documents and emails—while others offered support through infrastructure management. Charges were brought under 18 U.S.C. §§ 1028, 1030, 1831, and 1832. (Source: Department of Justice Office of Public Affairs, http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor).

Many companies choose not to publicly disclose or discuss these sorts of attacks or disruptions, which may go undiscovered for many months and often years. Even when attacks are discovered, breaches may not be reported to law enforcement or even to affected commercial partners. Questions about historical incidents during due diligence therefore should be open-ended but also very direct:
• Have you suffered thefts of confidential data (wherever stored)?
• Has your network suffered an intrusion?
• Did you retain outside experts to investigate?
• What is known about the attackers and the attack vector?
• What data do you suspect or know were taken?
• How long between the first known intrusion and discovery of the incident?
• Do you suspect or know whether the thief or intruder attempted or made fraudulent or competitive use of exfiltrated data?
• During the past three years, have you experienced an interruption or suspension of your computer system for any reason (not including downtime for planned maintenance) that exceeded four hours?

A buyer should assess a target’s measures to prevent and detect insider threats, including whether basic protections are in place to identify and mitigate insider threats, such as the following:
• Pre-employment screening via dynamic interviews, background checks, and reference checking
• Workforce education on warning signs
• Internal network security measures such as website monitoring, blocking access to free (unauthorized) cloud-storage sites such as Dropbox, turning off USB drives
• Automated monitoring of Web, deep Web, or peer-to-peer network searching for leaked data.

Private and state actors have made use of denial of service attacks to disrupt the business of a company that meets with their disapproval (or as an extortion scheme). Material impact on ecommerce, on-line entertainment, email, and other critical systems is the result. An acquirer might reasonably ask:
• Has the target company evaluated its exposure to such attacks?
• What measures does it have in place to defend itself?
• How would it know if such an attack was occurring?
• Have any such attacks occurred?
Assessing cyber insurance

Finally, buyers should evaluate the extent to which cyber risks are mitigated by insurance coverage, including whether enhancements to the cyber program may be available post-closing. Most cyber insurance policies today cover the data breach and privacy crisis management expenses associated with complying with data breach notification laws. Those costs include the costs of expert legal, communications, and forensic advisors, benefits such as credit repair or monitoring to affected individuals, and even costs of responding to government investigations or paying fines. Cyber coverage is also widely available for extortion events, defacement of website, infringement, and network security events, even arising from theft of data on third-party systems or malicious acts by employees. Because of the volatility and variability of the cyber insurance market at this time, buyers should closely examine policies for what is covered, deductibles, coverage periods, and limits. Diligence experts should also evaluate post-closing opportunities to enhance the insurance program if significant unmitigated risks of third-party liabilities or direct expense from an attack have been identified.

Conclusion

If there was ever an era when minimizing or commoditizing assessment of cybersecurity risks in the M&A space was sensible, that time has surely passed. Expertise in assessing data-driven risks should be embedded on the front end of every transaction and tracked throughout the deal, so that deal terms, deal value, and post-closing opportunities to strengthen security can be considered against a fully developed factual picture of the target company’s cyber readiness and exposure.
Kaye Scholer LLP – Adam Golodner, Partner
International inflection point—companies, governments, and rules of the road

In the attorney general’s conference room at the United States Department of Justice is a mural on the ceiling—on one end a heavenly depiction of justice granted, and on the other a depressing tableau of justice denied. These images help remind us that principles matter, choices matter, and in many situations divergent outcomes are possible. We are at this kind of inflection point in global cyber. Technology, software, hardware, and physical and social networks are embedded everywhere today. Into the future the Internet of Things and the Industrial Internet will bring the next wave of global hyper connectedness and drive business innovation, new markets, efficiency, and consumer benefits globally. Every business today is a technology business, and every society increasingly a technology society. We all benefit from it. It is good. The world has changed, but it has also stayed the same.

In some sense, cyber issues are not new. They are the same issues countries and societies have been dealing with for centuries—theft, fraud, vandalism, espionage, and war. Over time, societies have created rules to deal with these domestically and globally. But cyber presents new facts. Activities and incidents happen at machine speed, and distance hardly matters. Masking who you are is easier. Some seemingly anonymous person can reach out and touch you instantaneously from anywhere. The kind of information we collect is quantitatively and qualitatively different than the past. We must appreciate and understand these facts and what they mean.

With a future of embedded everything and hyper connectivity, we have to create acceptable ‘rules of the road’ that ensure we get the promise of the future, not a world where governments or individuals turn that promise on its head and abuse the very same connectedness. Countries and companies have to define acceptable ‘rules of the road’ for behavior in cyberspace—what’s okay and not okay for governments to do to each other, companies, and
individuals in cyberspace. Analogies can and should be made to longstanding principles relating to theft, fraud, vandalism, espionage, and war—and how countries deal with each other on these issues. After all, technology is a tool; we have had tools in the past, and we have applied age-old principles to new tools throughout history. However, the pace of change is accelerating. That means we need to move fast to apply new facts to old principles now and help shape the future. Like the mural on the ceiling of the attorney general’s conference room, different future outcomes are possible. What principles and rules will secure goodness into the global technology future? What are the roles of companies, boards of directors, and CEOs in shaping that future? We discuss these questions in this chapter.

There are three areas in which companies and their leaders can help: rules of the road, cyber laws globally, and security and privacy.

Rules of the road

Cyber is a top issue for the U.S., E.U. Member States, China, India, Russia, Brazil, Australia, and Japan, and the heads of state in each of these countries spend significant time on the issue. For the last three years the U.S. has said that cyber is the number one national security threat to the U.S.—not nuclear, biologic, or chemical, but cyberthreat. All these countries view cyber as a national security and economic security issue. In national security, cyber is both an offensive and a defensive issue. On the offensive side, cyber tools and techniques can be a means of espionage, war, or deterring a threat. On the defensive side, conversely, countries are concerned that companies in critical infrastructure sectors (financial, communications, defense, electric, energy, transportation, health care, chemical, public services) can have their operations affected, data compromised or destroyed, or public safety threatened—in effect, bringing important segments of the economy to a halt.

U.S. policy leaders also are highly concerned about other nation-states stealing core intellectual property, business and deal strategies, and next generation innovation from U.S. companies, with that very same stolen intellectual property being given by the governments that stole it to favored domestic champions for the purpose of competing against that very same victim of the theft. Companies share these concerns. No company wants to have its operations, brand, or competitive advantage undermined or destroyed. Despite these concerns, nation-state, non-nation-state, hacktivist, and criminal activity continues. In fact by all accounts it’s increasing in all categories across the governmental and commercial sectors.

Although some policy makers have begun to talk about cyber ‘norms,’ there has not been sustained multi-lateral head-of-state to head-of-state work to set rules of the road. However, it has to begin. The issues are big enough and complex and significant enough that we have to set the right path now. We can build rules that the majority of the family of nations can agree to and then bring the outliers along. Most commentators are of the view that a formal treaty is premature, if it ever makes sense. This sounds right to me. However, the time is right to up-lever the conversation to the head of state level and convene the heads of state of some core countries (such as U.S., U.K., Germany, France, Sweden, Estonia, India, Brazil, Japan, Korea, Australia, Canada) to start to build out offensive, defensive, law enforcement, and commercial rules of acceptable behavior. Of course, other countries, such as China, could join in short order if it turns out they are in fast agreement, but the work of building out the core should move ahead without waiting for everyone to be on board. An additional benefit of doing this is that it reduces the impulse of countries to complain about the activities of other countries when the activity at issue is one that all countries find to be acceptable, and in the converse, gives weight to complaints about activities outside of the acceptable.

Why should companies care? Why should they be integral to these discussions? First, companies own the enterprise networks and
databases in which cyber activity takes place—domestic companies and global companies. Companies own the software, hardware, the information, and the upstream and downstream relationships where this contest takes place. Think of the Internet—every little bit of it is owned by somebody, and the vast majority is owned by public companies globally. Although cyber is the fifth fighting domain (along with land, sea, air, and space), it is the only one owned essentially by private companies. Second, information technology and communications services and products are created and sold by the private sector. If a government acts on those services or products, it acts on services and products with a private sector brand, the same brand used by other companies. Third, the future of the global interoperable, open, secure, network is at stake. Will companies be able to continue to drive innovative business models, or will they be stifled by the rules and activities of governments, hacktivists, and criminals playing in their playing field?

Here are some ‘rules of the road’ that should be in play. What cyber activity is an act of war? What cyber activity is acceptable espionage? What is cyber vandalism, and what is the appropriate response? What activity by a nation-state is acceptable on a bank, stock exchange, energy, transportation, electric, or life sciences company? What if it’s a non-nation-state activity? What action is acceptable to proactively stop a planned cyber activity? What principles should animate the decision to use a cyber tool of war on a target connected to the Internet? Is it OK to deliver cyber means through private networks or technologies? What is an acceptable response to another country’s cyber or kinetic act? What are the principles for disclosing or stockpiling zero-day vulnerabilities or interdicting a supply chain? How can we make global assurance methodologies such as the Common Criteria for Information Technology Security Evaluation (Common Criteria) for products even more useful? Should there be requirements for governments to share cyberthreat information with other countries and companies to improve security? What tools in the toolbox are acceptable to curb behavior—prosecution, sanctions, trade, covert action? Is it OK for national security services to steal intellectual property of companies? Is it OK for intelligence services to give it to competitors? What collection of information of or about individual citizens of another country is acceptable or unacceptable? What is the standard? What collection on other governments and their leaders is acceptable?

Most of these questions have some grounding in existing principles and laws, but the cyber facts have to be understood and applied to start to enunciate these rules of the road. Although work has certainly begun on cyber ‘norms,’ the time is right for taking the work to the next level. Furthermore, because the playing field is made up of private networks and elements of technology services and products, the outcomes should by definition be of interest to companies, CEOs, and boards of directors. Good rules of the road should help build trust in networks and technology globally. So, companies should engage in helping set the global rules of the road today. It affects their future.

Cyber laws globally

Given that cyber runs the gamut from national security concerns to consumer protection, and countries around the world have different values and interpretation of what laws protect their country and citizens, it should come as no surprise that companies doing business globally will face a myriad of sometimes divergent laws on a range of cyber topics.

An in-depth review of these laws is beyond the scope of this chapter, but it is important to note the categories in which a company, CEO, general counsel, and perhaps even the board must understand that their activity may trigger a compliance issue or affect their ability to provide a product or service.

With regard to compliance and security, there is a saying that ‘compliance does not equal security.’ There is no doubt that driving
to ‘real security’ is the goal, and one that will likely get you where you need to be for compliance as well.

Here is a list of categories of laws to be concerned about and a few specific use cases:
• infrastructure security: voluntary public-private partnerships (U.S., U.K.), regulation of critical infrastructure (China, pending in E.U., pending in Germany), sector-specific regulation (India telecoms, U.S. chemical, Russia strategic industries)
• incident notification: data breach (U.S. in 47 states, E.U. telecoms, pending new E.U. Privacy Directive), SEC disclosure of material adverse events (U.S. SEC)
• tort, contract, product liability: in the absence of specific regulation, a company must use ‘reasonable care’ to secure their and third-party data, continue to provide service, build secure products, and protect IP (U.S., E.U., India and for contract, globally)
• board of directors (corporate law): the board must use its ‘business judgment’ to secure the assets of the company and provide reasonable security (U.S.)
• acquisition of information by nation-states: lawful intercept telecoms (most countries), requests from non-telecoms by judicial or administrative process (most countries), collection outside of home country (most countries)
• technology controls, national security reviews, and certifications: export control commercial technologies (U.S.), export control of military technologies ITAR (U.S.), certification of IT product (26 countries Common Criteria evaluation, China own requirements, Russia own requirements, Korea pending), import restriction on encryption (China, Russia), in-country use of encryption (China, Russia), national security reviews for M&A (U.S. CFIUS & FCC, China).
• privacy: economy-wide limits on collection and transfer of information about individuals (E.U.), sector specific (U.S. health care HIPAA, financial GLB), data localization (Russia), U.S.-E.U. Safe Harbor (allowing for transfer of E.U. privacy information to U.S.)
• speech and content: protection (U.S. Constitution), limits (France, Germany, Russia, China)
• consumer protection: unfair or deceptive security practices (U.S. FTC)
• criminal law: laws against hacking (U.S. CFAA, Budapest Convention on Cyber Crime, many countries), mutual legal assistance (MLATs) (U.S. and many countries for cross-border investigation and extradition)
• multilateral agreements: Wassenaar arrangement (obligation to limit export of dual-use technologies, including security), mutual defense treaties (e.g., NATO and Article 5 cyber obligations), WTO and technical barriers to trade agreement (obligation of WTO members to use international standards, including technology), WTO government procurement agreements (many countries, rules opening government procurement markets for foreign tech products).

Over the past decade there have been many skirmishes to try to limit the impact of proposed laws that would splinter the global market for technology products and services and protect the ability of companies to continue to drive innovation in products and services. Particularly in the post-Snowden world, where trust of countries and technologies has been strained, companies must pay particular attention to legislative and regulatory proposals that would undermine the global interoperability or security of the network, or use security as a stalking horse to protect or promote domestic manufacturers.

Security and privacy

As technology and economics continues to drive connectivity, cloud, mobility, data analytics, the Internet of Things, and the Industrial Internet, we must deal effectively with security and privacy. It’s not just the Snowden effect. People are still working
through what they think about security and privacy. Most want both. Some regions have differing views. In the U.S., we limit what the government can do through Constitutional Fourth Amendment restrictions on unreasonable searches and seizures, but we freely give personal information to commercial companies in exchange for free content and other services we like. In Europe, it’s the opposite. The E.U. presumptively limits what information relating to individuals the private sector can collect and share but often has minimal legal procedures regulating government activities to collect information about its citizens. China has its own view on national security and information, as does Russia. In any event, companies have an important role to play in the future of the intersection of security and privacy.

Most people talk in terms of balancing security and privacy. This may be a false dichotomy. I think the better approach is to drive to security and privacy. Try to get both right. Do what you need to secure a system or crown jewels or an enterprise, and use techniques and technologies that help ensure privacy. I think this is the challenge for the future and likely an area that will spur great innovation. How can we work effectively with anonymized data? How can we implement machine-to-machine anomaly detection without identifying the individual or that a device belongs to a particular individual? How can we manipulate encrypted data at scale? Can we know enough from encrypted data streams across the enterprise or network to understand and stop an exfiltration or an attack? How can we share cyberthreat information that is anonymous and actionable? These are the questions companies can and should ask when providing service, domestically, but particularly globally. There no doubt is competitive advantage in providing solutions that don’t raise privacy concerns.

Conclusion

Cyber is by definition a global issue for any company, CEO, and board. The company’s networks are global, products are global, and adversaries are global. Furthermore, the company must have relationships with governments globally. Many companies are ‘global citizens’ and have a majority of their sales outside their home country. Where the cyber issue is in the top of the mind in each of the major markets these companies serve and where governments have not yet sorted out acceptable global ‘rules of the road,’ it is incumbent on company leadership to help figure out what the future is going to look like. Without common ground about what’s OK and not OK for governments to do with regard to each other, companies, and citizens, we will face an uncertain technology future. I am optimistic about the future and about the ability to master the cyber issue. However, it will take moving through the problem set. We are at an inflection point—as we continue to embed devices, software, and hardware into everything, we need to have a view, a path, a structure that gives us confidence. Therefore, when we sit down in an office such as the attorney general’s or a board of directors and ponder the better and lesser proclivities of mankind, we must be confident we are driving rules-based decisions to the happier side of the ledger—one that ensures we reap the benefits of this terrific, accelerating, age of technology.
Pillsbury Winthrop Shaw Pittman LLP – Brian Finch, Partner
Managing third-party liability using the SAFETY Act

One of the most pressing questions for directors and officers of publicly listed companies is how to manage third-party liability in the post 9/11 era. In particular, directors and officers continually struggle with the issue of whether ‘enough’ security measures have been deployed to protect not only corporate assets and employees but also innocent bystanders.

Before 9/11, courts typically would not hold makers of items such as ammonium nitrate fertilizer liable for the misuse of their product by terrorists (finding that such terrorist acts were ‘unforeseeable’ and that the fertilizer manufacturers did not have a duty to protect the unfortunate victims of the attacks).

Unfortunately, a series of decisions completely changed the legal landscape post 9/11. In one case stemming from the 1993 World Trade Center attack, New York state courts initially held the Port Authority of New York and New Jersey partially liable for the losses suffered by the victims of the 9/11 attacks. In that particular case, the Port Authority was held to a standard in which if it knew or should have been aware of the possibility of a terrorist attack, then it was obligated to take all reasonable measures necessary to mitigate the possibility of said attacks.

Even considering that the decision was ultimately overturned on a technicality (the Port Authority was found to have a unique form of ‘sovereign immunity’ and therefore could not be held liable under any circumstances), the initial decision set forth a blueprint that other courts are sure to follow in future cases involving terrorist or cyberattacks.

Similarly, claims filed against the manufacturers of airplanes used in the 9/11 attacks were also allowed to proceed, leading to significant costs for those companies. In that instance, a federal court in New York allowed claims alleging that the cockpit doors on planes made by Boeing were negligently designed—thereby allowing
terrorists to gain control of the planes. The court’s rationale in that case was that a jury could find that Boeing should have foreseen that a terrorist would want to breach the cockpit and hijack the plane, and thus its cockpit doors should have been more strongly designed.

receive liability protections under the SAFETY Act.

In addition, entities that purchase or deploy SAFETY Act approved security products and/or services also will have the benefit of immediate dismissal of third-party liability claims arising out of, related to, or resulting from a declared ‘act of terrorism’ (a term that encompasses physical or cyberattacks, regardless of whether there is any motive or intent that could be deemed ‘political’ in nature).

The reader should remember that at the time of the drafting of this article, no litigation specifically involving the SAFETY Act has occurred, and so there is no established legal precedent interpreting the statute itself. However, the fundamental principles of the SAFETY Act are based on the “government contractor defense,” a well-established common law affirmative defense to third-party litigation that has been reviewed and upheld by the U.S. Supreme Court.

Accordingly, this article is based on interpretations of the SAFETY Act, the Final Rule implementing the SAFETY Act, and the underlying theory of the government contractor defense.

Background of the SAFETY Act

The SAFETY Act provides extensive liability protections to entities that are awarded either a ‘Designation’ or a ‘Certification’ as a Qualified Anti-Terrorism Technology (QATT). Under a ‘Designation’ award, successful SAFETY Act QATT applications are entitled to a variety of liability protections, including the following:
• All terrorism-related liability claims must be litigated in federal court.
• Punitive damages and pre-judgment interest awards are barred.
• Compensatory damages are capped at an amount agreed to by the Department of Homeland Security (DHS) and the applicant.
• That damage cap will be equal to a set amount of insurance the applicant must carry, and once that insurance cap is
Because those claims were allowed to
proceed, Boeing on average paid 2
1
?2 times in
settlement fees what the plaintiffs (here the
families of persons killed in the 9/11 attacks)
would have received if they had elected to
participate in the 9/11 Victims Compensation
Fund.
In light of the above, it is obvious that
directors and offcers of publicly listed com-
panies must be very concerned about post-
attack litigation. Even if a court or jury ulti-
mately fnds that there is no culpability on
the part of a director, offcer, or the company
itself, the stark reality is that the legal fght to
reach that decision will be expensive and
protracted.
So, the key question that directors and
offcers of publicly listed companies must
ask themselves is, ‘How do we manage/
minimize third-party liability in a post 9/11
world?’ Insurance is certainly an option, but
obtaining a comprehensive policy can be
very expensive, and further coverage is
uncertain. Again using 9/11 as an example,
many companies paid immense amounts in
legal fees to force their insurance carriers to
honor terrorism-related claims under the
policies they issued.
Understanding the limits of insurance,
the question then becomes what other risk
mitigation tools exist that could limit by stat-
ute or eliminate third-party claims? Based on
a review of existing statutes, regulations,
and alternative options such as insurance
coverage, the best opportunity for limiting
liability is the Support Anti-Terrorism By
Fostering Effective Technologies Act
(‘SAFETY Act’). Under the SAFETY Act,
‘sellers’ of security products or services
(a term that also includes companies that
develop their own physical or cybersecurity
plans and procedures and then uses them
only for internal purposes) are eligible to
159 ?
MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT
loss to citizens or institutions of the United
States.
The Secretary has broad discretion to declare
that an event is an “act of terrorism,” and
once that has been declared, the SAFETY Act
statutory protections will be available to the
seller of the QATT and others.
A cursory review of this defnition reveals
that there is no need to divine a motivation
for the attack and that the language used can
be interpreted to include physical attacks as
well as cyberattacks. The only ‘intent’ that
must be demonstrated under the SAFETY
Act then is that the attack is intended to
cause destruction, injury, or other loss to the
U.S. or its interests. This is important to
remember because it means that cyberat-
tacks also trigger the protections of the
SAFETY Act.
? SAFETY Act protections available
to customers and other entities
One of the most signifcant additional bene-
fts of the SAFETY Act is that the liability
protections awarded to the seller of the
QATT fow down to customers, suppliers,
subcontractors, vendors, and others who
were involved in the development or deploy-
ment of the QATT. In other words, when a
company buys or otherwise uses a QATT
that has been either SAFETY Act ‘Designated’
or ‘Certifed,’ that customer is entitled to
immediate dismissal of claims associated
with the use of the approved technology or
service and arising out of, related to, or
resulting from a declared act of terrorism.
The bases for these expanded protections
are clearly set forth in the SAFETY Act stat-
ute and in the Final Rule implementing the
SAFETY Act. Both are detailed below:
With respect to the protections offered to
entities other than the Seller of the QATT,
the SAFETY Act statute states as follows:
IN GENERAL.—There shall exist a
Federal cause of action for claims arising
out of, relating to, or resulting from an act
of terrorism when qualifed anti-terrorism
reached no further damages may be
awarded in a given year.
? A bar on joint and several liability
? Damages awarded to plaintiffs will be
offset by any collateral recoveries they
receive (e.g., victims compensation funds,
life insurance).
Should the applicant be awarded a
‘Certifcation’ under the SAFETY Act for their
QATT, all of the liability protections awarded
under a ‘Designation’ are available. In addi-
tion, the seller of a QATT will be entitled to an
immediate presumption of dismissal of all
third-party liability claims arising out of, or
related to, the act of terrorism.
This presumption of immunity can be
overcome in two ways: (1) by demonstrat-
ing that the application was submitted with
incorrect information and that that informa-
tion was provided though fraud or willful
misconduct or (2) by showing that the
claims asserted by the plaintiff related to a
product or service are not encompassed by
the QATT defnition as written by the
Department of Homeland Security. Absent
a showing of element, the attack-related
claims against the defendant will be imme-
diately dismissed.
For the SAFETY Act protections to be trig-
gered, the Secretary of Homeland Security
must declare that an “act of terrorism” has
occurred. The defnition of an “act of terror-
ism” is extremely broad, and includes any
act that:
(i) is unlawful;
(ii) causes harm to a person, property, or
entity, in the United States, or in the case of a
domestic United States air carrier or a United
States-fag vessel (or a vessel based principally
in the United States on which United States
income tax is paid and whose insurance cover-
age is subject to regulation in the United
States), in or outside the United States; and
(iii) uses or attempts to use instrumentalities,
weapons or other methods designed or intend-
ed to cause mass destruction, injury or other
? 160
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
DHS, as set forth in the preamble to the
SAFETY Act Final Rule, agrees with this
interpretation, stating:
Further, it is clear that the Seller is the only
appropriate defendant in this exclusive
Federal cause of action. First and foremost, the
Act unequivocally states that a “cause of
action shall be brought only for claims for
injuries that are proximately caused by sellers
that provide qualifed anti-terrorism technol-
ogy.” Second, if the Seller of the Qualifed
Anti-Terrorism Technology at issue were not
the only defendant, would-be plaintiffs could,
in an effort to circumvent the statute, bring
claims (arising out of or relating to the perfor-
mance or non-performance of the Seller’s
Qualifed Anti-Terrorism Technology) against
arguably less culpable persons or entities,
including but not limited to contractors, sub-
contractors, suppliers, vendors, and custom-
ers of the Seller of the technology.
Because the claims in the cause of action
would be predicated on the performance or
non-performance of the Seller’s Qualifed
Anti-Terrorism Technology, those persons or
entities, in turn, would fle a third-party
action against the Seller. In such situations,
the claims against non-Sellers thus “may
result in loss to the Seller” under 863(a)(2).
The Department believes Congress did not
intend through the Act to increase rather than
decrease the amount of litigation arising out
of or related to the deployment of Qualifed
Anti-Terrorism Technology. Rather, Congress
balanced the need to provide recovery to plain-
tiffs against the need to ensure adequate
deployment of anti-terrorism technologies by
creating a cause of action that provides a cer-
tain level of recovery against Sellers, while at
the same time protecting others in the supply
chain.
Within the Final Rule itself, the Department
also stated:
There shall exist only one cause of action for
loss of property, personal injury, or death for
performance or non-performance of the
technologies have been deployed in
defense against or response or recovery
from such act and such claims result or
may result in loss to the Seller. The sub-
stantive law for decision in any such
action shall be derived from the law,
including choice of law principles, of the
State in which such acts of terrorism
occurred, unless such law is inconsistent
with or preempted by Federal law. Such
Federal cause of action shall be brought only
for claims for injuries that are proximately
caused by sellers that provide qualifed anti-
terrorism technology to Federal and non-
Federal government customers.
The SAFETY Act statute also reads:
JURISDICTION.—Such appropriate district
court of the United States shall have original
and exclusive jurisdiction over all actions for
any claim for loss of property, personal injury,
or death arising out of, relating to, or result-
ing from an act of terrorism when qualifed
anti-terrorism technologies have been deployed
in defense against or response or recovery
from such act and such claims result or may
result in loss to the Seller.
The key language, which comes from 6
U.S.C. Section 442(a)(1), states that the claims
arising out of, relating to, or resulting from
an act of terrorism “shall be brought only for
claims for injuries that are proximately
caused by sellers that provide qualifed anti-
terrorism technology to Federal and non-
Federal government customers.”
Furthermore, in Section 442(a)(2), the
SAFETY Act states that U.S. district courts
shall have original and exclusive jurisdiction
for claims that “result or may result in loss to
the seller.”
The language in 6 U.S.C. Section 442(a)(1)
and (a)(2) reads such that terrorism-related
claims that have or could have resulted in a
loss to the seller may only be brought in U.S.
district courts against the seller. Nothing in
the statute would give rise to claims against
other parties who use or otherwise partici-
pate in the delivery and use of the QATT.
161 ?
MANAGING THIRD-PARTY LIABILITY USING THE SAFETY ACT
Further, based on the extensive analysis con-
ducted above regarding the applicability of
the SAFETY Act statute and Final Rule, buy-
ers of security QATTs will be considered
‘customers’ for SAFETY Act purposes, and
therefore entitled to immediate dismissal of
claims related to an approved security tech-
nology or service. Thus, the SAFETY Act can
and should serve as an excellent tool to miti-
gate or eliminate said liability.
Accordingly, sellers and customers of
‘QATTs’ are entitled to all appropriate pro-
tections offered by the SAFETY Act, whether
those offered by Designation, the presump-
tion of dismissal offered by Certifcation, or
the fow-down protections offered to cus-
tomers and others. QATT customers and
sellers could still face security-related litiga-
tion should the Homeland Security Secretary
not declare the attack to be an “act of terror-
ism” or if the claims do not relate to the
QATT as defned by DHS.
? Conclusion
Entities that are potentially at risk for third-
party liability claims after an attack can be
materially protected through the SAFETY
Act. Users of SAFETY Act-approved security
products or services will also receive direct
and tangible benefts.
The SAFETY Act provides strong liability
protections that will fow down to such cus-
tomers per the language of the SAFETY Act
statute and Final Rule. A wide variety of
attacks, products, and services, including
cyberattacks and cybersecurity products and
services, are covered by the language of the
SAFETY Act, and thus, such products and
services are also eligible to provide dramati-
cally limited litigation and for such litigation
to be limited to ‘sellers,’ not ‘customers.’
Certainly not every attack will result in
liability for security vendors or their custom-
ers, particularly with respect to third-party
liability. Should such liability occur, howev-
er, it can be mitigated or eliminated using
the SAFETY Act.
Perhaps most importantly for directors
and offcers of publicly listed companies, the
SAFETY Act should always be considered
Seller’s Qualifed Anti-Terrorism Technology
in relation to an Act of Terrorism. Such
cause of action may be brought only against
the Seller of the Qualifed Anti-Terrorism
Technology and may not be brought against
the buyers, the buyers’ contractors, or down-
stream users of the Technology, the Seller’s
suppliers or contractors, or any other person
or entity.
Thus, the SAFETY Act statute and the Final
Rule implementing the law make it clear that
when there is litigation involving a SAFETY
Act QATT (whether Designated or Certifed)
alleging that the QATT was the cause, direct-
ly or indirectly, of any alleged losses, the
only proper defendant in such litigation is
the Seller of the QATT. Customers and oth-
ers are not proper defendants and are enti-
tled to immediate dismissal, because allow-
ing litigation to proceed against customers
would be contrary to the SAFETY Act statute
and Congressional intent.
? Practical application of SAFETY Act
protections to limit third-party claims
Considering the above, companies that sell
or deploy security QATTs, as well as their
customers, are entitled to extensive benefts.
Sellers of cybersecurity QATTs are entitled to
the broad protections from third-party liabil-
ity claims offered under a ‘Designation’ and
a ‘Certifcation.’
As explicitly set forth in the SAFETY Act
statute and the SAFETY Act Final Rule, the
only proper defendant in litigation following
an act of terrorism allegedly involving a
SAFETY Act Designated and/or Certifed
QATT is the seller itself. In this case, the
‘Seller’ would be the security vendor or
company that deploys its own internally
developed security policies, procedures, or
technologies with the QATT being said
Certifed or Designated security policies,
procedures, or even technologies.
The basis for this analysis rests upon the
fact that sellers of security QATTs will have
received the QATT Designation or
Certifcation, thus conferring upon them
specific statutory liability protections.
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
? 162 SecurityRoundtable.org
Given the relative paucity of case law
defning what constitutes ‘adequate’ or ‘rea-
sonable’ security, directors and offcers
should look to the SAFETY Act as a way to
help determine whether their company’s
security plans and programs could be con-
sidered to have achieved those benchmarks.
Doing so will not only help improve security
but also almost assuredly decrease the com-
pany’s risk exposure.
when examining risk mitigation strategies
associated with the company’s internal secu-
rity programs (physical and/or cyber) as
well as security goods and services pur-
chased from outside vendors. The SAFETY
Act offers powerful liability protections and
can doubly serve as evidence that the com-
pany exercised ‘due diligence’ and ‘reason-
able care’ when designing and implement-
ing its security programs.
163 ?
Littler Mendelson P.C. – Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

Combating the insider threat: Reducing security risks from malicious and negligent employees

The Edward Snowden affair demonstrates the extreme damage that a privileged insider can cause, even to an organization with the most sophisticated security technology and one of the largest cybersecurity budgets. Although Snowden may have been a contractor, survey after survey demonstrates that employees, whether through negligence or malice, are the most common cause of security incidents. According to the Vormetric Insider Threat Report 2015, 89% of respondents globally stated that their organization was more at risk than ever from the insider threat, and 55% identified employees as the #1 internal threat. PwC’s Global State of Information Security 2015 found that current employees are the most frequently cited cause of security incidents, well ahead of contractors, hackers, organized crime, and nation-states.

These studies confirm that there has been no abatement in the insider threat in recent years. Just as PwC’s study found in 2015, a 2013 Ponemon Institute study, entitled the “Post-Breach Boom,” also reported that negligent and malicious insiders were the cause of 61% of security breaches experienced by respondents, substantially exceeding other causes, such as external attacks and system error or malfunctions.

Employers can take a wide range of relatively low-cost, low-tech steps to reduce the risk of insider threats. These steps track the stages of the employment lifecycle, ranging from pre-employment screening at the outset of the employment relationship to exit interviews when that relationship ends. Between those endpoints, employers can reduce the insider threat by implementing and managing access controls, securing mobile devices (whether employer-owned or personal) used for work, carefully managing remote work, providing effective training, and following a myriad of other steps discussed in more detail below.

Pre-employment screening and post-hire risk alerts

Effective background screening can head off some insider threats before they ever materialize by identifying job applicants who pose a threat to the employer’s information assets. Employees responsible for evaluating background reports should be looking not only for prior convictions for identity theft but also for other crimes involving dishonesty, such as fraud and forgery, which indicate an applicant’s propensity to misuse information. Employers that rely on staffing companies should consider not hiring temporary workers for positions involving access to sensitive employee, customer, or business data, such as positions in the human resources or R&D departments or those responsible for processing credit card payments. If such hiring is imperative, the employer should impose on the staffing company, by contract, background check criteria for temporary placements that are at least as stringent as the employer’s own background check criteria.

Employers should beware that pre-employment screening can itself expose an employer to significant risks. In the past few years, the plaintiffs’ class action bar has aggressively pursued employers for alleged violations of the federal Fair Credit Reporting Act (FCRA), which regulates the procurement of background checks from third-party consumer reporting agencies. As of mid-2015, nearly 20 jurisdictions—states, counties, and municipalities—have enacted “ban-the-box” legislation to restrict private employers’ inquiries into criminal history. At the same time, the U.S. Equal Employment Opportunity Commission (EEOC) has filed several lawsuits against large employers, alleging that their pre-employment screening practices have a disparate impact on African American and Hispanic job applicants. Consequently, organizations should carefully review their pre-employment screening practices for compliance with the many federal, state, and local laws aimed at helping ex-offenders secure employment.

Employers also should consider whether a one-time, pre-employment background check adequately protects their organization. Currently, the vast majority of employers do not conduct background checks after the job application process has been completed. However, several service providers now offer “risk alerts,” either directly to employers or indirectly through the employer’s background check vendor. These risk alerts notify the employer and/or the background check vendor of post-hire risk factors available through public records sources, such as pending criminal charges, criminal convictions, and bankruptcies. Employers may consider using such “continuous monitoring” services to help identify employees who become security risks over time.

Employee-oriented safeguards for sensitive corporate data

Even employees who have been thoroughly screened and have proven their trustworthiness can expose an organization’s sensitive data to loss or theft. Organizations and the employees themselves can take the basic precautions described below to mitigate these risks.

A. Safeguarding electronic data

1. Access control lists: Restricting access to information, particularly sensitive customer, employee, and business information, on a need-to-know basis is a fundamental principle of information security. Employees in the accounts payable department, for example, should be barred from accessing human resources information. In addition, access to information by employees with a need to know should be limited to the minimum necessary to perform their job responsibilities. Organizations should implement a process for establishing the access rights of new hires based on their job responsibilities, for modifying access rights when job responsibilities change (removing the rights the old role required rather than simply adding new ones, so that privileges do not accumulate over a career), and for promptly terminating access rights when the employment relationship ends.

2. Protecting log-in credentials: Employees should be regularly reminded of the importance of protecting their log-in credentials. They should be instructed not to share their log-in credentials with anyone. Hackers may pose as IT professionals on the phone or send phishing emails purporting to originate with the employer’s IT Department, to trick (“social engineer”) employees into revealing log-in credentials. Employees also should be instructed not to write down their log-in credentials and to immediately change their log-in credentials when they suspect the credentials have been compromised. Finally, each employee should be required to acknowledge that only he or she is the person authorized to access and view the organization’s information through his or her log-in credentials and that he or she is personally responsible for all activity using those log-in credentials.

3. Screen security: Employees can reveal sensitive data to “shoulder surfers” in airplanes, at coffee shops, and even at work by failing to adequately protect their computer monitor or screen. Employees should be reminded to position their monitor or screen to reduce the risk of viewing by unauthorized individuals. In locations, such as airplanes, where that may not be possible, employees should use a privacy screen to prevent unauthorized viewing. Regardless of location, employees should activate a password-protected screen saver when they leave their screen unattended.

4. Mobile device security: One of the most common causes of security breaches is the exposure of sensitive data through the loss or theft of employees’ mobile devices. To reduce this risk, organizations should push security controls to all mobile devices—whether employer-issued or personally owned—that are used for work. These controls should include encryption, password protection, automatic log-out after a short period of inactivity, automatic log-out after a small number of unsuccessful log-in attempts, and remote wipe capability. In addition, employees should be routinely reminded of the need to physically safeguard their mobile device, for example, by not sharing the device with others and by securing the device (for example, in a hotel safe) when the device is left unattended. Finally, employees should be instructed to immediately report the loss or theft of the device to a person or group designated to respond to such reports.

5. Remote work security: Corporate spies can tap into unsecured WiFi connections to steal sensitive data. To reduce this risk, employees should be required to use a secure, encrypted connection, such as a virtual private network (VPN), to access the corporate network when working remotely. In addition, employees should generally be required to use that secure remote connection to conduct business involving sensitive data rather than storing the sensitive data on a portable storage medium, such as a thumb drive or a laptop’s hard drive. Where local storage is a business imperative (e.g., when work must get done during a long flight), employees should be required to use an encrypted portable storage medium to store sensitive data.

6. No storage in personal online accounts: Once an organization’s sensitive data move to an employee’s personal email or cloud storage account, the organization effectively loses control of the information. Absent the employee’s prior written authorization, the email or cloud service provider generally cannot lawfully disclose the organization’s data to the organization. At the same time, employees often will hesitate to sign such an authorization out of concern that the employer will gain access to private information stored in the account, and employees almost always will flatly refuse to sign if they are disgruntled or after they have left the organization. Consequently, employers should unambiguously communicate to their workforce that storage of the organization’s sensitive data in a personal online account is prohibited.

B. Safeguarding sensitive data in paper and oral form

1. Clean desk policy/secure storage: Whether employees are working at the employer’s office or their home office, paper documents containing sensitive data can easily be viewed or stolen by those not authorized to access the information, such as maintenance personnel at the office or those making repairs at the home. Employees should be reminded to secure paper documents containing sensitive data in locked offices, desk drawers, filing cabinets, or storage areas and to remove papers containing sensitive data from their physical desktop when it is unattended.

2. Beware of printers, scanners, and fax machines: Office equipment located in unrestricted areas poses a risk to sensitive data in paper form. Employees should be instructed to promptly remove print jobs, scans, and faxes from these machines so that sensitive data cannot be viewed by unauthorized individuals.

3. Avoid off-site use of paper documents: Massachusetts General Hospital agreed to pay $1 million to settle alleged HIPAA violations after one of its employees left the medical records of 192 HIV patients on the Boston subway. Organizations can avoid incidents like this by prohibiting employees from taking paper documents with sensitive data off-site unless there is a strong and legitimate business need to do so. Typically, employees will be able to access the same information through a secure remote connection. When there is a business need, employees should be required to keep the paper documents with them at all times or to secure the documents when unattended, just as employees should do with a mobile device.

4. Require secure disposal of paper documents: Pharmacies and other health care providers around the country have been the subject of scathing publicity and government investigations after journalists-cum-dumpster-divers discovered unshredded patient records discarded in bulk behind the facility. Whether working from the office or from home, employees should be required to shred paper documents containing sensitive data or to discard them in secure disposal bins.

5. Private conversations are meant for private places: In today’s world of mobile telephony, employees often can end up discussing sensitive information while walking down the street, riding in public transportation, or sitting in a crowded restaurant. Even when working at the corporate office or the home office, employees must take care not to discuss sensitive data over the phone where unauthorized individuals can overhear them.

Employee monitoring

Monitoring technology has become increasingly sophisticated and can now help employers root out the insider threat. For example, recently developed email and Internet monitoring software uses “Big Data” techniques to identify patterns of conduct for the workforce as a whole, for particular groups, or for particular individuals to establish a norm for expected online conduct. When an employee deviates from the norm—for example, by downloading an unusually large number of files to an external storage device or by sending an unusual number of emails to a personal e-mail account—the software alerts the employer of the deviation from the norm, so the employer can investigate further. Employers concerned about the insider threat should consider investing in monitoring software that can perform this type of “user-based analytics.”

Employers also should consider installing data loss prevention (DLP) software on their networks. This software flags communications, such as outbound emails containing sensitive data, for further action. For example, DLP software may identify strings of digits resembling Social Security numbers in an outbound email, quarantine the email before it leaves the organization’s network, and alert the employer’s IT department of a potential data theft. Pattern matching of this kind produces false positives (nine-digit strings that are not Social Security numbers) and does not catch data that has been encrypted or obfuscated before it is sent, so alerts need human triage and the rules need tuning to the organization’s own data.

Although network surveillance software can substantially enhance other information security measures, implementation can pose risks for the organization. Although case law applying the Federal Wiretap Act to real-time email interception is somewhat sparse, the cases suggest that employers who capture email content in real time without robust, prior notice to employees may be exposed to civil lawsuits and even criminal prosecution. Multinational employers face broader potential exposure for violating local data protection laws, particularly in the European Union. Consequently, employers should conduct a thorough legal review before implementing new monitoring technology.

Confidentiality agreements, employee training, and exit interviews

Although many of the safeguards described above may appear to be common sense, they likely will appear to be inconveniences to many employees, especially to the Gen-Y members and Millennials in the workforce for whom the broad disclosure of sensitive information through social media has become natural. Cisco’s 2012 Annual Security Report bears this out, reporting that 71% of Gen-Y respondents “do not obey policies” set by corporate IT. Similarly, Millennials admitted to compromising their organization’s IT security as compared to 5% of Baby Boomers. Given this “culture of noncompliance,” employers should consider three methods for reminding employees of their responsibilities as stewards of the employer’s sensitive data.

First, employers should consider requiring that all new hires whose responsibilities will involve access to sensitive data execute a confidentiality agreement. In addition to identifying those categories of information that employees must keep confidential, the agreement should summarize some of the key steps employees are required to take to preserve confidentiality, require return of the employer’s sensitive data upon termination of the employment relationship, and confer on the employer enforcement rights in the event the employee breaches the agreement. Employers should note that several federal regulators, including the Securities & Exchange Commission (SEC), the National Labor Relations Board (NLRB), and the EEOC, have been finding unlawful overly broad confidentiality agreements that effectively restrict employees’ rights to engage in legally protected conduct, such as whistleblowing or discussing the terms and conditions of employment with co-workers. Consequently, any confidentiality agreement should be scrutinized by legal counsel before it is distributed to new hires for signature.

Second, educating employees on information security is critical. Training should address a range of topics, including (a) the employer’s legal obligations to safeguard sensitive data, (b) the types of information falling within the scope of this legal duty, (c) the consequences for the employer’s bottom line of failing to fulfill those legal obligations, (d) the steps employees can take to help the employer fulfill its legal obligations, and, critically, (e) the situations that constitute a security incident and to whom the incident should be reported. Training should be recurring and supplemented with periodic security awareness reminders. These reminders could take the form of email, posts on an internal blog, or text messages
Absolute Software’s 2015 U.S. Mobile
Device Security Report found that 25% of
CYBERSECURITY LEGAL AND REGULATORY CONSIDERATIONS
? 168 SecurityRoundtable.org
the one hand, and the groups responsible for
information security—the IT Department, the
Chief Information Security Offcer, and/or
the Chief Privacy Offcer—on the other. The
former group views information security as
the sole responsibility of the latter, and the
latter group views employees (and employee
data) as the sole responsibility of the former.
However, HR professionals and in-
house employment counsel can play a criti-
cal role in enhancing an organization’s
information security. They typically are
responsible for evaluating whether to reject
applicants based on information reported
by the employer’s pre-employment screen-
ing vendor. They routinely train new hires
and current employees on a wide range of
topics and could easily partner with infor-
mation security professionals to conduct
information security training. They often
negotiate contracts with service providers
who receive substantial quantities of
employees’ sensitive data. They regularly
receive and investigate complaints of sus-
pected employee misconduct, which may
include reports generated by DLP software
or other online surveillance software or
about employees’ otherwise mishandling
sensitive data. They also typically are
involved in disciplinary decisions, includ-
ing those based on employees’ mishan-
dling of sensitive data.
In sum, by making human resources pro-
fessionals and in-house employment counsel
valued members of the organization’s infor-
mation security team, organizations can sig-
nifcantly enhance the effectiveness of their
overall information security program.
and can include critical alerts, such as notif-
cation of a recent phishing email sent to
members of the employer’s workforce or
warnings against clicking on links or open-
ing attachments that could result in the
downloading of malicious code.
Third, employers should consider modi-
fying their exit interview process to specif-
cally address information security. At the
exit interview, the employer can accomplish
the following:
? provide the employee with a copy of his
or her executed confdentiality agreement
and remind the employee of his or her
ongoing obligation not to disclose the
employer’s sensitive data to unauthorized
third parties;
? obtain the return of all employer-owned
computers, mobile devices, and portable
storage media on which sensitive data
may be stored;
? arrange for the remote wiping, or other
removal, of the employer’s sensitive data
from any of the employee’s personal
mobile devices allowed to access corporate
information systems;
? confrm that the employee has not stored
any of the employer’s sensitive data in
personal email accounts, personal cloud
storage accounts, personal external
storage media, or anywhere else.
? HR and in-house employment counsel need
a seat at the “information security table”
In many, if not most, organizations, there is a
chasm between the Human Resources depart-
ment and in-house employment counsel, on
Electronic version of this guide and additional content available at: SecurityRoundtable.org
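The DLP flow described earlier in this chapter (spot Social Security number patterns in outbound mail, quarantine the message before it leaves, alert IT), as an added example that is not part of the Guide or of any DLP product. The domain names, addresses and message bodies are constructed sample data; the structural SSN checks follow the Social Security Administration's published numbering rules.

```python
"""DLP check for outbound email, mirroring the chapter's flow: find SSN-like
digit strings, quarantine the message before it leaves, and alert IT.
Illustrative example with constructed messages; not a product's code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# 3-2-4 digits with an optional, consistent separator; the lookarounds keep a
# 9-digit window from being carved out of a longer number (e.g. a phone number).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA's published numbering: area is never 000,
    666 or 900-999; group is never 00; serial is never 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


@dataclass
class Email:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                                        # "deliver" or "quarantine"
    findings: List[str] = field(default_factory=list)  # masked matches
    alert: Optional[dict] = None                       # record sent to IT on quarantine


def find_ssn_like(text: str) -> List[str]:
    """Return each SSN-like value masked to its last four digits; the full
    value is never copied into logs or alert records."""
    return [f"***-**-{m.group(4)}" for m in SSN_CANDIDATE.finditer(text)
            if looks_like_ssn(m.group(1), m.group(3), m.group(4))]


def scan_outbound(msg: Email, org_domain: str) -> Verdict:
    """Quarantine mail that carries SSN-like data to any recipient outside
    org_domain; internal-only mail is delivered, with findings still recorded."""
    findings = find_ssn_like(msg.subject + "\n" + msg.body)
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + org_domain.lower())]
    if not findings or not external:
        return Verdict("deliver", findings)
    alert = {
        "severity": "high" if len(findings) > 1 else "medium",
        "sender": msg.sender,
        "external_recipients": external,
        "subject": msg.subject,
        "ssn_like_count": len(findings),
        "samples": findings[:3],
    }
    return Verdict("quarantine", findings, alert)


# Constructed messages; 219-09-9999 and 078-05-1120 are widely published
# sample SSNs used here purely as test data.
SAMPLE_MESSAGES = [
    Email("hr@example.com", ["payroll-vendor@partner.example"], "New hire forms",
          "Employee SSN: 219-09-9999, start date 1 Nov."),
    Email("sales@example.com", ["buyer@customer.example"], "Order 987654321",
          "Your order number is 987654321; call 800-555-0123 with questions."),
    Email("finance@example.com", ["controller@example.com"], "Payroll reconciliation",
          "Check 219-09-9999 against 078-05-1120 before Friday."),
    Email("hr@example.com", ["me@personal-mail.example"], "backup",
          "219099999 and 078-05-1120"),
]


def run_demo(org_domain: str = "example.com") -> List[Verdict]:
    return [scan_outbound(m, org_domain) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, v in zip(SAMPLE_MESSAGES, run_demo()):
        print(f"{v.action:<10} {msg.subject!r:<26} findings={v.findings} alert={v.alert}")
```

The second message shows why the structural checks matter: a nine-digit order number and a phone number produce no finding, which is the false-positive rate an HR or IT team would otherwise have to absorb.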
Comprehensive approach to cybersecurity

Booz Allen Hamilton – Bill Stewart, Executive Vice President; Sedar LaBarre, Vice President; Matt Doan, Senior Associate; and Denis Cosgrove, Senior Associate

Developing a cybersecurity strategy: Thrive in an evolving threat environment

The Internet and ‘always on’ connectivity are transforming how we live, work, and do business. Game-changing technology, powered by our increasingly connected society, offers more efficient workers, new revenue streams, and stronger customer relationships. Technology is not optional; it is a core business enabler. That means it must be protected.

Cybersecurity was once widely considered just another item in a long list of back-office functions. Vulnerability patching? Device configuration? These were IT problems for the IT team to worry about. However, that has changed. A series of high-profile cybersecurity attacks—from Stuxnet to Target—demonstrate that cybersecurity represents a business risk of the highest order. The C-suite and board are taking notice.

However, as cybersecurity makes its way onto the executive agenda, it is simultaneously time to rethink our strategies. The ‘Internet of Things’ is more than a fad. Suddenly, and increasingly, everything is connected. Business leaders get it: to fend off emerging players and ensure market competitiveness, companies are re-architecting their business models around this concept. It will drive success. It also requires new cybersecurity strategies that take a broader view of risk. Developing strategies that recognize risk beyond back-end IT systems is critical, to include products, customer interfaces, and third-party vendors. Above all, the new challenges in cybersecurity demand an organization-wide approach to protecting, and ultimately enabling, the business. It is time to cast the net wider, and more effectively, than ever before.
COMPREHENSIVE APPROACH TO CYBERSECURITY

The value of getting cybersecurity right

An effective cybersecurity strategy must start with placing it in the context of the business—what your company uniquely provides as products or services really determines how to approach the challenge. For old-school IT security hands, this is a different way of thinking. It means getting out of the IT back office and learning the nuances of what makes the business go. Take the view of the CEO and board. It isn’t just that it is the right thing to do or because compliance matters. There are more meaningful answers to uncover.

The right cybersecurity strategy is guided by two related considerations: (1) ‘How does cybersecurity enable the business?’ and (2) ‘How does cyber risk affect the business?’ From this perspective, cybersecurity breaks out of its technical box and IT jargon. It focuses on competitive advantage, and it positions cybersecurity as an enabler and guarantor of the core business, whatever business you’re in. If done right, cybersecurity helps drive a consistent, high-quality customer experience.

It takes an enterprise

A cybersecurity strategy grounded in your unique business ecosystem will quickly reveal what must be protected. Enterprise IT still matters; it moves, analyzes, and stores so much of your business-critical data. However, a cybersecurity strategy must now go further. Your industry should shape the fine-tuning of the scope here, but we can boil the components of your ecosystem ‘map’ down into several key features:

1. Enterprise IT: the back-end technology infrastructure that facilitates company-wide communications; processes, stores, and transfers corporate data; and enables workforce mobility
2. Supply chain: the flow of materials and components (hardware and software) through inbound channels to the enterprise, where they are then operationalized or used in the development of products and services
3. Product/service development: the research, design, testing, and manufacturing environments for your products and services
4. Customer experience: the operational realms where customers use and interact with your products or services
5. External influencers: all external entities that affect how you guide your business, to include regulators, law enforcement, media, competitors, and customers.

A cybersecurity strategy at this scale requires enterprise-wide collaboration. It will take the whole organization to manage cyber risk, so it is imperative to cast a wide net and include representatives from across business units in strategy formulation discussions. It requires a multidisciplinary team effort to develop a security strategy that reflects the scale and complexity of the business challenge.

Elements of cyber strategy at scale

Building a cybersecurity strategy can seem overwhelming, but it doesn’t have to be. Start with a vision, understand the risk, identify controls, and build organizational capacity. Each element builds on the last.

1. Set a vision: It all starts with a creative vision. It’s critical to paint a high-level landscape of the future that portrays how cybersecurity is intertwined with the most critical parts of your business. Think about how value is created within your company. Is it a cutting-edge product? Is it by delivering world-class customer service? Craft a short story on how cyber protects and enables that.
2. Sharpen your priorities: You have limited resources, just like every other company. You can’t protect everything, so you had better be certain you’re focusing on the most critical business assets. The first step is to figure out what your company determines to be its ‘crown jewels.’ Once you’ve defined what truly matters, it’s time to evaluate how exposed—or at-risk—these assets are. That will give

DEVELOPING A CYBERSECURITY STRATEGY: THRIVE IN AN EVOLVING THREAT ENVIRONMENT
you a basis for right-sizing your security program around these assets.
3. Build the right team: Once you define what matters and how much security makes sense, think about the people. What does your direct and extended workforce have to look like to be uniquely successful at your company? These days, you can’t get by with your security program being filled with a technologist majority. Time to weave in an accompanying set of skill sets that will help propel you to success, to include organizational change management, crisis management, third-party risk management, and strategic communications.
4. Enhance your controls: This is largely about scope. With your company’s quickly expanding ‘map,’ you’ll need to adopt new methods for treating risk. For example, if you deliver a ‘connected’ product to consumers, you’ll have to ensure strong embedded device security, as well as protections over the airwaves. Without this, your brand could be at stake. Fortunately, there’s a great deal of momentum in the world today, with new methodologies, technologies, and skill sets continuously being developed to meet the challenge of today’s expanding cyberattack surface.
5. Monitor the threat: Unfortunately, cybersecurity isn’t only about reducing risk behind your firewalls. It must also include maintaining awareness of the threat landscape—external and internal. Because the threat is always changing and always determined, you have to take on that same adaptive mindset. Whether that’s employing strong monitoring and detection capabilities, consuming threat intelligence feeds, or participating in an industry-level information sharing forum, there are many avenues that you should strongly consider using.
6. Plan for contingencies: No one can ever be 100% secure, so it’s vital to have a strong incident response capability in place to manage the ensuing events when something happens, because something undesirable will most certainly happen. Incident response is more than just having the right technology capabilities in place, such as forensics and malware analysis. In fact, real success in cyber incident response usually comes down to the people aspect. How plugged in are you with your company’s legal, privacy, communications, and customer sales units? They are all critical to success; and with this expanded scope of players, you can imagine how a cyber matter can quickly rise to become a top-line business matter.
7. Transform the culture: The best organizations out there today do this well. Because people are the core of your business, it comes down to them ‘buying in’ to cybersecurity as something that they care about. From your dedicated cyber workforce, to business unit leaders, to those that manage your company’s supply chain, you’ll need all hands on deck, each doing their part in advocating for and implementing cybersecurity measures. A security organization can make this easier by finding ways to make cyber relevant for each part of the business by sharing innovations that excite and enable the business.

Bringing the strategy to life

Perhaps the best measure of an effective cybersecurity strategy is its ability to be implemented and make a visible change in how the business is operated. With a strategy in hand, the next move is to build momentum with ‘quick wins’ while investing in long-term capability development.

The first step is to use your strategy’s risk framework to assess where you must apply new or enhanced controls. Look broadly. The biggest cybersecurity challenges may not be where your organization usually expects to see them. There are multiple ways to assess how well the organization is performing, including workshops, external assessments, tabletop exercises, or war games.

To appropriately assess the organization, you need to know what ‘good’ looks like.
This is different for each organization and industry, but relying on industry benchmarks and existing standards/frameworks (e.g., NIST Cyber Framework) is a good place to get a quick read on your maturity. However, don’t adopt these standards blindly; figure out what’s applicable to your needs and what’s relevant for your organization.

Once you’ve assessed your priorities and set a maturity target, the next move is to build a roadmap that pairs ‘quick wins’ with more strategic and enduring capabilities. Right away, you’ll want to ensure that you are doing the basic blocking and tackling of cybersecurity. Many call this instilling proper ‘cyber hygiene,’ or putting a foundational layer of protections and capabilities in place. Once you’ve gained a solid foothold, it is time to take the next step, such as establishing predictive intelligence mechanisms that help you anticipate the next threat, instead of reacting to it when it hits.

Perhaps the best way—and the biggest challenge—to bringing your strategy to life is to remember it isn’t policy or technology that matters most, but people. Once you’ve embraced this idea and put the person at the center of all of your decisions, you can really start to envision what it’ll take for cybersecurity ‘change’ to happen in your organization.

What getting it right looks like

It is easier to write about the concepts of a good cyber strategy than it is to deliver one for your organization. However, getting cybersecurity right for the organization has benefits far beyond IT. A strong cyber strategy drives security capability development and ultimately has the power to transform the business into a more successful one. An effective cyber strategy looks different depending on the industry and individual business, but they all share some key features.

It’s driven from the top. First, a strong cyber strategy won’t be locked away in a file cabinet, buried in a hard drive, or lost in the cloud. Instead, it will be part of your organization’s core message, and it will feel alive. That tone will be set from the top, with senior executives explaining how cyber will drive the future success of the business.

It’s at the beginning of every new story. Whether you’re designing a new product or launching into a fresh multinational joint venture, cyber is a conversation that will always take place. Requirements are built in from the beginning and brought to life as the venture evolves. Remember, it’s always easier and cheaper to implement cyber earlier rather than later in the lifecycle.

Cyber is communicated in simple business language. Don’t be paralyzed by those who only want to ‘speak geek.’ Simple, easy-to-understand logic should prevail when communicating how cybersecurity is enabling your business.

You’ve established a predictive edge. If you’ve evolved your strategy in a disciplined manner, some really amazing things start to come to life. One powerful aspect is that you’re using multiple sources of intelligence to understand the world around you, and you are able to anticipate the adversary’s next move. Sometimes this can feel like playing a fun video game, but it could really mean saving the lifeblood of your business.

The puzzle pieces come together. With all that you’ve invested in cybersecurity, the real payoff comes when you see the component elements work in harmony as a system. A unified construct that links constituent technologies, processes, and people together will prove highly effective in monitoring and responding to events and engaging the broader business ecosystem to get things done.

You play a role in the community. Cybersecurity is not something you should attempt alone as an organization. The complexity of vulnerability and the highly resourced threats today are simply overwhelming for any one entity. Cybersecurity requires the power of community, new ideas, and security capabilities coming to life. When successful, your organization is an active part of key dialogues with industry and government. Threat intelligence and best practices are shared two ways, but more importantly, you integrate into the fabric of a very important and very valuable community.

‘Change agents’ are swarming. You’ll need these thought leaders to move across all elements of the business to shift mindsets and anchor new behaviors. These advocates help spread the cybersecurity vision broadly and provide ‘on the ground’ feedback to make your security strategy stronger.

Security is now embedded across your ecosystem. You’ve taken a long, hard look at the ‘map’ of your business, and you now understand all the points where cybersecurity must play a part. Success at this point means that you’ve carefully and deliberately initiated dialogue and worked with different elements of the business to embed security in places beyond Enterprise IT and extended it into broader touchpoints across the external world.

Your enterprise embraces it. From senior leadership to customer-facing sales teams, cybersecurity is integrated as part of your cultural DNA. You hear about it all the time, and you see how it’s factored into all major business decisions. Your organization has evolved to the point where it is now living the principles of good cybersecurity without even thinking about it.
Booz Allen Hamilton – Bill Stewart, Executive Vice President; Jason Escaravage, Vice President; Ernie Anderson, Principal; and Christian Paredes, Associate

Designing a Cyber Fusion Center: A unified approach with diverse capabilities

Since the early 2000s, organizations have focused cybersecurity efforts around a preventative, “defense-in-depth” approach. The multiple layers of security are intended to thwart attackers; this trend has become known as the “moat-and-castle” defense: higher walls, a deeper moat, and other fortifications to deter or prevent the enemy from breaching the castle grounds.

Within the past several years, high-profile breaches across the financial, government, retail, health-care, defense, and technology sectors have spotlighted the need for a better incident response (IR) capability to detect, contain, and remediate threats. These breaches are evidence that prevention alone is no longer a sufficient approach. However, many organizations lack a mature IR capability and end up spending millions of dollars to outsource IR services. Furthermore, once the incident is remediated, organizations are still left wondering how to effectively secure themselves for the highest return on investment (ROI).

Prevention remains a critical component of an effective security program. And organizations are increasingly investing in native detection and response capabilities, or a Security Operations Center (SOC). But the people, processes, and technologies that are the backbone of the SOC must be integrated within one Cyber Fusion Center (CFC) that also combines functions such as Cyber Threat Intelligence (CTI), Red Teaming, and Attack Surface Reduction (ASR).

The Cyber Fusion Center. The CFC is a comprehensive, integrated approach to security. The CFC mission is to protect the business—its assets, people, clients, and reputation—so that it can thrive and operate without costly disruptions.

The CFC approach does not guarantee that there will be no security incidents; this is an impossible feat. Rather, it ensures that all security efforts are coordinated efficiently by leveraging the benefits of proximity (either physical or logical) and easy communication between security teams.

The CFC is designed to integrate key security functions into a single unit without stovepipes or prohibitive bureaucracy:

• Security Operations Center (SOC): the heart of the CFC and the first line of an organization’s defense, responsible for detecting, responding to, containing, and remediating threats, as well as proactively identifying malicious activity. The SOC is also home to Threat Defense Operations (TDO), the dedicated “hunting” arm of security and intelligence operations responsible for actioning intelligence, conducting in-depth malware analysis, and continually building and improving prevention and detection methods.
• Cyber Threat Intelligence (CTI): the “forward observers” responsible for identifying threats to the organization and disseminating timely, relevant, and actionable reporting to the SOC, C-Suite, and other stakeholders.
• Red Team: the “attackers” who simulate the tactics, techniques, and procedures (TTP) of threats relevant to your organization. The Red Team will continually “stress test” your SOC, driving improvements in detection, response, and SOC analyst threat understanding.
• Attack Surface Reduction (ASR): the proactive defense group responsible for identifying and mitigating vulnerabilities, unnecessary assets, and nonessential services. More than just patch management, optimized ASR teams focus on continually improving an organization’s hardening and deployment procedures to eliminate vulnerabilities before systems go live.

By integrating these functions, the CFC aims to break down communication barriers, centralize threat knowledge and analysis, unify the organization’s security strategy, and ultimately maximize the value of investments in cybersecurity.

Although the security functions that make up the CFC are not new, the CFC approach represents a complex interaction between the security teams with multiple “touch points,” parallel workflows, and constant feedback mechanisms. With the right design and implementation considerations, organizations can:

• increase operational effectiveness by orchestrating the security functions and information flow from threat intelligence, through security and IT operations
• improve security readiness by enabling stronger detection mechanisms and awareness of threats
• accelerate security maturation by reducing the costs associated with coordinating complex security functions across multiple teams.

The CFC is distinguished not by its individual parts but by the integration and interdependencies across its functions. More than just a security approach, the CFC is a security mind-set that organizations can implement to better secure themselves, protect their customers, and reduce costly business disruptions.

Building a robust SOC to detect and respond to threats

Organizations are quickly recognizing the need to detect and respond to a variety of threats; simply blocking threats isn’t enough. The Security Operations Center (SOC) is the organization’s first line of defense against all forms of threats and is the heart of the CFC. The SOC will handle any suspected malicious activity and work closely with the other teams in the CFC. A well-designed and maintained SOC will focus on gaining efficiencies through continuous analyst training and mentoring, and constant evaluation of the organization’s security technologies.

DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES
A tiered SOC structure. The SOC can be designed around a simple detect, identify, and mitigate model. Analysts at various tiers investigate malicious activity (aka alerts or events) with these three stages in mind: Tier 1 analysts are charged with classifying the severity of the event and correlating the event with any historical activity. If necessary, Tier 1 analysts will escalate incidents to Tier 2 and 3 analysts, who will conduct in-depth investigations and perform root-cause analysis to determine what happened.

[Figure: Case Management Approach. Manage: Shift Leader Oversight; Case Mgt. Tracking Tool; 24/7 Structure. Standardize: Formal Shift Change Process; Process and Procedures Documentation; Business Process Reengineering. Measure: Case Mgt. Dashboard; Monitor, Detect, and Contain Metrics; Real-Time Improvements.]

[Figure: SOC 24/7 Organizational Framework. Identify Threats: first-level responder responsible for detecting and assessing cybersecurity threats and incidents across the environment. Enable Detection: “operationalize” threat intelligence to enable automated detection and manual analysis within and across prevention and detection technology. Mitigate Threats: conducts in-depth analyses of security incidents with specific ability to identify Indicators of Compromise, perform root-cause analysis, and execute containment strategies.]

Threat Defense Operations (TDO). Additionally, specialized analysts within the SOC—Threat Defense Operations (TDO) analysts—are responsible for creating detection logic in the form of signatures, rules, and custom queries based on CTI-provided threat intelligence. TDO engineers deploy the detection logic to a range of devices, appliances, tools, and sensors that make up an organization’s security stack. The rules, signatures, and queries create a threat-based preventative sensor network that generates network and host-based alerts that Tier 1–3 analysts in the SOC respond to.

TDO analysts will then fine-tune their detection logic based on SOC feedback, creating an efficient CFC that won’t waste time investigating false alarms. The TDO team is also responsible for providing in-depth malware analysis that yields valuable technical intelligence (TECHINT) that can be used in detection logic and further enriched by CTI.

Managing all the security alerts (aka “alert fatigue”). This process—building detection solutions and then identifying and mitigating threats—is where many organizations struggle. Oftentimes, implementation of efficient and effective SOC processes is stifled by an overwhelming number of consoles, alerts, threat feeds, and tools that prohibit seamless workflows for analysts. While security managers should continually identify potential feeds and technologies to invest in, their impact on the SOC analyst should always be a primary consideration:

• How many new alerts will this technology or new data feed produce?
• Who will tune the technology to limit the number of false positives it produces?
• Is the technology filling a gap in detection capabilities or adding on to existing capabilities?
• How does the introduction of this new technology affect the SOC workflow?

The main point to remember is that more technology, tools, and threat feeds do not necessarily enable your SOC to operate more efficiently. Designs that emphasize smooth
workflows and “painless” methods of data collection (e.g., analysts do not need to contact other teams to access certain data) are more likely to succeed than those that prioritize technology. Organizations should focus on technology that enables SOC investigators to spend less time collecting data and more time investigating the root cause of the activity they’ve been alerted to.

Implementing 24/7 operations and managing investigations. Design and implementation should focus on standardizing daily operations, case management, and methods of “measuring success.” Modern-day threats necessitate that SOCs operate 24/7, 365 days a year, requiring well-thought-out shift schedules and defined roles. Leaders with managerial and technical experience can aid in workflow management and provide analyst training.

Having a well-integrated, easy-to-use case-management system that doesn’t get in the way of investigations and seamlessly interacts with other SOC tools is key. This tool ideally provides metrics on how effectively your SOC monitors, detects, and contains cases and will allow an organization to identify gaps in people, processes, and technologies.

Standardizing your standard operating procedures. Successful implementation also demands accurate and up-to-date documentation. This includes documentation on network architecture, standardized operating procedures (SOPs), and point-of-contact lists. If the SOC is considered the “heart” of the CFC, then SOPs act as its beat, guiding analysts in situations ranging from collecting forensic evidence to stopping data exfiltration.

These procedures change as new technology and organizational structures are implemented. Many organizations fail to update, train, and test their staff and leaders on SOPs, hurting their response times and containment metrics.

The bottom line. The SOC provides core security functions within the CFC and can achieve efficiencies through close integration with other teams such as CTI and TDO.

Instead of looking to new technology first, successful organizations will constantly evaluate their security posture and frequently train their analysts on how to react to new threats. Organizations must carefully consider how new technology and tools will impact the analysts’ workflow and their ability to detect and respond to threats while focusing on processes and procedures.

Using Cyber Threat Intelligence to anticipate threats

Cyber Threat Intelligence (CTI) has become the security buzzword of 2015. Many products and services claim to provide threat intelligence and promise to prevent a major incident. As this term has saturated the market and security circles, the true meaning and value of threat intelligence has become clouded. As a result, the usefulness of threat intelligence is, in some cases, dismissed. However, true threat intelligence is incredibly powerful—it can serve as a force-multiplier for your CFC, helping to improve awareness of threats and offering the means by which these threats could be prevented or detected.

So what is threat intelligence? First, and most important, only humans can produce threat intelligence through focused research, a synthesis of multiple sources (aka “all-source analysis”), and clear, concise communication that explains the relevance of threats to your organization. Generally, threat intelligence feeds will not provide much intelligence value unless they are thoroughly vetted by human analysts first; feeds are more likely to generate false alarms than to indicate malicious activity. Additionally, good threat intelligence will be implemented in a way that demonstrates the following characteristics:

Cyber Threat Intelligence is timely. Cyber intelligence addresses an impending threat to the business environment. Receiving that intelligence before the threat is realized is crucial to the organization. Dissemination of strategic and tactical intelligence, including indicators of compromise (IOCs), can take the form of indications and warning (warning of an imminent threat), daily or weekly
181 ?
DESIGNING A CYBER FUSION CENTER: A UNIFIED APPROACH WITH DIVERSE CAPABILITIES
reports (highlights on relevant threats), and executive briefs (assessments on major and specific cyber issues for C-suite stakeholders). Depending on the audience, other technical or nontechnical reports can also be produced.

Cyber Threat Intelligence is relevant. For many organizations thresholds for relevancy are tricky to define, especially when media reports constantly warn about a range of threats. A cyber breach in a distant industry—even a major one—may not concern you as much as a breach within your own sector; a vulnerability in a technology platform you don’t use is obviously less important than a potential zero-day vulnerability in your enterprise-enabling platform. Relevant threat intelligence produces valuable insights on not only issues occurring in the global business environment but also on specific issues within your industry and related to your IT environment. Even further, it strives to give you unique insight into specific adversaries targeting your organization or peers, by assessing their intentions and capabilities.

Cyber Threat Intelligence is actionable. Actionable threat intelligence is created when analysts filter through large volumes of data and information (from human sources, technical feeds, criminal forums, etc.), analyze why specific pieces of information are relevant to your organization, and communicate how that information can be used by various stakeholders. C-suite executives need strategic “big picture” intelligence to inform business decisions such as risks associated with an increasingly global IT footprint. On the other hand, your SOC, TDO, and ASR teams need tactical and technical intelligence to support current investigations, create detection logic, and prepare for potential attacks. Technical intelligence will also be used to determine if certain malicious actions or indicators have already been present on your network.

Strategic and tactical threat intelligence. Today’s corporate leaders face a serious challenge in that it is not always possible to accurately predict a cyberattack or its effects. Oftentimes, business decisions have to be made without all the information. An understanding of the threat landscape can help to make these business decisions, however. For example, attacks on organizations in related industries can serve as an indication that your business might soon be targeted (or has already been targeted).

Although the SOC team is your organization’s first line of defense, it can operate more effectively and efficiently with the support of CTI. Your security team will handle a wide array of potential threats and must be able to quickly triage events, determine the threat level, and mitigate incidents. CTI can help SOC analysts to prioritize these alerts, can aid in investigations, and can help SOC analysts attribute malicious activity to specific threats or threat groups. Over time, by leveraging technical intelligence the SOC will develop a stronger understanding of the threats they face, enabling them to act more quickly. The TDO component of SOC will also closely coordinate with CTI to conduct analysis and develop creative detection mechanisms.

The bottom line. Real, human-developed Cyber Threat Intelligence will enable your organization to pre-empt threats, assess risk, and take appropriate defensive actions. Benefits such as avoiding the cost of post-event recovery and remediation, and preventing the theft, destruction, and public release of critical data, make Cyber Threat Intelligence critical to your organization.

Conducting Red Team exercises to “stress-test” and strengthen your Cyber Fusion Center

A fundamental question for every business is: Will your cybersecurity organization be ready when an attack comes? An important means of assessing and “stress-testing” your CFC is to actively attack it. Through coordinated Red Team exercises, your CFC personnel can learn to detect and respond to a variety of threats.

Simulate threat actors’ TTP. Red Team operations will ideally be designed to simulate the tactics, techniques, and procedures of threats that your CTI team has assessed to be
a risk to your organization. Your SOC could also be a valuable source of input as you determine how to implement your Red Team operations. What types of threats does your SOC regularly observe? More important, what types of threats does your SOC typically not see? Does your SOC find that there are gaps in detection? What does your SOC think they detect/mitigate well and is worth testing? Where does your SOC have limited detect/mitigate capabilities?

It is the Red Team’s responsibility to test these questions and the limits of your SOC and broader CFC. For example, if it is known that the SOC rarely encounters web shells—a type of malware installed on web servers—your Red Team may choose to directly attack a web server.

An important aspect of a Red Team operation is that only select leaders are aware of operations (often referred to as the “white team”), adding to the realism of the event. This implementation allows those who are aware to observe the event as it unfolds, particularly how teams interact with each other, how information is passed along, how stakeholders are engaged, and how the teams handle a variety of attack scenarios. These leaders can also help to scope Red Team activities to ensure no critical data or operations are actually compromised or exposed. (Remember to loop in the legal department prior to the exercise as well.)

After-action improvements. The end result of a Red Team activity should be valuable insight your security team can use to improve its capabilities. For example, during a web server attack exercise, the CFC will need to evaluate how it handled the incident. At what point did the SOC detect the attack? Are there changes that could be made in how security tools are configured to improve future detection of this type of attack? These sample questions frame the improvements that can be implemented within the cybersecurity organization.

The nature of the Red Team’s operations means that communication between the SOC and Red Team can sometimes be strained—no SOC likes to lose, and oftentimes the Red Team has the advantage. This can make after-action review of an incident stressful for both teams. However, a healthy, competitive relationship between the SOC and Red Team can foster improvements in the CFC, particularly in detection and response capabilities. Although the SOC and Red Team functions contrast, their missions are the same: to protect the organization and improve its security capabilities.

Implementation of Red Team operations should therefore emphasize the interdependency between the SOC and Red Team mission. The Red Team should assist the SOC during remediation efforts to ensure any uncovered vulnerabilities are no longer susceptible to exploitation.

The bottom line. Fundamentally, Red Team design and implementation takes a human-centric approach. The benefits of placing your “attackers” in close (physical or logical) proximity to your SOC analysts cannot be overstated. SOC analysts learn to develop an appreciation for the fact that they are fighting people who make decisions to achieve an objective—it’s not just about the malware.

Reducing your organization’s attack surface

Efforts to protect your organization will be significantly diminished if your IT systems have easily exploitable vulnerabilities, unnecessary services, and nonessential assets. On the other hand, shutting down all protocols, services, and data resources is not a viable option. Thus, the goal of Attack Surface Reduction (ASR) is to close all but the required doors to your technical infrastructure and limit access to those doors through monitoring, vulnerability assessment/mitigation, and access control.

The ASR team is dedicated to identifying, reducing, and managing critical vulnerabilities, services, and assets, while also focusing on preventing the introduction of vulnerabilities via improved hardening procedures.

Understanding and prioritizing your “attack surface.” Implementing ASR is all about identifying and understanding your most critical business applications and services—the
“crown jewels”—including their functions, supporting infrastructure, scope, and inherent vulnerabilities. This process entails a series of vulnerability scans, security documentation review, architecture assessments, host discovery scans, nonintrusive penetration tests, and targeted interviews with IT personnel.

Next, the ASR team should prioritize each asset, considering their critical value to operations and the ability for the most relevant threat actors—as assessed by your CTI team—to leverage these assets in an intrusion. In addition, the impact of these attacks must be considered. The assets that are most likely to be the victim of a high-impact attack or leveraged in a high-impact attack (such as Adobe Flash) should receive the highest priority, most robust security controls, and attention from the CFC.

More than just patch management. While vulnerability and patch management is a core ASR function, achieving a vulnerability-free organization is not a realistic goal. Vulnerabilities must be identified and managed appropriately—keeping a focus on preventing and quickly responding to the most critical. Continually improving deployment and hardening procedures, especially for publicly facing services and services that may permit attackers to access high-trust zones, is a critical ASR process for facilitating preventive measures and effective mitigation timing.

As such, the ASR function should be ongoing. ASR closely collaborates with other CFC functions, especially CTI and TDO, which can develop rules to detect exploitation of new vulnerabilities. For example, CTI may become aware of new vulnerabilities that threat actors are leveraging. ASR will work with CTI to prioritize the most relevant vulnerabilities based on reports of their exploitation “in the wild.”

A highly technical function that demands strong human analysis. Maintaining complete asset awareness is increasingly difficult in today’s dynamic business environment. Organizations require continuous scans and costly-to-maintain configuration management databases (CMDB) to track and ensure the attack surface hasn’t expanded beyond the organization’s acceptable risk level. And, new exposures often emerge throughout the course of normal business as new IT systems are introduced or upgraded.

While there are many technologies available to aid organizations in managing vulnerabilities and assets, human analysts can leverage contextual understanding of vulnerabilities and the attack surface in ways that scanning software cannot provide. Experienced ASR security professionals—who possess a deep understanding of network engineering, IT concepts, and security—are able to synthesize disparate pieces of information that can point to a previously undetected or contextually important attack vector.

The bottom line. Attack Surface Reduction enables organizations to proactively reduce security vulnerability-related risk prior to implementation and to mitigate existing and other inevitable risks. Importantly, the ASR function is designed so that humans complement the technology to minimize the attack surface to an optimized level that balances security risks and day-to-day realities of enterprise business operations.

Cyber Fusion Center attention

The seemingly endless string of breaches across major U.S. sectors—finance, technology, manufacturing, and others—leaves C-suite executives wondering, “Will we be next?” or even, “Have we already been breached?” New tools, technologies, and data sources may help in preventing an attack, but threat actors are clearly capable of scaling the castle walls, or forging the castle moat. Yet by developing a Cyber Fusion Center, organizations develop the speed, collaboration, coordination, information flows, and C-suite awareness necessary to not only survive but thrive.
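The Attack Surface Reduction section above describes prioritizing assets by their value to operations, their exposure, and the ability of relevant threat actors to leverage them, with CTI's reports of exploitation "in the wild" feeding the ranking. The following is an added example, not code from the guide or from any vendor it mentions, that turns those three inputs into a remediation queue. The asset inventory, the findings, and the placeholder vulnerability IDs (VULN-0001 and so on) are all constructed for the example; the weighting is an assumption a real ASR team would tune.

```python
"""Added example (not from the guide): rank attack-surface findings for an ASR team.

Combines three inputs the section describes: an asset inventory with the
"crown jewel" rating from the CMDB, scanner findings with a severity score,
and CTI's report of which weaknesses are being exploited in the wild.
Assets, findings and IDs below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int          # 1 (low) .. 5 (crown jewel), from the CMDB
    internet_facing: bool     # exposed to the public Internet
    reaches_high_trust: bool  # a compromise here could reach a high-trust zone
    findings: list = field(default_factory=list)


@dataclass
class Finding:
    vuln_id: str             # placeholder ID, not a real advisory number
    severity: float          # 0.0 .. 10.0 scanner severity
    exploited_in_wild: bool  # flagged by CTI from in-the-wild reports


# Constructed inventory: the same weakness (VULN-0001) appears on a crown
# jewel and on a low-value internal wiki, which is the case worth comparing.
ASSETS = [
    Asset("payments-api", 5, True, True,
          [Finding("VULN-0001", 9.8, True), Finding("VULN-0002", 5.2, False)]),
    Asset("intranet-wiki", 2, False, False,
          [Finding("VULN-0001", 9.8, True)]),
    Asset("hr-database", 5, False, True,
          [Finding("VULN-0003", 7.5, False)]),
    Asset("marketing-site", 2, True, False,
          [Finding("VULN-0004", 6.0, False)]),
]


def exposure_factor(asset):
    """Publicly facing services and pivots into high-trust zones get more weight
    (assumed weights: +1.0 for Internet exposure, +0.5 for high-trust reach)."""
    factor = 1.0
    if asset.internet_facing:
        factor += 1.0
    if asset.reaches_high_trust:
        factor += 0.5
    return factor


def priority(asset, finding):
    """Priority = severity * asset criticality * exposure, doubled when CTI
    reports active exploitation. Returned as a whole number for the queue."""
    score = finding.severity * asset.criticality * exposure_factor(asset)
    if finding.exploited_in_wild:
        score *= 2.0
    return round(score)


def remediation_queue(assets):
    """Return (asset name, vuln id, score) tuples, highest priority first."""
    queue = [(a.name, f.vuln_id, priority(a, f)) for a in assets for f in a.findings]
    queue.sort(key=lambda entry: entry[2], reverse=True)
    return queue


if __name__ == "__main__":
    for name, vuln_id, score in remediation_queue(ASSETS):
        print(f"{score:5d}  {name:15s} {vuln_id}")
```

Run stand-alone, the queue puts VULN-0001 on the payments API far ahead of the identical finding on the intranet wiki, and a non-exploited medium finding on the HR database ahead of the wiki's exploited critical one; that is the contextual judgement the section says scanning software alone does not provide, reduced to a rule an analyst can inspect and adjust.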
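The Cyber Threat Intelligence section above makes two practical points: technical intelligence is used to determine whether indicators have already been present on your network, and raw feeds are more likely to generate false alarms than analyst-vetted intelligence. The following is an added example, not code from the guide, of a retrospective IOC sweep over proxy logs that keeps those two kinds of intelligence apart. Every indicator, hostname, address and log line is constructed for the example.

```python
"""Added example (not from the guide): sweep historical proxy logs for IOCs.

Vetted indicators (confirmed relevant by an analyst) produce SOC alerts;
entries taken straight from a feed go to a review queue instead of paging
anyone. All indicators, log lines and names are constructed for the example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Indicator:
    value: str    # domain or IPv4 address (constructed)
    kind: str     # "domain" or "ip"
    source: str   # where the indicator came from
    vetted: bool  # True if a human analyst confirmed relevance
    context: str  # why it matters, in the analyst's words


# Constructed indicators: two analyst-vetted, one straight from a raw feed.
INDICATORS = [
    Indicator("update-check.example.net", "domain", "analyst report", True,
              "C2 domain tied to a group targeting our sector (constructed)"),
    Indicator("198.51.100.23", "ip", "analyst report", True,
              "staging server seen in a peer-company intrusion (constructed)"),
    Indicator("cdn.example.org", "domain", "raw feed", False,
              "unvetted feed entry on shared hosting; likely false alarm"),
]

# Constructed proxy log: timestamp, client, destination host, destination IP, status.
PROXY_LOGS = """\
2015-09-01T08:02:11Z 10.0.4.17 www.example.com 203.0.113.5 200
2015-09-01T08:05:42Z 10.0.4.17 update-check.example.net 198.51.100.23 200
2015-09-01T09:14:03Z 10.0.7.88 cdn.example.org 203.0.113.77 304
2015-09-02T11:40:19Z 10.0.4.31 mail.example.com 203.0.113.9 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse the constructed proxy format into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            ts, client, host, ip, status = match.groups()
            rows.append({"ts": ts, "client": client, "host": host,
                         "ip": ip, "status": status})
    return rows


def retro_hunt(log_text, indicators):
    """Return {"alerts": [...], "review": [...]}.

    Each indicator hit is recorded separately with the analyst context, so the
    SOC sees why a match matters. A hit on a vetted indicator is an alert; a hit
    on an unvetted feed entry is queued for an analyst to vet first."""
    by_value = {i.value: i for i in indicators}
    alerts, review = [], []
    for row in parse_log(log_text):
        for field_name in ("host", "ip"):
            ioc = by_value.get(row[field_name])
            if ioc is None:
                continue
            hit = {"ts": row["ts"], "client": row["client"], "matched": ioc.value,
                   "kind": ioc.kind, "source": ioc.source, "context": ioc.context}
            (alerts if ioc.vetted else review).append(hit)
    return {"alerts": alerts, "review": review}


if __name__ == "__main__":
    result = retro_hunt(PROXY_LOGS, INDICATORS)
    for hit in result["alerts"]:
        print("ALERT ", hit["ts"], hit["client"], "->", hit["matched"], "|", hit["context"])
    for hit in result["review"]:
        print("REVIEW", hit["ts"], hit["client"], "->", hit["matched"], "|", hit["context"])
```

On the constructed log the single connection from 10.0.4.17 produces two alerts, one for the vetted domain and one for the vetted address it resolved to, while the feed-only entry lands in the review queue rather than interrupting an investigator; the "timely" property the section describes depends on the vetted list being current when the sweep runs.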
Design best practices

Intercontinental Exchange & New York Stock Exchange – Jerry Perullo, CISO

What are they after? A threat-based approach to cybersecurity risk management

Given finite resources and the ongoing threat of the “next big hack,” cybersecurity is not the place to let a thousand flowers bloom. How does a governance body that is balancing this complex topic with so many other complex risks pick the right questions to ask? The spectrum of popular guidance ranges from an end-to-end program that generates hundreds of inspection points to a kneejerk reaction to the latest headlines. Distilling the truly critical areas of focus requires a balanced approach that is well served by beginning with the end in mind and asking, “What are they really after?”

Traditional guidance has centered security program construction and audit on comprehensive standards-based frameworks. Although the popularity of specific standards has waxed and waned, general principles have revolved around identifying assets, establishing a risk management program around those assets, and establishing preventative, detective, and corrective controls to protect those assets. There is nothing wrong with this recipe at the tactical level. In fact, boards should expect a continuous program cadence around this type of strategy and expect to see third-party auditors, customers, vendors, and regulators use this approach in examination. Controls should be mapped to an established framework and any gaps or vulnerabilities identified. The challenge, however, is that this produces a massive corpus of focus areas and controls that cannot be digested in a single targeted governance session. And finally, it does not produce a ready answer to the top board concern: “How could we be hacked?”

Likewise, reacting to headlines and rushing to establish the controls and technology cited in the latest news story will divert all resources to someone else’s vulnerability, whereas yours may be very different. Simply asking, “Could what happened last week happen to us?” may at best result in a false sense of confidence or a mad dash to
address a gap that isn’t relevant to your organization. Vendors cannot be faulted for preying on this tendency, and the result is a barrage of solutions to the last headline’s problems: “You desperately need encryption.” “You need behavioral technology to baseline administrator activity and to alert unusual access times or locations.” “You need to give up on securing everything and only focus on the critical assets.” “You need stronger passwords.” All of these solutions have their place, but if they are not responsive to the threats facing your business, they may cause more distraction than protection based on your unique requirements.

Identifying a relevant and reasonable agenda for a governance session requires a targeted and balanced approach. Let us group the major cyber headlines of the last decade into several large categories. With a finite grouping of threats, we can begin to model what each threat would look like to your organization, which leads to an assessment of likelihood and impact. With this picture of viable threats, the board can hone in on specific questions that will produce the most value. By all means, all of the threats listed below should receive treatment in some capacity in any cybersecurity plan, but prioritizing which are most relevant to your organization will expose the most valuable areas to explore with limited time. Further, identifying business practices that expose you to a particular threat category may lead you to reconsider them in light of new costs that were not included in previous assessments. The calculus around maintaining a lower profile or outsourcing targeted data may change when you factor in cybersecurity risk.

Threat category 1: Data theft

Do you manage assets that can be easily monetized? Credit card numbers and social security numbers—in bulk—are the drivers behind many newsworthy breaches. Criminals have established the proper fencing operations and can justify enormous risk and effort to capture millions of card numbers or pieces of personally identifiable information (PII) that allow identity theft. Capturing 100 or 1000 is not, however, alluring enough. Do you have bulk card or PII data? Card processors, retail institutions, and health-care providers are clear targets for this type of penetration. If this is your world, the major breaches of the day serve as case studies. Lessons learned in these areas lead to an emphasis on the following questions:

• Do we know all the places where these sensitive data live, and have we limited it to the smallest set of systems possible (ring-fencing)?
• Is access to the systems housing this data tightly controlled, audited, and alarmed, including via asset-based controls?
• Is this data encrypted in a manner that would thwart some of the specific tactics observed in major breaches?

If you do not hold easily monetized data, these questions may not be the right place to start. Again, this does not mean that data theft is acceptable in any organization. Confidential email, intellectual property, customer login credentials, and trade secrets are some of the many examples of data we must protect. Close examination often shows that ring-fencing, asset-focused controls, encryption, and other concentrations born of the rash of recent card and PII breaches may not be appropriate for more common and less frequently targeted data, however. If the data you are protecting are much more valuable to you than to an assailant, traditional controls such as company-wide access control, permission reviews, and identity management are probably the right emphasis and should not be neglected in pursuit of stopping a phantom menace.

Threat category 2: Activism

Is your organization the target of frequent protest or activism? Perhaps the issue is climate change. Perhaps it is labor relations. Perhaps you are caught up in the storm of anti-capitalism, anti-pharma, anti-farming, or simply high profile. You may or may not know if there are groups with an ideological
motivation to put a black eye on your business. Cyber opens up a whole new realm of ways for people to accomplish this, and often with anonymity. When attacks fall into this category, the most likely impact is an action that can be touted in public. This usually means one of two things: Denial of Service (DoS) or defacement. The former category will attempt to demonstrate your powerlessness by rendering a component of your business unavailable to your customers or the general public. Although attacking customer access or more internalized systems may be more damaging in reality, remember that the goal is to make a splash on a big stage with minimal effort or exposure. More often than not, that means attacking your public website. The same target (plus social media accounts) is most common for defacement attacks. The only thing more satisfying to an activist than rendering your service unavailable is replacing it with a pointed message. High-profile attacks in this category include the near-incessant Distributed Denial of Service (DDoS) attacks against major banks, particularly those with names evoking western countries. Targets of defacement include Twitter and Facebook profiles of targeted companies and government entities. If this type of threat is likely to be pointed at your organization, good questions to ask include the following:

• Can we sustain a DDoS attack on the order of magnitude recently observed in the wild?
• If we have a DDoS mitigation plan, how long would it take to activate during an attack? Is an outage for this duration acceptable, or would it be considered a failure in the public eye?
• Are we continuously scanning our primary website(s) for common vulnerabilities that may allow unauthorized changes?
• If our website were defaced, how long would it take to restore?
• Are credentials to official company social media accounts tightly controlled by a group outside marketing that is more security conscious?

If this type of threat is not applicable to your organization, focusing controls and review on mitigating such attacks may not be the best allocation of resources.

Threat category 3: Sabotage

Are you a provider of critical infrastructure? Do you or your key executives issue politically charged statements publicly? Would the interruption of your business further an extremist objective? Although these threats require more sophisticated tactics and more time to perpetrate, they often bring highly motivated and coordinated threat actors. Adversary objectives in this area usually go well beyond website attacks. Physical control systems, data integrity, or even the functionality of employee workstations may be the target in this type of attack. Although there are many vectors for this type of attack and several are often used in conjunction, a common theme quickly becomes targeting employees individually. Social engineering and phishing prey on common habits and assumptions to dupe people into disclosing a password, clicking a malicious web link, or opening an attachment. These attacks can be the most difficult to defend against, but their reliance on persistent access and a longer lifecycle to build towards the final goal makes detective and corrective controls more valuable and decreases reliance on absolute prevention. Additionally, the actors involved and potential impact to national interests likely make mitigation assistance available to you if you focus on detection and have the right contacts in place. Good questions to ask if you are at risk of this category of attack include the following (and employees includes contractors and vendors):

• Do individual employees recognize the importance of their role in securing the organization and what an attack may look like?
• Are employees routinely reporting suspicious activity?
• Are employees educated and incentivized to act responsibly with regard to cyber?
• Are systems detecting suspicious employee behavior that may indicate credentials under the control of an outsider?
• Has contact been established with incident response firms and law enforcement, and could they quickly be mobilized if a compromise is detected?

Threat category 4: Fraud

Do you operate a system that makes or processes payments? Although any pay-for-service you offer may be the target of someone looking for a free ride, nothing attracts the sophisticated criminal element like cash. If you offer the ability to move money, you should have a focus here. Although fraud is certainly not a new challenge, Internet connectivity has certainly brought it to new levels. If this is relevant to your organization, you have likely been dealing with the ramifications long before cyber considerations were added. The following questions, however, may be helpful to ensure cybersecurity efforts are aligned with traditional fraud protections:

• Have we deployed and enforced two-factor authentication such as text messages, mobile phone apps, or physical tokens to require our customers to have more than a username or password to authenticate?
• Are we using adaptive authentication to identify suspicious locations, access times, or transaction patterns in addition to classic credentials?
• Are we tracking and trending the sources, frequency, and value of losses?
• Are we working closely with peer institutions and competitors to share threat intelligence and identify common patterns we should detect and/or block?

Threat category 5: Commoditized hacking

Although specialized threats are associated with specific targets, all organizations have exposure to the most common family of commoditized threats. These threats are opportunistic and warrant different controls than advanced threats. At a minimum, automated attacks look to procure access to your IT environment so that your computing resources can be made available for more nefarious aims. Even if you do not host critical infrastructure or easily monetized data, commodity threats look to compromise your computers so that they can be used as agents of more sophisticated attacks. Malware looks to enlist your computing, storage, and bandwidth to help criminals blast out junk email, store pirated media, or contribute to a Denial of Service attack. Attackers in this category do not care (or often know) if your computers belong to a financial services firm, manufacturer, university, home network, or hospital. Protecting your organization from these common attacks requires being less exposed than the next target. Ask yourself:

• Have we identified a role in our organization that is responsible for cybersecurity?
• Are only absolutely required services exposed to the Internet?
• Are PCs and email servers protected from common viruses and malware in an automated fashion?
• Does our corporate email employ controls to filter out the most common virus and spam campaigns?
• Does our corporate Internet access incorporate controls to block access to malicious websites?

One special form of opportunistic attack involves ransom. Some malware encrypts the content of infected computers so that it becomes unavailable until a payment is made. This type of attack can be crippling. In addition to the preventative controls outlined above, you should ask the following:

• Are our file servers backed up and tested regularly, and could we recover quickly if all current data were unavailable?
• Have we, via policy and practice, established the principle that PCs and laptops are disposable, that data on these
devices should not be relied upon, and that network storage should be used to house any critical data?

Conclusion

Although cybersecurity is a relatively new field, it has already grown into an expansive area requiring monitoring and controls around mission critical infrastructure and data. Attention to governance has ramped up dramatically in a short period, and it can be difficult to sift through the advice of experts. Investing time in analyzing threats and identifying what assets adversaries are truly after is a critical first step in establishing an effective governance policy around cybersecurity.
Palo Alto Networks Inc.

Breaking the status quo: Designing for breach prevention

Today’s reality and commoditization of threats

The statistics regarding the success of advanced cyberthreats paint a very grim picture. The increasing speed at which new security threats appear, and the growing sophistication of criminal hackers’ techniques, make fighting cybercrime a constant challenge. A recent study by Cyber Edge found that 71 percent of the security professionals polled said their networks had experienced a breach, up significantly from the previous year (62 percent). And half of those respondents felt that a successful cyberattack against their network was likely in the next 12 months, compared to just 39 percent in 2013.

Unfortunately, there isn’t a week that goes by these days when we aren’t learning about some new data breach. To say that keeping up with attackers’ evolving techniques and advanced threats is difficult is an understatement. These attacks come from multiple angles, through the edge of the network and directly at the users of our digital infrastructure. Not only are they more targeted in nature, the mechanisms that attackers use increasingly utilize a growing pool of software vulnerabilities. Some vulnerabilities are known only to the attacker, referred to as zero-days. Others are known to the general public but have yet to be fixed by the software vendor, a fact attackers are very much aware of.

Additionally, new attack methods and malware are shared readily on the black market, each more sophisticated than the last. The cat-and-mouse game between attackers and defending organizations is no longer a competition. Attackers have not only pulled ahead, they’ve gained so much distance that most security teams have given up on the notion that they can prevent an attack and are instead pouring investment into trying to quickly detect attacks, and defining incident response plans rather than trying to stop them. Why? Because legacy security offerings consist
of a set of highly disjointed technologies that only allow detection of attacks once they are already on the network or endpoint.

Organizations cannot hire their way out of this problem by throwing more people at navigating a legacy architecture or making up for the inherent gaps between the siloed technologies. Instead, organizations should be considering next-generation technology that natively integrates security to deliver automated results, preventing attackers from achieving their ultimate objectives. Given the sheer volume and complexity of threats, it’s important to use automation to accelerate detection and prevention without the reliance on a security middleman.

Despite the growing cybersecurity challenge we are all facing, we cannot give up on our digital infrastructure. Customers are becoming more and more reliant on the Internet and our networks to do business and access commercial services. They use these systems because of the trust they place in them. This trust underpins everything they do online and extends to an organization’s brand and place in the market. Legacy security approaches that focus only on detection and remediation, or rely on a series of disjointed tools, abandon this trust and can introduce significant risk by failing to consider how to prevent cyberattacks in the first place.

A new approach is needed in order to prevent modern cyberattacks. This new approach must account for the realities that today’s attacks are not only multidimensional in nature but also use an increasingly sophis-

• blocking the different techniques attackers might use to evade detection and establish command-and-control channels
• preventing installation of malware—including unknown and polymorphic malware
• blocking the different techniques that attackers must follow in order to exploit a software vulnerability
• closely monitoring and controlling data traffic within the organization to protect against the unabated lateral movement when legitimate identities are hijacked.

Cyberattack lifecycle

Despite the headlines, successful cyberattacks are not inevitable, nor do they happen by magic. Often it is a ‘window’ that is left open or a ‘bag’ that is not screened that lets an attacker slip into a network undetected. After they are inside a network, attackers will sit and wait, patiently planning their next move, until they are sure they can reach their objective. Much like a game of chess, it is only at the end of a long and logical series of steps that they will try to act. Knowing the playbook of a cyberattack can help us disrupt and prevent not just well-understood attacks but also highly sophisticated new attacks used by advanced actors.

Despite different tools, tactics, and procedures used by an attacker, there are certain high-level steps in the attack lifecycle that most cyberattacks have in common. Traditional approaches to security focus on installing a feature to disrupt only one point along this lifecycle. This approach often comes from the fact that different parts of an IT security team have different objectives: network administrators care about connectivity and the firewall, info security analysts care about analytics, and so forth. They seldom have to really work together in a coordinated manner because this approach was previously useful at stopping low-level threats that involved opportunistic targeting, such as the infamous email scam from a foreign prince needing to transfer $1 million to the U.S.
ticated set of techniques that are constantly in
a state of change. As these techniques evolve,
the risk of breach increases, and, as we all
know, an organization is only as strong as its
weakest entry point. Therefore, an effective
strategy must work to disrupt an attack at
multiple points, including:
? developing a Zero Trust security posture
that focuses on only allowing legitimate
users and applications, as opposed to
trying to block everyone and everything
that is bad
195 ?
BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
intellectual property and fnancial informa-
tion, disrupt digital systems, or cause embar-
rassment. It is against these patient and
persistent advanced adversaries that tradi-
tional single-point approaches fail. However,
by targeting every step of an attacker’s play-
book, it is possible to architect a solution that
offers much greater odds at stopping the
attacks before they can reach their objective.
At the very least, putting preventative meas-
ures in place that take the complete lifecycle
into consideration will raise the cost for the
attacker, potentially forcing him to look else-
where for an easier victim. Let’s take a look
at the steps an attacker goes through to get
into and out of a network.
However, today’s attacks have become
more and more sophisticated as advanced
tools have proliferated and as effective attack
strategies have been developed and shared
among criminal and nation-state adversaries.
These attacks are often called advanced per-
sistent threats (APTs), so named because they
use advanced tools and persistently target an
organization again and again until they get
in. They are patient and stealthy, preferring
to forego a quick boom and bust for a longer
payoff of high-value information.
While APTs used to be the domain of
nation-state espionage, today organizations
large and small face these high-level threats
from actors seeking to steal sensitive
Advice along the cyberattack lifecycle

Reconnaissance. Just like burglars and thieves, advanced attackers carefully plan their attacks. They research, identify, and select targets, oftentimes using phishing tactics or extracting public information from an employee's public online profile or from corporate websites. These criminals also scan for network vulnerabilities and services or applications they can exploit.

• Even job websites can be a gold mine of information. If you are looking to hire a new engineer who is familiar with a certain security product, an attacker can deduce what you are using to protect your network and will know where the common gaps are in your security.
• You can't stop all reconnaissance activity, but you certainly shouldn't make it any easier for the attacker. People and processes are just as important to security as technology. Good training and strong security practices will help limit reconnaissance and harden your security profile. You should be aware of what your adversary can learn from your corporate website and ensure that members of your organization with high-level access receive training to be security conscious.
• Finally, there are many services that offer advanced 'red-team' exercises to help you identify weaknesses in your security posture. Such exercises can also help you put in place policy 'trip wires' that alert you to unusual activity that may indicate an advanced actor is interested in you.

Weaponization and delivery. As we move to the next stage of the cyberattack lifecycle, technology becomes even more critical to preventing advanced threats. The hacker must choose his method for gaining access to your network. This access can be digital, or even physical, but is primarily intended to gain a foothold from which to plan the assault and achieve the attacker's objectives.

Spear phishing
• With the information gained from their reconnaissance, the attackers have to determine which methods they must use to penetrate your network. They often choose to embed intruder code within seemingly innocuous files such as a PDF document or an email message. They may also craft highly targeted lures that play on the specific interests of an individual.
• Spear phishing is by far the most commonly used tactic because it is simple and effective. An attacker will use information gathered during the reconnaissance phase to craft an email with a malicious attachment for a specific user he believes has access to sensitive credentials or information.
• Many organizations have begun training their employees to spot these attacks by sending test emails that track who opens them. Over time they can see which departments continually fall for these attacks and target training there.
• However, we are all conditioned to read emails and open attachments if they seem relevant to our positions. Even with the best training, a well-crafted spear phishing email that appears to come from a family member, friend, or boss can trick the most seasoned security veteran. It is vital to have technical security measures as well to mitigate any malware that might ride email into your networks.

Watering hole
• Another approach to gaining access is known as a watering hole attack. In this method the attacker compromises a legitimate website that the intended victims are known to visit (or, less often, sets up a convincing look-alike site and lures them to it) so that it serves malicious code to visitors. When a user visits the website, a software exploitation kit installs malware on the victim's computer, which then reports back to the attacker so he knows whom he has infected and can access their system to steal data.
• Watering hole attacks are harder to pull off because they require compromising a separate web server, but they can be very effective against a company that is watching only for malicious files in email. Traditional security products do not always prevent users from visiting malicious websites. Advanced approaches, however, will filter known malicious addresses to keep users from becoming victims of a 'drive-by download.'

Exploitation. Once attackers gain access 'inside' an organization, they can activate attack code on the victim's computer (also known as a 'host') and ultimately take full control.

• To gain full control over a victim, specialized programs exploit vulnerabilities in existing software to run the attacker's code with the privileges of the exploited program and, from there, establish themselves as though they were legitimate users. Vulnerabilities are usually old bugs that were not caught when the code was written. Sometimes they are known bugs that have not been repaired, or 'patched'; sometimes they are as yet unknown to anyone except the attacker. These unknown vulnerabilities are called zero-days because the software vendor, and therefore the victim, has had zero days to prepare a fix; the victim typically learns of the flaw only on the day he discovers he has been penetrated.
• As noted earlier, zero-days are the most nefarious of threats. Luckily, true zero-days are also the rarest. When they are used, however, it generally means that no one else is protected from them. Because no one is patched for it, if an attacker moves quickly, he can take advantage of the same vulnerability on many, many systems.
• If you can't catch an unknown threat, you can at least prevent an attacker from using that vulnerability to cause damage. Because attackers have similar goals, such as stealing or damaging important files, there are only so many techniques they can use to exploit a flaw and achieve their end goals after they have penetrated a system. Advanced security software therefore does not try to recognize each zero-day; it looks for, and blocks, the small set of techniques that almost every exploit and piece of malware must use, regardless of which vulnerability got it in.
• Common vulnerabilities are being found and fixed every day. Your organization should also have a process in place to regularly update and patch all your software and hardware. However, sometimes these new versions and updates can cause existing systems to malfunction. This often leaves IT teams hesitant to update systems until a new patch can be tested, and the resulting delays leave you with vulnerabilities known to the entire world. While you should always lean toward patching and updating as soon as possible, the balance of security and operability must be viewed through your own business risk management practices.

Installation. As a first order of business, advanced attackers will seek to establish themselves as securely and quietly as possible across your network.

• They do this by taking advantage of the trust built into the digital systems they are working in. Often an attacker will make himself an administrator on a computer and then try to infect other users in order to steal their digital identities. He will alternate between moving laterally to other machines and escalating privileges, gaining a higher and higher level of control of your systems. Along the way the attacker will also open backdoors that allow him to connect back into your network even if he is eventually caught and shut out. This is why it can be especially difficult to fully remove an advanced actor from a network.
• It seems strange, but many of the tools attackers use can be found freely online or for sale on the Internet. Tools are viewed just like a hammer and nails: on the one hand security professionals use them to test systems and build stronger security, and on the other hand they can be used as weapons. These 'off-the-shelf' security tools, while highly capable, can often be caught by traditional security methods such as antivirus software.
• However, more advanced actors will build their own custom tools, such as remote access tools (RATs), that antivirus software does not detect. In fact, some tools commonly shut off antivirus software as one of the first steps of installation. These tools require a larger investment from the attacker and will primarily be designed to gain a foothold as a seemingly legitimate user on the network. From there the attacker can act like a normal employee and use authorized applications such as file-sharing software or internal email to cause mischief.

Command and control. Gaining a foothold in a network is of no use to attackers if they can't control their attack.

• An advanced actor knows that he is likely to be discovered at some point and must be ready to improvise by hiding and running from security teams or software. To do this, an attacker establishes a command-and-control channel back through the Internet to a specific server so he can communicate and pass data back and forth between infected devices and his server.
• The most commonly used channel for attackers to communicate with their tools is ordinary web traffic (using hypertext transfer protocol, or HTTP). Usually their communications pass through the defenses of traditional security tools because they blend in with the large volume of traffic from legitimate users.
• The attacker's tools will periodically phone home, which is typically referred to as beaconing, to obtain the next set of commands. Beacons can also carry reconnaissance information from the compromised target, such as the operating system configuration, software versions, and the identity of users who are logged on to the network. In very complicated networks, this information can allow an attacker to quietly burrow deeper and deeper. Clever malware also moves beyond simple requests for command and control and tries to emulate human behavior by using email or social networking applications to receive its commands.
• If you treat your network with zero trust, as though it might already be breached, you can start to lock down unnecessary pathways for attackers to communicate and move around. Segmenting networks and building internal controls on applications can act like a firebreak, keeping an attacker from spreading to other parts of your network.
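The beaconing pattern described above is detectable from ordinary web-proxy logs. The following is an added example, not code from the chapter or from any vendor product: it groups requests by source and destination host, measures the spacing between consecutive requests, and flags pairs whose spacing is nearly constant. The log format, the host names and addresses, and the thresholds are all assumptions constructed for illustration.

```python
"""Beacon (command-and-control phone-home) detection over constructed web-proxy logs.

Added example, not the chapter's code. A planted implant calls the same
destination about once a minute with almost no variation; a person browsing
produces bursts and pauses. The coefficient of variation of the gaps between
requests separates the two.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one request per line: "timestamp src dst method path status bytes".
# 10.1.2.34 -> updates.example-cdn.net is the planted beacon (roughly every 60 s).
# 10.1.2.57 -> www.example.com is ordinary, irregular browsing.
SAMPLE_LOG = """\
2015-10-05T09:00:02Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:00:10Z 10.1.2.57 www.example.com GET / 200 15204
2015-10-05T09:00:12Z 10.1.2.57 www.example.com GET /style.css 200 4120
2015-10-05T09:00:45Z 10.1.2.57 www.example.com GET /news 200 22811
2015-10-05T09:01:03Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:02:01Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:03:04Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:03:30Z 10.1.2.57 www.example.com GET /news/item/42 200 30117
2015-10-05T09:04:01Z 10.1.2.57 www.example.com GET /img/42.jpg 200 88120
2015-10-05T09:04:02Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:05:01Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:06:03Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:07:02Z 10.1.2.34 updates.example-cdn.net GET /ping?id=7f3a 200 318
2015-10-05T09:08:30Z 10.1.2.34 www.example.com GET / 200 15204
2015-10-05T09:09:15Z 10.1.2.57 www.example.com GET /about 200 9001
2015-10-05T09:09:16Z 10.1.2.57 www.example.com GET /logo.png 200 3302
2015-10-05T09:12:40Z 10.1.2.57 www.example.com GET /contact 200 7760
this line is garbage and must be skipped by the parser
"""


def parse_log(text):
    """Group request timestamps by (source host, destination host), skipping bad lines."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed record
        try:
            stamp = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # first field is not a timestamp
        by_pair[(fields[1], fields[2])].append(stamp)
    return by_pair


def detect_beacons(text, min_hits=6, max_cv=0.15, min_interval=10, max_interval=3600):
    """Return (src, dst) pairs whose request spacing is regular enough to look like a beacon.

    min_hits:     ignore pairs with too few requests to judge periodicity.
    max_cv:       pstdev/mean of the gaps; 0 is perfectly periodic, >1 is bursty.
    min/max_interval: ignore sub-10-second chatter and very slow check-ins.
    """
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "mean_interval_s": avg, "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, every {f['mean_interval_s']:.0f}s, cv={f['cv']}")
```

Run on the sample, only the 10.1.2.34 to updates.example-cdn.net pair is reported (eight hits, 60 seconds apart on average, cv about 0.03); the browsing session has a cv above 1 and the single request from 10.1.2.34 to www.example.com has too few hits to judge. Two caveats a practitioner would add: implants often randomize ('jitter') their sleep interval and rotate destinations, so loosen max_cv and also look at request size and how rare the destination is across the fleet; and software updaters and monitoring agents beacon too, so treat a hit as a lead for an analyst, not a verdict.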
Actions on the objective. Attackers may have many different motivations for breaching your network, and it is not always for profit. Their reasons could be data exfiltration, defacement of web property, or even destruction of critical infrastructure.

• The most common goals of attackers involve finding and exfiltrating your data without getting caught. During this late stage, the work is usually done by a live operator issuing commands to his tools on your network. He has a goal and a script that is followed in a complex process that may last days, weeks, or months, but ends with all your sensitive data slipping through a backdoor in your network.
• This is one of the most difficult steps to stop, as a live operator can improvise and adapt to your security response efforts. While it may seem counterintuitive, it is important to respond with patience when trying to stop an active intruder. A common tactic of advanced attackers when they are caught is to 'smash and grab': they will forget about remaining quiet and do whatever they can to achieve their objectives, potentially damaging your systems in the process. They can also choose to slip deeper into your systems, burrowing in and waiting to reuse one of their backdoors to regain entry after you believe you have patched all your vulnerabilities. For these reasons, it is critical to have a response plan in place ahead of time so that the adversary does not detect signs of panic and get tipped off. If you can discover the attacker before he realizes he is caught, you can work to clean up his tools while closing the doors and windows he may have used to get in.
• A strong response plan will also help you prepare in advance for any mitigation efforts needed, including the vital step of external relations if it becomes public that you have had an incident. Depending on the data that was accessed or stolen, you may have regulatory or legal reporting requirements that you will need to be prepared to deal with. Even if the attacker is not successful at actually taking data, these requirements may still apply, since in many cases you may not be able to determine whether data was stolen, exposed, or remained untouched.
Trying to stop an advanced adversary at only one point in this lifecycle is an exercise in futility. Just as a network has vulnerabilities and weaknesses, so too does the attacker. He will reuse tactics, techniques, and procedures on multiple victims, establishing patterns that can be recognized, studied, and exploited. But to gain this leverage, a new approach to security is needed.

Why legacy approaches fail

Most security architectures today resemble a set of siloed organizations, processes, and technical infrastructure. They have largely been assembled like a manufacturing production line, where a series of security events roll down a conveyor belt of individual point products while different staff members perform their individual duties. This has been the traditional approach to security, and historically we have been able to use it to fend off low-level threats. However, these architectures are beginning to show their weaknesses as attackers have learned to slip between silos. Today we see how costly legacy systems can be, both in their inability to prevent targeted attacks and in their unnecessary expense to the organization.

Over the last several years in particular, there has been a dramatic evolution in both the attackers and the techniques they use. By many estimates cybercrime is now a nearly half-trillion-dollar industry, and like any industry, opportunity fuels more investment and innovation. The best way to get an industry to collapse in on itself is to take away that potential for profit. Therefore, we must make it so unbelievably hard for cyber criminals to achieve their objectives that their only option is to invest more and more resources to stage a successful attack, to the point that it becomes unprofitable.

One of the primary strategic failures of traditional security architectures is their reactive approach. Following the assembly-line model, security teams work to read data logs about events that happened to their network in the past. Since most of these teams operate in a siloed manner, these log files are routinely examined in isolation from other critical teams and thus lack important context that could be used to quickly detect and prevent an attack. Relying on a human in the middle of a network's defenses is too slow to be effective against advanced, automated hacking tools and creative attackers.

A secondary strategic failure is a lack of attention toward 'proactive prevention.' Organizations often do not do enough to reduce their attack surface, allowing classes of applications that are unnecessary for their business and leaving doors open on their network by using port-based policies (a rule that permits TCP port 443, for example, permits anything that can be tunneled over that port, not just web browsing). This essentially allows adversaries to distribute malware and steal intellectual property through basic applications into which defenders have little or no visibility. We must break away from the traditional approach to security that has proven ineffective at stopping advanced attacks time and time again.

Tenets of a traditional security architecture

Limited visibility. You can't secure what you can't see. Traditional sensors only seek out what they know to be bad, rather than inspecting all traffic in order to allow only what is good. Your security architecture must eliminate blind spots by having the ability to see all applications, users, and content across all ports and protocols (the doors and windows of your network), even if they are encrypted, which in practice means decrypting and inspecting TLS traffic where policy and privacy rules permit. It must also have the ability to see and prevent new, targeted attacks that use threats never seen before, such as unknown malware and zero-day vulnerability exploits.

Lacking correlation. If attacks are multidimensional, your defense must be as well. Today's attackers shift techniques while they are working their way into a network in order to step over the traps laid for them by traditional defenses. In order to find the clues they leave behind, your architecture must act like a system of systems in which individual technologies work in concert to identify and then automatically prevent attacks. Correlating sensors and protection makes each element within the system smarter. For example, if a thief has hit multiple houses using the same techniques, you will need to adjust your burglar alarm for those techniques. In cyberspace, however, this process can be automated to increase the speed of detection and prevention.

Manual response. With attacks evolving at a rapid pace, it is critical that we wean ourselves from relying on the human 'man in the middle' of the response loop. Systems focused on detection often throw up mountains of alerts and warnings for low-threat items, overwhelming your IT security team. An advanced security architecture must employ a system of automation that is constantly learning and applying new defenses without a requirement for manual intervention. It must weed out the congestion automatically, handling the 99 percent of low-level threats so you can focus your team's attention on the 1 percent of highest-priority incidents.
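The difference between 'block what is known to be bad on a port' and 'allow only the applications and users the business needs between two zones' can be shown concretely. The block below is an added example, not code from the chapter or from any product; the zone names, application identifiers, user groups, and rule tables are invented for illustration. It evaluates the same constructed flows against a legacy port-based rule set and a zero-trust allowlist, and shows where the port-based rules leave doors open: an unidentified program tunneling out over TCP 443, and lateral movement inside a flat internal network. The same model illustrates the segmentation 'firebreak' and 'whitelisting' steps of the Process imperative later in this chapter.

```python
"""Port-based ('block the bad') versus application/user allowlist ('permit only the good').

Added example, not the chapter's code. The 'app' field stands for what content
inspection identified the traffic as; real products derive it from the payload
(which for TLS requires decryption), here it is simply supplied with the flow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str    # identified application, or "unknown-tcp" when nothing is recognizable
    user: str


# Legacy, port-based rules: (src_zone, dst_zone, permitted ports or "any").
# No notion of application or user; everything not listed is denied.
PORT_RULES = [
    ("users", "internet", {80, 443}),
    ("users", "datacenter", "any"),   # flat internal network: inside is trusted
    ("dmz", "datacenter", {1433}),
]

# Zero-trust allowlist: (src_zone, dst_zone, permitted apps, permitted user group).
APP_RULES = [
    ("users", "internet", {"web-browsing", "ssl"}, "employees"),
    ("users", "datacenter", {"intranet-web"}, "employees"),
    ("dmz", "datacenter", {"ms-sql"}, "service-accounts"),
]
USER_GROUPS = {"alice": "employees", "bob": "employees", "svc-web": "service-accounts"}


def port_policy(flow):
    """Legacy evaluation: the destination port is all the rule looks at."""
    for src, dst, ports in PORT_RULES:
        if (src, dst) == (flow.src_zone, flow.dst_zone) and (ports == "any" or flow.dst_port in ports):
            return "allow"
    return "deny"


def app_policy(flow):
    """Allowlist evaluation: zone pair, identified application and user group must all match."""
    if flow.app.startswith("unknown"):
        return "deny"   # unidentified traffic is by definition not on the allowlist
    group = USER_GROUPS.get(flow.user)
    for src, dst, apps, allowed_group in APP_RULES:
        if (src, dst) == (flow.src_zone, flow.dst_zone) and flow.app in apps and group == allowed_group:
            return "allow"
    return "deny"


# Constructed traffic; comments say what each flow represents.
SAMPLE_FLOWS = [
    Flow("users", "internet", 443, "ssl", "alice"),            # normal browsing
    Flow("users", "internet", 443, "unknown-tcp", "alice"),    # RAT beaconing out over 443
    Flow("users", "datacenter", 445, "smb", "alice"),          # lateral movement to a file server
    Flow("users", "datacenter", 443, "intranet-web", "bob"),   # legitimate intranet use
    Flow("dmz", "datacenter", 1433, "ms-sql", "svc-web"),      # web tier talking to its database
    Flow("dmz", "datacenter", 1433, "ssh", "svc-web"),         # compromised web server tunneling ssh over the SQL port
    Flow("internet", "users", 22, "ssh", "mallory"),           # inbound probe; neither policy allows it
]


def compare(flows=SAMPLE_FLOWS):
    """Return (flow, port-based verdict, allowlist verdict) for every flow."""
    return [(f, port_policy(f), app_policy(f)) for f in flows]


if __name__ == "__main__":
    for f, legacy, zero_trust in compare():
        print(f"{f.src_zone:>8} -> {f.dst_zone:<10} port {f.dst_port:<5} {f.app:<12} "
              f"legacy={legacy:<5} allowlist={zero_trust}")
```

Three of the seven flows are allowed by the port-based rules and denied by the allowlist: the unidentified program on 443, SMB from a user workstation into the data center, and ssh riding the database port out of the DMZ. Those are exactly the paths an attacker uses for command and control and lateral movement, and they are closed without any signature for the tool involved. The price is that the allowlist must be kept current as the business adds applications, which is the operational work the chapter's 'stay up to date on your security investments' point refers to.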
Stopping today's advanced threats lies in turning the economics of our reality on its head by preventing threats in multiple places at each step of the cyberattack lifecycle. This requires creating an architecture that can detect attacks at every point around and within a network, closing any gaps and preventing them from successfully launching in the first place.

Prevention architecture

No organization today is immune to cyberattacks. Cyber criminals are ramping up activity across the globe and utilizing new methods to evade traditional security measures. An effective security architecture must not only prevent threats from entering and damaging the network but also take full advantage of knowledge about threats in other security communities. Traditional solutions typically focus on a single threat vector across a specific section of the organization. This lack of visibility leaves multiple areas vulnerable to attack. In addition, these legacy solutions are made up of a 'patchwork' of point products that make it very difficult to coordinate and share intelligence among the various devices.

As a result, security teams are forced to invest more and more time and money in detection and remediation efforts, under the assumption that prevention is a lost battle. These efforts require a time-consuming process of piecing together evidence from different devices, combing through it to discover unknown threats, and then manually creating and deploying protections. By the time this happens, often days or weeks later, it is too late, because minutes or hours are all an attacker needs to accomplish his or her end goal. This Band-Aid approach does not fix the fundamental problem of accounting for the new threat landscape.

While nothing will stop every attack, designing a security architecture with a prevention mindset (and following some of the risk management best practices outlined in our chapter, "The CEO's guide to driving better security by asking the right questions") can make cybersecurity a business enabler. By preventing damage to networks and theft of sensitive information, vital IT resources, people, and time are freed up to tackle core business functions. In order to shift from a 'detect and remediate' stance to preventing attacks, business leaders need to consider three cybersecurity imperatives:

1. Process: organize to reduce your attack surface.

• Modern networks can be a rat's nest of systems and users cobbled together from mergers, legacy architectures, and prior acquisitions. This confusion leaves many points of entry for attackers to slip in unnoticed and reside on your network for months or even years. A critical step to preventing advanced cyberattacks is to know your network better than the attacker does. To do this you must work at simplifying your architecture down to manageable pieces that can be controlled, watched, and defended.
• A key step in reducing your attack surface is to allow only the network traffic and communications that are required to operate your business, using technology that understands the applications, users, and content transiting your network. It seems common sense that any unknown traffic could be hiding malicious activity, but often when organizations take a deep look at their traffic, they find high-risk applications that they had no idea were running on their network. Legacy approaches often only search for what is bad to block, rather than allowing only what is good. The latter approach is also known as 'whitelisting' and will immediately reduce the scope of your security challenge by eliminating opportunities for malware to get into your network.
• Another step to reducing your attack surface is to segment important components of your networks, such as data centers. As described earlier, advanced actors often seek to break
201 ?
BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
risk. However, by using an integrated
cybersecurity platform that protects
across your entire enterprise, your
defenses can work together to identify
and close gaps that would be exploited
by an attacker. Communication is key
to any strong defense. If your products
can’t share information on what they
are seeing, there is no chance to pick
up clues that might aid in preventing
an advanced attack.
? The next step is automating prevention
measures. Humans have proven time
and again that we are the weakest link
in security. Advanced actors are faster,
more persistent, and stealthier than
manual response efforts. It just takes
one overlooked log fle or one missed
security alert to bring down an entire
organization. However, if you have an
integrated platform that communicates
visibility across your defenses, it can
also automatically act on new threats,
preventing what is malicious and
Indeterminate what is unknown.
? Integration should also enable your
organization’s agility and innovation.
Business doesn’t stop at the elevator,
as employees take laptops to work
from home or use their personal mobile
devices to access your corporate cloud
on the road. As your data moves to
enable your workforce, security should
go with it. Choose a platform compatible
with newer technologies such as mobile,
cloud, and network virtualization.
3. People: participate in a community that
shares cyberthreat information.
? End users cannot be relied upon to
identify every malicious URL or phishing
attack. Organizations must educate their
constituents about what they can do on
their part to stop cyberattacks. However,
beyond education, to protect against
today’s truly advanced cyberthreats,
we must utilize the global community
to combine threat intelligence from a
variety of sources to help ‘connect the
dots.’ Real-time, global intelligence feeds
help security teams keep pace with
into a less secure part of the network
and then move laterally into more
sensitive areas. By segmenting the
most vital parts of a network from
email or customer-facing systems, you
will be building in frebreaks that can
prevent the spread of a breach.
? You also can’t neglect to secure the
endpoint or individual user. This is
the fnal battlefeld. Originally, anti-
virus software contained signatures for
malicious software and could, thus, catch
most major infections from common
threats because it knew what to look for.
However, as we learned earlier, today’s
attacks can include unknown malware
or exploits that are essentially invisible
to antivirus software. This has led to a
massive decline in the effectiveness of
traditional antivirus products and a rise
in a new way of thinking about endpoint
protection. Rather than looking for
something that can’t be seen, you can
reduce the endpoint attack surface by
preventing the type of actions taken by
exploits and malware. Stopping the type
of malicious activity associated with
an attack is much more effective than
hunting for an attack that, by nature, is
stealthy and hidden.
? Finally, it seems simplistic, but as you
make investments to re-architect your
network and reduce your attack surface,
you have to use all those investments to
their fullest. Purchasing next-generation
technology is useless if you don’t
turn it on and confgure it properly.
Establishing a process for staying up to
date on your security investments is one
of the most critical habits to form.
2. Technology: integrate and automate
controls to disrupt the cyberattack lifecycle.
? Don’t use yesterday’s technology
to address today’s and tomorrow’s
security challenges. As noted earlier,
legacy security approaches offer
individual products to be bolted on
for single-feature solutions. This leaves
gaps that can be broken by new methods
of attack, leaving your organization at
? 202
DESIGN BEST PRACTICES
regulatory requirements or mandatory certif-
cations. IT security personnel are often drafted
from projects that support core business opera-
tions to work in the ‘dark corners’ of network
security with a gloomy future of scanning
thousands of false alarms, updating old soft-
ware, and, of course, getting blamed for the
inevitable cyber incidents that are usually
caused by larger organizational problems. This
sad tale is a reality for a shocking number of
organizations; it not only guarantees failure, it
ensures lost opportunity for innovation that
comes from having a strong security posture.
Adopting a prevention philosophy helps
create strategies for better security and
maximizes the value of an organization’s
actions and resources. Viewing cybersecu-
rity as a business enabler helps drive appro-
priate resource allocation by returning
value to the business based on new oppor-
tunities that would not have been available
without the level of trust afforded by a
prevention architecture.
Take the case of the IT security team.
When an organization decides to take their
security more seriously, usually after a cyber
incident, one of the frst things they do is
dump more people into IT security positions.
While trained security experts are a boon for
any organization, the architecture they are
working in can have them needlessly chasing
cycles of work, wasting budget by hunting
for cyber needles in digital haystacks of
alarms, and manually remediating countless
vulnerabilities. Employing a prevention
architecture that automates protection capa-
bilities and shares threat intelligence using an
integrated platform means that security
teams can operate much more effciently and
effectively. Their time is an organization’s
money, and it’s imperative to ensure that
personnel working on core IT functions that
keep business operations running are not
being wasted on outdated security practices.
Strong cybersecurity can also open new opportunities by making organizations more flexible and resilient. Today’s workforce is constantly connected to the Internet at home, on the road, and at their desk. Users move between applications and devices seamlessly and expect that their actions will translate between these different environments. However, this traditionally has not been the case. Threats from third-party applications, unsecured cloud environments, and infected personal mobile devices have become so prevalent that many traditional security products will either block them completely or just assume that they cannot be protected. This old way of doing business doesn’t match the reality of today’s workers, who are expected to be more agile and mobile than ever before. Architecting a network to wrap these devices and third-party services into an existing security platform ensures that data will remain secure as workers go out to meet with customers in the field and expand business beyond its office walls.
The security field is stuck today with few answers to increasingly challenging problems.
threat actors and easily identify new security events.
• As attackers move from target to target, they leave digital fingerprints in the form of their tactics, techniques, and procedures. By analyzing this evidence and then sharing it, threat intelligence from other organizations can quickly inoculate you from new attacks as bad guys seek to move between organizations and even industries. Combined with an integrated platform that can act automatically on this intelligence, you can rapidly distribute warnings and make it impossible for attackers to strike twice. The network effect from vendors with large customer bases is extremely powerful as it builds a security ecosystem, which can organically respond to new threats.
• Many organizations are even coming together to share threats as an entire sector. Recent policy from the U.S. Government has made it easier to collaborate and share cyberthreat information between companies and work together to identify and stop advanced cyber actors.
The most significant way to fill in all the gaps and truly protect an organization from advanced and targeted threats is to implement an integrated and extensible security platform that can prevent even the most challenging unknown threats across the entire attack lifecycle. An IT architecture must remain secure while also providing business flexibility and enabling applications needed to run day-to-day operations. Stopping even the most advanced attacks is possible, but we have to begin with a prevention mindset.
Conclusion: Cybersecurity as a business enabler
Traditionally, IT security has been seen by most organizations as a cost center, requiring continued expenses but not bringing in any revenue. The attention and resources devoted to it are often the bare minimum to meet
BREAKING THE STATUS QUO: DESIGNING FOR BREACH PREVENTION
If organizations continue to view investments in cybersecurity simply as cost centers to be solved by bolting on legacy technology, we will all continue to suffer the consequences. Our most valuable data and the keys to vital pieces of infrastructure will walk out the door in the hands of cyber criminals, while the trust we have built between our customers and our systems continues to degrade. This will happen time and time again until we are forced to change and narrow the way we use digital systems in our everyday lives. This must not become the reality for the entire community that receives such unimaginable benefits from the Internet. By adopting a prevention mindset it is possible to change the status quo and take back the control and trust in systems that enable critical business operations. Planning for disaster is always a smart move, but preparing for failure will accomplish just that.
Cybersecurity glossary
Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). (http://niccs.us-cert.gov/glossary)
Attack surface: An information system’s characteristics that permit an adversary to probe, attack, or maintain presence in the information system. (http://niccs.us-cert.gov/glossary)
Antivirus software: A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code. (http://niccs.us-cert.gov/glossary)
Command-and-control channel: Data link for an attacker to communicate with his malicious software installed on a victim’s system.
Data exfiltration: After an attacker has found sensitive data that he is targeting, he will attempt to package this data and remove it silently from a victim’s system.
Endpoint: Specific parts of an IT infrastructure that users interact with directly, such as workstations or mobile devices.
Exploit: A technique to breach the security of a network or information system in violation of security policy. (http://niccs.us-cert.gov/glossary)
Hypertext transfer protocol (HTTP): Technical rules for transferring data over the Internet. Web browsers use HTTP, and the encrypted variant HTTPS, to allow users to interact directly with websites in a secure manner.
Malware: Software that compromises the operation of a system by performing an unauthorized function or process. (http://niccs.us-cert.gov/glossary)
Network: Joined pieces of an IT infrastructure that transfer and route data to and from endpoints and other networks.
Polymorphic malware: Malicious software that is designed to continuously change its appearance, allowing it to evade legacy security detection technology such as antivirus software.
Port-based security: Stateful inspection firewalls block any Internet traffic coming into or out of a network on a specific line of communication, called a port. However, modern applications use different ports, and malicious software can change the port it uses.
Remote access tools (RATs): Malicious software that allows an attacker to control a system where he is not physically present. These functions in IT systems also exist for legitimate uses, such as support functions.
Zero-day: A software vulnerability that is unknown to the public but is used by an attacker to gain access and control of a network or system.
Cybersecurity beyond your network
Booz Allen Hamilton – Bill Stewart, Executive Vice President; Tony Gaidhane, Senior Associate; and Laura Eise, Lead Associate
Supply chain as an attack chain
The supply chain ecosystem reaches farther and wider than ever before. The growing range of suppliers provides significant competitive advantages for companies that strategically and securely source from this global network. Yet this complex footprint comes with an equally complex range of cyberthreats, and the majority of organizations do not realize the breadth and depth of these challenges. However, hackers are well aware of existing supply chain vulnerabilities and are moving aggressively to take advantage of these exposures.
Threat actors typically target organizations’ supply chains through two vectors: the first type of attack is known as “adversarial supply chain operations to,” or “ASCO To,” and the second is known as “adversarial supply chain operations through,” or “ASCO Through” (Figure 1). In an ASCO To attack, your organization is the direct target. In the latter, the adversary uses your supply chain as a means to target one of your customers. Although the intent is different, both have the potential for devastating impact to your revenue, reputation, and end consumer.
FIGURE 1. Attack methods on the supply chain
Adversaries: nation-state actors; competitors (especially nation-state-owned); criminals; hacktivists.
Lifecycle process: Design, Source, Build, Fulfillment, Distribution, Sustainment & Operations, Disposal.
ASCO To (your organization is the target). Example methods: interdiction/compromise; theft/re-route; break/fix subversion. Potential effects: halt or slow production; prevent sustainment operations; loss of intellectual property.
ASCO Through (your supply chain is used to reach customer operations). Example methods: malware shotgun infection; malicious component insertion; repair part compromise; Trojan insertion/design to fail; fraud. Potential effects: national security risk; customer compromise; impaired customer operations; brand/legal/market impact; loss of customer intellectual property.
To compound this issue, today’s attackers are often well funded and extremely organized. These attackers have the resources, skills, and patience to conduct sophisticated attacks on your supply chain. For example, a supply chain cyber adversary may clandestinely intercept delivery of your products and switch cyber sensitive components with a malware-infused copycat. These attacks are often so sophisticated that the end users may not realize that they did not receive the original version.
Nation-states, hacktivists, organized criminal groups, and lone wolves are constantly scanning supply chains for weak points, and the impact of this attention has the potential to reverberate well beyond your supply chain. You inherit the risks of your suppliers. If one of your suppliers lacks security controls, you may absorb their vulnerabilities. This is particularly true if you do not comprehensively test their components during your acceptance process; once you accept their product, you accept the risks of being attacked or passing along an attack to your customers. In the event that a cyberattack occurs, you own the impacts as well. This includes brand damage, operational stoppage, legal exposure, canceled sales, and government sanctions.
Dangerous combination of hidden risks and higher expectations
Tackling cybersecurity risk in supply chain may feel like you are trapped between a virtual rock and a hard place. As companies drive to increase supply chain flexibility at the lowest overall cost, sourcing decisions expose them to the vulnerabilities of suppliers and all of their successive networks of suppliers. This ever-evolving cybersecurity threat in the multi-layered supply chain presents a number of challenges when managing cybersecurity. See Figure 2.
FIGURE 2. Cybersecurity challenges in the supply chain
Lack of visibility: limited visibility across the supply chain regarding exposure and controls.
External dependencies: companies cannot ensure part integrity on their own; they will need participation from suppliers and other business partners.
Dynamic threat: the evolving capabilities of well-resourced and determined adversaries mean that “point in time” solutions are insufficient.
Cross-functional challenge: requires change and collaboration from various internal business functions to collectively manage cyber risk throughout the supply chain.
Decision making: increased information requires new strategic and tactical decision-making processes.
Supply chain traditionally has been seen as part of internal operations; it is something that happens behind the scenes for your customers. In the past, customers did not care where you made your products or how you sourced them as long as you delivered them on time, at the appropriate cost, and in good condition. However, this is all changing. Companies and governments around the world are realizing that the supply chain is an ideal way for attackers to quietly infiltrate their networks and infect a system well before customers place an order. Companies, large and small, have to begin looking at supply chain security as part of their overall supply chain risk management process.
By prioritizing supply chain cybersecurity, you are well on your way to tackling this complex issue. You have an opportunity to mitigate cyber risk and transform your supply chain risk management capability into a competitive advantage to inform your broader business.
Increasing expectations
The U.S. government has been a force for driving higher-level visibility and controls across the supply chain. As the future progresses, insurance companies will be an even larger driver for increasing supply chain standards. Business continuity policies are in place to address threats that disrupt the supply chain. Companies with weak supply chain cyber security policies and procedures could find their insurers raising their premiums or excluding claims in case of a breach. The next wave of standards could take shape by requiring you to maintain a list of all cyber sensitive supply chain components as well as develop comprehensive risk frameworks to classify, prioritize, and proactively manage the sourcing of each of those components. You need to proactively get ahead of these standards. Prove to the government, insurers, and your customers that you have a strong supply chain cybersecurity capability.
It is not just the U.S. federal government that is raising the stakes. Many clients also are demanding to know more about the supply chain. Private sector clients are realizing that securing high assurance services on an untrusted hardware platform is the same as building a fort on a foundation of shifting sand. They want to know the depth of visibility into the components and services of products, and they want to be reassured that there are controls in place to manage a robust supply chain cybersecurity program. As with the government, many of these requests and requirements are at an all-time high and will become more sophisticated and comprehensive only during the next several years. If you are their supplier, they know that you are only as trustworthy as your supply chain.
How to create both a secure and compliant capability
Complying with standards and guidelines is not enough for securing all of the factors you need to comprehensively increase your security posture. Although standards strive to create consistency among cybersecurity programs, the fundamental truth is that there is no formula for security. Standards and frameworks can help identify the landscape of potential areas to address and may let you set a minimum level of performance, but that’s it. You must move beyond merely striving to be compliant rather than noncompliant. Supply chain cybersecurity is more than an IT problem. If not used in the appropriate context, standards can be a generic solution to a highly individualized problem set. Supply chain risk is tied intimately to your business strategy and operations, and it must be tailored to your organization.
Rather than focusing on a standard, look at your program with a maturity lens. Understand the various degrees of risk you face. Then, within a well-established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas to address. Focus on your current maturity in those areas and what you must do to increase your maturity. Focusing on your maturity provides you with an opportunity to identify where your program stands today, where it must be in the future, and how to get there. A maturity approach is not “one size fits all.” Special considerations for your organization could necessitate that your approach be different than that of a competitor. Using a maturity model also allows you to answer the questions that are not yet asked by compliance while aligning your supply chain to your business strategy. It allows you to focus on increasing your overall security and to stay ahead of the curve.
Where do I start?
Developing a robust supply chain cybersecurity program is complex, but that doesn’t mean your approach has to be. It requires a risk-based prioritization approach to changes in policy, supplier contracts, resource allocation, and investment. Most companies do not have the appetite or the budget for wholesale, drastic changes. If you are like most organizations, you face the dilemma of not knowing where to begin.
So the best place to start is to get your arms around what has to be done.
1. Conduct a maturity assessment and build a roadmap.
Your organization needs a plan for the path forward in securing your supply chain. Before you transition to developing a roadmap, you must begin with a maturity assessment. Supply chain cybersecurity program maturity assessments are simply gap analyses between how well your program operates today compared with how it should operate in a target state. To evaluate this, you must identify the key controls that apply to supply chain risk management—either controls you already use as part of your corporate cybersecurity program or controls that may be more unique to supply chain. Even if you use existing controls, you should modify them to apply to your supply chain operations.
Maturity Assessment Tip: The set of controls you select for your maturity assessment should incorporate the compliance standards that customers might use as part of their Request for Proposal requirements (e.g., NIST SP 800-161). You likely will cover more controls than these standards, but mapping them will allow you to kill two birds with one stone.
Next, identify key objectives for each control you plan to evaluate. Threat intelligence, for example, may have data collection, analysis, and distribution as key control objectives. For each objective, define a scale as well as the key characteristics for each step in that scale. Taking the threat intelligence example, a low maturity rating for data collection could be the ad hoc collection of threat data via unstructured sources, such as email. A higher maturity implementation of data collection would be a comprehensive ingestion of multiple formal data feeds that can be analyzed automatically and efficiently.
Next, conduct a baseline assessment of your current state—an honest assessment, backed by examples. This will help you surface risks associated with each control. After the baseline, define the target state for each control. The target state should be a balance between high effectiveness and practical costs, keeping in mind that not all controls need the highest level of maturity. Comparing the target state with the baseline provides you the gap you need to address.
The outcome of your maturity assessment will be a robust roadmap designed to transform your supply chain cybersecurity program. This equates to quick wins and key priorities for your organization. It should also help address the key requirements your customers demand.
2. Identify key risks throughout your supply chain lifecycle.
Breaking down your supply chain lifecycle into discrete phases can help you identify key risks for each phase. Each phase presents its own vulnerabilities and risks. For example, during the distribution phase, threat actors can intercept physical deliveries of products, place malware in cyber sensitive components, and allow the shipments to continue to end customers. As you identify risks for each phase, you have to assess the likelihood and impact of each risk. This prioritized list becomes your risk agenda and helps determine what to address first to enhance your supply chain cybersecurity program.
FIGURE. Supply chain lifecycle: Design, Source, Fulfill, Build, Distribute, Sustain & Operate, Dispose.
3. Decompose your key product lines.
To assess the visibility, control, and risks in your supply chain, select a few key product lines and decompose them into their cyber sensitive components. Then see how much information you can collect on their manufacturing sources, acceptance testing, suppliers, and intended customers. You will likely find that your internal systems and policies are prohibiting you from this level of visibility; however, it is this level of visibility that customers will be demanding in the future, if not already. Once you can obtain this kind of visibility, you can then assess the processes, controls, and risks associated with those cyber sensitive components.
Five Common Early Wins
Below are five common ways you can gain early traction with your supply chain cybersecurity program:
• Integrate/enhance component tracking
• Include cyber in your supply chain risk management framework
• Enhance acceptance testing
• Conduct supply chain vulnerability penetration testing
• Enhance monitoring of supplier network access points
Supply chain cybersecurity as a differentiator
The risks and expectations of your supply chain cybersecurity are increasing as threats become more sophisticated and customers’ expectations rise. As you inherit the vulnerabilities from your suppliers and the risks of your customers, you have to be more aware of how your supply chain can become an attack chain. Compliance is not enough; you must develop a robust maturity model to help identify your vulnerabilities and develop a roadmap to reduce your risks.
Companies that are able to effectively manage their supply chain risks will have the advantage in the market. Understanding how to identify risk and then effectively manage those risks will allow you to be in greater control of your supply chain. A robust supply chain cyber risk management program will allow you to close vulnerabilities, making you less of a target for attackers while helping you meet and even shape your customer expectations. The trust in your brand and the quality of your product depend on the strength of your supply chain cybersecurity.
Creating the right balance of security and resilience in your supply chain will allow you to build a foundationally stronger supply chain cybersecurity program. This not only will differentiate you from your competitors but also will allow you to better understand the opportunities and advantages that are key to your success.
Covington & Burling LLP – David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate
Managing risk associated with third-party outsourcing
Third-party outsourcing and cybersecurity risk
Businesses increasingly work with third parties in ways that can render otherwise well-guarded data vulnerable to attack or accidental disclosure. These third parties can include technology service providers; other major business function vendors, such as payroll, insurance, and benefits companies; and accounting and finance, advertising, delivery and lettershop, legal, and other consulting services.
Many of these commercial relationships require sensitive information—whether the business’ own confidential business information or the personal information of its employees or customers—to be shared with, or stored by, the third parties. Such relationships also may entail third-party access to a company’s networks. There is, in turn, an inherent risk in the third-party services: they can create new avenues of attack against a company’s data or its systems and networks—and those avenues require appropriate mitigation.
Perhaps no data security breach highlighted this risk more than the incident incurred by Target. That incident began not with a direct attack on the Target network but with a phishing attack on a Pennsylvania HVAC contractor that had access to Target’s external billing and project management portals. The HVAC contractor depended on a free version of consumer anti-malware software that allegedly failed to provide real-time protection. Once the phishing campaign succeeded in installing key-logging malware, the hackers obtained the HVAC contractor’s credentials to Target’s external billing and project management systems and from there infiltrated Target’s internal network, eventually reaching Target’s customer databases and point-of-sale systems.
The results of the Target breach are well known: the personal information of up to 70 million customers was compromised, and about 40 million customers had their credit or debit card information stolen. By the end of 2014, the costs to Target from the breach had exceeded $150 million. These costs include the litigation and settlement expenses resulting from lawsuits brought by consumers and credit card issuers. Further, in the quarter in which the data breach occurred, Target’s year-over-year earnings plummeted 46 percent. Ultimately, in the aftermath of the breach, Target’s CEO resigned.
The Target breach was not an isolated incident. In 2014, a Ponemon Institute survey found that in 20 percent of data breaches, a failure to properly vet a third party contributed to the breach. Even more troubling, 40 percent of the respondents to another Ponemon survey named third-party access to or management of sensitive data as one of the top two barriers to improving cybersecurity. Further, the Ponemon Institute’s 2015 U.S. Cost of Data Breach Study reports that third-party involvement in a data breach increased the per capita cost of data breaches more than any other factor.
However, despite the cybersecurity risks posed by third-party service providers, many companies fail to systematically address such risks. Only 52 percent of companies surveyed in a 2014 Ponemon Institute report have a program in place to systematically manage third-party cybersecurity risk.
Legal risks
Although there are many commercial and other reasons to adopt strong third-party risk management processes, a variety of legal frameworks require the management of third-party risk. Examples of such statutory or regulatory requirements include the following:
• the Interagency Guidelines Establishing Information Security Standards that implement Section 501 of the Gramm-Leach-Bliley Act and require financial institutions to engage in due diligence in the selection of service providers, to use contractual provisions to manage third-party risk, and, in some cases, to monitor service providers on an ongoing basis (e.g., 12 C.F.R. Pt. 225, App. F at III.D. [2012])
• the HIPAA Privacy Rule, requiring specific contractual provisions in dealing with business associates who handle protected health information, 45 C.F.R. §164.502(e) (2014)
• state regulations, such as the Massachusetts Standards for the Protection of Personal Information, requiring reasonable steps in selecting third parties and the use of contractual provisions to require their compliance with Massachusetts law, 201 Mass Code Regs. 17.03(2)(f).
In addition, the Federal Trade Commission has applied its authority under Section 5 of the FTC Act, 15 U.S.C. §45 (governing unfair acts and deceptive trade practices) to cybersecurity and data security, and has taken action against companies that fail to take “reasonable steps to select and retain service providers capable of appropriately safeguarding personal information,” making this a de facto regulatory requirement. See, for example, GMR Transcription Servs., Inc., F.T.C. Docket No. C–4482, File No. 122–3095, 2014 WL 4252393 (Aug. 14, 2014).
Sources of third-party cybersecurity risk
The cybersecurity and privacy risks generated by third-party engagements include the following:
• breaches of personal data—whether the personal data of customers or employees—and the attendant regulatory obligations (e.g., notification requirements), as well as legal liability, as in the Target breach
• breaches of a business’s proprietary data, including the following:
  • competitively sensitive data, privileged information, attorney work product, and trade secrets
  • business partner data resulting in obligations to notify business partners as well as potential contractual liability to them
  • data that result in financial harm to the company, such as bank account information
  • other confidential, market moving insider information in the hands of third parties such as investment bankers, consultants, and lawyers, such as information regarding nonpublic M&A activity, clinical trial results, or regulatory approvals
• the introduction into internal networks of viruses or other malicious code, as in the Dairy Queen attack, in which vendor credentials were used to gain access to internal networks and eventually install malware targeting point-of-sale systems
• the introduction of other vulnerabilities to IT systems, for instance, by the use of vulnerable third-party applications or code, as occurred in the Heartbleed OpenSSL exploit that potentially exposed the data transmitted to and from secure web servers
• misuse and secondary use of company data such as for direct marketing or data mining for the benefit of the vendor
• “fourth-party” risk, that is, the third-party cybersecurity risks introduced by a vendor’s relationships with its own third-party service providers and vendors
• potential director or management liability for breach of fiduciary duty in the exercise of cybersecurity oversight.
To help manage this array of risks effectively, companies may consider whether they have appropriate procedures in place to evaluate and monitor individual vendors, as well as a program to manage and monitor third-party relationships.
Engagement-level management of third-party cybersecurity risk
The appropriate measures needed to scrutinize and monitor third-party service providers will depend to a large extent upon the sophistication of the vendor and the nature of the IT systems and data at issue. Nonetheless, three elements are common to all third-party risk management:
1. due diligence prior to entering an engagement
2. contractual commitments and legal risk management
3. ongoing monitoring and oversight.
Pre-engagement due diligence
A critical element of managing third-party risk is the assessment of the third party’s own security practices and posture before any contract is signed. Such diligence is crucial for the identification and evaluation of risks, and, in turn, can ensure that such risks are mitigated before the engagement, including through the use of contractual provisions. The actual evaluation may be more ad hoc (i.e., conversations with key business or technology stakeholders) or formal (i.e., through a questionnaire or even on-site assessment), and the extent of an evaluation may depend on various factors in the prospective relationship, including, for example, whether the service provider will have access to the company’s IT systems, the nature of the information that it may access, and whether it will store such information.
Depending on the extent of the relationship and information that may be accessed by the vendor, the following areas of inquiry may be necessary to inform a cybersecurity diligence assessment:
• whether and how often the vendor has experienced cybersecurity incidents in the past, the severity of those incidents, and the quality of the vendor’s response
• whether the vendor maintains cybersecurity policies, such as whether the vendor has a written security policy or plan
• organizational considerations, such as whether the vendor maintains sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents
• human resources practices, particularly background screening of employees, cybersecurity training, and the handling of terminations
• access controls, particularly whether controls are in place that restrict access to information and uniquely identify users such that access attempts can be monitored and reviewed
• encryption practices, including whether information is encrypted at rest, whether information transmitted to or from the vendor is properly encrypted, and whether cryptographic keys are properly managed
• evaluation of in what country any data will be stored
• the vendor’s policies regarding the secondary use of customer data, and whether IT systems are created in such a way as to respect limitations on secondary use
• physical security, including resilience and disaster recovery functions and the use of personnel and technology to prevent unauthorized physical access to facilities
• back-up and recovery practices
• change control management, including protocols on the installation of and execution of software
• system acquisition, development, and maintenance to manage risk from software development or the deployment of new software or hardware
• risk management of the vendor’s own third-party vendors
• incident response plans, including whether evidence of an incident is collected and retained so as to be presentable to a court and whether the vendor periodically tests its response capabilities
• whether the vendor conducts regular, independent audits of its privacy and information security practices
Contractual risk and negotiation
In addition to evaluating third parties on the basis of their cybersecurity practices, another important risk mitigation tool is the actual contractual language. As with other areas, contractual requirements can be an effective way to allocate risk and responsibility for potential breaches of cybersecurity, including the investigation and remediation of such incidents. Commonly negotiated terms include the following:
• a requirement that the vendor have a written information security program that complies with applicable law or other regulatory or industry standards
• limits and conditions on the use of subcontractors and other third-party service providers
• restrictions on secondary use of data, including making clear that the customer remains the owner of any data transmitted to the vendor and any derivatives of that data
• mandatory and timely notification in case of a security incident
• rights to audit or otherwise monitor the vendor’s compliance with the terms of the contract
• in case of a breach, a requirement that the vendor take on reasonable measures to correct its security processes and take any necessary remediation steps
• provisions ensuring an orderly transition to in-house systems or another third party in case of the termination of the relationship.
In addition to such terms, indemnification clauses can be used to shift the risk of data breach onto the third party and to incentivize healthy security practices. To accompany an indemnification clause, it sometimes can be desirable to draft clauses that define when the entity is or is not liable, on which party the burden of proof falls, and how root-cause analysis should be conducted. To ensure capacity to take on the financial costs
of a breach, third parties are frequently required to obtain a cybersecurity insurance policy.

From the business’s perspective, a third-party vendor should be fully responsible for any liability for data breaches that occur while the data are under the vendor’s control. However, vendors often push for caps on their cybersecurity liability. To guide negotiations as to appropriate caps on liability, consider the type of data processed or accessed by the third party (e.g., how sensitive is it, does it relate to employees or consumers, or is it not personally identifying information), the volume of records to be handled by the third party, the ability of the customer to implement security controls such as encryption, the nature and extent of the third party’s promises on cybersecurity, and the brand and reputation of the third party with respect to data security. Based on those inputs, a company can then consider the potential losses and sources of third-party liability to evaluate what constitutes an acceptable level of risk in terms of exclusions from indemnification and caps on liability. A business also may consider offsetting any contractual concessions with corresponding increases in its own cybersecurity insurance coverage.

Ongoing monitoring and oversight

Ongoing monitoring and oversight of third-party service providers is essential given the rapidly changing landscape of cybersecurity threats. Whereas due diligence provides a snapshot of a third party’s cybersecurity stance at a specific point in time, continual monitoring and the right to such monitoring are necessary to help ensure that the third party responds and adapts to secure its systems against new threats. Over the life of the relationship, periodic checks, including on-site reviews of the vendor, can be important oversight mechanisms. Other monitoring requirements include access to timely and accurate records and reports of the third-party provider’s cybersecurity posture.

Although relatively uncommon outside of certain regulated industries, such as the financial and health-care industries, provisions in vendor contracts for regular security audits by an independent third party provide a robust but intrusive form of periodic monitoring. However, it is not always possible to obtain audit rights from a vendor. Alternatively, the vendor could be required to provide up-to-date certifications of compliance with industry standards or regular, third-party audit reports. In addition, to manage fourth-party risk, vendors could be required to perform initial and periodic assessments of their own service providers and vendors if those parties will be handling sensitive information. If, in the course of an audit, vulnerabilities are identified or practices are found that are not in compliance with industry practices or regulatory requirements, the vendor may be required to notify the customer and correct any outstanding issues in a timely fashion.

As part of ongoing monitoring of vendor cybersecurity, it is useful if the contract with a third-party service provider also includes notification and remediation provisions in case the vendor becomes aware of deficiencies in its cybersecurity posture. In addition, as part of the remedies, the outsourcing party may seek the right to terminate the agreement immediately and to receive a pro rata refund of any fees paid or payable. In addition to contractual provisions dealing with termination, contingency plans to facilitate an orderly end to the third-party relationship and a smooth transition to an in-house solution or another third-party provider may prove useful.

Conclusion

The measures described above—diligence, contractual terms, and continued monitoring and oversight—are critical elements of a comprehensive cybersecurity program that includes managing third-party relationships. To effectuate these elements, in turn, it often
is helpful to have standardized processes and documentation. Examples include standardized diligence checklists and questionnaires, template contract addendums addressing cybersecurity issues, and standardized schedules for audits and other forms of monitoring. Because there is no one-size-fits-all approach that is appropriate for every vendor, it is appropriate to implement a tiered approach that scales due diligence, contractual obligations, and oversight processes according to the nature and extent of the cybersecurity risks presented by the vendor relationship. In all events, it is important that organizations periodically review their processes for evaluating and overseeing third-party relationships to ensure that such processes are periodically updated and appropriately tailored to address new and emerging threats.
Delta Risk LLC – Thomas Fuhrman, President

A new look at an old threat in cyberspace: The insider

“The first thing that business leaders should do about the insider threat is to take it seriously.”

People are, without doubt, the most consequential part of cybersecurity. They design the hardware, write the software, build the systems, configure and manage the boxes, install the software patches, and, obviously, use the computers. At every point in cyberspace, people create vulnerabilities. Whether or not they realize it, people are a major security risk. The insider threat, however, is not just a product of conscientious but fallible humans: the dark side of human nature is also in play. The idea of the ‘enemy within’ is as old as the hills, and its cyber equivalent is too.

The insider threat to computer systems and networks has been a recognized reality for decades. It was a topic in 1970 in the landmark report by the RAND Corporation, Security Controls for Computer Systems, and its roots go back even further. However, since 2013, when defense computer systems contractor Edward Snowden—an insider—carried out one of the largest and most significant unauthorized disclosures of classified government information in U.S. history, the issue has been brought home to business executives. They realized, “If that can happen to the National Security Agency, it can happen to me.”

What’s new with the insider threat?

In this, the post-Snowden era, the potential impact of the insider has become a much more tangible issue to companies and organizations of every kind. However, although this heightened awareness is new, there are also other recent developments that make the current insider threat challenge more difficult than ever. Key among such developments are the following:
• the vast amount of vital business and personal data that is online
• the migration of data outside the security perimeter of the enterprise through the widespread adoption of cloud-based services, increased outsourcing, increasingly Internet-enabled supply chain operations, and the ubiquity of mobile communications and computing devices in the ‘bring your own device’ (BYOD) environment
• the increase in the marketability of sensitive, personal, proprietary, or confidential data through global cyber crime syndicates and hacker networks.
These developments in combination invest more power—and risk—in the individual insider and make ‘keeping a secret while selectively sharing it’ a harder problem than ever.

From a cyber perspective, the insider is the person whom the enterprise has entrusted to access and operate with the company’s data and information resources in the routine course of business. Anyone who has legitimate (or ‘authorized’) access to the information and the business systems, databases, email, or other information resources of the enterprise is an insider.

In many companies today, a large number of legitimate insiders are not actually employees. This group includes former employees, contractors, business partners, vendors, suppliers, and others such as cloud service providers and business application hosting services that have been granted access to corporate enterprise networks. Evidence indicates that the access privileges of such non-employee insiders are difficult to manage and thus more easily exploited. In the large data breach at The Home Depot in 2014, for example, the hackers entered the corporate network through a vendor’s legitimate access credentials.

Can employees and other insiders be trusted? The answer, of course, is mostly yes. It has to be. Business runs on human capital. Without trustworthy insiders, the organization cannot function. However, the residual ‘no’ is a cause for serious concern. Seen in this light, the question is more about setting the limits of trust at the right level. Better ways to efficiently screen potential employees, manage access rights, enforce obligations, detect malicious tendencies and behaviors, and implement security controls are needed.

The insider threat is usually thought of as having two types: the malicious insider and the unwitting insider. Although these two types of insider are very different in motivations and objectives, they can have similar ruinous effects on the organization.

• The malicious insider. The malicious insider is the ‘spy’ or ‘traitor’ who represents the insider cyberthreat at its most basic. This rogue employee, at most a small percentage of the workforce (Spectorsoft reports that an estimated 10 percent of employees account for 95 percent of incidents), uses her or his legitimate access to a company’s information resources to deliberately harm the organization. Malicious insiders know about the organization’s information, its systems, its structure and people, and its internal operations. They have access to the enterprise network from inside the perimeter defenses. They can do damage such as stealing data, disabling systems, and installing viruses or malware. Those with privileged access can do even more, such as disabling accounts, destroying backups, changing configuration files, and more. Those without privileged access can sometimes get it through insider trickery, bypassing authentication processes or gaining access through the credentials of others. Snowden himself reportedly persuaded colleagues to share passwords with him to get access beyond what he was already allowed.
A fundamental and important point to recognize is that the insider as a malicious threat is not limited to the cyber and information systems realm. Other targets and methods are possible, including physical theft, destruction, or violence, coercion and extortion, or other non-cyber actions. This fact has a direct bearing on the approaches available to prevent, detect,
and act against malicious or potentially malicious insiders.
The psychology of the malicious insider is a defined field of study. In short, an insider can become a threat for many reasons—including, for example, anger as a result of workplace conflicts or disputes, fear of termination, dissatisfaction with workplace policies, ideology, or financial need.

• The unwitting insider. Almost anyone can fall into the category of unwitting insider threat agent, including senior executives. As a threat actor, the unwitting insider unintentionally and unknowingly makes security blunders that expose the enterprise to serious cyber risks. Because the pool of potential unwitting actors is so large and their behaviors are unintentional and hard to predict, the unwitting insider is one of the most dangerous weak points in the entire enterprise.
One group of insiders who can pose a major threat are those who have a lax attitude about security. These attitudes are not always obvious. Security awareness campaigns are so commonplace now that just about everyone exercises at least some caution in online activities. At the same time, though, we can also observe that a certain insouciance about the risks in cyberspace has crept into the behavior of many people. The same person who would refrain from using the word ‘password’ as a password or from writing it on a sticky note to place on the computer monitor may think nothing of other poor security practices.
Today’s culture, for example, seems to encourage the melding of personal and professional pursuits. People have become so accustomed to online life—being always connected, using multiple computing platforms, putting their ‘whole life’ (as they say) on their smartphones, or posting photos and personal information on social websites—that it appears many have become unconcerned about the associated security and privacy risks. Users sometimes bring such personal Internet habits into the workplace, often paradoxically because of their zeal to do their jobs. They may insert a thumb drive into a corporate machine to transfer a file. (“I needed to work on the file—what was I supposed to do?”) They could sync a personal smartphone to a corporate computer. (“What’s wrong with that?”) They may drop a proprietary document into a public cloud. (“I need to work on it while I travel.”) The list continues. All of these actions and many others like them by the unwitting insider create serious enterprise security risks.
The single most common security weakness of most people is a susceptibility to phishing attacks. Phishing is a form of ‘social engineering’ that has the goal of getting information such as usernames, passwords, or credit card numbers. Phishing usually starts with a fraudulent email message (although other mechanisms are also used) that appears to be from a legitimate or known source. The message may contain an attachment that, if opened, installs malware on the victim’s computer, or the message may direct the user to a website that is also designed to look legitimate, even familiar, to the target victim. This bogus website prompts the user to enter information such as log-in credentials or account numbers. If the user’s suspicions have not been aroused, she or he may enter the requested data—and gotcha!—the hacker has succeeded in capturing information that can be used for access later. Alternatively or in addition, the bogus website may push out a virus, remote access software, key-logging software, or other malware. Very often phishing is the start of a chain of exploits that leads to a very serious breach. The Verizon 2015 Data Breach Investigations Report (DBIR) states that more than 75% of malware installs were the result of unwitting users clicking on attachments or web links contained in emails.
Phishing also is used in a more focused way that targets specific people—frequently senior executives or people in the organization who have privileged access to information resources. The hacker will mine the Internet for personal information on the target: information that only the target would know, names and contact information of colleagues, web browsing and purchase history, non-business activities and community involvement, even writing styles to zoom in on that specific person. When such information is used in a phishing email, the look and feel, the text, and the context of the message can appear unexceptional and entirely authentic. If this were a game it would be unfair. The target frequently falls for the scheme.
Like the poor soul who sends money to the Nigerian prince or the person who invests in shares of the Brooklyn Bridge, the unwitting person can easily be taken in by a well-designed phishing ploy. However, whether the result of inadvertent or deliberate acts, the impact to the organization can be the same—financial loss, compromise of intellectual property, theft of customer personal information and credit card data, and reputational harm or loss of competitive position.
This highlights a third and more sinister type of ‘insider’ that must also be considered—the malicious outsider posing as an insider. Such actors explicitly seek to exploit insiders by appropriating their credentials and moving unnoticed within the network.

Figure 1 illustrates the categories of the insider threat, along with typical motivations and potential impacts.

FIGURE 1. Insider threat actors and their effects

Threat actor: Unwitting insider
• Methods / cyber incident examples: move sensitive internal data to a public cloud; lose a laptop; use a memory stick to import or export data; mix company data with personal data on mobile devices
• Motivations: efficiency and convenience; customer service; ‘getting the job done’

Threat actor: Malicious insider
• Methods / cyber incident examples: use legitimate access for illegitimate purposes
• Motivations: financial gain; do harm to the company; fraud or theft of money; advance an ideology or other personal agenda

Threat actor: Malicious outsider posing as an insider
• Methods / cyber incident examples: exploit the access of a legitimate user; bypass security controls on privilege escalation and lateral movement throughout the network to get to key systems for exfiltration and/or insertion of malware
• Motivations: do harm to the company; advance an ideology or other personal agenda; financial gain—obtain sensitive data that can be monetized

Results (all insider threats can have the same outcomes): theft of sensitive information (e.g., personally identifiable information, intellectual property, proprietary information); financial fraud or theft; damaged or destroyed information resources; sabotaged product (the merchandise produced by the enterprise); reputation harm and customer alienation; loss of revenue; insertion of malware and/or establishing a long-term presence in the network for repeat action
• The outsider posing as an insider. This type of insider is not an insider in the true sense, but rather an imposter who uses the legitimate credentials of others to access the network in ways the real user would not. This actor seeks to get legitimate credentials using a variety of tactics and techniques. He then uses these acquired credentials to access password files, directories and access control lists, and other network resources—which is made easier if the credentials are already those of a system administrator or other privileged user.
As described above, the unwitting insider is very commonly exploited by sophisticated hackers as a soft point of entry for advanced attacks. Elaborate penetration techniques are hardly needed when a relatively simple phishing email is likely to serve the purpose. Upon achieving initial access, the hacker may try to move laterally within the network or to escalate access privileges to implant advanced malware deeply in the network fabric. Phishing is the dominant mechanism used today to penetrate networks by even the most sophisticated hackers because it has a high success rate for very low cost. Other social engineering tactics include in-person deceit, such as impersonating someone in authority, pretending to represent the Help Desk, asking someone for assistance, or claiming to have left an access badge inside the restricted area of a facility. It can be a particularly effective tactic because people usually try to be courteous and helpful.
Hackers have tricks other than social engineering to obtain the access they desire. Most of the time, though, social engineering can be found somewhere along the attack chain because it is a powerful and efficient way of getting past perimeter defenses. The sophistication we hear about in reports of state-sponsored espionage, hacker networks, and organized cybercrime is exhibited in the tradecraft that is applied once the initial breach is achieved.
The outsider-posing-as-insider is not interested in impersonating a particular person other than to use the person’s network or system credentials. Through password cracking and other techniques, a hacker can exploit the credentials of more than one authorized user or administrator in the course of an attack. Unlike the true insider, the only observables that the outsider leaves are those network footprints and fingerprints that may show up in system logs or the actual malware code or other digital fragments they leave behind.

The dimensions of the insider threat

The insider threat is easy to understand in concept but very hard to quantify in practice. How big of a threat is it? Hard data and statistics on the frequency of occurrence and the impact of insider threats have historically been elusive and remain so. Lack of detection and discovery of insider events, and an unwillingness to share or report them, are two of the primary reasons for the paucity of data. Nevertheless, recent insider threat surveys and breach data analyses are consistent in their main findings, including the following:
• There has been an increase in insider threat events in the last few years.
• Most organizations do not have adequate controls in place to prevent or thwart insider attacks.
• Insider attacks are believed to be more difficult to detect than external attacks.
• Third parties and other non-employee insiders represent a major risk, and insufficient attention is devoted to managing them. Most contracts and service level agreements with external vendors, suppliers, and business partners do not include robust security provisions.
• Insider policy violations and inappropriate activity are often discovered only during
examination of user devices after individuals have left the organization.
• Most incidents are handled internally with no legal or law enforcement action.

What to do

The first thing that business leaders should do about the insider threat is to take it seriously. Although there is widespread recognition that the threat is very serious, in most sectors there is insufficient follow-through to build the threat-specific plans, organizational structures, and controls to deal with it. What is needed is a comprehensive approach that addresses and leverages the unique aspects of the insider threat. Technology by itself is not the answer; the critical human dimension of the insider threat must also be addressed.

A comprehensive approach would include the following:

• Establishing a threat-aware culture of institutional integrity and personal reliability. Company culture is a product of many factors, but one of the most decisive is the behavior of senior leadership and the values they model. A culture of institutional integrity and personal reliability is conducive to success in almost any enterprise. Factors for achieving this include the following:
  • Create an environment in which self-directed employee actions reflect a high degree of institutional integrity and personal reliability.
  • Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources. This should be a formal signed agreement between the company and each employee and external party who has access to the enterprise IT resources or facilities.
  • Create a safe environment in which to self-report accidental actions that jeopardize security. Removing the stigma of having inadvertently committed a security violation can help minimize impact and help everyone learn.
  • Provide regular insider threat awareness training as well as realistic phishing training exercises. An organized phishing awareness exercise program can raise the company’s standard of performance in this critical area.
  • Establish a set of institutional values reflecting the desired culture, select leaders based on their adherence to these values, and include demonstration of these values as an item on employee performance assessments.

• Building a multi-disciplinary program. Establish an executive committee to manage an integrated multidisciplinary program designed to deter, prevent, detect, and respond to insider threats and to limit their impact. The program should have the active participation of the functional organizations across the business such as Risk, IT, Cybersecurity, Physical Security, Human Resources, Fraud, and General Counsel, as well as company-specific verticals (manufacturing, operations, etc.). The program should include the following:
  • creation and oversight of policies related to the management of insider risk
  • regularized workflow, processes, and meetings to actively and collectively review threat intelligence, the internal threat landscape, internal indicators of risk, insider events, sponsored activities, and trends from each subdiscipline
  • implementation and oversight of personnel reliability processes from pre-employment background checks to off-boarding procedures to assess and act upon personnel security risks, behavioral risk indicators, and individual vulnerability to compromise
  • decision-making authority pertaining to the integration of programs within each vertical, the aggregation of insider risk data across the verticals, and the corporate response to insider events
(SIEM) systems, pinpoint potentially illicit activities by identifying anomalies in a person’s IT resource and data access patterns.
  • Non-technical. Unique to the insider threat is the availability of a large amount of relevant non-technical behavioral observables. Integrating operational intelligence information at the intersection of cybersecurity, fraud detection, and physical security can yield critical insights about potential insider threats. Examples of non-technical cyber data include the following:
    • email behavior: volume, content, and addressees; presence and type of attachments
    • workday activities: patterns of on/off duty time, including weekdays, weekends, and holidays; location
    • job performance: performance reviews, productivity, and time accountability
    • indicators of affiliation: degree of participation in company-sponsored activities; indications of discontent through online behavior and social media usage.
  Analysis of this type of data through automated and manual processes can identify patterns of behavior that indicate at-risk employees or imminent insider attacks. There may also be value in integrating external threat intelligence for factors that could influence at-risk insiders.
  It is important that the company’s legal counsel advise the executive committee on informing employees of ongoing monitoring and how the data will be used. Oversight by the executive committee is essential to ensure the program is operated within the bounds of policy.
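Detection logic of the sort this monitoring section describes, as an added example rather than anything from the Guide or from Delta Risk: a small Python detector that builds a per-user baseline from constructed access-log lines and flags weekend, off-hours, new-resource and volume anomalies, plus the edge case of a user with no history at all. The log format, the 8:00 to 18:00 business-hours window and the 3x volume threshold are assumptions made here.

```python
"""Added example (not from the Guide): a small UEBA-style detector that flags
anomalies in a person's IT resource and data access patterns. Log format,
business-hours window and volume threshold are assumptions made here."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access log, one event per line:
# timestamp,user,action,resource,bytes  (2015-09-05/06 fall on a weekend)
SAMPLE_LOG = """\
2015-09-01T09:12:00,alice,read,hr-share,120000
2015-09-02T10:05:00,alice,read,hr-share,98000
2015-09-03T14:40:00,alice,read,hr-share,110000
2015-09-04T11:02:00,alice,read,hr-share,105000
2015-09-05T23:50:00,alice,read,hr-share,118000
2015-09-06T02:15:00,alice,copy,finance-db,5400000
2015-09-01T08:30:00,bob,read,eng-wiki,40000
2015-09-02T09:10:00,bob,read,eng-wiki,42000
2015-09-03T09:45:00,bob,read,eng-wiki,39000
2015-09-08T09:30:00,bob,read,eng-wiki,41000
2015-09-08T10:00:00,carol,read,eng-wiki,30000
"""


def parse_log(text):
    """Turn the CSV-like text into event dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def build_baselines(events, baseline_until):
    """Per-user profile from events strictly before the cutoff: the set of
    resources the user normally touches and the median bytes per event.
    A production system would use a rolling window rather than a fixed cutoff."""
    cutoff = datetime.fromisoformat(baseline_until)
    per_user = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            per_user[e["user"]].append(e)
    return {
        user: {"resources": {e["resource"] for e in evs},
               "median_bytes": median(e["bytes"] for e in evs)}
        for user, evs in per_user.items()
    }


def classify(event, profile, business_hours=(8, 18), volume_factor=3.0):
    """Return the reasons an event deviates from the user's established pattern
    (an empty list means nothing unusual). Profile is None for users with no
    history, which is itself worth a look (new account, contractor, ex-employee)."""
    reasons = []
    ts = event["ts"]
    if ts.weekday() >= 5:                      # Saturday=5, Sunday=6
        reasons.append("weekend")
    if not business_hours[0] <= ts.hour < business_hours[1]:
        reasons.append("off-hours")
    if profile is None:
        reasons.append("no-baseline")
        return reasons
    if event["resource"] not in profile["resources"]:
        reasons.append("new-resource")
    if event["bytes"] > volume_factor * profile["median_bytes"]:
        reasons.append("volume-spike")
    return reasons


def detect(log_text, baseline_until, **thresholds):
    """Build baselines, then score every event from the cutoff onward.
    Findings are sorted so the event with the most anomaly reasons comes first."""
    events = parse_log(log_text)
    profiles = build_baselines(events, baseline_until)
    cutoff = datetime.fromisoformat(baseline_until)
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = classify(e, profiles.get(e["user"]), **thresholds)
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"].isoformat(),
                             "resource": e["resource"], "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, "2015-09-05"):
        print(f"{f['user']:6} {f['ts']} {f['resource']:11} {', '.join(f['reasons'])}")
```

On the constructed log this ranks alice’s Sunday 02:15 copy of 5.4 MB from a database she has never touched at the top, her Saturday night read of her usual share second, and carol’s first-ever access third, while bob’s routine weekday reads produce nothing.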
  • definition of requirements for employee training and awareness of insider threats and prevention measures.

• Building and operating security controls. Many of the security controls that already exist (or should exist) within the enterprise can be effective in detecting, preventing, or mitigating the results of insider threat activity. Key technical controls include the following:
  • access controls, particularly for privileged users (those with administrative authority)
  • data protection, including encryption, data loss prevention technology, data backups, and exfiltration monitoring
  • configuration management and secure configurations
  • vulnerability and patch management
  • internal network segmentation.

• Monitoring and detecting insider behavior. The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators:
  • Technical. The most significant sources of cyber-related technical intelligence are the real-time alerts and outputs of security appliances, network- and host-based sensors, and data loss prevention tools, as well as the network- and system-level logs that are generated automatically (if so configured) throughout the enterprise. In most enterprises these sources provide so much data that managing it and effectively integrating it with operations become serious challenges. In addition, the volume of data drives a need for storage that can become acute depending on policy decisions regarding what logs are maintained and for how long. Insider threat-tracking tools in use today, such as data loss prevention, threat intelligence, and security information and event management

• Having a plan. The executive committee should develop a detailed (though confidential) action plan for what to do in the event of actual or suspected insider
misbehavior or law-breaking. The plan should describe how and when to contact law enforcement and other authorities regarding insider threats or actions. It should provide a framework of possible legal remedies to pursue in the event of an insider attack. This action plan should be tested on a regular basis through scenario-based exercises involving the company officials who would actually be involved if a real event were to occur.

• Evolving the approach. The executive committee should refine the program as the organization matures in the use of this capability within the specific business environment.

• Not ‘going it alone.’ The executive committee should take advantage of the many resources available for planning and conducting operations pertaining to the insider threat. Proven approaches and practices for addressing this threat are available, allowing the company to build on the learnings of other organizations. (See inset box.)

Summing up

Companies often declare that people are their greatest asset. Surely the human resource is what propels a company forward. However, the insider threat will always be present. Commitment, loyalty, and general affiliation with the organization cannot be taken for granted. Personal ethics and allegiance to the employer collide with the chance for selfish gains in those who have become security risks or who are vulnerable to compromise. With legitimate
Resources

The following resources can help enterprises deal with the insider threat. Each provides a wealth of information on proven approaches and practices that companies can build upon.

• Insider Risk Evaluation and Audit Tool. This tool is designed to help the user gauge an organization’s relative vulnerability to insider threats and adverse behavior, including espionage against the U.S., theft of intangible assets or intellectual property, sabotage or attacks against networks or information systems, theft or embezzlement, illegal export of critical technology, and domestic terrorism or collaboration with foreign terrorist groups. The tool can be used for a number of purposes, including self-audit of an organization’s current defenses against insider abuse, the development of a strategic risk mitigation plan, and employee training and awareness.
http://www.dhra.mil/perserec/products.html#InsiderRisk

• CERT Insider Threat Center. Since 2001, the CERT Insider Threat Center has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider cyberthreats. Partnering with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community, the CERT Insider Threat Center is positioned as a trusted broker that can provide short-term assistance to organizations and conduct ongoing research.
https://www.cert.org/insider-threat/

• Federal Bureau of Investigation. The Insider Threat: An introduction to detecting and deterring an insider spy. This brochure provides an introduction for managers and security personnel on how to detect an insider threat and provides tips on how to safeguard trade secrets.
https://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
A NEW LOOK AT AN OLD THREAT IN CYBERSPACE: THE INSIDER
SecurityRoundtable.org 227 ?
occur. Insiders are also the target for care-
fully scripted phishing tactics; the insider
who innocently clicks a link in an email may
enable damage to the company well beyond
her or his pay grade.
However, there is much that the organi-
zation’s executive leadership can do to
mitigate the insider threat, including estab-
lishing the right culture, implementing
security controls, conducting ongoing mon-
itoring and detection efforts, and being
ready to respond quickly if indicators point
to a likely insider threat. The following box
summarizes the actions that are recom-
mended here.
authorization to access company and infor-
mation resources, a rogue insider can do
tremendous harm to the company. The
effects of an insider attack can be felt as
fnancial loss, erosion of competitive posi-
tion, brand degradation, customer aliena-
tion, and more. The Snowden disclosures of
2013 have, at least for now, sensitized busi-
ness leaders to the grave risks posed by the
insider threat.
The unwitting insider is the equal of the
malicious insider in potential damaging
impact. A momentary and unintentional
lapse in vigilance regarding security threats
can be all it takes for a major compromise to
Summary of actions to address the insider threat
1. Establish a culture of threat awareness, institutional integrity, and personal reliability
? Provide regular insider threat awareness training as well as realistic phishing
training exercises.
? Articulate clear expectations in an enterprise Acceptable Use Policy governing IT
resources.
? Create a safe environment in which to self-report accidental actions that jeopardize
security.
2. Build a multi-disciplinary program to deter, prevent, detect, and respond to insider
threats and to limit their impact.
3. Build and operate security controls designed to mitigate the insider risk.
4. Monitor insider behavior:
? multiple interdisciplinary dimensions
? draw on outside resources
? look inside the network for observables of potential insider threat activity

5. Have a plan for what to do in the event of actual or suspected insider malfeasance
? Know how and when to contact law enforcement and other authorities regarding
insider threats.
? Explore legal remedies.
6. Be ready to develop your approach as conditions continue to change.
7. Don’t ‘go at it alone.’ There are many resources available for planning and ongoing
operations. Best practices can be implemented based on another organization’s learning
curve.
The Chertoff Group – Mark Weatherford, Principal

The Internet of Things

In the time it takes you to read this sentence—about eight seconds—approximately 150 new devices will have been added to the Internet of Things (IoT). That’s 61,500 new devices per hour, 1.5 million per day. There are currently about 7.4 billion devices connected to the IoT, more than there are human beings on the planet. By 2020, according to Gartner, there will be 26 billion. Cisco puts the number at 50 billion, and Morgan Stanley says it will be 75 billion. By any estimation, it will be a lot more devices than are in existence today.

People are beginning to notice this phenomenal rate of growth, and some companies are seeing incredible economic opportunities. However, the fact that the field has grown so quickly and so dynamically means that some of the lessons we’ve learned in the past about security and privacy are not being employed—in the interest of first-to-market opportunities—and the lack of oversight has many wondering about the unknown unknowns.

These three definitions together provide a starting point for understanding the IoT and its implications for our future:

• In the physical sense, the IoT is all of those billions of devices, installed on apparel, appliances, machines, vehicles, electronics—most of them incorporating sensors to gather bits of data and then sharing that information via the Internet through central servers. The concept of the IoT was introduced in 1999 and evolved from the Machine-to-Machine (M2M) technology that originated in the 1980s, in which computer processors communicated with each other over networks. The major difference is that most of the new devices cannot be considered processors but rather sensors and relays that simply facilitate the aggregation of data. Analogous to the shift to “cloud” computing, it may be useful to consider this new data-generating aspect as “the fog.” The two concepts—the IoT and M2M—are now poised for complete integration, in what is termed convergence, as we move into technology’s future. Keep in mind that in that future, anything that can be connected will be connected. Christian Byrnes, a managing vice president at Gartner, says that “The Internet of Things brings a major addition to the responsibilities of cybersecurity: safety. IoT includes the final convergence of physical and information security practices. As such, CIOs and CISOs will face the possibility of their failures being the direct cause of death. Confidentiality, Integrity and Availability will be remembered as ‘the good old days.’”

• The IoT can also be thought of as just the collected data. With billions of connected devices, all contributing information around the clock, it’s more data about more machines, operations, and people than has ever been collected before—more in the past year than perhaps has been recorded in all of human history, and certainly more than was imagined possible just a few years ago. The intelligent management and implementation of that data make it possible to do such things as navigate a driverless car through city traffic, monitor a person’s anatomical signals and take action to manage his or her health, monitor the movement and health of livestock, provide global tracking and communications, manage energy use in buildings, and even operate sophisticated industrial equipment from remote locations. Our intelligence and industrial abilities in the era of the IoT will be limited only by our imaginations; we will have the data we need to accomplish almost anything we can envision.

• In the philosophical sense, the IoT is also part of a movement. It’s been evolving for more than a century, from our first ability to communicate with each other instantaneously by radio. The early days of the Information Age quickly showed us how important data gathering could be to the success of an operation. The IoT is, in that existential meaning, the latest iteration of communication technology. Of course, as soon as we developed the ability to send information over great distances in just seconds, some people began to look for ways to capture that information from sources other than their own. Early twentieth century wartime code breakers monitoring the enemy’s radio communications often are mentioned as the first hackers.

The last aspect of the IoT should cause the most concern. As technology has become ever more sophisticated in its march toward providing greater capabilities for private enterprise, governments, and the people they serve, so have the tools and strategies of the people who would access and use the information for more malicious purposes. The lack of recognition about the seriousness of this threat to companies and governments leads to a lack of security sufficient to defend against attacks.

IoT benefits

According to John Chambers, CEO of Cisco Systems Inc., the Internet of Everything (which includes the IoT plus the actual networks that support and transmit the data these devices generate) could be worth $14.4 trillion in revenue, plus another $4.6 trillion in savings to industry and government. That’s $19 trillion, greater than the GDP of many countries. The benefits the IoT provides can be seen in every area that relies on technology, as well as many that traditionally have not. A few examples:

• The amount of municipal solid waste generated around the world is expected to reach 2.2 billion tons annually by 2025, almost double the amount recorded in 2012. The cost of handling this waste will be about $375.5 billion per year. However, by changing the traffic patterns of garbage trucks and installing sensors in garbage cans to identify when they are full and should be picked up, U.S. cities alone can
save $10 billion in waste management costs.

• Unscheduled maintenance events are responsible for about 10 percent of all flight cancellations and delays in commercial aviation, costing $8 billion per year. According to Marco Annunziata, chief economist at General Electric, preventive maintenance systems can allow airplanes, while in flight, to communicate with technicians on the ground so that when the plane lands, the technicians already know what needs attention. These systems are self-learning and can predict issues that a human operator may never see, helping prevent more than 60,000 delays and cancellations every year.

• On the personal scale there’s Amazon’s Dash button. The idea is a perfect example of how the IoT works at the micro level. The buttons are simple wireless devices with the logos of consumables manufacturers, about the size and shape of a thumb drive. A Dash button for a detergent could be attached to a washing machine. When the supply of detergent is low, the consumer need only press the button, and another bottle is ordered through Amazon Prime. Amazon and other developers are also working on IoT devices that sense when the supply of a consumable is low, and order the item automatically, without the consumer even being aware of the act.

IoT privacy issues

One of the keys to IoT advancements, of course, is the interconnectivity of information sources and their recipients. The information is often used in the commercial realm for monetization strategies, and by the government to target security threats, each of which leads inevitably to concerns about privacy. In many cases when human beings are the sources of this information, they do not even know they are acting as such. Virtually every site a person visits on the Internet in return gathers information about that person, from data stored on the computer being used (such as location and personal information) to data entered actively during the site visit. In addition, most transactions a person conducts while out in the world have the potential to be recorded and added to databases, and these transactions, when merged with other collected information, can be interpreted using computer algorithms. Even when the data are anonymized, many people believe their privacy is violated by such usage. In his book Future Crimes, Marc Goodman writes, “Data brokers get their information from our Internet service providers, credit card issuers, mobile phone companies, banks, credit bureaus, pharmacies, departments of motor vehicles, grocery stores, and increasingly, our online activities. All the data we give away on a daily basis for free to our social networks . . . are tagged, geo-coded, and sorted for resale to advertisers and marketers.”

• For example, in a well-publicized case from 2012, mega-retailer Target analyzed purchasing records to predict when women may be pregnant and even when they were due. The company then mailed pregnancy-related coupons to the women’s addresses. The program came to national attention when a high school student received the coupons at her family’s home, alerting her father to her condition. Although embarrassing for the young woman, Target’s use of the information gathered was legal under the Fair Credit Reporting Act, which allows “first parties” to perform in-house analytics on collected data.

• During the Women’s Mini Marathon held in Dublin, Ireland, last year, Symantec security researcher Candid Wueest stood on the street and stealthily monitored data from the activity trackers worn by hundreds of runners. The data included everything from their names and addresses to the type of device they were wearing and the passwords for those devices.

• In a 2013 case, a British man discovered that his LG smart TV was clandestinely
transmitting viewing information back to the South Korean manufacturer, as well as reporting the contents of devices, such as a USB drive, that were connected to the TV. LG claimed the information was used, as in the Target case, “to deliver more relevant advertisements and to offer recommendations to viewers based on what other LG smart TV owners are watching.” However, the man, an IT consultant, discovered that the TV transmitted the information whether the system setting for “collection of watching info” was set to on or off.

According to a report on privacy and security released by the Federal Trade Commission in January of 2015, one company that makes an IoT home automation product indicated that fewer than 10,000 households can “generate 150 million discrete data points a day,” or approximately one data point every six seconds for each household. Another participant in the report noted that “existing smartphone sensors can be used to infer a user’s mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson’s disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.” Such “sensitive behavior patterns could be used in unauthorized ways or by unauthorized individuals.”

IoT security issues

The IoT is subject to the same security risks as traditional computer systems, but the issues, unfortunately, don’t stop there. Like any storage aspect of the Internet, security vulnerabilities can be exploited to compromise sensitive information. Rick Dakin, CEO of Coalfire in Boulder, Colorado, says that “while headlines about cybersecurity usually focus on the changing threat landscape, a greater concern is the evolving technology landscape. Most people rapidly connect unsafe devices to their networks with no thought to security, and the Internet of Things will accelerate the contamination of our networks.” As connectivity grows exponentially, so do the possibilities for security breaches. Any device in the IoT that stores information, whether it contains Internet or TV viewing preferences, credit card numbers, health information, etc., can become a target. The proliferation of devices that are part of the IoT means that the number of access points to a system is limitless.

Don’t think that just because a device has a limited function—such as a smart lightbulb, a FitBit, a smart toilet, or a thermostat—that it holds no attractiveness for hackers. Put enough of these connected devices together and cyber criminals can create a botnet, a network of processors that can be used to facilitate large, repetitive tasks, such as generating passcode possibilities.

Also of great concern is the potential to cause physical damage and harm to individuals and property. The FTC report contains claims by company researchers of the ability to hack into a self-driving automobile’s built-in telematics unit and control the vehicle’s engine and braking. Another claim involves the ability to access computerized health equipment and change the settings so that they are harmful to the patient. Through the medical device hijack attack vector (MEDJACK), the TrapX Labs security team has identified that in many cases, medical devices themselves are the key entry points for health-care network attacks. Devices as diverse as diagnostic equipment such as CT scanners and MRI machines, life support equipment including medical ventilators and dialysis machines, and even medical lasers and LASIK surgical machines are typically delivered to medical facilities wide open for attacks that can compromise device readings and operations, not to mention putting people’s health and lives at risk.

A recent Hewlett-Packard report noted that 70 percent of IoT devices contain security vulnerabilities. Some of these weaknesses pertain to the current differences in communication standards, as developers seek to make their devices compatible with all types of systems—an aspect of the convergence factor mentioned earlier. Although many
companies are working on standardization protocols, the issue will not go away anytime soon. Sensitive commercial, industrial, and government information is at risk, and that risk will likely grow as the IoT develops, before measures sufficient to mitigate that risk propagate. As Rod Beckstrom, the former CEO of ICANN, said in his Beckstrom’s Law:

• If it’s connected to the Internet it’s hackable.
• Everything is being connected to the Internet.
• Therefore, everything is hackable.

Putting all the security aspects together, as some cyber criminals apparently already have, and the risks that accompany the growth of the IoT can seem frightening. Hackers have become so sophisticated in their tactics that some are creating databases from the information gathered in previous attacks, which can enable them to defeat common security measures. For example, in the successful breach of more than 100,000 taxpayer returns filed electronically with the IRS in 2014, the attackers were able to correctly answer security questions that the taxpayers themselves had selected, simply by cross-referencing information collected in previous breaches of other organizations’ information.

Put a nation-state or other global entity behind such efforts, and the risks to sensitive information in the IoT mount exponentially. In commerce, as well as in politics and war, entities make decisions based on what they believe is in their best interests. This is especially true in the case of state and large non-state actors. It’s helpful to think of their efforts to infiltrate technological and security information not so much as instigated by an evil intent or ideology, but as motivated by the survival and practical success of their entity—the concept of realpolitik updated for the twenty-first century. They have a vested interest in hacking information systems that goes far beyond simple greed. It means they are unfazed by potential punishments or repercussions and have the willingness to commit resources and effort towards their goals because the payoffs, if they are successful, are huge—such as global economic or even military dominance. Looking at the situation in this way helps validate the actual threat these actors represent and can in turn stimulate companies and governments to mount a more adequate defense.

Addressing the issues

The U.S. Congress, since 2012, has proposed more than 100 pieces of legislation related to Internet security and privacy. Only a couple were actually signed into law, but continuing security incidents, such as the breach of Sony’s network and subsequent hostage-taking of one of its movies, have created greater awareness of security issues that will surely prompt more attempts at legislation and regulation. In fact, as of this writing, at least 10 pieces of legislation are being considered on Capitol Hill. In its report, the FTC endorsed strong, flexible, and technology-neutral general legislation but added that IoT-specific legislation would be premature, as the field is still in its early stages of development. They would prefer to see industry adopt self-regulatory practices.

At the corporate or company level, though, there is much decision makers can do now to address security and privacy concerns. Much of that involves adopting a forward-thinking attitude about the IoT and its role.

• First is to understand that the IoT is not a possibility or a projection of the future—it is a reality. It is here now and will only continue to grow and affect every facet of our world.

• The IoT carries with it many risks and challenges; it’s the companies and organizations that address those issues head on that will survive. Conventional approaches to network security will likely have to be rethought.

• Companies and organizations should stay up to date with evolving vulnerability assessments and advancements in security solutions. This also applies to
administrators and executives, who should become fluent in the language that describes IoT capabilities, trends, and risks so that they can make more relevant and responsive decisions for their shareholders and customers. Administrators should attend conferences and industry events when possible as well.

• Standardization of security protocols in the IoT space must be made an industry-wide priority.

• When breaches to networks do occur, it’s important to notify consumers quickly so that they can protect themselves from the misuse of their data.

• Such breaches should also prompt industry-coordinated action to address the vulnerabilities exposed and propagate industry standards.

• Companies can give themselves some degree of protection also by entering into legal agreements with IoT vendors to provide adequate, tested, and updated security measures and to guard against the unauthorized access of sensitive information.

Remember that IoT security is not a battle that can be won and left behind. It is a war that will be fought for the foreseeable future—the proverbial marathon versus a sprint.

Keep in mind also that the IoT challenges we face mean a tremendous opportunity for fresh thinking. The future of the Internet, which carries with it the future of our world, is ours for the making. If you’ve read Isaac Asimov, you know that he was visionary about the future of technology. In his science fiction composed in the 1940s, he wrote, “No sensible decision can be made any longer without taking into account not only the world as it is, but the world as it will be.” That realization is more important now than ever before because someday soon we’ll almost certainly ask why things aren’t connected to the Internet rather than why they are connected.
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Incident response

U.S. Department of Justice – CCIPS Cybersecurity Unit

Working with law enforcement in cyber investigations

The decision to call law enforcement, or to respond to a law enforcement inquiry, during a cyber incident can be a harrowing moment for a company’s executives and board members. Fear of losing control of key systems, of the investigation’s course, or over sensitive company information are often given as reasons for caution or even to forego cooperation altogether. However, working with law enforcement need not be fearsome. With early planning, clear communications, and an understanding of law enforcement’s roles and responsibilities, law enforcement and private companies can partner successfully on cyber investigations.

Law enforcement’s role in cyber investigations

Law enforcement’s roles and responsibilities in a cyber incident vary depending on the nature of the incident, the suspected perpetrators, and the desires of the victim. Although every investigation is different, law enforcement agencies working on cyber investigations are trained to understand company concerns and to incorporate their needs into the investigation’s goals. Although a primary law enforcement goal is to protect public safety and national security, agencies have evolved to do this in a way that does not cause further harm to the victims of a cyberattack.

Why work with law enforcement?

The first question that may come to mind in the hours after a cyber incident is why a company should work with law enforcement at all. After all, it introduces another source of management challenges to an already difficult working environment. However, working with law enforcement can have significant benefits:

• Agencies can compel third parties to disclose data (such as connection logs) necessary to understanding
how the incident took place, which can help a company better protect itself.

• Investigators can work with foreign counterparts to obtain assistance that may be otherwise impossible.

• Early reporting to and cooperation with law enforcement will likely be favorably considered when a company’s response is subsequently examined by regulators, shareholders, the public, and other outside parties.

• Law enforcement may be able to secure brief delays in breach reporting requirements so that they can pursue active leads.

• A successful prosecution prevents the criminal from causing further damage and may deter others from trying.

• Information shared with investigators may help protect other victims, or even other parts of the same organization, from further loss and damage.

Effective partnership with law enforcement can be built into an overall response plan, especially when companies understand law enforcement’s priorities and responsibilities.

Law enforcement’s priorities and responsibilities

Law enforcement agencies, including the FBI and the U.S. Secret Service, prioritize conducting cyber investigations in ways that limit disruptions to a victim company’s normal operations. They work cooperatively and discreetly with victims, and they employ investigative measures that avoid computer downtime or displacement of a company’s employees. If they must use an investigative measure likely to inconvenience a victim, they try to minimize the duration and scope of the disruption.

Law enforcement agencies also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company’s interests is not needlessly disclosed and work with companies on timing. Law enforcement also has tools, including obtaining judicial protective orders, that can protect sensitive information from disclosure during investigations and prosecutions.

If an investigation is successful and an indictment is contemplated, prosecutors will consider victims among other factors when making charging decisions. If a particular charge would place sensitive company information at risk, for example, prosecutors may seek protections from the court or, if appropriate, use alternative charges that can reduce that risk, while still serving the overall interests of justice.

Sometimes, the best available course of action in a cyber investigation may not be pursuing an arrest of the perpetrator but rather disrupting the threat in some other way. For example, law enforcement has used combinations of civil and criminal tools to disrupt attacks from ‘botnets’ designed to steal financial information from companies and individuals. In other cases, pursuing the financial or technical infrastructure of a criminal organization will be the most effective strategy. Other tools may be available to the government that work best in a particular case. Whatever path is chosen, law enforcement’s aim is to consult regularly with victims to ensure that the path chosen advances, rather than harms, the interests of the victim as well as the public.

Best practices for preparing for work with law enforcement

Preparing to work with law enforcement is an essential part of incident planning. The full scope of such preparation goes beyond what this chapter can cover. The CCIPS Cybersecurity Unit has published a short guide entitled Best Practices for Victim Response and Reporting of Cyber Incidents, which covers this topic in greater detail. Some of the recommended preparations include the following:

• Implement appropriate technology, services, and authorizations. Investigations will be severely hampered if a business lacks key
cultivates information sharing that helps
victims and law enforcement.
Law enforcement agencies, including the
FBI and U.S. Secret Service, have established
regular outreach channels for companies
that may be victims of cyberattacks. These
include the following:
? FBI Infragard chapters and Cyber Task
Forces in each of their 56 feld offces
? U.S. Secret Service’s Electronic Crimes
Task Forces
? Computer Hacking and Intellectual
Property coordinators and National
Security Cyber Specialists in every U.S.
Attorney’s Offce
Incorporating these resources into your
planning can pay dividends in the hours
after you discover that you may be a victim
of an attack.
Victims may wonder which law enforce-
ment agency is best to call when they face a
cyberattack. Although agencies have differ-
ent areas of expertise, they work together to
ensure that there is ‘no wrong door’ for vic-
tims. As agencies follow leads and develop
information about the likely attacker, they
understand and can bring together expertise
from across the government to ensure that
the investigation is pursued aggressively
using all appropriate tools.
? What to expect when law enforcement
knocks on your door
Often, a company will not be the frst to
know that they have been the victim of an
intrusion or attack. Law enforcement may
discover additional victims as they investi-
gate an intrusion into a single entity. When
this happens, agencies typically reach out to
these additional victims directly.
A primary goal in such contacts is to
ensure that additional victims get the infor-
mation necessary to mitigate harms and
secure their systems. At the same time,
understanding the victim’s business, the
information that it processes, and its rela-
tionship with other entities can help agen-
cies better understand the relationship
information needed for law enforcement
to develop and pursue leads early.
• Ensure that intrusion detection systems and network logging tools are in place, as well as the banners and other legal authorizations necessary to use them.
• Identify the information, services, or systems that are most essential to your business operations. Knowing and communicating this information to law enforcement early in an investigation will be crucial to prioritizing early investigative steps.
• Determine who will work with law enforcement. Law enforcement may need essential information about your systems and what you have learned about the attack to pursue ephemeral leads. Designating a person or group as a principal liaison to law enforcement will ease this process and allow others in your company to focus on other immediate priorities. This person or group should be authorized to gather necessary information and communicate it to law enforcement agents.
• Ensure that legal counsel are familiar with key legal and technology issues. Cyber investigations often raise difficult legal issues relating to privacy and monitoring. Legal counsel who are familiar with your systems and with legal principles in this area will be able to navigate these issues with law enforcement counsel more quickly. These counsel can work with your company’s law enforcement liaison to ensure that information is collected and transferred lawfully and appropriately.
Calling authorities for assistance

Optimally, your first contact with law enforcement will not be in the throes of a crisis. Companies should establish relationships with their local federal law enforcement offices before they suffer a cyber incident. Having a point-of-contact and a pre-existing relationship with law enforcement facilitates any subsequent interaction that may occur if an organization needs to enlist law enforcement’s assistance. It also helps establish the trusted relationship that
? 240
INCIDENT RESPONSE
among a series of thefts and the possible motivations for a given cyberthreat.

Cyber intrusions are rarely isolated to a single victim, and law enforcement collects examples of common techniques and practices from cyberthreats that can assist victims in securing their systems. For example, knowing that a particular group of criminals enters systems through a common vulnerability but once inside patches the original vulnerability while introducing several more can be crucial information for victims. By the same token, knowing that a group is focused on a specific version of a common software package or is targeting a particular industry can help law enforcement narrow down a list of possible perpetrators.
Realities of cybercrime investigations

Not surprisingly, the realities of cyber investigations differ from their portrayals in movies and television. Agents are rarely, if ever, able to trace an intrusion in progress instantly, nor do they often identify a perpetrator from halfway around the world quickly. Instead, such investigations often require painstaking assessment of historical log files, a long-term understanding of key motivations of likely attackers, and collection of evidence using exacting legal processes.
Cooperation with law enforcement in the investigation

Robust cooperation with law enforcement in the early hours and days of an investigation is essential to success. Agents likely will have many questions about the intrusions and the overall configuration of the system. Beginning from the time the intrusion is discovered, companies should make an initial assessment of the scope of the damage, take steps to minimize continuing damage, and begin preserving existing logs and keeping an ongoing written record of steps undertaken. Such documentation is often essential to understanding the scope of the intrusion at the inception; it can also be essential much later in the prosecution, as companies assess damage and response costs for loss and restitution purposes.
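As an added example (not part of the chapter, and not a procedure prescribed by any agency), the following Python shows one way to do the two things the paragraph above asks for: preserve existing logs so that later analysis cannot silently change them, and keep a timestamped written record of each response step. The sample log lines, the directory names and the collector’s address are constructed for the example; in practice the copies would go to write-once or removable storage, and the manifest hashes would be quoted in the written record so that, months later, the company and the prosecutors can show the copies used for restitution calculations are the ones collected at the outset.

```python
"""Preserve logs as evidence and keep a written record of response steps.

Added example, not part of the chapter. Sample log files are constructed in a
temporary directory; nothing here depends on a real host.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample logs standing in for the originals on a victim host.
SAMPLE_LOGS = {
    "auth.log": "Jan 12 02:14:07 host sshd[411]: Accepted password for svc_backup from 203.0.113.9\n",
    "access.log": '203.0.113.9 - - [12/Jan/2015:02:15:30 +0000] "GET /export?all=1 HTTP/1.1" 200 8812211\n',
}


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_step(evidence_dir, actor, action):
    """Append one line to the running written record (who did what, when)."""
    entry = {"time": utc_now(), "actor": actor, "action": action}
    with open(os.path.join(evidence_dir, "response_record.jsonl"), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def preserve_logs(source_dir, evidence_dir, collector):
    """Copy every file under source_dir into evidence_dir, hash each copy and
    write manifest.json. Returns {relative_path: {"sha256": ..., "size": ...}}."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)      # keeps the original timestamps
            os.chmod(dst, 0o444)        # read-only: analysts work on copies of the copy
            manifest[rel] = {"sha256": sha256_of(dst), "size": os.path.getsize(dst)}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump({"collected_by": collector, "collected_at": utc_now(),
                   "files": manifest}, f, indent=2)
    record_step(evidence_dir, collector,
                f"preserved {len(manifest)} log files from {source_dir}")
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash the preserved copies against manifest.json.
    Returns the relative paths that are missing or changed; [] means intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        files = json.load(f)["files"]
    return [rel for rel, meta in files.items()
            if not os.path.exists(os.path.join(evidence_dir, rel))
            or sha256_of(os.path.join(evidence_dir, rel)) != meta["sha256"]]


def demo():
    """Collect the constructed logs, verify them, then show that a later edit
    to a preserved copy is detected. Returns (manifest, before, after)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "var_log")
    os.makedirs(src)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(src, name), "wb") as f:
            f.write(text.encode())
    ev = os.path.join(work, "evidence")
    manifest = preserve_logs(src, ev, collector="liaison@example.com")
    before = verify_evidence(ev)
    # Simulate someone appending to a preserved copy after collection.
    tampered = os.path.join(ev, "auth.log")
    os.chmod(tampered, 0o644)
    with open(tampered, "a") as f:
        f.write("Jan 12 03:00:00 host sshd[999]: edited after collection\n")
    after = verify_evidence(ev)
    record_step(ev, "analyst@example.com", f"integrity check flagged {after}")
    return manifest, before, after


if __name__ == "__main__":
    print(demo())
```

The written record is deliberately append-only and outside the investigator’s working copies: it is the document the liaison hands to agents on day one and the one the company relies on later when it totals response costs.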
When contacting law enforcement or communicating within the company, companies should avoid using systems suspected in the compromise. Such actions may provide a key tip to attackers that they have been discovered. To the extent possible, companies should use trusted accounts and systems for communication about the incident and be wary of attempts to gather information about the investigation via ‘social engineering.’
Network forensics and tracing

One way that law enforcement conducts investigations is through network forensics and tracing. Although it is occasionally possible to follow a “hot lead” when an attack is ongoing, investigations more often depend on a careful examination of network logs. Because company systems are often complex and interrelated, investigators must consult with the system administrators who are experts on critical systems to identify where information necessary to developing leads will be stored. Such consultations can prove difficult if all system personnel are working intently on rebuilding security or restoring critical systems.

Companies can help with this by reserving a few experts whose job it is to work with law enforcement and to identify critical logs and other information that can be used to identify leads for law enforcement. These experts will be particularly important if the threat is believed to be an insider who has stolen trade secrets or other sensitive information, because the most important evidence is likely to be on internal systems.
WORKING WITH LAW ENFORCEMENT IN CYBER INVESTIGATIONS

Working with outside counsel and private forensic firms

Companies experiencing a severe cyber incident often turn to outside legal counsel and private forensic firms to assist them. Such entities can provide substantial support and expertise, based upon their experience assisting other victims, and can guide companies through difficult legal and technical issues relating to system monitoring, response options, and breach notification. Having ready access to advice from lawyers well acquainted with cyber incident response can speed decision-making and help ensure that a victim organization’s incident response activities remain on firm legal footing.

An additional benefit is that legal and forensic firms often have established connections with law enforcement agencies and are familiar with the information that they will likely seek and understand the cyberthreats that they are investigating. Far from a replacement for law enforcement, these entities are often a crucial link between law enforcement and victims.

International issues

Because of the unbounded nature of computer networks and hence of cyberthreats, cyber investigations often cross international borders. A prime advantage of working with law enforcement on a cyberthreat investigation is that it has the tools and capabilities to broaden an investigation to include foreign partners and collect foreign evidence.

U.S. law enforcement agencies recognize the international opportunities and challenges and so have worked to build investigative and prosecution capabilities around the world. The U.S. and other countries have entered into international treaties, most prominently the Budapest Convention on Cybercrime, to ensure that there is an adequate legal foundation for investigations into cyberthreats. Investigative agencies have trained cyber agents who regularly work alongside their foreign counterparts on investigations.

Many times, direct police-to-police international cooperation will be the fastest way to get information necessary to advance an investigation. More formal processes, such as Mutual Legal Assistance requests, are used when evidence needs to be in a form usable in prosecutions. Although they are often slower than direct assistance, they provide an internationally recognized means for exchanging evidence.

If a suspect is identified overseas, law enforcement has a range of options to obtain justice for the victim. Extraditing the suspect to face charges in the U.S. is a traditional means, but the process can be lengthy, and many countries refuse to extradite their own nationals. In such cases, prosecutors in the U.S. may work with their counterparts abroad to ensure an appropriate prosecution in the suspect’s home country. Other options may be available depending on the case. Because these choices often implicate victim interests, prosecutors frequently consult with victims before undertaking major international investigative steps.

Victim rights and expectations

Victims of cyber incidents—including corporate victims—have established rights under federal law. The specific victim rights and the responsibilities of prosecutors and law enforcement are described in the Attorney General Guidelines for Victim and Witness Assistance (2012), which is available on the Department of Justice’s public website. Victim rights typically attach at the time that charges are filed, and include the following:
• the right to notice of public hearings in the prosecution
• the right to be reasonably heard at such hearings
• the reasonable right to confer with the attorney for the government
• the right to full and timely restitution as provided in law.

Beyond these mandatory rights, investigators and prosecutors in cyber cases strive to ensure cooperation with and support to the victim, to pass key information back to victims to support their security and recovery efforts, and to work to ensure that the victim is not further harmed by the investigation and prosecution.

Although law enforcement cannot disclose every aspect of an ongoing investigation, especially when such sharing may implicate other victims, companies should expect that law enforcement will communicate with them regularly. Information flow should not be a “one-way street” to law enforcement.
Legal considerations when working closely with law enforcement

As useful as it can be to cooperate with law enforcement, it is also crucial that companies understand and delineate their role in the investigation and exercise care before they take on roles that may effectively make them agents of law enforcement. For example, companies are generally permitted under U.S. law to monitor their own systems to protect their rights and property. Usually, that information can be shared with law enforcement once they arrive on scene. If law enforcement begins directing the response, however, different authorities and limitations typically apply.

The law relating to law enforcement monitoring is complex and goes beyond what can be discussed in this chapter. In general, companies should carefully delineate between actions undertaken by the provider for its own purposes and those undertaken at law enforcement’s behest. If possible, companies should set out the facts and their understandings relating to such monitoring in writing shared with the investigating agency. More information on this topic can be found in Chapter 4 of the Department of Justice’s manual Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, which is available from the Department’s website. In addition, a sample letter relating to company monitoring that can be used by company counsel is included as Appendix G of that manual.
Active defense, hacking back, and potential liabilities

Companies undergoing a cyber attack may be tempted to “hack back” and attempt to access or impair another system that appears to be involved in a cyber intrusion or attack. Although that temptation is certainly understandable in the heat of an incident, doing so is often illegal under U.S. and foreign laws and could result in civil or even criminal liability. Many intrusions and attacks are launched from already compromised systems, precisely to confuse the identity of the true actor. Consequently, hacking back may damage or impair another innocent victim’s system rather than that of the intruder.

This does not mean, however, that companies cannot engage in “active defense” within their own systems. For example, reacting to cyberattacks by changing network configurations or establishing “sandboxes,” in which companies place realistic but false data to distract intruders from more sensitive data, are active steps that can be taken to help defend systems. Law enforcement agencies can help identify other proactive steps that companies may be able to undertake to protect their systems.
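The “realistic but false data” idea above can be made concrete and, because it stays entirely within the company’s own systems, it carries none of the liability of hacking back. The following Python is an added example, not from the chapter: it seeds decoy customer records whose account ids carry an HMAC tag that only a holder of the key can verify, and then scans web-server access-log lines for any reference to a decoy. It goes a step beyond the text by adding the detection side: since no legitimate process ever reads a decoy, a hit is a high-confidence sign that someone is browsing or exporting data they should not, and the tag tells the defender which decoy (and so which sandbox or share) was touched. The key, the record fields, the id format and the log lines are all constructed for the example.

```python
"""Seeded decoy records and detection of their use.

Added example, not part of the chapter. The key, the record fields, the id
format and the access-log lines are all constructed for illustration.
"""
import hashlib
import hmac
import re

# Assumed: a secret held by the defenders only, never stored with the data.
DECOY_KEY = b"example-decoy-key-rotate-me"

# Decoy account ids look like ordinary ids (AC-nnnn-XXXXXXXX) but the last
# field is an HMAC tag over the index, so only a key holder can tell them apart.
ID_RE = re.compile(r"AC-(\d{4})-([0-9A-F]{8})")


def decoy_id(key, index):
    mac = hmac.new(key, f"decoy:{index}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"AC-{index:04d}-{mac.upper()}"


def make_decoys(key, count):
    """Realistic-looking but false customer records to seed into a sandbox share,
    a spare CRM table or an export directory. Nothing legitimate should read them."""
    return [{"account_id": decoy_id(key, i),
             "name": f"Customer {i:04d}",              # fictitious
             "email": f"customer{i:04d}@example.com"}
            for i in range(count)]


def which_decoy(key, text):
    """Index of the first genuine decoy id in text, or None. An id that merely has
    the right shape but a wrong tag is treated as a real record and ignored."""
    for m in ID_RE.finditer(text):
        idx = int(m.group(1))
        if hmac.compare_digest(m.group(0), decoy_id(key, idx)):
            return idx
    return None


def scan_log(key, lines):
    """Return [(line_number, decoy_index, client_ip)] for every access-log line
    that references a decoy record."""
    hits = []
    for n, line in enumerate(lines, 1):
        idx = which_decoy(key, line)
        if idx is not None:
            hits.append((n, idx, line.split(" ", 1)[0]))
    return hits


# Constructed web-server access log (Common Log Format). Lines 1 and 2 are
# ordinary lookups by a staff user; line 3 is an unauthenticated client
# reading decoy number 7 before pulling a bulk export on line 4.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [12/Jan/2015:09:15:30 +0000] "GET /crm/account/AC-0042-0BADF00D HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [12/Jan/2015:09:16:01 +0000] "GET /crm/account/AC-0043-CAFEBABE HTTP/1.1" 200 4990',
    f'203.0.113.9 - - [12/Jan/2015:02:15:30 +0000] "GET /crm/account/{decoy_id(DECOY_KEY, 7)} HTTP/1.1" 200 4880',
    '203.0.113.9 - - [12/Jan/2015:02:15:31 +0000] "GET /crm/export?all=1 HTTP/1.1" 200 8812211',
]


if __name__ == "__main__":
    for rec in make_decoys(DECOY_KEY, 3):
        print(rec)
    print(scan_log(DECOY_KEY, SAMPLE_ACCESS_LOG))
```

Two practical caveats: decoys only work if they are indistinguishable from real records to an intruder, so they should sit alongside genuine data rather than in an obviously separate place; and any internal job that legitimately enumerates the table (backups, indexers) will trip the detector, so those sources must be known and filtered before a hit is treated as an alarm.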
Conclusion

Effective cybersecurity and cyber investigations are essential to protecting company assets and public safety in our increasingly networked world. A close and respectful partnership between companies and law enforcement when cyberattacks occur is an important aspect of both. Planning for such cooperation in advance and carefully delineating the roles played by company representatives, law enforcement, and outside experts greatly enhances the likelihood of success.
Booz Allen Hamilton – Jason Escaravage, Vice President; Anthony Harris, Senior Associate; James Perry, Senior Associate; and Katie Stefanich, Lead Associate

Planning, preparation, and testing for an enterprise-wide incident response
Cyber incident management is happening at your organization right now. In fact, it’s happening every day, all day. Sometimes a cyber breach requires very little response; for example, it may be a benign attempt by a curious but harmless hacker to see if your network can be accessed. For large companies, this kind of attack can happen hundreds of times in a week. You probably never even hear about it from your IT department because those small incidents aren’t worth your attention. They are easily eradicated; usually, just deleting the malicious email is enough, so they hardly cause any irreparable harm.

But what happens when it is a not-so-small breach? What happens when your intellectual property is stolen, or your employees’ personal records are exposed? What if your e-commerce website goes down for a day? Those incidents you will hear about, and that moment is not the time to figure out what to do.

Of course, every situation has its own nuance, but at a foundational level, every organization, regardless of size, geographical location, or industry, must have an incident management plan, one that includes participation from organizations and staff throughout the enterprise.

Effective cyber incident management happens in phases; it is not just about a response. Planning and preparing, or “steady-state” activities, are just as important, if not more important, than responding to a breach. To truly be ready for any kind of cyber incident, organizations need C-level support for smooth incident management coordination. This is supported by a plan that is thorough, easy to understand, and widely tested.
The C-suite must understand and enforce organization-wide roles in cyber incident management. Everyone—corporate communications, legal, business unit leaders, and so on—has a role to play. They may not even know it, so it is important for leadership to stress their responsibility in these efforts.

In addition to collaborating with the CISO and truly understanding the incident management capability, stay on top of current cyber risks. They change all the time: phishing becomes spear-phishing becomes pharming, for example. Not only that, some are exclusive to certain industries. Product security risks differ from those in retail; retail differs from automotive. However, one thing is certain: all parts of the business have evolving cyber risks. By staying on top of cyber risks, you can incorporate them as part of your enterprise-wide risk management strategy. Which would do the most harm? Which are most likely? Anticipating and preparing for all kinds of cyberthreats doesn’t mean sitting on edge all the time. It requires simple demonstration of good steady-state behavior, which is the first phase of any incident management lifecycle and so a key section of an incident management plan.
Putting together the cyber incident management plan

Cyber incident management is constant; it happens in phases, and an actual incident lifecycle is only one part of it. Shown in Figure 1 is a full lifecycle for incident management.

This chapter will focus on the following:
• incident response responsibility for the C-Suite and the business
• key considerations for cyber incident management plans
• testing a plan
• enabling plan adoption across the enterprise

Incident response for the C-Suite and beyond

Cyber incident response is often thought of as an IT department function. This assumption could be a costly mistake. Businesses in their entirety are connected to the Internet. As such, a cyber breach can happen anywhere within the business, ranging in severity, complexity, and impact. Relying on the IT department alone to be ready for any manifestation of a cyber incident would be an unfair if not impossible expectation.

IT security, typically led by a chief information security officer (CISO), needs to be empowered by the C-Suite so they can coordinate cyber incident response activity among all the impacted organizations and staff; this requires the facilitation of good working relationships during non-crisis times. One way to do this is for the CISO and the CEO to connect on cybersecurity trends frequently. The CISO has responsibility for assembling the right team, making sure the right technology architecture is in place, and for reporting cybersecurity issues upward. In a show of partnership, C-level leadership should enable the CISO to improve the organization’s incident management capability.
Fill in the blank: During a major cyber breach, the first thing I do is _______
HINT: The answer is not to wait for instruction from the IT department.
If you can’t answer, imagine whether your legal department could. How about the HR department? Or the corporate communications team or VP of sales? They all should; they’re all impacted by cyber incidents, so they have a role to play.
If you are starting from scratch, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a good reference point. It was created in collaboration between the public sector and private industry.

FIGURE 1. Incident management lifecycle: Threat Intelligence; Prepare; Prevent; Event Lifecycle Management (Detect, Respond, Remediate); Stakeholder Communication & Crisis Communication.

There is a caveat, however: incident management lifecycles do not fit neatly into a calendar. They overlap, phases are repeated, and truly, “Preparation” and “Prevention,” or steady-state activities, are happening all the time, even in the midst of an incident.

When the steady-state activities are done well, it makes an organization resilient and better able to bounce back after a breach occurs.

Elements of planning

A good cyber incident management plan considers the whole enterprise, and it considers more than just the technical aspects of incident response. When planning for cyber incident management, responsibilities and activities can be organized and integrated by three categories: people, process, and technology (Table 1).

Each of these things should be considered in the context of your organizational philosophy to risk management. Policies that help mitigate risk—such as acceptable use policies and data handling policies—can be used as governing authority for cyber incident management planning.

Although an incident management plan starts with the CISO, the rest of the business units should follow suit. Drafting an initial plan requires substantial effort to integrate how people, process, and technology work together in harmony across the whole enterprise. And, once the plan is created, it requires consistent support from the C-level to ensure adherence by the whole organization. The plans must be tested and updated frequently to make sure they keep up with changes in threats, tools, and resources.

TABLE 1. Incident management planning by people, process, and technology

People
• In the main incident management plan, consider how the incident management team is structured and staffed. Is it composed of people already in your IT department or are there some roles that need to be filled? Staff should have the mix of skills necessary to orchestrate the strategic and technical sides of an incident response.
• Consider also the touchpoints from the IT department into the rest of the organization. Make sure you know who will provide you with the information you need to make critical decisions in the midst of an incident.
• Finally, keep in mind the partnerships internal and external to the organization—such as vendors and media—that must be built prior to an incident and that would enable the smooth coordination of incident response.

Process
• An incident management plan should include a process and procedure for every phase of the incident management lifecycle.
• The plan should be supported by runbooks, which are tactical guides that address specific incident scenarios most likely to affect your business. Make sure the processes are updated per a determined frequency to reflect evolving cyberthreats.

Technology
• Technology aids the incident response process—from vulnerability intake to understanding the security controls on your electronic assets to facilitating quick communication. At a basic level, there should be an automated process for incident handling; if your organization is still using manual incident tracking systems, you are overdue for a technology investment.
• Threat and vulnerability detection technology can mitigate the impacts of a cyber breach. Beyond the basics, more sophisticated data analytics tools provide complex, customized statistics that can help measure the business impact of a breach, among other capabilities.

Steady-state activities should be the heftiest part of your plan.
Your IT department is always monitoring your network, but you’d be surprised how often organizational cybersecurity relies on the human eye and manual processes. Your IT team could use your support to enhance their capability, for example:
• Automated tool development
• Asset management
• Threat detection ability
• Trend analysis
• Wargaming and tabletop exercises

Testing the plan

Short of being the victim of an actual intrusion, testing your incident response program is paramount to understanding how well your business would fare during a real incident. Many organizations pay for expensive tools, documentation, and consultation but are unable to replicate any of their strategies because they are not prepared to use them. Executives should understand that an incident response program with an always vigilant, always ready team is the greatest defense to a cyber intrusion and will reduce risk and increase confidence.

Assessing an organization’s incident response program can provide a clear vision into its future, showing what would happen if a cyberattack occurred and delivering insight into what works and what does not. There are several benefits to testing an organization’s incident response plan:
• Keeping the program relevant and at the forefront of cybersecurity: reducing risk and increasing executive confidence
• Understanding current knowledge and tool gaps
• Increasing work performance and efficiency to reduce cost and time spent resolving an incident.
Testing methods

Testing entails far more than just making sure employees are trained on tools and procedures; they have to be able to detect, contain, and remediate active incidents—real or fictional—and the only way to do that is by managing realistic situations. There are a variety of ways to provide scenarios that can test an organization’s incident response program.

Using a “red team,” or a group whose purpose is to simulate a cyber adversary, is a way to covertly test the response to an actual adversary. Only employees with a need to know will be aware of a red team’s activities, so to the organization’s incident responders, the scenario is treated like an actual incident (without the loss of capital). Results from these exercises can be shared with executives, providing an overview of strengths and weaknesses to tweak the program and try again.

Engaging specialized third parties to review an incident response program can validate program elements. It’s often said that a second set of eyes can find flaws in a document that the author overlooked. This same strategy can apply to an incident response program. Although many organizations have plenty of documentation surrounding their program, they rarely review or update it. The cybersecurity landscape changes every day, which leaves an under-reviewed program in an incomplete state, becoming more irrelevant as time passes. Employing specialized third parties to review an organization’s program on a regular basis can assist in maintaining an up-to-date, risk-averse program.

Strategic simulations, also known as war games, can simulate numerous possible situations in which the program will be applied. These scenarios ask participants to use their current technological and process knowledge to solve situations ranging from the exfiltration of organizational intellectual property to a large phishing campaign requesting employee information, to an enterprise-wide denial of service halting productivity, sales, or transactions. War games also help an organization to craft scenarios in which teams that do not typically communicate with one another have to cooperate to solve problems. This is especially helpful when senior leadership is involved: it helps illustrate major decision points and clarifies the business impact of various cyber breach scenarios.

Although developing, preparing, and implementing the incident response plan is essential, making sure all of that work is functional and as efficient as possible is vital to having a successful incident response program. By implementing tests such as red team exercises, war games, and regular reviews, an organization can understand what may happen if it is an unfortunate victim of a cyberattack and, maybe, through solutions implemented through test findings, prevent a real incident.

Internal and external communications planning

Once the plans have been written and tested, it’s important to keep up momentum and continued awareness about cyber risks. Just as the IT department is constantly engaged in cyber incident management, so too must the staff throughout the organization be, albeit with regard to their own personal role.

Enlist the help of your corporate communications department to help with cybersecurity awareness messaging that is tailored for all staff. Messaging should help employees stay attuned to cyberthreats that could affect them, as well as how they can play a part in keeping the organization secure. Keep in mind that “cyber” may not resonate with staff outside the IT department, which is why corporate communications can help craft the appropriate messaging.

In addition to internal messaging, make sure cyber incidents are incorporated into the organization’s crisis communications capability. Just as corporate communications would be on hand to protect the brand’s image during an emergency, they should similarly have a crisis communications plan for a cyber incident. As a part of that, ensure that the right spokespersons are media trained prior to an incident.

The inevitable cyber breach

It’s hard to estimate the cost of a cyber incident. Undoubtedly, the longer that business operations are affected—production is stalled, websites are down, IP is stolen, and so on—the higher the cost climbs. Having a plan that is pervasive enterprise-wide and uses a tested, all-staff approach can help resolve cyber incidents quicker. Given that cyberthreats are present all the time, an incident is all but inevitable. Fortunately, incident response planning can mitigate the impacts of such an event.
Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist

Detection, analysis, and understanding of threat vectors

Rapidly evolving cyberthreat landscape

Cybersecurity and cyberattacks are no longer emerging issues. Over the past three to five years, the complexity of cyberthreats has increased dramatically, and the nature of cyberattacks has evolved from the theft of financial data and intellectual property to include recent destructive attacks. Organizations now face increasingly sophisticated attacks from adversaries using multiple threat vectors and cunning strategies to penetrate the security perimeter.

Although the 2007 TJX data breach has long been assumed to be the turning point in boards of directors’ awareness of cybersecurity, it took the 2013 Target breach to have an impact on boards’ agendas. Faced with the possibility of loss of data and intellectual property, decreased shareholder value, regulatory inquiries and litigation, and damaged reputations, boards are realizing that cybersecurity is no longer just an IT issue but one of strategic risk.

Corporate directors understand that they must become more involved in addressing cyber risks; however, cybersecurity is a new and highly technical area that leaves many corporate boards uncertain as to how to proceed. Research from the Ponemon Institute reveals that 67 percent of board members have only some knowledge (41 percent) or minimal to no knowledge (26 percent) about cybersecurity. Although board members realize that they need to invest in cybersecurity, such a lack of knowledge is affecting their ability to respond to cybersecurity risk and provide proper oversight.

Understand the adversaries

Cybercrime is big business, and sophisticated cyber criminals are playing for high stakes. However, motivations among the groups may differ:
• Hacktivists often seek to damage the reputation of an organization and cause disruptions.
• Organized cyber criminals include international crime syndicates targeting organizations largely in the financial services and retail industries for financial gain. Although there are a number of players, this arena is dominated by loosely knit teams of attackers located in Eastern Europe.
• State-sponsored espionage threat actors deploy targeted malware in stealthy, multi-stage attacks, sometimes called advanced persistent threats (APT), targeting intellectual property. At risk is anything that may be of value, including business plans and contracts; trading algorithms; product designs and business processes; trade secrets; client data; lists of employees, customers, and suppliers; and even employee log-on credentials.
As attackers have sharpened their skills and expanded their techniques over the last couple of years, organizations are now facing a new challenge. Cybercrime has advanced to include cyber warfare and cyber terrorism as nation-state actors have moved from disruptive to destructive attacks.

Experts predict that cyberattacks will intensify as cyber criminals accelerate their activities. Organizations face a world of continuous compromise. It is no longer a question of whether the company will be breached, but when. Ponemon research, however, shows that board members generally lack knowledge about cybersecurity breach activity within their organizations. One in five, for example, was unaware if the organization had been breached in the recent past.

Although larger organizations are generally able to recover from a significant breach, providing that negligence is not a factor and excessive liability is avoided, sustaining operations over the course of two or more extended breaches would be considered a huge challenge. Clearly, cybersecurity has become an increasingly challenging risk that demands both corporate management and board attention. To provide the proper risk oversight, the C-level leaders and board members are advised to work closely with IT security leaders to examine the threat environment and how adversaries are attacking peer organizations.

Blurring lines of attack
It used to be that the tactics employed by Eastern European cyber criminals were relatively unique compared with those used by hackers deploying state-sponsored APT attacks to target intellectual property. Cybercrime experts are now seeing a blurring of the lines of attack, which has caused some forensics teams to misidentify the adversary. For example, researchers from two forensics firms investigated an attack on a global credit card processor for two months without success, convinced that it was an APT attack. It wasn’t until the firm brought in a new forensics team that they were able to identify the attack as originating from Eastern Europe and stop the breach.

Corporate espionage leads to company downfall
Cyberattacks aimed at stealing intellectual property can put a company out of business. A classic example involves Nortel, a telecommunications giant that was the victim of a decade-long low and slow attack wherein hackers used seven stolen passwords to extract research, business plans, technical papers, corporate emails, and other sensitive data. The attack was discovered by an employee who noticed unusual downloads that appeared to have been made by a senior executive. The company changed the compromised passwords but did little else beyond conducting a six-month investigation that yielded nothing. In the following years, the company reportedly ignored recommendations to improve network security. Analysts speculate that the extensive cyberattacks on the technology company ultimately contributed to its downfall. The company continued to lose ground to overseas competitors and ultimately declared bankruptcy.
Understand the threat vectors
The fast pace of cloud, mobile, virtualization, and emerging technologies presents opportunities to gain operational efficiencies, deploy innovative business models, and create new markets. However, as companies increasingly digitize valuable assets and move operations online, the risk from cyberthreats grows even greater. In today's digital world, employees are increasingly interconnected and use a variety of mobile devices, applications, and cloud platforms to conduct business in the office, at home, and on the go. Mobile applications, email, WiFi networks, and social media sites are just some of the vulnerable access points that attackers seek to exploit.
Not only are employees increasingly interconnected, but organizations are as well. Boards and corporate management must consider the extended attack surface and the potential security risks associated with third parties such as suppliers, transaction processors, affiliates, and even customers. Not to be overlooked are law firm partners, as they hold data relating to an organization's confidential operations and trade secrets.
Internal employees present at least as big an exposure for companies as external attackers do. There is increasing recognition that the activity of employees with privileged access and administrative rights must be monitored, controlled, and audited. Part of the concern is not only that employees may go rogue and become insider threats, which certainly has to be considered, but that hackers target the credentials of system administrators because those credentials grant unfettered system access. To limit what a compromised credential can do, organizations should implement the principle of least privilege for employee digital rights, especially for those with administrative rights.
Determined attackers use a variety of approaches to exploit system vulnerabilities and penetrate virtually all of a company's perimeter defense systems. Threat vectors used to compromise an organization include network intrusions, compromised websites and web applications, malware, targeted "spear phishing" and other email attacks, Trojans, zero-day exploits, social engineering tactics, and privilege misuse. The dynamic nature of these threats presents ongoing challenges to companies and boards, as every plausible threat vector must be addressed.
Detect advanced threats
Like any business risk, cybersecurity risk must be calculated and then mitigated through the use of specific types of controls, such as firewalls, antivirus, intrusion detection, and similar solutions. However, no network is so secure that hackers won't find their way in. Once in, they can go for months, even years, without detection. Because deeply embedded hackers can be extremely difficult to eradicate, the challenge is to detect these threats as soon as possible. Unfortunately, organizations are hard pressed to match resources with cyber criminals. As in a game of "whack-a-mole," once organizations get on top of one type of attack, the cyber criminals simply evolve their tactics.

Questions to ask about risk
• Who are our most likely intruders?
• What is the biggest weakness in our IT systems?
• What are our most critical and valued data assets? Where are they located?
• Do we consider external and internal threats when planning cybersecurity programs?
• Do our vendor partners have adequate security measures? Do we have sufficient contractual clauses regarding such security?
• What are best practices for cybersecurity? Where do our practices differ?
• Have we created an incident response plan?

INCIDENT RESPONSE
A solid cybersecurity governance program is vital to getting ahead of cybercrime. Unfortunately, there is a gap in the perception of governance effectiveness between board members and security professionals. Ponemon research indicates that 59 percent of board members believe their corporation's cybersecurity governance practices are very effective, whereas only 18 percent of security professionals believe so. This gap in perspective has to be closed if organizations are to improve their ability to face increasingly stealthy and sophisticated cyber risks.
Robust, constant monitoring is key to detection
The saying "You don't know what you don't know" is especially true in cybersecurity. Robust, constant network monitoring is vital to uncovering threats. Any number of solutions are available that enable organizations to monitor network activity. Because the volume of network traffic, combined with increasingly complex networks, defies manual threat analysis, many organizations rely on the automated threat-detection capabilities of numerous disparate solutions. However, overreliance on technology alone to address security threats can cause organizations to lose sight of the bigger threat picture.

Organizations also jeopardize their ability to detect advanced threats by failing to fully integrate security solutions into the entire network defense infrastructure. Often security technologies are deployed with default settings, producing large numbers of false-positive alerts that bury the real ones. Many times organizations overlook the human element. Organizations cannot depend on technology alone to defend networks. Detecting advanced threats requires a risk management program that includes technology, people, and processes. Board members should ensure that security budgets include funding for security experts who can understand the risk, interpret the alerts, and act on the intelligence.
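The tuning and correlation the paragraph above calls for can be shown concretely. The following Python is an added example, not code from the Guide or from any monitoring product: it reads a constructed batch of alerts, drops a signature the team has already reviewed as benign, and escalates a host only when it raised a high-severity alert or several distinct detections inside a short window, so that a single noisy rule cannot drown out a real intrusion. The alert format, hostnames, and signature names are invented for the example.

```python
"""Alert triage with suppression and per-host correlation.

Added example (not from the Guide or any vendor product): the alert format,
hostnames and signature names below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, one per line: timestamp|host|signature|severity
SAMPLE_ALERTS = """\
2015-11-27T09:00:02|pos-0231|ET POLICY Default Agent String|low
2015-11-27T09:00:05|pos-0231|ET POLICY Default Agent String|low
2015-11-27T09:01:10|ws-finance-12|Suspicious PowerShell encoded command|high
2015-11-27T09:03:44|ws-finance-12|Outbound connection to newly registered domain|medium
2015-11-27T09:12:09|ws-finance-12|Credential dumping tool signature|high
2015-11-27T09:20:00|pos-0231|ET POLICY Default Agent String|low
2015-11-27T10:05:13|srv-file-03|Outbound connection to newly registered domain|medium
2015-11-27T10:20:13|srv-file-03|Scheduled task created by non-admin user|medium
"""

# Signatures the team has reviewed and tuned out as benign in this environment.
# Tuning is what turns a default deployment into one analysts can actually read.
SUPPRESSED = {"ET POLICY Default Agent String"}


def parse_alerts(text):
    """Parse the constructed pipe-delimited format into dicts."""
    alerts = []
    for line in text.splitlines():
        ts, host, sig, sev = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "sig": sig, "sev": sev})
    return alerts


def triage(alerts, window=timedelta(minutes=30), min_distinct=2):
    """Return (escalated, suppressed_count).

    escalated maps host -> reason. A host is escalated when it raised any
    high-severity alert, or when at least `min_distinct` different
    (non-suppressed) signatures fired on it within `window`. Repeats of a
    single low-value signature are not enough on their own."""
    suppressed = 0
    by_host = defaultdict(list)
    for a in alerts:
        if a["sig"] in SUPPRESSED:
            suppressed += 1
            continue
        by_host[a["host"]].append(a)

    escalated = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda a: a["ts"])
        if any(e["sev"] == "high" for e in evs):
            escalated[host] = "high-severity alert"
            continue
        # Sliding window anchored at each alert: distinct signatures that
        # fired within `window` after it.
        for i, anchor in enumerate(evs):
            sigs = {e["sig"] for e in evs[i:] if e["ts"] - anchor["ts"] <= window}
            if len(sigs) >= min_distinct:
                escalated[host] = f"{len(sigs)} distinct detections within {window}"
                break
    return escalated, suppressed


if __name__ == "__main__":
    esc, dropped = triage(parse_alerts(SAMPLE_ALERTS))
    print(f"suppressed {dropped} alerts")
    for host, why in esc.items():
        print(f"ESCALATE {host}: {why}")
```

On the sample data the point-of-sale host that only repeats the tuned-out signature never reaches an analyst, while the file server is escalated on correlation alone even though none of its individual alerts rated above medium.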
Anticipate attacks
Today's threat actors conduct detailed reconnaissance and develop custom malware in an effort to penetrate networks. It is difficult to know when an attack will happen. A dynamic threat intelligence capability helps ensure that organizations can anticipate breaches before they occur and adjust their defensive strategies.

Widespread sharing of threat intelligence among security professionals can empower organizations to detect threats more efficiently and effectively and avoid cyberattacks. At one end of the threat intelligence spectrum are indicators of compromise (IOCs). Integrated from several sources and typically shared through an automated, continuous, real-time threat intelligence data stream, IOCs provide information on the malicious code and malicious web pages that hackers are using.

At the other end of the threat intelligence spectrum are threat advisories, which provide big-picture analysis of current security issues posing risks to enterprises. Such advisories typically feature an overview of the threat, a risk assessment, indicators, and mitigation strategies.

Dismissed security alerts lead to massive breach
A large retailer became the victim of a major data breach. The retailer had invested hundreds of millions of dollars in data security, had a robust monitoring system in place, and had been certified as PCI compliant. Despite the investment, the company failed to completely deploy and tune the monitoring system. The system could have been configured to remove malware automatically, but because the software was new and untested, the feature was deactivated. A small amount of hacker activity was surfaced to the security team, evaluated, and acted on; however, the team determined it didn't warrant further investigation. Several subsequent alerts were either ignored or lost in the noise of hundreds of false-positive alerts. It wasn't until the Department of Justice warned the company about suspicious activity that the retailer began investigating.
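What "integrating" an IOC feed means in practice is a sweep of the organization's own logs against the indicators. The Python below is an added example, not from the Guide: it takes a small constructed feed (a domain, an address range, a URL pattern, and a file hash) and matches it against constructed proxy log lines, then groups hits by internal client so the response team gets one line per host to investigate. Addresses and hostnames use reserved documentation ranges and .example names; the hash is the well-known SHA-256 of the empty string standing in for a malware hash.

```python
"""Sweep local proxy logs against a shared indicator-of-compromise feed.

Added example, not from the Guide: the feed entries, log lines, addresses and
hostnames are constructed (RFC 5737 documentation ranges and .example names)."""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC feed. Real feeds arrive as STIX/CSV/JSON; the shape is what matters.
IOC_FEED = [
    {"type": "domain",   "value": "update-cdn-static.example", "source": "ISAC advisory"},
    {"type": "ipv4-net", "value": "203.0.113.0/24",            "source": "law enforcement"},
    {"type": "url-re",   "value": r"/gate\.php\?id=\d+",       "source": "vendor feed"},
    # well-known SHA-256 of the empty string, standing in for a malware hash
    {"type": "sha256",   "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "vendor feed"},
]

# Constructed proxy log: ts client dest_ip host path sha256_of_response(or -)
PROXY_LOG = """\
2015-11-27T09:01:11 10.20.4.17 198.51.100.8 www.example.org /index.html -
2015-11-27T09:03:45 10.20.4.17 203.0.113.77 update-cdn-static.example /gate.php?id=8812 -
2015-11-27T09:04:02 10.20.4.17 203.0.113.77 cdn.update-cdn-static.example /dl/installer.bin e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2015-11-27T10:05:14 10.20.9.3 192.0.2.44 files.example.net /gate.php?id=1 -
2015-11-27T10:07:00 10.20.9.3 192.0.2.44 files.example.net /static/app.js -
"""


def compile_feed(feed):
    """Pre-process indicators so matching is cheap per log line."""
    compiled = {"domain": set(), "ipv4-net": [], "url-re": [], "sha256": set()}
    for ioc in feed:
        t, v = ioc["type"], ioc["value"]
        if t == "domain":
            compiled["domain"].add((v.lower(), ioc["source"]))
        elif t == "ipv4-net":
            compiled["ipv4-net"].append((ipaddress.ip_network(v), ioc["source"]))
        elif t == "url-re":
            compiled["url-re"].append((re.compile(v), ioc["source"]))
        elif t == "sha256":
            compiled["sha256"].add((v.lower(), ioc["source"]))
    return compiled


def match_iocs(compiled, log_text):
    """Return a list of hits: (timestamp, client, ioc_type, indicator, source)."""
    hits = []
    for line in log_text.splitlines():
        ts, client, dest, host, path, digest = line.split()
        host = host.lower()
        for dom, src in compiled["domain"]:
            # exact host or any subdomain of the indicator
            if host == dom or host.endswith("." + dom):
                hits.append((ts, client, "domain", dom, src))
        dest_ip = ipaddress.ip_address(dest)
        for net, src in compiled["ipv4-net"]:
            if dest_ip in net:
                hits.append((ts, client, "ipv4-net", str(net), src))
        for rx, src in compiled["url-re"]:
            if rx.search(path):
                hits.append((ts, client, "url-re", rx.pattern, src))
        if digest != "-":
            for h, src in compiled["sha256"]:
                if digest.lower() == h:
                    hits.append((ts, client, "sha256", h, src))
    return hits


def hosts_to_triage(hits):
    """Group hits by internal client so the response team gets one line per host."""
    by_client = defaultdict(set)
    for _, client, ioc_type, indicator, _ in hits:
        by_client[client].add(f"{ioc_type}:{indicator}")
    return {c: sorted(v) for c, v in by_client.items()}


if __name__ == "__main__":
    found = match_iocs(compile_feed(IOC_FEED), PROXY_LOG)
    for client, indicators in hosts_to_triage(found).items():
        print(client, "->", ", ".join(indicators))
```

Note the difference in evidential weight: the finance workstation matches four independent indicator types and goes to the top of the list, whereas the second client matches only a URL pattern, which is exactly the kind of single hit a threat advisory would tell you to confirm before acting on.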
Build board cyber literacy
As boards become more involved in cybersecurity, they should address cybersecurity risk as they would other types of business risk. To be effective in leading their organizations with the right knowledge, oversight, and actions, boards need a base level of understanding of the cybersecurity risks facing the organization. However, organizations are challenged with how best to build this board cyber literacy.

Many boards already have some form of oversight of cyber exposure, generally in the audit committee or in risk committees specifically tasked with enterprise IT security and emerging risks. To gain a deeper understanding of the relevant issues surrounding cyber risk, some organizations are adding cyber expertise directly to the board by recruiting new directors. However, because nominating and governance committees must balance many factors in filling board vacancies, there is a concern that it may take a long time for boards to achieve the proper composition.

In addition to board composition, directors point to a lack of available time on the agenda to discuss cybersecurity as a roadblock to becoming cyber literate. Although board members are not expected to be cybersecurity experts, they need access to expertise to help inform boardroom discussions. Ways to bring knowledgeable perspectives on cybersecurity matters into the boardroom include the following:
• Periodic briefings from in-house specialists
• "Deep dive" briefings from third-party experts, including cybersecurity firms, government agencies, and industry associations
• Guidance from the board's existing external auditors and outside counsel, who will have a multi-client and industry-wide perspective on cyber risk trends and on how the organization's cyber defense program compares with others in the industry
• Director education programs, whether provided in house or externally
• Periodic exercise of the incident response plan, including board members.
Empower the chief information security officer
Boards have a responsibility to manage cyber risks as thoroughly as possible. One critical element in providing effective oversight is to empower the chief information security officer (CISO) to drive security throughout the organization. In many organizations the CISO's role is subordinate to that of the chief information officer (CIO). Directors should be mindful that the agenda of the CIO is sometimes in conflict with that of the CISO. Whereas the CISO is focused on data and network security, the CIO is focused on supporting business processes with applications and networks that have high availability.

Recognizing that business strategies that lack a security component increase vulnerabilities and place the organization at risk, the CISO must have a strong, independent voice within the organization. To accomplish this, the board must ensure that the CISO reports at the appropriate level within the organization. Although there is no single right answer, the trend has been to migrate reporting lines to other officers, including the general counsel, the chief operating officer, the chief risk officer, or even the chief executive officer, depending on the industry, size, and scope of the company and the organization's dependency on technology.
Conclusion
The threat landscape is rapidly evolving as well-funded cyber criminals continue to launch increasingly sophisticated attacks through multiple threat vectors. Cybersecurity will continue to pose a serious risk that demands corporate management and board attention and oversight. Boards that fail to actively measure and continuously monitor cybersecurity as part of the organization's strategy will leave their firms open to significant financial, reputational, and competitive risk.

The overwhelming number of cyber incidents has forced board members to become more involved in cybersecurity, which is as it should be. However, to be effective, much education is still needed. Board members don't need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and provide the support that IT security professionals need to protect against those risks.
Questions to ask about cyber literacy and CISO empowerment
• Are we considering the cybersecurity aspects of our major business decisions, such as mergers and acquisitions, partnerships, and new product launches?
• Are we allocating enough time for cybersecurity on the board agenda?
• Are we continuously monitoring and regularly reporting on governance compliance, maturity level, progress of information security and data privacy projects and activities, and the status of incidents, risks, and issues within the organization? Are these reports used for active oversight?
• Do we have clear lines of accountability and responsibility for cybersecurity?
• Is the information security management function organizationally positioned at the appropriate level to effectively implement policies?
• Is the cybersecurity budget adequate? Are we investing enough so that we are not an easy target for a determined hacker?
Forensic remediation
Fidelis Cybersecurity – Jim Jaeger, Chief Cyber Strategist, and Ryan Vela, Regional Director, Northeastern North America Cybersecurity Services

When a data breach occurs, directors and C-level executives must be ready with an incident response and remediation plan to minimize the damage, limit the company's liability and exposure, and help the company resume normal operations as quickly as possible. Incident response preparedness, however, varies greatly. Although some organizations are well prepared, even companies that have invested millions of dollars in preventive and detection systems sometimes fall short in responding to and remediating data breaches. Frequently, it is because the organization hasn't fully developed the relationships and processes necessary for rapid and coordinated response.

Companies that have been compromised must act quickly to investigate and remediate the breach while preserving all electronic evidence. Ascertaining what data were lost, destroyed, or stolen is paramount because it enables companies to determine their risk exposure and potential liability. Beyond digital forensic preservation, investigation, and containment, the complexities of breach remediation require notification of a broad range of third parties and engagement with law enforcement. By engaging breach resolution experts that provide forensics services, litigation support, and crisis communications, organizations can more effectively combat today's sophisticated cyberthreats.

Assemble a cross-functional response team
Effective investigation and remediation of a data breach requires an understanding of the cyber adversary and specialized forensic skills that most IT staffs lack. When a company that does not have its own internal security team experiences a cyberattack, it is vital that the firm hire experts who are experienced in digital forensics, incident response, and remediation. Engaging an independent and impartial breach response firm:
• provides the technological expertise and industry knowledge to fully remediate the incident
• ensures integrity in incident response and creates a defensible record of investigation and remediation
• enables the organization to maintain and secure attorney-client privilege for the reports and other investigative documents.
Breach response also requires that an organization have a well-prepared internal incident response team. Companies that suffer a breach without having established such a team often waste valuable time trying to get organized and assign responsibilities, stalling the remediation process. The team should include representatives from IT, security, legal, compliance, communications, risk management, and the affected business units. In addition, it is important to involve a member of the executive leadership team to ensure that business considerations are addressed and to maintain remediation momentum by securing rapid approval of courses of action when needed.
Engage outside legal counsel
The legal ramifications of a data breach can be devastating, ranging from litigation and regulatory investigations to civil liability, including shareholder and customer lawsuits. Because inside counsel typically lacks the specialized cyber expertise needed for effective breach response, it is vital that an organization identify, vet, and retain outside counsel that can respond on a moment's notice. The benefits of outside counsel include the following:
• Specialized skill sets: cyberattack investigations require a team of lawyers with regulatory, data-breach response, privacy, litigation, and eDiscovery expertise; outside counsel brings the specialized skills and credentials that internal teams lack.
• Law enforcement liaison: outside counsel serves as liaison with law enforcement, such as the Secret Service, the Federal Bureau of Investigation, and the Department of Justice.
• Attorney-client privilege: engaging outside counsel secures the privilege needed to protect internal communications from discovery by an opposing party during pretrial investigation and from being used as evidence at trial; invoking privilege also allows the forensic firm to report breach results directly to the law firm.
• Leadership advice: the leadership of any organization falling victim to a data breach instinctively seeks to minimize costs and take shortcuts in incident response; by quarterbacking the investigation and remediation, outside counsel often proves invaluable in providing a strategy and helping C-level leadership and directors hold to the course of action.
Control breach communications
Ultimately, all communications about the breach have the potential to leave an organization open to legal liability. Outside breach counsel should therefore oversee all breach communications. This includes facilitating conversations between members of the incident response team and organizing external communications.

Internally, getting the right information to the right people at the right time can make or break breach response efforts. When members of the response team are working with incomplete, inaccurate, or different sets of information, the result can be costly inefficiencies, delays, and errors in breach response. Outside counsel is well positioned to know the types of conversations that must happen between incident response team members to keep efforts on track. Similarly, breach counsel knows what hazards are likely to arise with external communications.

It is also vital that organizations engage a crisis communications firm to handle all external communications. Because such communications have lingering effects, positive or negative, it is important that all communications be carefully composed and carry the right tone.
Just as important, there is nothing worse than having to publicly recant information. In deciding whether to release a statement, organizations should consider the following:
• Is there accurate information to report? Executives, feeling pressure to go public, may disclose key facts only to retract the statement at a later date. Waiting until a report from an external forensic response firm has been reviewed can help organizations maintain accurate communications.
• Is disclosure within a specific timeframe required? The timing of disclosures is often dictated by statutory and regulatory requirements. Several state breach laws, for example, require notification upon discovery or without unreasonable delay. Here, outside counsel can often be invaluable in providing justification to delay an announcement until the facts are solid.
• Has the incident been leaked? However it occurs, a leak to journalists or postings in the blogosphere can accelerate a company's disclosure timeline. It is critical that firms experiencing a breach prepare and pre-coordinate a contingency announcement in case their hand is forced. Crisis communications firms also have the media relationships that enable the rapid response necessary in these situations.
Partner with law enforcement and seek their assistance
Seeking assistance from law enforcement can be extremely valuable in data breach investigations because these agencies continuously follow the digital trail of cybercrime. Law enforcement can play a vital role by providing indicators of compromise (IOCs) observed in similar breaches that may be linked, giving the incident response and forensic team key data to search for and fill in missing pieces of the investigation. Attributing a single breach to a specific attacker or hacker organization is often difficult, but when the IOCs provided by law enforcement across multiple hacks are taken together, this task often becomes much easier.

Involving law enforcement is also prudent in that cyber criminals routinely hide behind borders, and bringing them to justice remains a challenge. The U.S. government is increasingly partnering with foreign governments and international law enforcement agencies in efforts to prosecute malware creators and those engaged in cybercrime. If there is any indication that the investigation may have an international aspect, federal law enforcement may be able to expedite the investigation. Law enforcement's expertise in gathering evidence and conducting forensic analysis can be leveraged to ensure that the data can be used in future court proceedings. Also, in some cases, organizations may be able to delay notification if notifying would impede or interfere with a law enforcement investigation.

Vetted investigation report vital to external communications
When faced with a data breach, the instinct is often to go public as quickly as possible to get ahead of the situation. However, to avoid public announcements backfiring and making an already bad situation worse, leadership would do well to wait for confirmation of breach status from the incident response team. On occasion, the response team even gets to give its client good news. A case in point is a large blood donor system involving multiple hospitals and universities. The organization was maintaining a database of 90,000 donors when it noticed indications of hacker activity in the network.

Already under media pressure for a physical loss of sensitive data, leadership was understandably concerned about reducing negative publicity by being proactive in its communications. They agreed to give the response team the time needed to conduct an investigation, and fortunately so: it was determined that the indicators were actually false-positive alerts. By syncing the communication cycle with the progress of the investigation, the organization was able to avoid falsely alerting 90,000 donors that their data was at risk.
Alert industry regulators
Threat actors neither attack one institution at a time nor change their methods quickly. They often use the same techniques on multiple institutions in multiple sectors. With the increasing number of data breaches comes a renewed push for the sharing of cyber risk information between the United States government and the private sector to help individual organizations, and industries as a whole, better defend against attacks. Because of their position in the industry, regulators can be an important source of information on cyber threats, attacks, and trends. Information sharing and analysis organizations have made a resurgence, and organizations can benefit by seeking their aid for insight on indicators of compromise during a data breach.

Regulatory investigations have the potential to represent a significant challenge in terms of money, time, resources, and distraction. Because regulators will have to be satisfied that the data breach has been completely resolved, organizations should engage with regulators as early as possible during the remediation process.
Notify insurance providers
After a data breach, organizations can expect to see significant costs arising from forensic investigations, outside counsel, crisis communications professionals, data breach notification expenses, regulatory investigations and fines, lawsuits, and remedial measures. Such costs can quickly reach tens of millions of dollars in a few weeks.

Once an incident is determined to be a breach, it is important to engage with the firm's insurance providers to evaluate the insurance coverage, determine which existing policies may cover the event, and identify the necessary reporting requirements.

One of the challenges with cyber insurance is the lack of standardization in terms of coverage. Broadly, most policies cover the initial incident response and investigation. Few, however, cover remediation. Because the policies vary widely, general counsel and outside counsel have to understand the details of the policies to tailor an incident response approach that maximizes the coverage. Here, the outside forensics response team can also be invaluable in helping organizations to articulate and justify cyber insurance claims.

Collaboration with law enforcement takes down hacking ring
Monday mornings can hit hard for many people, but for a major payments processor, one particular Monday morning packed a punch. In a brazen move, a global network of thieves had breached the processor's network. As a result of the hack, the gang was able to generate debit cards and crack the ATM PIN codes. Once that was done, the gang withdrew millions of dollars over the weekend.

By acting on information provided by the FBI, the forensic team was able to uncover additional details about the breach and advance the investigation to the point of identifying the culprits. Through cooperation from various law enforcement agencies worldwide, the investigation broke the sophisticated computer hacking ring and, for the first time, resulted in a Russian court convicting hackers for cybercrimes committed in the United States via the Internet.
Conduct complete, focused digital forensics analysis
When a data breach occurs, organizations need answers fast: Who was involved? How did they do it? What data was compromised? What are the risks? The answers depend on forensic analysis of digital evidence. Further, proper preservation of digital evidence is crucial to demonstrate to regulators that reasonable security controls are in place or to prove wrongdoing in a criminal prosecution. However, organizations all too often are thrown into panic. Hasty decisions are made and evidence is lost. Here, directors should look to outside counsel for guidance. Their experience and focus on minimizing legal liability make their advice about what should be considered evidence, and thus preserved, invaluable.

In the course of their forensics efforts, organizations typically encounter two challenges:
• Limited scope of forensics. Many times organizations fail to look beneath the surface in the hope that a simple review will fix the problem. Alternatively, they may limit the scope of the investigation to mitigate the high cost of forensics. Such actions may fail to uncover the true cause and extent of the breach. By examining all potentially compromised systems, organizations can reduce the risk of overlooking exposed system components.
• Improper handling of evidence. A company's internal IT staff may compromise the evidence even before forensic experts can preserve it. Organizations must ensure that the internal IT staff is mindful of proper evidence-handling protocol.
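The two challenges above have a technical counterpart: evidence is only defensible if someone can later prove it is the same data that was collected. The Python below is an added example, not tooling from the authors or from Fidelis: it hashes each collected item, records who collected it and when in a manifest that is itself hashed, and then shows verification catching both a log file that was "tidied up" by IT staff after collection and an edit to the manifest itself. The case identifier, collector name, and sample files are constructed; a real collection would image whole volumes and memory rather than two small files.

```python
"""Evidence preservation: hash what is collected, record it in a manifest,
and prove later that nothing was altered.

Added example, not the authors' own tooling. The case identifier, collector
name and sample files are constructed; real collections would image whole
volumes and memory, not two small files."""
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _digest(manifest_without_seal):
    """Canonical hash of the manifest body (sorted keys, so order cannot drift)."""
    body = json.dumps(manifest_without_seal, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def build_manifest(paths, collector, case_id):
    """Record path, size and hash of each item plus who collected it and when.
    The manifest is itself hashed so the record can be countersigned and
    stored away from the evidence (for example, handed to outside counsel)."""
    entries = [{"path": os.path.abspath(p), "size": os.stat(p).st_size,
                "sha256": sha256_file(p)} for p in sorted(paths)]
    manifest = {"case_id": case_id, "collector": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "entries": entries}
    manifest["manifest_sha256"] = _digest(manifest)
    return manifest


def verify_manifest(manifest):
    """Return {'manifest_ok': bool, 'changed': [paths that no longer hash as recorded]}."""
    unsealed = dict(manifest)
    recorded = unsealed.pop("manifest_sha256", None)
    if recorded != _digest(unsealed):
        return {"manifest_ok": False, "changed": []}
    changed = [e["path"] for e in manifest["entries"]
               if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]]
    return {"manifest_ok": True, "changed": changed}


def demo():
    """Collect two constructed files, then show what verification reports
    after (a) nothing changes, (b) IT staff 'tidy up' a log after collection,
    and (c) someone edits the manifest itself."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "access.log")
    dump = os.path.join(d, "memory.dmp")
    with open(log, "w") as f:
        f.write("2015-11-27 09:03 GET /gate.php?id=8812\n")   # constructed content
    with open(dump, "wb") as f:
        f.write(os.urandom(4096))
    manifest = build_manifest([log, dump], collector="analyst-1", case_id="IR-2015-001")

    clean = verify_manifest(manifest)
    with open(log, "a") as f:                      # post-collection modification
        f.write("entry removed by helpdesk\n")
    after_edit = verify_manifest(manifest)
    tampered = copy.deepcopy(manifest)
    tampered["collector"] = "somebody-else"        # altered chain-of-custody record
    after_manifest_edit = verify_manifest(tampered)
    return {"clean": clean["changed"],
            "after_edit": [os.path.basename(p) for p in after_edit["changed"]],
            "manifest_intact": clean["manifest_ok"] and after_edit["manifest_ok"],
            "tampered_manifest_detected": not after_manifest_edit["manifest_ok"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest hash would be countersigned or time-stamped by a second party at collection time; a hash that only the collector holds proves integrity, not custody.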
Focus on aggressive remediation
When an organization experiences a data breach, it is often difficult to determine the nature of the attack cycle and the pathways of attack, as hackers disperse their tools throughout the network. This is especially true in advanced persistent threat attacks, in which malware can remain dormant and undetected for months. The remediation phase is therefore critical to remove malware from infected hosts and prevent recurrences of the same or similar breaches.

At one end of the remediation spectrum is sequential eradication. Here, incident responders work to eliminate malware as soon as it is discovered. This traditional approach has the benefit of lower cost and a reduced risk of data loss. However, the drawback is that the organization forfeits the opportunity to learn about the hacker's tactics and runs the risk of retaliation. Also, attackers may go quiet, making it more difficult to find their tools and requiring that forensic investigators shift their efforts to eradication.

At the other end of the spectrum is aggressive remediation, in which all remediation actions are executed simultaneously across the entire network. If executed properly, aggressive remediation precludes the hacker from detecting and reacting to the remediation actions. This approach is called for when an organization experiences repeated breaches by the same advanced attackers or a breach has gone undetected for weeks or months. Aggressive remediation provides a better understanding of the attacker's tools, tactics, targets, and motivations. Because this method removes all traces of the attacker's tools, threats, and vulnerabilities, including the attacker's ability to re-enter the network, it minimizes retaliatory risk.

This approach allows the attacker to remain active in the network during the investigation. Should they become aware of forensic activities, they could move quickly to a destructive attack. Special forensic skills, extensive planning, and sophisticated execution are therefore required to avoid interfering with or alerting the attacker to the forensic efforts underway, as well as to minimize the potential for damage and data loss.
The critical importance of network monitoring
If determined attackers want to get in, they will find a way. The real question is whether the organization will detect the breach. Unfortunately, the answer is, "Probably not." Advanced, targeted attacks focus on quiet reconnaissance and infiltration of the victim's network. Professional cyber criminals are so adept at cloaking their activities that they routinely go unnoticed for months, even years.

Although defense-in-depth has long been hailed as a best practice, organizations are now urged to improve their ability to detect attacks that have succeeded. Robust network monitoring is a strategically important element of IT security and is crucial to determining whether anything was stolen. By employing robust network monitoring, organizations can maintain control, limit the damage, and plan an appropriate response.
Summary

Organizations have reached a pivot point, realizing that it is no longer a question of whether the firm has been hacked but an assumption that it has. Faced with the new reality of operating the business while potentially executing incident response activities, organizations are placing a priority on robust network monitoring to detect the extraordinarily complicated threats hidden in the network. Once identified, these threats demand a host of remediation responses that include forensic preservation, containment, expulsion, and remediation. Responding to a major breach correctly requires a team of outside forensic and legal experts partnered with the internal incident response team. A well-defined incident response team includes key staff functions and line-of-business managers as well as C-level executives and corporate directors.

Experiencing a cyberattack is disruptive, and combating the malware behind large data breaches remains a constant challenge. Getting the right people involved and understanding how to use them efficiently is essential to properly investigating and remediating the event while managing costs and the extent of business impact. Board directors and C-level leadership must ensure that their organizations are ready with a well-thought-out breach incident response plan to help minimize the organization’s liability and exposure.
Aggressive remediation outwits hacker mastermind

“Please don’t lock the attacker out of the network.” Not the request that any CEO wants to hear, let alone the leadership of a major retailer that was under attack by a hacker mastermind who was stealing 45,000 credit cards every three days. Yet here was the Secret Service explaining that it was the best live investigation in three years, and that if kept alive, they would be able to track and identify the hacker—with a good chance of getting a conviction.

Faced with the challenge of how to minimize the damage without alerting the attacker, the forensic team decided on the strategy of letting the attacker continue his efforts but changing several digits of the credit card numbers the hacker was collecting. Other than actually trying to use the cards, the attacker would have no way of knowing he had stolen invalid card numbers. The ruse worked, allowing the team to keep the attacker alive in the network long enough to complete the forensic analysis and eradication. The attacker is now serving two 20-year jail terms.
Rackspace Inc. – Brian Kelly, Chief Security Officer

Lessons learned—containment and eradication
Cyberattacks continue to proliferate and show no signs of stopping. Information security is a business risk issue, and concerns over how to manage data breaches have moved beyond IT security teams to the C-suite and the board. Recognizing that attacks happen to the best of organizations, board directors are asking, “What can be done to minimize the damage?” Based on the experience of senior information security leadership that has serviced some of the largest data breaches to date, here are ten lessons that offer guidance in successfully containing and eradicating cyberattacks.
Cast incident response in the context of business risk

Although the natural tendency has been to treat cyberattacks as a technical issue to be resolved by the security team, such attacks are serious business problems that can pose substantial risk to the business. Decisions made unilaterally by the security team without an appreciation for strategic initiatives can have significant implications for the corporation.

To correctly characterize the risk and make the appropriate decisions to limit the liability to the company, cyberattacks and incident response must be put in the context of business risk. For this to happen, discussions with the board must be two-way conversations. CISOs have to translate the event or incident into business terms, at which point the board and leadership team can provide a point of view or strategic focus that may be vital to the incident. For example, the incident response team may be unaware of such considerations as M&A activity, clinical trials, and new R&D efforts. Through board-level conversations the response team can gain the necessary insight into the motives of an attacker and make a connection that may alter the investigation.
The exercises also provide insights into the following:

• how and when to engage external partners
• what can potentially go wrong during the phases
• what types of communications are needed
• how to protect the incident response information flow that is for the response team’s exclusive use
• how to bring other departments into the investigation.

Armed with such information, leadership and board directors are better able to formulate questions and act on the information to provide proper governance and oversight.
Retain incident response teams and outside counsel experienced in managing cybersecurity incidents

When it comes to containment and eradication, it is vital that internal security teams understand their strengths and weaknesses. Often internal teams assume they can handle the event and try to fix the problems themselves, only to make matters worse by accidentally destroying or tainting crucial evidence. Organizations are therefore turning to external counsel and forensic response teams that can step in on a moment’s notice to respond to cyberattacks.

Selecting the right counsel and forensic team—especially those experienced in interactions with law enforcement—can be the difference between success and failure. In addition to benefiting from their expertise, involvement of an attorney allows organizations to maintain attorney-client privilege. Because different phases of the incident response lifecycle require different capabilities, such as evidence collection, forensic analysis, and malware reverse engineering, organizations should select teams that have broad expertise. Established relationships with several teams are wise because the scope and magnitude of an incident may require
Seek unity of command

Unity of command is vital to responding to a cyberattack. However, not every incident requires the same command and control structure. Careful planning should determine in advance the level of management required based on the severity of the event and identify those events that require board attention and corporate officer leadership.

Similar to military operations, in which the general commands the day-to-day operations of the military during peacetime, a CISO oversees the day-to-day responsibilities and projects. During times of war, command shifts to the Joint Chiefs of Staff and designated war-fighting commanders. The same holds true in a cyberattack. The incident response leader takes control and leads the team through the steps necessary to respond to the incident.

Effective command and control during these times of crisis is critical. However, when an incident is declared, people often come out of the woodwork to get involved. Because time is critical, nothing can be worse than senior executives trying to influence activity or wrestle for control when an attack is in progress. Slow response and uncoordinated containment activities can give attackers the time they need to move laterally in the network, creating an even more serious breach. It is therefore vital that command and control be clear, understood, disciplined, and followed with precision.

To increase leadership’s understanding of the workings of command and control and provide insight into the protocols and procedures of incident response, it is imperative that organizations rehearse the incident response plan at least annually. Whether the activity is a mock tabletop exercise or a live-fire drill, the rehearsal gives company leadership and directors a baseline understanding of the criteria used to determine the severity of an event, the lifecycle of an attack and incident response, and the goals for each phase of the lifecycle.
interact with internal personnel, query the forensic investigators, analyze the findings, and provide the perspective that the board and senior management need for decision making. Many firms use outside counsel with experience in guiding incident response operations to perform this trusted advisor role.
Employ good case management practices

No one ever fully knows how an investigation will evolve. Even if it is unlikely that a security event will become public or that the investigation will end up in a court of law, directors should assume that it could and take the appropriate actions from day one. It is vital to follow good case management practices and do everything possible to preserve forensic evidence—from the first indication of the event through to the completion of the investigation.

Evidence is perishable and can be tainted. Organizations that are slow to engage the appropriate forensics partners run the risk of destroying, tainting, or missing key evidence that could be crucial in the later stages of the investigation. By asking the question, “Should this go to court, what do we need to do from the moment we start
more than one forensics team. Having relationships with several partners provides a fallback.

The worst time to find a partner is during an incident. In addition to running the risk of no firm being available, the breached company is faced with paying rates that are non-negotiable and entering into a difficult relationship that often leads to protracted investigations. Selecting and vetting cyber response teams in advance gives the team an opportunity to learn about the firm’s operational practices and environment. The forensics team can come up to speed quickly and hit the ground running. In addition to the qualitative advantage, selecting partners in advance provides a quantitative advantage in that you can pre-negotiate rates and terms that are acceptable to both parties and begin the relationship on a positive note.

Organizations also should look to engage a trusted advisor to provide independent advice to directors and officers regarding the security incident. Faced with pressure to deflect accusations or make things look better during an event, internal staff may report only what is necessary or skew information. An impartial trusted advisor knows how to
Make sure you have the right forensic team

Forensic services firms provide highly specialized resources that can cost tens of thousands of dollars. An inexperienced team, or one lacking the proper evidence collection, forensic analysis, and incident response skills, may not only cost an organization time and money but also jeopardize the success of mitigating the attack by inadvertently destroying or tainting evidence. It may be time to bring in a new team if the forensics team:

• is unable to put a big picture together that includes the scope of the breach as well as the sequence and path of movement
• has no clear plan for collection of evidence
• is unable to distinguish between evidence that is “need to have” and evidence that is “nice to have”
• takes a checklist approach to incident response
• is grasping at straws after the first couple of weeks
• is unable to scale efforts if needed
• is unable to provide guidance and stand firm in communications with clients, regulators, and other stakeholders
• fails to understand or exercise proper chain of custody.
customers, answer to the press, respond to regulators, and defend the company’s conduct in parallel actions, such as a civil suit and a regulatory investigation.

A company’s internal public relations team knows much about the organization but is not an expert in directing cyber breach communications. When multi-billion-dollar payments and corporate reputations are at risk, board directors and senior management must take care to turn to independent, impartial crisis communications experts.

Cyberattacks are distressing events. Those involved often have an emotional attachment or are too close to the incident to be viewed as impartial in their communications. Independent experts provide the clear thinking and unbiased perspective that is required to assist the company in all dialogues and announcements—from initial notification to worst-case communications. Further, the external team will be able to ensure that once communications are initiated, such as notifying customers of a breach, follow-up communications occur on a timely schedule. Often overlooked is the need to manage the negative nonverbal communications that may be sent to internal and external parties as a result of actions taken by the response team. For example, shutting down a website or requiring password changes sends a clear message that something has happened. The communications team must manage these types of communications as well. Finally, in addition to being able to articulate what is happening, it is vital that the crisis communications team stand firm in its mission to protect the company by advancing the facts in the face of unjustified assertions or incorrect accusations.
Be prepared for containment to affect business activities

Incident containment has two major components: stopping the spread of the attack and preventing further damage to hosts. During the containment effort, organizations should be prepared to shut down or block services, revoke privileges, increase controls, and place restrictions on network connectivity
this investigation to present a solid case?” organizations can limit their liability down the road and better position themselves for successful litigation.
Adopt an outcome-based approach

Some forensics organizations take a checklist approach to incident response. However, no two cyber events are the same, and incident response is not a scripted process. Security teams operate under the fog of cyberwar, and decisions will be made under conditions of stress, fatigue, and confusion in response to seemingly random events. What is needed is an outcome-based approach to incident response, recognition that there are multiple ways to achieve the outcome, and an understanding of what can go wrong. Normally, outcomes are based on a specific list of questions that must be answered by the incident response team based on initial attack indications and regulatory responsibility. The team should be focused on answering these questions during the investigation. Investigators who are experienced in outcome-based incident response are better able to focus on what matters, form hypotheses, take action based on the type of attack and observable facts, and pivot should something go wrong.

During the course of containment and eradication, it is expected that attackers will take new action based on the security team’s efforts. One model that can be used to prevent adversaries from gaining the upper hand is the OODA Loop: Observe, Orient, Decide, and Act. This model provides a method for making informed decisions and acting based on feedback from various sources. Recognizing that attackers are doing the same, the key is to tighten and accelerate the OODA Loop, leveraging people, process, and technology to move faster than the adversaries.
Hire impartial, independent spokespersons for crisis communications

The stakes for immediate and effective crisis communications throughout an investigation have never been higher. During a cyber crisis, a company may need to notify
people and processes into consideration, technology actually can create more complexity, consume more resources than it returns, and deliver only incremental value. In short, complexity is the enemy of security.

Organizations must take a holistic approach to eradicating and closing the security gaps. This may necessitate new processes and policies, new services and technologies, and additional personnel. Skimping on cybersecurity may result in much higher costs down the line. Board directors should be prepared to increase security budgets and can be firm but fair in maintaining their fiduciary responsibility by requiring the right justification from the security team.
Share information with others who can benefit

The fact that hackers have breached the computer systems is the kind of news that no organization wants to reveal. Corporate leadership worries about attrition of customers, negative press, and difficulties with partners that may occur if news of an incident leaks out. However, for the good of the industry, the sharing of incident details may
and Internet access. Such activities can affect business processes dramatically by restricting organizational functions and workflows; therefore, the decision to perform such actions should never be one-sided. Because business activities are dynamic, the decision to implement controls during containment always should include a two-way discussion with business process owners and company leadership. It is vital that organizations have strategies and procedures in place for making containment-related decisions that reflect the level of acceptable risk to the organization.
Focus on people, process, and technology during eradication

Malware detection and eradication can be an expensive and time-consuming process, as malware can lie dormant in a system for months and then activate again. Although it is easy and tempting to apply a quick fix in the heat of the incident, attention must be given to finding and fixing the true root cause. Here, the natural tendency is to lead with a technology solution. With new security tools comes the belief that the problem is solved. The reality is that, without taking
Attacker gains the upper hand—once

When the cyberattack happened, it caught everyone by surprise, but it shouldn’t have. It was just a matter of time, because the organization had a high level of technology debt, the IT security lacked alignment with the business, the business unit failed to understand its level of risk and necessary controls, and the organization had given minimal attention to rehearsing incident response.

It took the organization more than 48 hours to detect the breach. Then, several days passed before they realized the event was bigger than what could be handled internally. The delay in detection and slow action to call in security experts allowed the attackers to move quickly through the network, expand their footprint, and ultimately affect more than twenty customer environments. The investigation and recovery lasted for about four months, with costs totaling in the millions.

Sensing easy prey, the attacker returned several months later. This time the organization was prepared. The technology debt had been paid, resulting in a stronger foundation and improved security monitoring. IT security was well aligned with the business, and the business unit understood and accepted its risk and controls. More important, the organization had rehearsed incident response scenarios. This time the attack was detected in minutes. The internal response team was able to shut the attack down in a matter of minutes with little cost and no risk to the business or customers.
• Are the risk definitions correct?
• Did we manage the command and control effectively?
• Did we bring the right people in at the right time?
• Did we think about everything properly from a risk perspective, business perspective, communications perspective, and customer perspective?
Summary

No matter what precautions are taken, no organization is immune to cyberattacks. Organizations must have a comprehensive incident response team that includes external incident response and forensic analysis, outside and in-house counsel, and public relations firms in place prior to any breach event. These partners provide incident response forensics and legal and crisis communications assistance, and will manage the incident in conjunction with the organization to mitigate the damage and return the business to full operational capacity as quickly as possible. Unfortunately, the worst time to figure out how to respond is during an actual incident. Making the plan up on the fly in the middle of a crisis only leads to mistakes that aggravate the situation. Lines of communication, roles, and identification of decision makers must be known before a breach occurs. Tabletop or similar exercises that include C-level management and board directors should be carried out to help organizations practice incident responses and stress-test their plans.
be precisely what is needed. Cyberattacks are the new normal, and security breaches no longer carry the stigma that they once did.

What is important to recognize is that cyber criminals use the same attacks over and over again. By using the same code with slight modifications, cyber criminals achieve efficiency in their efforts while driving their costs down. By sharing information with others who can benefit, such as other companies within the industry sector, the U.S. Computer Emergency Response Team, and cybersecurity researchers who may be able to assist, organizations can help protect others while driving up the adversary’s costs.
Debrief following an event to capture lessons learned

What is worse than a big public breach? A second big public breach. Because the handling of cyberattacks can be extremely expensive, organizations may find it helpful to conduct a robust, non-finger-pointing assessment of lessons learned after major cyberattacks to prevent similar incidents from happening in the future. Capturing the lessons learned from the handling of such incidents should help an organization improve its incident handling capability. Questions to ask include the following:

• Why did this happen?
• What could have prevented it?
• Did we classify the event at the correct risk level?
• What were the indicators that drove the event classification?
BakerHostetler – Theodore J. Kobus, Partner and Co-Leader, Privacy and Data Protection; Craig A. Hoffman, Partner; and F. Paul Pittman, Associate
Cyber incident response
Most security experts acknowledge that a dedicated and well-resourced attacker will eventually find a way to break into a company’s network. Sophisticated attackers are not the only threat—financially or politically motivated individuals with less-than-average skills also have been able to compromise companies. Faced with an ever-increasing number of endpoints to guard, online access management issues related to cloud services and vendors, budgetary constraints, and the fact that systems are built and maintained by individuals (who are fallible), companies are recognizing at an increasing rate that a security incident involving unauthorized access to their customer, employee, or sensitive business data is inevitable. How are companies responding? By taking a series of measures to become ‘compromise ready,’ including developing an incident response plan. Proper preparation for an incident enables a company to be better positioned to respond in a way that mitigates risk and preserves relationships. In addition, how a company responds influences whether the company experiences a drop in revenue or faces a regulatory investigation or consumer litigation. This response can significantly affect a company’s reputation.

Officers and directors are tasked with ensuring that their company’s incident response strategy is appropriate and adapts to the constantly changing threat landscape. They also have a role in overseeing the response to an incident. Incidents often arise just prior to an SEC reporting deadline, and companies that are caught unprepared may not be well positioned to withstand any subsequent scrutiny over their disclosure decision.

In this chapter we discuss the underlying state and federal notification obligations that are implicated by
to ensure that the various team members understand their role and authority to make decisions.
• Categorization. Provide a simple structure for classifying events by severity (e.g., low, medium, high) and risk to “level set” the team regarding urgency, escalation to the C-suite, and level of engagement of the representative groups on the incident response team.
• Response protocol. Provide a flexible framework for executing the eight key steps of incident response: (1) preparation, (2) identification, (3) assessment, (4) communication, (5) containment, (6) eradication, (7) recovery, and (8) post-incident.
• Third parties. Identify key third parties that will assist the company, including external privacy counsel, forensics, crisis communications, mail and call center vendor, and credit monitoring.
Once the plan is created, test the plan for gaps and provide training for the incident response team. External privacy counsel often conducts these exercises, sometimes in conjunction with the primary forensic firm and crisis communications firm. Most companies choose to use a hypothetical scenario that they would consider to be the most likely catastrophic incident they may face (e.g., a payment card event for a retailer), followed by subsequent, periodic testing using different scenarios (e.g., service disruption, employee data).

No two incident scenarios are the same, so there is not a one-size-fits-all, turnkey solution to incident response. There are, however, critical factors that drive a successful response.
• Notify and assemble incident response team members and begin the investigation. Don’t panic when a security incident arises. Be methodical, but swift, in your response. Assemble the incident response team members and notify them of the security incident. If a member of the C-suite is not on the team, there must be a direct
potential incidents, along with best practices developed from our experience in helping companies respond to more than 1,000 potential events. Although these laws are a critical part of a response, responding to an incident is not just a legal issue. Being viewed as handling the incident well also involves an effective communications response.
Incident response best practices

A company’s incident response should be guided by a plan that has been tailored to the company’s industry and fine-tuned through mock breach exercises. The response plan is a critical element of the crisis management strategy—not because it provides a prescriptive, detailed list of action items, but because it has been refined and practiced through tabletop drills. A good plan outlines a flexible framework of the general steps that must be taken to prepare for, respond to, and recover from a security incident. An incident response plan must be flexible enough to adapt to the particular security incident the company is facing (e.g., network intrusion, denial of service, account takeovers, malware, phishing, loss of paper, employee data, security vulnerabilities detected by third parties, or theft of assets).
• Identify the internal incident response team. Identify team members from critical departments (e.g., IT, IS, legal, communications, internal audit, HR, risk management, business lines), describe their roles, and define how and when they will be activated when a potential incident is identified.
• Identify who will lead the incident response team. Companies approach this in different ways. For some, the IT and IS groups play a significant role. At highly regulated companies, legal and regulatory members will be integral to the response. Because some issues go beyond the technical response, being a good project manager is probably one of the key traits a company should look for when deciding who will lead the group. Practice drills also help
such helpful information when filing a motion to dismiss.
• Determine any legal obligations and comply. Experienced outside privacy counsel that is well versed in incident response can help the company quickly and accurately determine the state, federal, and international privacy and security laws and regulations that may be implicated by the security incident. Complying with these laws is sometimes a balancing act that requires a company to consider other factors. Engaging outside privacy counsel who understands how the regulators view these laws, as well as the challenges companies face in responding to these types of incidents, is critical. Outside privacy counsel must be a partner with the company in the response. There is no one-size-fits-all approach.
• Communicate with the public and report to the incident response team. During the course of the investigation and response, there should be constant communication among incident response team members. Periodic reporting meetings are useful. In addition, officers and directors should receive reports that provide essential facts and plans for responding to the security incident. It is critical to have outside counsel involved in the communications plan to preserve any privileges that may attach to communications. Further, develop a ‘holding statement’ for executives to use when communicating with the media, affected individuals, and shareholders. Also, consider creating a website and using a call center to keep affected individuals apprised of developments.
• Eradicate remnants of the security incident and recover business operations. When the security incident and any resulting damage have been contained, develop a plan to eliminate the vestiges of the security incident, restore the company’s assets, and return your business to normal operations. Ensure that the threat created by the security incident is eradicated.
connection to the C-suite so that decisions
can be approved in a timely fashion and
the response team can move forward with
the investigation. It is useful to appoint a
security incident manager; often this is
someone with strong project management
skills who can move the process forward
in a productive way working alongside
outside privacy counsel. Once the team
is assembled, it should initiate an internal
investigation into the security incident,
and depending on the potential severity
of the incident, daily progress calls should
be scheduled.
? Identify and fx the issue. Conduct an initial
analysis of the reported incident and
focus on getting quickly to a point where
the internal and/or external computer
security frm can develop and implement
an effective containment plan. If news of
the incident is going to become public, at
least the company will be in a position
to say that it identifed and blocked the
attack from continuing. The company can
then turn to identifying the full nature
and extent of the attack. Working with
internal resources, at least initially, is very
common; however, consider bringing in
external security frms when the company
is facing capability, credibility, or capacity
issues.
• Gather the facts and let them drive the decision-making. Resist the pressure to communicate about the incident too early or to be overly reassuring. Focus on the investigation. Institute a plan early on for collecting all available forensic data—hardware, devices, database activity, and system logs—and transfer it to a safe location for subsequent analysis, recording what was collected, by whom, and when, so that the copies analyzed later can be shown to be the ones collected. Create a timeline of events surrounding the security incident and the actions taken by the company. Structure additional investigation and response efforts based on the information gathered and the scope of the incident. Work to include any favorable findings in public communications; notification letters are often attached to class action complaints and therefore a company can rely on any
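The evidence collection and timeline step above is where an investigation most often goes wrong in practice: copies are altered after collection, and logs from different systems carry different clocks, so a timeline assembled from raw timestamps puts events in the wrong order. The following Python script is an added example (it is not from this guide or its authors) of the two habits that prevent that: record a SHA-256 manifest of every artifact at collection time, so the forensic firm can later show it analyzed exactly what was collected, and normalize every timestamp to UTC before sorting. All log lines are constructed samples, and the assumption that the database audit log is written in local time at UTC-5 is hypothetical.

```python
"""Evidence manifest and UTC-normalised timeline for an incident investigation.

Added example with constructed sample data; not code from the guide.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Assumption (hypothetical): the database audit log carries no UTC offset and
# the server's configured local time is UTC-5. Pin this from the server's
# configuration at collection time, not from memory.
DB_LOG_OFFSET = timezone(timedelta(hours=-5))

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample logs, one string per source. Note the mixed clocks:
# sshd carries an explicit -05:00 offset, the web server logs in UTC, the
# database audit log has no offset, and the IR team's own action log is
# kept in the same timeline so "what we did when" never has to be reconstructed.
SAMPLE_LOGS = {
    "syslog": "2015-06-03T14:02:11-05:00 vpn01 sshd[4021]: Accepted password "
              "for svc_backup from 198.51.100.23 port 51522\n",
    "web": '203.0.113.9 - - [03/Jun/2015:19:04:40 +0000] '
           '"POST /admin/upload.php HTTP/1.1" 200 512\n',
    "dbaudit": "2015-06-03 15:05:02,crm,svc_backup,SELECT name,ssn FROM customers\n",
    "ir-actions": "2015-06-04T09:30:00-05:00 isolated vpn01 from the network and imaged its disk\n",
}


def make_manifest(evidence: dict) -> dict:
    """Map each preserved artifact name to the SHA-256 of its bytes.

    Record this at collection time and keep it with the chain-of-custody
    record; it lets anyone show the copies analysed are the ones collected.
    """
    return {name: hashlib.sha256(data).hexdigest() for name, data in evidence.items()}


def verify_manifest(evidence: dict, manifest: dict) -> list:
    """Return the names of artifacts that are missing or whose hash changed."""
    current = make_manifest(evidence)
    return sorted(name for name in manifest if current.get(name) != manifest[name])


def parse_event(source: str, line: str):
    """Parse one log line into (utc_datetime, source, summary); None if unparseable."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.fromisoformat(m["ts"])  # offset is in the line itself
        return ts.astimezone(timezone.utc), source, f"{m['host']}: {m['msg']}"
    if source == "web":
        m = CLF_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc), source, f"{m['ip']} {m['req']} -> {m['status']}"
    if source == "dbaudit":
        parts = line.split(",", 3)  # timestamp, database, user, statement
        if len(parts) != 4:
            return None
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=DB_LOG_OFFSET)
        return ts.astimezone(timezone.utc), source, f"{parts[2]} ran {parts[3]}"
    if source == "ir-actions":
        ts_text, _, action = line.partition(" ")
        return datetime.fromisoformat(ts_text).astimezone(timezone.utc), source, action
    return None


def build_timeline(logs: dict) -> list:
    """Merge {source: log text} into a list of (iso_utc, source, summary), oldest first."""
    events = []
    for source, text in logs.items():
        for line in text.splitlines():
            event = parse_event(source, line.strip())
            if event:
                events.append(event)
    events.sort(key=lambda e: e[0])
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), s, msg) for t, s, msg in events]


if __name__ == "__main__":
    evidence = {name: text.encode() for name, text in SAMPLE_LOGS.items()}
    manifest = make_manifest(evidence)
    for stamp, source, summary in build_timeline(SAMPLE_LOGS):
        print(stamp, source, summary)
    print("manifest intact:", verify_manifest(evidence, manifest) == [])
```

Run as written and the four constructed events print in true UTC order; note that the database query (logged as 15:05 local) actually follows the web request (logged as 19:04 UTC), which a sort on the raw strings would reverse. `verify_manifest` returns the names of artifacts whose current hash no longer matches the manifest; that is the check to run before copies are handed to the forensic firm, counsel, or law enforcement.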
INCIDENT RESPONSE
In addition, certain federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) require companies to notify affected individuals. Under HIPAA, notification is required without unreasonable delay and no later than 60 days after discovery (the 60 days is an outer limit, not a target), and a failure to provide timely notice will likely result in an investigation that may lead to a fine. Timely notification enables consumers to exercise self-help in monitoring their payment cards, bank accounts, and credit reports to prevent fraud. By reducing the likelihood that consumers will be subject to fraud, a company can also reduce the likelihood of future suits based on the data breach.
Reporting
In addition to providing notification of a data breach to affected individuals, a company also may be required to report a data breach to other individuals and entities under certain state and federal laws and industry guidelines.
Law enforcement: Law enforcement can be helpful during an investigation, but it should be brought in at the appropriate time. Telecoms and financial institutions have specific guidelines regarding reporting to law enforcement, but most industries do not have similar regulations. Typically, companies engage either the Federal Bureau of Investigation (FBI) or the United States Secret Service (USSS), although local law enforcement can be helpful in certain situations. Your outside privacy counsel should have established relationships with law enforcement and understand when they should be contacted. Although law enforcement can be helpful with the investigation and communications with regulators, keep in mind that its goal is very different from the company’s: law enforcement wants to catch the ‘bad guy’ and the company must figure out the appropriate way to respond to the incident. One practical consequence is that law enforcement may ask the company to delay notification so as not to compromise its investigation; most state notification laws allow such a delay, so obtain the request in writing and keep it with the incident record.
Federal regulators: Certain industry-specific laws also require reporting of a breach to federal regulators. Under HIPAA,
Potential legal issues and obligations
The issues caused by the ‘patchwork quilt’ of state breach notification laws in the United States receive a lot of attention and feed calls for a single federal law that pre-empts any inconsistent state laws. However, in most incidents, especially for incidents that affect individuals across the country, differences across state breach notification laws rarely make a difference in how the company responds. Complications do arise when only a few state laws are implicated, such as when one state does not have a “risk of harm” trigger that allows a company to determine that notification is not required but the other states do. There are no decisions from courts describing how to interpret and apply these laws. There are state attorneys general who have certain interpretations regarding the timing of notification and others who have well-known ‘hot button’ issues, neither of which are evident from reading the text of the notification law.
Notification
Typically, a security incident becomes a data breach when there is unauthorized access to unencrypted personally identifying information (PII), which is generally a person’s name associated with his or her Social Security number, driver’s license number, health and medical information, and financial information, depending on the state or federal law. Note that the encryption safe harbor is generally unavailable when the encryption key was also acquired, so the investigation should establish where keys were stored and whether the attacker could reach them. When a data breach occurs, all states (except Alabama, New Mexico, and South Dakota) require that a company notify the affected individuals that their PII has been compromised. The breach notification laws of each state and the type of data that are considered PII vary between states and can create multiple and sometimes inconsistent obligations on the company required to provide notice. Most state laws require notice as soon as reasonably possible, whereas a few require notification within 30 or 45 days of discovery. Providing notification within 30 days of initial discovery is often a significant challenge.
CYBER INCIDENT RESPONSE
affected by the incident for their costs associated with fraudulent charges and the reissuing of cards. The liability assessments can be one of the largest financial consequences of an incident.
In certain circumstances, a company may be required to report a data breach to the media. Under state notification laws, if the company does not have sufficient contact information to mail notification letters to affected individuals, the company has to provide notice through substitute means, which involves posting a link in a conspicuous location on the company’s website, issuing a press release to major statewide media, and sending an email to the individuals (if the company has their email addresses). HIPAA requires notice to prominent media outlets when a data breach affects more than 500 residents of a state or jurisdiction. In other circumstances, a company may have no legal obligation to report a security incident or data breach to the media but may feel compelled to do so in an effort to control the story and prevent inaccurate or misleading information from being conveyed to the public by the hacker, affected individuals, or other sources. Accordingly, careful thought should be given to developing a communications strategy as part of a company’s incident response—one that considers not only the message but also the timing of the message and the medium in which it is distributed.
Board of directors: Although reporting a security incident to the board of directors is not required by any specific state or federal law, a director’s duty to shareholders requires that the director be informed of important topics that significantly affect the overall business of the company. Consequently, directors may (and should) require that an incident response team member (preferably counsel) provide reports on any security incidents or data breach, and the progress of any incident response efforts. Some companies are establishing a special audit committee for cyber incidents and even engaging a “cyber advisor” to brief the board on these issues.
a company must report any data breach to the Secretary of the Department of Health and Human Services, although the timing of that reporting differs depending on whether 500 or more individuals were affected (breaches of that size are reported within 60 days of discovery; smaller breaches are logged and reported annually). Under the GLBA, financial institutions must report a security incident to their primary federal regulator as soon as possible.
State attorneys general and agencies: Some state laws require a company to report a data breach to the state attorney general, depending on the number of affected individuals, which may range from 1,000 in some states to only one person in others. Other states require notification to state agencies, such as state consumer protection agencies, departments of health, or cybersecurity agencies. The form of the notice may also vary. Some states require simply that a copy of the breach notification letter that was sent to the affected individuals be filed with the state attorney general. Other states may require more, such as written notice identifying the nature of the breach, the number of affected individuals, any steps taken to investigate and prevent future breaches, and the content of the notice intended for the affected individuals. Working with regulators can be one of the most critical pieces of an incident response. Ensure that your outside privacy counsel has a working relationship with your regulators and can guide you on the timing and content of communications. In most cases, if this piece is handled appropriately, there is a greater chance of very little fallout.
Other entities: When payment card data are at risk, the response is governed by payment card network operating regulations that merchants have agreed to follow as part of the merchant services agreement with their acquiring bank and payment processor. The card network regulations define a specific security standard that merchants must comply with (PCI DSS). They also dictate the investigatory process (in practice, an investigation by a PCI Forensic Investigator (PFI) listed by the PCI Security Standards Council) and provide for the recovery of noncompliance fines and assessments to reimburse banks that issued cards
should apply to the communications with and findings of the forensic firm and others engaged in assisting the law firm. The external law firms also should provide guidance to other members of the incident response team on how to preserve privileges, such as through the use of an ‘Attorney-Client Privileged Communication’ stamp in emails and communications, for example. Outside counsel should collaborate with in-house counsel in determining whether there are any legal or contractual obligations to notify or report, or potential liability as a result of a data breach.
• Forensics firm. An outside forensics firm is sometimes needed to conduct an examination of the available forensic data to determine whether there are signs of unauthorized access, and if so, determine the nature and extent of the issue and provide recommendations on short-term containment and longer-term measures to remediate and enhance security.
• Crisis communication firm. Although public relations firms understand how to get a company into the news, crisis communications firms have to exercise a different skill set in guiding the communication strategy for companies facing security incidents. Those firms understand that there is often little, if any, good news to report, so they focus on communications designed to make it clear that the company is responding in a quick and transparent manner that is designed to protect affected individuals. They can also provide media training for the spokesperson and assist in responding to media inquiries in a consistent and measured manner.
• Breach response and notification firm. Using a dedicated external call center and mailing vendor to notify and handle inquiries from affected individuals can greatly assist a company with the logistical challenges it faces during an incident response. The call center can answer calls from an approved FAQ sheet.
Lawsuits and/or regulatory action
A company’s response to a security incident or data breach can have significant legal and financial consequences beyond those associated with investigating and responding to an incident. Some state and federal laws allow for consumers affected by a data breach to assert a private right of action against companies. When the incident affects a large number of individuals, it is fairly common to see putative class actions filed in the hours or days after the incident becomes public. Regulators, such as the FTC, Department of Health and Human Services, and Federal Communications Commission may initiate investigations that may result in multimillion-dollar fines or the imposition of a consent order that imposes a lengthy obligation to implement a privacy and security compliance program and have it audited by a third party. Last, although not common, directors and officers may be named in shareholder lawsuits.
Role of external parties in a company’s incident response
An incident response typically requires the involvement of several external parties who serve important roles in identifying and assessing the cause, extent, and impact of a security incident as well as crafting and disseminating a response to the affected individuals, the public, the media, law enforcement, and regulatory authorities. One step that may save a few days during an incident response is to engage and negotiate the master services agreements with these companies before an incident so that only a new statement of work has to be prepared when an incident arises.
• Privacy counsel. An external law firm often serves as the ‘quarterback’ of the incident response. This role includes engaging other third parties to assist the firm in providing legal advice to the company, such as a forensics firm, which then serves as a foundation for establishing that attorney-client privilege. Work-product protection
derivative suits. This is particularly important because communications to directors that are not made at the direction of, or by, counsel may not be privileged and could be discoverable in subsequent litigation.
Should a security incident or data breach be made public, executives should be prepared to comment on the incident. When necessary, a holding statement should be developed and vetted by counsel. Communications by officers or directors with the public should be accurate, complete, and truthful, but also simple, so as not to be misleading or admit liability. Any filings or disclosures with the federal regulators, such as the Securities and Exchange Commission, should be carefully vetted to ensure accuracy, which may prove difficult when the facts surrounding a security incident are still being determined. This can be particularly problematic in quarterly (or periodic) earnings calls with analysts that may occur while investigation and response efforts are taking place.
Conclusion
In this ‘cyber climate,’ companies must be prepared for a security incident. Officers and directors cannot sit on the sideline; they must be aware of cyberthreats and engaged in developing and implementing an incident response plan to limit the amount of damage that can be caused by a data breach. An effective incident response can help preserve the company’s reputation and limit its exposure, allowing it to continue and grow its business operations.
Regardless of the external parties retained to assist in an incident response, it is important to ensure that they are retained by outside counsel to enable the assertion of the attorney-client privilege and work-product doctrine to protect documents and communications generated in the investigation and during the response to a security incident.
Role of officers and directors in a company’s incident response
The C-suite and boardroom play a small but important part in a company’s actual incident response: they mainly ensure that critical executive-level decisions concerning impact to the business and expenditures are made promptly. This is best facilitated by having a C-suite representative serve as a member of the incident response team. It is also important for officers and directors to be engaged in the incident response process, because in the event that another security incident occurs, the officers and directors could be held accountable by consumers, shareholders, and regulators for any lack of familiarity with the company’s cybersecurity program.
Given the potential liability and impact to a company’s reputation posed by a data breach, directors should have procedures in place to ensure that they receive timely updates on any incident response. Communications with the board regarding the incident response and the findings of any investigation should be carefully crafted and limited to factual information if possible, because of the prospect of shareholder
Sard Verbinnen & Co – Scott Lindlaw, Principal
Communicating after a cyber incident
Data security is the number one concern that keeps board members up at night, NYSE’s annual Law in the Boardroom survey found. It’s a rational nightmare for anyone running a company, given the explosion of data breaches and the havoc they can wreak. As recent shareholder derivative and securities lawsuits underscore, a director is not merely responsible for ensuring that a company’s cyber defenses are robust. Rather, lawsuits against directors of Target Corp., the TJX Companies, and Heartland Payment Systems, Inc. have taught us that directors must also ensure that the company is prepared to manage the aftermath of a breach. To contain the damage, effective communications with a host of internal and external audiences are essential.
The two greatest harms inflicted by a breach are reputational damage and loss of customer loyalty, according to the Ponemon Institute, which compiles breach costs globally. To mitigate reputational damage, loss of customers, and related harms from a breach, it is critical that a company communicate clearly (and often simultaneously) with multiple audiences. The board’s oversight of this aspect of cybersecurity should not start in the fog of a cyber crisis. It should begin well before an incident.
The director’s duties and cybersecurity-related communications
A data breach can substantially diminish stock value, as several academic studies have found. The most recent study, involving 174 breaches, found “the cumulative change in net earnings including extraordinary items in the four quarters after a breach announcement is a 22.54% decrease, indicating deteriorated earnings performance.” These findings by Kholekile L. Gwebu, Jing Wang, and Wenjuan Xie of the University of New Hampshire Peter T. Paul College of Business and Economics do not always hold true. A study of several prominent data breaches by
increased customer acquisition activities,
reputation losses, and diminished goodwill,
cost the victimized companies an average of
$3.72 million per incident.
Companies have an opportunity to mitigate each of these classes of loss through effective communications. This means following the law on all notifications required to consumers and investors, of course. However, a company should not stop there. Communicating about a cyber incident to customers and investors as required by law should be the bare minimum from a communications standpoint. To preserve goodwill and stanch reputational losses, companies must move beyond mere compliance and operate from a perspective of stewardship. They must demonstrate leadership, integrity, and responsibility through thoughtful communications. To achieve that, these principles should guide any communications relating to a cyber incident:
• Preserve the company’s credibility with all constituencies, including consumers, customers, partners, regulators, employees, investors, journalists, and analysts.
• Maintain control of the communications process by establishing concise, agreed-upon messages so that the company speaks with one voice.
• Provide pertinent, confirmed facts without jeopardizing any internal or law enforcement investigations.
• Coordinate all public communications with legal counsel to (1) ensure accuracy; (2) avoid compromising any investigation or increasing legal exposure; and (3) preserve attorney-client privilege.
• Prepare for potential negative legal, financial, and customer scenarios.
These should be the tactical goals of communications responding to a cyber incident:
• Reassure all constituencies that you are taking steps to contain and fix the issue.
• Manage how the breach is portrayed in news and social media—where possible, position the company as victim, not villain.
Sard Verbinnen & Co. found that share price impact is hard to measure because of a multitude of factors affecting stocks. Still, a company should anticipate that revenue and profits may take a hit after a breach. A primary goal of a post-breach communications strategy should be to mitigate this impact as much as possible.
Because breaches can have a substantial effect on the bottom line, preparing for and responding to such incidents fall squarely within the director’s fiduciary duties. As explained in Chapter 8, directors owe their companies certain obligations, such as the duties of care, good faith, and loyalty. In the context of cybersecurity incidents, these duties require directors to ensure the company develops a reasonable crisis-management plan for use in the event a breach occurs. This calls for board members to have at least a high-level understanding of communications strategies and tactics, for internal and external audiences.
For example, almost all states have laws requiring companies to notify customers when a breach compromises sensitive personal data. Directors and companies have been sued on the ground that they failed to take reasonable steps to notify consumers that a company’s systems had been breached. When the law requires it, notifying customers about a breach is fundamentally a legal function but also a communications function. Plaintiffs will try to hold directors accountable for a perceived failure of notification. Likewise, regularly disseminating accurate information to shareholders may be a regulatory requirement but also requires effective communications. The Securities and Exchange Commission has put companies on notice as to the reputational harms of breaches and companies’ disclosure obligations regarding cyber incidents. “Reputational damage adversely affecting customer or investor confidence” may cause an attacked company to sustain “substantial costs and suffer other negative consequences,” the Commission wrote in disclosure guidance in 2011. The Ponemon Institute reported that in 2014, breach-related lost business costs, including the abnormal turnover of customers,
COMMUNICATING AFTER A CYBER INCIDENT
prepared to respond very quickly to any cyber incident and to communicate the company’s position. As part of this, the board should review the company’s budget for security risk management, ensuring the availability of the funds necessary to hire outside law firms, IT and forensics experts, remediation support services, and communications consultants.
Audiences to consider when responding to a breach
A company responding to a breach must communicate with myriad audiences. It must coordinate and calibrate its messaging with each while recognizing that messages aimed at investors may end up in news stories, that news stories will shape investors’ perceptions, and that everything the company says could end up on Twitter.
• Consumers, customers, and partners: In addition to legally required notifications, the breached company must be prepared to communicate what it is doing to contain an incident; provide assurances, if applicable, regarding safety of customer information and recourse on future fraudulent activity; give front-line customer service representatives guidance on how to communicate with customers; provide a dedicated call center and/or website to handle customer inquiries; and provide third-party credit monitoring, if appropriate.
• Journalists and social media communities: It will not be sufficient to issue prepared public statements at the company’s convenience. The victim company must be prepared to react to a deluge of media inquiries and be prepared for leaks. The company may also have to proactively engage reporters, including regional, national, and cybersecurity beat reporters. This requires developing a process for engaging the news media, including designating media spokespersons, preparing key executives for direct exposure to news media, correcting inaccurate reports,
• Confine public comments to what you know. Do not speculate.
• Avoid prolonging news media coverage unnecessarily.
• Do and say nothing to heighten the interest of regulators.
• Provide no fodder to plaintiffs’ attorneys.
• Minimize damage in the eyes of consumers, customers, and investors.
• Protect share price.
Companies must integrate these communications principles and goals into a coherent incident-response plan before a breach strikes. An effective plan will position the victimized company to communicate quickly and effectively in the event of a data breach or other security incident. Important decisions will have to be made in real time, but the tools and guidelines in a cyber incident response plan should ensure immediate engagement of the proper personnel, the proper process for obtaining and reviewing information needed to determine the appropriate communications response, and alignment on all appropriate steps to communicate to employees and external audiences.
A company’s incident-response plan should identify members of several sub-teams, including legal, IT, and communications. Anyone who will be directly involved in making communications decisions or in the dissemination of internal and/or external communications must read and understand this plan. Press releases, key messages, question-and-answer documents, contact lists, and letters to stakeholders such as investors and employees should be prepared in advance, leaving blank spaces to fill in as facts emerge. The plan should contemplate the establishment of a dedicated website and whether the company’s existing corporate blogs and social media presence may be useful communications instruments after a breach. The communications plan, and especially its contact lists, should be treated as a living document. It should be kept up to date and reviewed and tested regularly.
Directors must make clear to management that they expect the company to be
typically comprise two main arguments. First, they allege directors failed to prevent the breach. Second, they contend directors covered it up and/or failed to notify investors and consumers. This latter class of arguments essentially alleges failures of communication. The cases against Target and Heartland show how the plaintiffs use derivative and securities suits to blame directors and officers for these alleged sins of communication, or lack thereof:
• Target Corp.: On December 18, 2013, the blog Krebs on Security broke the news of a major breach at the retailer. The next day the company confirmed it was investigating a security breach involving stolen credit card and debit card information of 40 million customers who shopped in its stores. A few weeks later, the company disclosed that the data theft was significantly more extensive and affected millions more shoppers than it had initially reported.
Four sets of shareholders filed derivative lawsuits against Target officers and directors. Later these were consolidated into one derivative action. The plaintiffs alleged that directors breached their fiduciary duties by failing to “timely notify customers of the theft of their personal and financial information [and] to accurately notify customers regarding the scope and substance of the data breach.” The amended complaint chronicled a series of statements in which Target provided shifting information. As a matter of media relations, this had the effect of continually adding fuel to the fire: each time the company updated the number of affected customers, the coverage spiked anew.
The plaintiffs also pre-emptively argued that the directors’ actions in managing the response did not constitute decisions under the business judgment rule, which would have protected them against such a lawsuit. “The Board caused Target to disseminate false and misleading public statements concerning, among
and monitoring traditional and social media on an ongoing basis. The company must also prepare to use social media to distribute messages.
• Investors and analysts: The breached company must be prepared to answer questions about the impact of the incident on financial outlook and about the costs of response and security upgrades. It can expect to face such questions on its first earnings call after the incident, and thereafter. A Form 8-K may be required if shareholders would view the impact of the incident as material.
• Internal audiences: Employees need to hear from the company about what has transpired, and what changes in security policies and protocols are coming. They must be alert to future attacks (phishing that impersonates the company’s own breach notices is common, so tell employees and customers what a genuine notice will and will not ask for) and avoid talking publicly about the incident. Human resources should prepare to involve itself if employees had a possible role in causing the incident or failing to detect it.
In addition to the above audiences, the breached company must carefully weigh and coordinate each statement with a secondary set of audiences in mind. Plaintiffs’ attorneys will be circling and will race to the courthouse to sue the company on behalf of purportedly aggrieved customers and shareholders. Banks and credit card companies who may have lost money on fraudulent transactions will expect to be made whole. Insurance companies will also be monitoring public statements if the victimized company has a cyber incident or other relevant policy and moves to file a claim.
Lawsuits against directors: communications issues
As if the breaches themselves weren’t enough to keep directors up at night, board members have an additional and unique set of worries: shareholder derivative and securities lawsuits after an incident. Directors of Target, the TJX Companies, and Heartland Payment Systems, among others, have each seen these actions after breaches. These suits
investors, the plaintiffs claimed, was that “Defendants’ misrepresentations and omissions obfuscated the Company’s true financial condition and future business prospects, artificially inflating the price of Heartland’s common stock.”
Conclusion
Cybersecurity is the number one fear keeping directors up at night, but they can rest a little easier by holding management accountable and requiring a current, useful preparedness plan before a crisis. Critical to any company’s breach-response plan must be communications. A breached company cannot assume a defensive crouch and issue reactive statements at the times of its choosing. On the other hand, it should not say more than it is confident of, or more than is necessary to safeguard its interests and those of its customers and investors. An effective communications plan helps protect the company after a cyber incident by blunting the loss of reputation and customers and by keeping plaintiffs at bay.
Every breach starts with an event outside a company’s control, and the Target and Sony Pictures attacks underscore how unfolding events can further buffet a company. However, with a communications plan that is carefully conceived and rehearsed, a company can meet its legal obligations to communicate and help limit the secondary harms of a cyber incident, such as loss of reputation and customers. It is incumbent on directors to ensure that the plan’s communications components are ready to activate when the cyber crisis strikes.
other things, the true nature and extent
of the data breach at the Company,” the
amended complaint stated. (A separate
action brought by consumers similarly
alleges that “Target failed to disclose and
provide timely and accurate notice of the
data breach to the public...”)
• Heartland Payment Systems, Inc.: On December 26, 2007, hackers broke into Heartland’s corporate computer network and stole about 130 million credit and debit card numbers and related card data. The SQL injection attack on its corporate network resulted in malware being placed on its payment processing system.
Plaintiffs brought a securities class action against the company after the U.S. Department of Justice indicted several individuals for what was reportedly then the largest data security breach in U.S. history. They accused CEO and Chairman of the Board Robert O. Carr and CFO Robert H.B. Baldwin of concealing the breach for more than a year—of “lying about the very existence of the breach.” They also contended the defendants knowingly made false and misleading statements about the breach in a 10-K annual report to the SEC, during interviews with the media, in press releases, and in other public presentations and speeches. The plaintiffs alleged that Carr and Baldwin concealed the incident and made a series of materially false and misleading statements on an earnings call, “outright den[ying] that a security breach had even occurred at Heartland.” The harm to
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Cyber risk management investment decisions
Axio Global, LLC – Scott Kannry, CEO and David White, Chief Knowledge Officer
Optimizing investment to minimize cyber exposure

“We are living in the Dark Ages of security. We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence.”
Amit Yoran, President of RSA; 2015 RSA Conference Keynote
Why begin a chapter about minimizing cyber exposure with a recent quote criticizing the security industry and raising a question about whether it is even possible to succeed? It underscores the importance of understanding the current climate, how it has evolved to the current state, and its inherent challenges. Ideally, one can then grasp that a new way of thinking about cybersecurity is critical to succeed and look to define a process and methodology that gives security leaders a better foundation to achieve that goal.

Let’s start with where we’ve been. Our hope is that few, if any, security leaders still believe that impenetrability is achievable. We’ve been subject to a barrage of verbiage such as, “There are only two kinds of companies—those that know they have been hacked and those that don’t yet know it,” and hacked executives publicly expressing surprise that their organization was successfully victimized, despite investing in the best possible defense. However, that belief was prevalent for many years, and investment decisions during this “castle-wall” era were fairly easy to make: focus on buying technological controls to fortify the perimeter.

Thankfully, we have evolved from that era into one that we’ll call the “defense-in-depth” era. The original premise was fairly simple: put up more castle walls, or perimeters, and hopefully the multiple layers will act in concert to create impenetrability, or at least something as close to it as possible. A more evolved premise is based on a mantra such as, “Operate as if the bad guys are already
inside,” which starts to balance perimeter controls with those that focus on behavioral monitoring, segmentation, and simulated internal environments. This trend is definitely one that is taking hold. Many firms still spend the majority of their security budgets on perimeter-focused controls, but spending is now being shared with internal and reactive controls.

However, despite the improved strategy, events over the past year and those that undoubtedly have happened since this chapter was written should easily debunk any notion that the defense-in-depth era has been substantially more successful than the castle-wall era. Arguably, it has gotten worse, in large part because of improvements in and industrialization of the tools and techniques used by adversaries. This has led not only to calls for a rethinking of how security is approached but also to the practical reality that security leaders’ jobs are more difficult than ever: their rate of success at protecting the enterprise seems to be precipitously declining, along with their job longevity.

Plus, the castle-wall and defense-in-depth eras exacerbated a problem central to security leader decision making: they facilitated a monumental buildup in the availability and use of technological controls. Evidence of this is apparent at the RSA conference, where a landscape of thousands of security providers displays their wares, each claiming to be the ultimate solution or silver bullet. Security leaders ask where to start. What should I spend my next dollar on? How can I justify this investment and intended return to the board? How can I keep my job when an event inevitably occurs? Welcome to the modern reality for security leaders.

We propose that it is time to evolve into what we’ll call the cybersecurity enlightenment era. It’s an era that focuses on risk management, not risk elimination, and where cybersecurity strategy is acknowledged as an investment challenge. It’s also an era that highly values impact minimization because cyber events are inevitable and, ultimately, the organization’s resilience depends on having the financial resources to weather the storm. This point supports the relevance of the insurance industry, not only as a provider of financial certainty but also as an industry that can provide insight and data to support thoughtful cybersecurity investments. We’ll now explain all of these elements and how this approach stands the greatest chance of minimizing exposure to the organization.

The approach is best evidenced by Figure 1, which depicts the relationship between cyber risk and cybersecurity capability. Organizations that have minimal cybersecurity capability face an extraordinary degree of risk. For these organizations, investments in basic controls will produce meaningful downward movement on the risk curve. It’s also the reality that organizations on the far left side of the curve will be given harsh treatment by the insurance industry—premiums will be extraordinarily high or coverage may not be available at all—which is a signal that the organization must bolster its capability through traditional controls. At a certain point, however, the curve begins to flatten and the relative reduction in risk per dollar invested pales in comparison to that which was previously achieved. Beyond this point firms would be wise to invest more substantially in insurance because of its disproportionate effect on the risk curve. Unlike a traditional control, insurance actually reduces (or eliminates) the cost of an event and therefore shifts the entire risk curve downward. An organization that adopts this approach is one that is more thoughtfully protected and better able to withstand the impact of that inevitable event.

FIGURE 1. Risk (vertical axis) versus cybersecurity capability (horizontal axis). Labels on the curve: “Invest in cyber capabilities” on the steep left portion; “Sustain capability and invest in insurance” on the flatter right portion; “Insurance lowers the risk impact curve overall.”

To better understand the elements, let’s look at the risk calculus, which can be explained with the following equation:

Risk = (Business Impact × Likelihood) / Capability

where business impact is a measure of impact to the enterprise from a cyber event, likelihood is an estimate of an event actually occurring, and capability is a measure of the organization’s ability to detect, protect, respond, and recover from an event.

It is important to understand that organizations may have very little control over the numerator in this equation, as these elements are largely influenced by the constantly evolving threat climate, the capability and desire of adversaries to carry out an attack, and the ever-increasing complexity of the technologies controlling operations, which can fail unexpectedly in ways that result in damage. For example, various recent reports pegged the cause of a cargo plane crash on a failure in software configuration, evidencing the reality that cyber events aren’t only those with malicious connotations. It’s also important to recognize that neither business impact nor likelihood can ever equal zero, even for the most capable organizations.

Organizations can influence the denominator by implementing, sustaining, and maturing a capable cybersecurity program. This measure reflects the controls that an organization has in place to protect its cyber assets and to detect events. Many of these controls will be technological or administrative, but the human element is also critical and can’t be overlooked, nor can the protocols surrounding third-party vendors, outsourced parties, and subcontractors. The denominator is also where the positive impact of insurance takes hold, because successfully responding to and recovering from an event depends not only on technical capabilities but also on the financial ability to cover the costs and losses involved.

How does an organization put actual numbers into the equation? Our recommendation is to start with developing and analyzing organization-specific cyber loss scenarios. Gather a group of individuals that represent key functions and insights into the organization—information technology and operational technology security, safety, risk management, treasury, and legal—and brainstorm about the likelihood and impact of cyber events across the critical functions of the organization. It’s important to capture as much of the loss spectrum as possible—first- and third-party financial damages and first- and third-party tangible damages, the latter half being critically important for organizations that use industrial control systems.

In our experience, this type of exercise proves to be very fruitful. We’ve found that most of the informational insight actually resides within the organization—it’s simply a matter of getting the right stakeholders at the table. In some instances, organizations are surprised at how much they already know and can bake into the calculations. For example, we’ve worked with energy firms that had already commissioned numerous loss engineering studies based on traditional perils such as earthquake, fire, or mechanical breakdown, each with fully developed impact estimates. All it took in this instance was confirmation from operational and cybersecurity leaders that a cyber event could produce many of the same outcomes, coupled with a technical discussion about the likelihood of such an event, to very efficiently compile enough data for the numerator in the equation.

Using the loss scenario approach also helps inform the numbers in the denominator, because the technical part of the discussion helps determine the organization’s capability to protect its operations from, detect signs of, and effectively respond to a particular scenario. For example, if we are working with a retailer and a scenario involving the theft of credit card information, we may start with the financial impact if the event occurs and then work backward to discuss where the information resides and how it is processed, and most critically, how each access point is or could be protected from known and conceivable threats. Here, it is useful to compare an organization’s current capabilities against any applicable standards or regulatory frameworks, ensure that appropriate threat intelligence for that particular area of risk is being used, and continually monitor the performance of the organization’s protective mechanisms in its own environment and the environment at large.

Benchmarking is also a critical and strongly recommended element of the capability factor. We recognize that many security leaders may be wary of supplying cyber program information for benchmarking purposes so as not to create additional vulnerabilities by giving away the proverbial keys to the back door, but resources that do so in an entirely de-identified manner can provide powerful comparative insight that is otherwise unavailable. From a security leader’s perspective, this information may actually be the most powerful, because it can provide justification for additional investment in controls and, in the worst-case event of a breach, exculpability.

This is an appropriate place to introduce the final detail and insight for the denominator and right side of the risk curve—the importance of insurance coverage and relevance of the insurance industry to deploying an enlightened cybersecurity strategy. One of the roles that the industry can serve, and will increasingly serve, is a resource for benchmarking intelligence via the underwriting and premium pricing process. This capability is candidly in its infancy for a few reasons: the scope of coverage is evolving and therefore the depth of information required to underwrite is not truly comprehensive, many insurers are happy to deploy a nonintrusive approach as a competitive lever, and correlation information is lacking in areas where claims or losses have not yet occurred. Despite this evolving capability, firms can find meaningful value in the process, because even an extraordinarily high premium or a denial of coverage does have informative value. Additionally, for areas in which cyber coverage is relatively more mature, top insurers do have enough data to provide a “risk engineering” benefit similar to other well-established areas of insured risk, and the industry is continually evolving to provide greater capabilities in this respect.

Another area of insurance industry relevance requires a more nuanced dive into coverage, but one that is important for its informative value and relevance to security investment decisions. Security leaders should familiarize themselves with their own firm’s insurance portfolio as well as industry trends relating to coverage availability and pricing. The exercise should not be limited to cyber insurance, because despite what many in the insurance industry would profess, there is currently no such thing as an all-encompassing, all-risk cyber insurance policy. Cyber insurance, as it is commonly known, covers many first-party financial losses and resultant financial liabilities from a cyber event, but not tangible losses such as property damage and bodily injury. Therefore, firms also must be attentive to property, casualty, environmental, terrorism, and any other type of insurance that could provide coverage for losses resulting from a cyber event.

What type of actionable insight does this provide? On one hand, simply knowing what cyber exposures the insurance industry is willing to cover can help security leaders make investment decisions. For example, the insurance industry currently does not offer much, if any, coverage for losses attributable to the theft of intellectual property such as trade secrets and R&D. Knowing this may prompt overweight investment into controls and protocols protecting trade secrets, whereas investment into other areas of risk where coverage is readily available can be more balanced.

Beyond the continually evolving risk engineering capabilities of the insurance industry and the insight provided by simply understanding the complete insurance landscape for cyber exposures, the biggest benefit provided by insurance is the aforementioned ability to meaningfully reduce the risk curve. Here too it is critically important to understand the entire insurance landscape, because firms that purchase a single cyber insurance policy may be disappointed in how it performs. This point is not intended as criticism of the insurance industry—the industry does offer coverage for the vast majority of the cyber exposure spectrum—it’s a point recognizing that comprehensive coverage for complex cyber events can involve multiple types of policies.

Ultimately, our hope is that this process and balanced approach provides a higher likelihood of minimizing cyber risk, especially in comparison to any of the legacy strategies deployed to date. If nothing else, it helps to more effectively minimize cyber risk through the effective deployment of insurance as a complementary control, but the process overall does produce defendable insight and a means by which security leaders can optimize investment while minimizing risk, thus allowing cybersecurity to start to evolve out of the dark ages.
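The risk calculus and the loss-scenario exercise described in this chapter can be worked through in a small model, which also makes visible why the risk curve flattens as capability grows and why insurance shifts the whole curve rather than moving along it. The Python below is an added example, not code from the chapter or from Axio Global; the three scenarios and their dollar values, the assumption that capability is bought linearly at a fixed cost per unit, and the policy terms (retention, limit, premium, and which scenarios it responds to) are all constructed for illustration.

```python
"""Worked model of the chapter's risk calculus, Risk = (Business Impact x Likelihood) / Capability,
evaluated over a set of organization-specific loss scenarios.
Added example. Scenario values, the linear cost of capability, and the policy terms are
constructed assumptions, not figures from the chapter."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Sequence


@dataclass(frozen=True)
class LossScenario:
    """One cyber loss scenario: the numerator inputs plus the current capability against it."""
    name: str
    impact: float        # business impact in dollars if the event occurs
    likelihood: float    # estimated annual probability of the event, 0 < p <= 1
    capability: float    # ability to detect, protect, respond, recover; assumed >= 1

    def risk(self) -> float:
        # The chapter's equation applied to a single scenario.
        return self.impact * self.likelihood / self.capability


@dataclass(frozen=True)
class Policy:
    """Simplified insurance policy (assumption): pays impact above the retention, up to the
    limit, but only for the scenarios it responds to (e.g. not first-party IP theft)."""
    retention: float
    limit: float
    premium: float
    covers: frozenset

    def payout(self, s: LossScenario) -> float:
        if s.name not in self.covers:
            return 0.0
        return max(0.0, min(s.impact - self.retention, self.limit))


def portfolio_risk(scenarios: Iterable[LossScenario], policies: Sequence[Policy] = ()) -> float:
    """Sum of scenario risks. Insurance acts on the numerator: it reduces the impact the firm
    actually bears, which is why it lowers the whole curve instead of moving along it."""
    total = 0.0
    for s in scenarios:
        residual_impact = s.impact - sum(p.payout(s) for p in policies)
        total += residual_impact * s.likelihood / s.capability
    return total


def capability_curve(s: LossScenario, levels: Sequence[float]) -> List[float]:
    """Risk of one scenario at each capability level (the curve in the chapter's Figure 1)."""
    return [replace(s, capability=c).risk() for c in levels]


def reduction_per_dollar_capability(s: LossScenario, dollars: float, cost_per_unit: float) -> float:
    """Risk removed per dollar if `dollars` buys capability for scenario s.
    Assumption: capability is bought linearly at `cost_per_unit` dollars per unit."""
    improved = replace(s, capability=s.capability + dollars / cost_per_unit)
    return (s.risk() - improved.risk()) / dollars


def reduction_per_dollar_insurance(scenarios: Sequence[LossScenario], policy: Policy) -> float:
    """Risk removed per premium dollar by adding `policy` to an otherwise uninsured portfolio."""
    saved = portfolio_risk(scenarios) - portfolio_risk(scenarios, [policy])
    return saved / policy.premium


def recommend_next_dollar(scenarios: Sequence[LossScenario], budget: float,
                          cost_per_unit: float, policy: Policy) -> Dict[str, object]:
    """Compare spending `budget` on the single best capability investment against spending
    it on the policy premium, and return whichever removes more risk per dollar."""
    best_name, best_rate = max(
        ((s.name, reduction_per_dollar_capability(s, budget, cost_per_unit)) for s in scenarios),
        key=lambda pair: pair[1])
    ins_rate = reduction_per_dollar_insurance(scenarios, policy)
    if ins_rate > best_rate and policy.premium <= budget:
        return {"option": "insurance", "rate": ins_rate}
    return {"option": "capability", "scenario": best_name, "rate": best_rate}


# Constructed sample scenarios mirroring the chapter's examples (retailer card-data theft,
# an industrial control system outage, trade-secret theft). Dollar values are illustrative.
SCENARIOS = (
    LossScenario("card_data_theft", impact=10_000_000, likelihood=0.10, capability=1.0),
    LossScenario("ics_outage", impact=50_000_000, likelihood=0.02, capability=4.0),
    LossScenario("trade_secret_theft", impact=20_000_000, likelihood=0.05, capability=2.0),
)

# A constructed cyber policy that, as the chapter notes, does not respond to first-party IP theft.
CYBER_POLICY = Policy(retention=500_000, limit=5_000_000, premium=200_000,
                      covers=frozenset({"card_data_theft"}))

if __name__ == "__main__":
    print("uninsured portfolio risk:", portfolio_risk(SCENARIOS))
    print("with cyber policy:", portfolio_risk(SCENARIOS, [CYBER_POLICY]))
    print("card-data risk as capability grows 1..4:", capability_curve(SCENARIOS[0], [1, 2, 3, 4]))
    print("next $200k:", recommend_next_dollar(SCENARIOS, 200_000, 1_000_000, CYBER_POLICY))
```

With these inputs the successive risk reductions along the capability curve shrink (500,000, then about 166,667, then about 83,333), while the policy removes 2.5 units of risk per premium dollar against 0.83 for the best capability purchase; the trade-secret scenario, being uninsurable, can only be addressed through capability.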
Lockton Companies Inc. – Ben Beeson, Senior Vice President, Cybersecurity Practice

Investment in cyber insurance

A number of high-profile corporate data breaches, mainly in the US retail sector over the last two years, have led rapidly to a major change in enterprise cybersecurity strategy. Many chief information security officers (CISOs) now view risk avoidance as extremely challenging, if not impossible, and a traditional approach that builds layered defenses around the network perimeter as increasingly insufficient. Accepting risk means adopting an approach that seeks to mitigate and build enterprise resilience. This approach now also must weigh the benefits of transferring residual severity risk from the balance sheet through cyber insurance. Here are 10 reasons to consider making the investment.

1. Advanced persistent threats (APTs)
Targeted attacks, known as APTs, have become increasingly difficult to detect, let alone stop. The emergence of the nation-state as an adversary leaves the majority of organizations vulnerable regardless of the resources committed to defense.

2. Governance and an enterprise-wide risk management strategy
The emergence of cybersecurity as a governance issue that must be addressed by the board of directors is redefining the role of cyber insurance as purely a financial instrument to transfer risk. Cybersecurity involves the entire enterprise, with numerous stakeholders, and is no longer only the domain of the IT department. Driving a culture of collaboration between these stakeholders is challenging for many organizations, but cyber insurance and, more importantly, the underwriting process can be the catalyst.

3. Increasing regulatory risk
Liability to boards of directors is expected to increase and give added weight to a focus on governance. SEC guidance published in 2011 highlights how regulators see cyber insurance as part of a strong enterprise risk
management strategy. Many in the legal community see the launch in February 2014 of a federal cybersecurity framework (known as the NIST framework) as creating a standard of care to be used by plaintiff attorneys to allege negligence or worse.

4. A financial incentive
Legislators are giving greater prominence to the role of cyber insurance. The failure to pass laws to drive stronger enterprise security has demonstrated the challenges in trying to enforce minimum standards. There is growing support for market-based incentives such as insurance that can reward strong cybersecurity through discounted premium or broader coverage. However, the insurance market for cyber risks is young, if not embryonic in some respects, and faces significant challenges if it is to continue to grow. Reversing the lack of actuarial data to model risk and an underwriting process that must change to meet ever-evolving threats sit at the top of the insurance industry’s priorities.

5. Vicarious risk to vendors and business associates
Adversaries are focusing increasingly on third parties that have access to sensitive information and other critical assets of the target enterprise. Professional service firms or cloud-based solution providers are examples of business associates whose security may be weaker than that of their client and consequently provide an easier back door for the attacker. Liability for a breach of personally identifiable information (PII) or protected health information (PHI) typically still rests with the enterprise data owner, even though the breach may have occurred on the vendor’s network. Cyber insurance addresses costs of responding to a breach and possible privacy regulatory action or civil litigation.

6. Insider threat
Attacks from the inside continue to be hard to prevent. Cyber insurance covers the employee as perpetrator as well as an attack by a third party. This will not extend to an act involving the board of directors or executive team.

7. Security is not about compliance
Treating security as a compliance exercise only will result in failure. For example, many organizations that are compliant with payment card industry data security standards have been breached.

8. Monetizing the cost of cybersecurity
One of the biggest challenges to the CISO is to quantify cybersecurity risk in dollar terms to the executive team. The premium charged by an insurance company can help solve this problem.

9. Merger and acquisition activity
The difficulty in evaluating the cybersecurity posture of any acquisition target leaves the acquirer vulnerable.

10. Operational technology
Industry sectors dependent on operational technology and industrial control systems are particularly vulnerable. Built primarily to be available 24/7 and to operate in isolation, these devices are increasingly being connected to the corporate information technology network and the Internet.

The cyber insurance marketplace today

It is estimated that more than 50 insurers, domiciled mainly in the U.S. and London insurance market, provide dedicated cyber products and solutions today. Buyers are concentrated overwhelmingly in the U.S., with little take-up to date internationally and low demand in the rest of the world. Annual premium spending at the end of 2014 was estimated to be in excess of $2 billion. Total capacity (the maximum amount of insurance available to any single buyer) is currently at about $300,000,000, although this is now contracting substantially in certain sectors such as retail and health care. Cyber insurance first emerged at the end of the 1990s, primarily seeking to address loss of revenue and data restoration costs from attacks on corporate networks. However, the underwriting process was seen as too intrusive and the cost prohibitively expensive. It was not until 2003, and the passage of the world’s first data breach notification law in California, that demand started to grow.

What does cyber insurance cover?

Insurers do not address all enterprise assets at risk. The majority of premium spent by buyers was intended to address increasing liability from handling personally identifiable information (PII) or protected health information (PHI) and the costs from either unauthorized disclosure (a data breach) or a violation of the data subject’s privacy. Insurable costs range from data breach response expenses such as notification, forensics, and credit monitoring to defense costs, civil fines, and damages from a privacy regulatory action or civil litigation. Insurers also continue to address certain first-party risks, including the impact on revenue from attacks on corporate networks, extortion demands, and the costs to restore compromised data.

Insurable assets include the following:

• PII and/or PHI of employees or consumers
  - Data breach response costs, to include the following: notification, credit monitoring, IT forensics, and public relations
  - Defense costs and civil fines from a privacy regulatory action
  - Defense costs and damages from civil litigation

• Corporate confidential information
  Addresses defense costs and damages incurred for a breach of third-party corporate confidential information. Certain insurers will extend to address misappropriation of a third party’s trade secret, but first-party loss of intellectual property remains uninsurable.

• Corporate information technology network
  Addresses the loss of income as a consequence of network downtime. Certain insurers will also extend coverage to downtime of vendors on whom a policyholder is reliant. This is commonly known as “contingent business interruption.”
  - Costs to restore compromised data
  - Reimbursement for costs associated with an extortion threat

• Operational technology
  A few insurers have begun to extend coverage for the information technology network to also include operational technology such as industrial control systems.

• Physical assets
  Cybersecurity is no longer just about risks to information assets. A cyberattack can now cause property damage that also could lead to financial loss from business interruption as well as liability from bodily injury or pollution, for example. Understanding where coverage lies in a corporate insurance policy portfolio is challenging and at times ambiguous. An assumption that coverage should rest within a property or terrorism policy may not be accurate. Exclusionary language has begun to emerge and is expected to accelerate across the marketplace as losses occur. Dedicated products also have started to appear.

• Reputation and brand
  Insuring reputational risk from some form of cyber event remains out of the scope of the majority of insurers. At the time of writing, the London market has begun to innovate to address the financial loss after adverse media publicity. However, capacity remains constrained at $100,000,000 at best.

What does cyber insurance not cover?

• Intellectual property assets
  Theft of one’s own corporate intellectual property (IP) still remains uninsurable today as insurers struggle to understand its intrinsic loss value once compromised. The increasing difficulty in simply detecting an attack and, unlike a breach of PII or PHI, the frequent lack of a legal obligation to disclose suggest that a solution is not in the immediate future.

Leveraging cyber insurance as a risk management tool

Since 2009 the marketplace has evolved to also provide services to help buyers manage risk. Focused mainly on post-event response, turnkey products have emerged which provide a panel of legal, forensics, and public relations specialists. Popular with smaller enterprises that lack the resources or relationships, this innovation has been a key component in increasing the relevance of cyber insurance and consequently its growth. Larger firms typically seek products based on breadth of coverage and the flexibility to use their own vendor network.

Services that help mitigate risk before an event occurs have started to emerge. Insurers likely will begin to incentivize buyers to adopt these services with rewards such as discounted premiums.

How do insurers underwrite cyber risks?

Historically, underwriters have sought to understand the controls that enterprises leverage around their people, processes, and technology. However, the majority of assessments are “static,” meaning a snapshot at a certain point in time through the completion of a written questionnaire, a phone call interview, or a presentation. A consensus is growing that this approach is increasingly redundant and that insurers will seek to partner with the security industry to use tools that can help predict and monitor the threat, adopting a more threat-intelligence-led capability as part of the underwriting process. In fact, this already has started to happen, as certain insurers have started to use technology to underwrite vendor and M&A activity risks.

How do insurers price risk?

Pricing cybersecurity risk remains a challenge. An insurance market that is only 15 years old has begun to build up a profile for frequency and severity of loss with regard to PII and PHI assets. However, the ever-evolving nature of the threat, particularly the emergence of APTs, undermines the reliability of these statistics. Pricing risk to physical assets is a bigger problem because this has begun to emerge only since 2010, and actuarial data are extremely thin on the ground.

Fundamentally, insurers continue to look for a strong security culture within the firm as a first step in risk triage. Additional factors such as industry, revenue size, and actual assets at risk also contribute to how risk is priced.

How to engage the insurance market

Once a decision has been made to explore a suitable solution, the first step is to choose a broker. The lack of consistency in policy language from one insurer to the next means that a broker with dedicated expertise is vital for a successful outcome. First-class brokers work with their clients to understand the assets at risk and how best to address them, either under the existing insurance program or through a new dedicated product. An existing Directors and Officers (D&O) policy form addressing management liability from a cyber event probably offers sufficient coverage. However, more often than not, liability to the enterprise requires a new dedicated product.

A broker should understand that insurers seek to understand the security culture of a firm and will work to position their clients as best as possible. For many larger organizations this does not involve completing a written questionnaire and staying divorced from the process. Rather, an investor-style presentation to the marketplace by key stakeholders in IT, legal, and risk management in particular, which involves questions and answers, ensures the best possible outcome. Top-tier underwriters appreciate that cybersecurity is not a tick-box exercise. They understand that the risk is dynamic and will not necessarily penalize a buyer today for shortcomings if a roadmap is spelled out as to how these shortcomings will be addressed in the next 12 months.

A broker must then negotiate competitive terms and conditions with competing insurers, with a final recommendation as to whom their client should choose.

10 key coverage items to negotiate:

1. Full prior acts coverage
Insurers try to limit coverage to acts from the first day that the policy begins, known as the retroactive date. However, in the context of the challenges in detecting an attack, buyers should seek to remove this exclusion and avoid the risk of a claim denial.

2. Restrict knowledge and notice of a circumstance to the executive team
Again, an insurer should not be allowed to impute liability to the whole enterprise because detection has proven to be such a challenge.

3. Security warranty
Remove any language that tries to warrant that security is maintained to the same level as represented in the underwriting submission. The dynamic nature of the risk leaves this too open to insurer interpretation in the event of a loss.

4. Operational technology
The majority of insurance policies provide coverage only to the corporate IT network. If relevant, ensure that language is broadened to also address operational technology such as industrial control systems.

5. Outside counsel
Choice of counsel must be agreed upon up front. In the event of a security breach, a dedicated legal expert must take the response lead, not least for attorney-client privilege. Negotiating with an insurer during the event would be counterproductive.

6. IT forensics
In a similar vein to choice of counsel, the preferred forensics firm must be agreed upon up front. Forensics are not inexpensive and can form a significant part of the overall cost.

7. Law enforcement
Law enforcement typically is involved in a major security breach. In fact, many times the FBI, the agency leading cybersecurity corporate defense, notifies the enterprise before it becomes aware of the breach. A claim should not be excluded by an insurer for failure to disclose as soon as practicable if law enforcement had advised nondisclosure during the investigation.

8. War and terrorism
Many insurance policies exclude acts of war and terrorism; this exclusion must be deleted, with the emergence of the nation-state adversary in particular.

9. Intentional act
Ensure that coverage addresses the employee or insider as perpetrator acting in isolation of the executive team.

10. Continuity of coverage
When renewing the insurance policy with the same insurer, avoid signing a warranty regarding a circumstance or claim.

Conclusion

Cyber insurance has a broader role to play than simply reimbursing costs associated with a loss. Fundamentally, engaging in an underwriting process that forces collaboration from stakeholders across the enterprise can drive stronger cybersecurity resilience. Increasing regulator and shareholder scrutiny means that the case for investment will continue to grow. In addition, insurers will start to provide premium- and coverage-based incentives for adopting best practices such as the NIST framework and leveraging preferred technology tools.
Cyber risk and workforce development

Cyber education: A job never finished
NYSE Governance Services – Adam Sodowick, President

Whether it stems from a lack of education, a sense of ambivalence, or, in some cases, malice, nearly all cyber vulnerabilities begin and end with some degree of human error. In today’s data-driven environment, companies must establish a culture of responsibility so that all levels of employees work together to maintain vigilant practices that mitigate cyber risk. Despite vast amounts of resources spent on countless firewalls, security systems, and algorithms to ferret out breaches, these complex efforts barely scratch the surface of the problem.

Overview
Cybercrime is one of the most prevalent economic crimes today according to PwC’s Global Economic Crime Survey. The damages continue to grow, with 24% of the more than 5,000 organizations represented in the 2014 PwC study reporting being a victim of cybercrime. A recent study by Verizon Enterprise Solutions points to another significant issue, noting that 66% of cybercrimes are not detected for at least six months.
The trajectory of costs continues to rise. According to the Ponemon Cost of Cybercrime 2014 report, cyberattacks cost the average U.S. company more than $12.7 million. With some companies experiencing more than $61 million in losses, this average is an increase of more than 9% from the prior year.
Attacking the problem means understanding the source. As one of the top five most reported crimes against businesses, cybercrime is not merely a technology problem anymore. “It is a strategy problem, a human problem, and a process problem,” according to the PwC report. The Online Trust Alliance’s (OTA) 2015 Data Protection & Breach Readiness Guide reports that employees caused 29% of data breaches between January and June of 2014, proving that internal weaknesses are a significant area of vulnerability for every organization. The OTA guide further reports that data leaks by employees who lost documents or used social engineering or fraud to access and leak information were caused by a lack of internal controls. Therefore, educating and cultivating true employee buy-in to a culture of responsibility is crucial to mitigating possible damaging breaches.

Types of insider threats
The genesis of insider threats is not always malicious; however, the malicious or politically driven acts tend to be the ones that make headlines. Media did not ignore instances such as Home Depot’s former security architect who sabotaged his previous employer’s computer network and the April 2015 case in which the Department of Justice indicted a Nuclear Regulatory Commission employee for attempting to deliver nuclear secrets to a foreign government via spear-phishing tactics.
Although not intentionally malicious, a related form of insider abuse stems from a sense of privilege, when someone abuses the trust he or she is given to safeguard sensitive and valuable data. The 2014 Verizon Enterprise Solutions report found that in 55% of cases involving insider incidents, the primary motivator was privilege abuse; the primary motivator in 40% of cases was financial gain.
A 2012 survey of global employees by Boston-based data storage and information management company Iron Mountain found that workers often develop a feeling of personal ownership when they are involved with the collection of data. The study found that in Europe, for example, many office workers are likely to take data with them when they switch jobs, which, for certain subgroups, such as millennials, happens with more frequency than with previous generations. The study found that of those who did steal company information, 51% exited with confidential customer databases, 46% with presentations, 21% with company proposals, 18% with strategic plans, and another 18% with product/service road maps—all of which represent highly sensitive, valuable assets.
A vast number of cases are actually a result of error, employee ineptitude, or apathy. These situations can cause severe holes in the system and are cases for organizations to change behavior so that employees become a defensive tool against cyber risk.
The computer manufacturer Dell Inc., for example, boasts a “culture of security” that is fostered by the following four fundamental principles: security awareness training, proper access management, mobile security, and securing and monitoring the organization’s networks, according to the company’s white paper, The Human Side of IT Security. Kevin Hanes, executive director, Security and Risk Consulting, Dell SecureWorks, describes how Dell’s information security unit works with other organizations to deal with cybersecurity issues. “My view is organizations need to keep in mind that the bad actors are going to typically follow a path of least resistance, and often that path is the people,” he notes. Dell’s approach to imparting a cyber-aware culture at an organization begins at the top and involves consistent communication at all levels to ensure employees understand why the vigilance, inconvenient though it may be, is necessary in all aspects of what they do.
Interestingly, not all employees view the threats in the same light. In a June 2015 global study commissioned by Dell SecureWorks and the Ponemon Institute, 56% of the IT security/IT staff surveyed consider ‘negligent insiders’ a serious threat, whereas only 37% of the IT security/IT corporate leaders surveyed considered such insiders a serious threat. This difference, the study’s authors note, points to a need to listen more carefully to those in the “security trenches who are dealing with these threats.”

Taking action
Once companies have better awareness of the root causes of insider threats, what steps can be taken? OTA recently reported that 90% of data breaches occurring in the first half of 2014 could have been prevented easily by adhering to commonly accepted best practices for data protection. For companies that are behind the curve, this means there is a lot of work to be done.
In addition to implementing stringent best practices and requiring employees to follow them, self-reporting is a key component. Each company should have a clear understanding about its reporting guidelines as well as what items or activities are suspicious.
Each organization’s management and culture are unique, but looking to what works at other companies can help in understanding and making recommendations on sound starting places that help to benchmark practices and measure success of respective cybersecurity defense and mitigation programs.

Case study perspectives
Taking a look at a few case studies often can help pull blue sky ideals down to earth. At Teradata, a leading data analytics provider, Chief Compliance Officer Todd Carver says cyber awareness is viewed as a funnel, with new information continually feeding into the top and recirculating in the form of ongoing education to keep employees aware of the latest developments. Carver says his company’s program spans from the board of directors to 11,000 employees in 43 countries. Protecting data and assets is one of the commitments in Teradata’s code of conduct, and if anything isn’t specifically covered in the training, or if employees come up with their own questions, Carver explains, there’s also an ethics helpline so that employees can ask questions, request guidance, or say, “I screwed up. What do I do now?”
Annual ethics and compliance education covers a host of issues at Teradata, including cyber-related modules for intellectual property, privacy, phishing, and mobile-device awareness. The company also has policies in place regarding keeping a clean computer, password practices, and email usage, to name a few. In addition, Teradata uses role-specific training. It’s all about getting employees truly engaged, Carver explains. “It’s important to explain why we have these rules.” Carver says his company has shared scenarios of attempted hacks to better help employees understand the need for the procedures.
Although Teradata works diligently to train employees and maintain awareness of cyber issues, Carver concedes the job is never finished. He continually takes the lessons learned and the new angles and feeds them back into the funnel, honing and sharpening the employee education program. Even with that level of attentiveness, Carver assumes his company will encounter a breach and is planning for that eventuality. He also feels it’s important to help employees understand what to do if they think they’ve made a cyber-related error and how to report any questionable or erroneous activity.
Carver suggests three tips for chief compliance officers who are working to implement a more robust cyber awareness program. First, begin with including everybody. “It’s all employees’ job to assure data protection,” he says. Second, it’s an issue for all companies across all sectors and needs to be prioritized no matter what the industry. Finally, remember that what makes an organization vulnerable is the human aspect. “You could do everything technology-wise, but could still be vulnerable because people are involved—employees, third-party vendors, customers, and the bad guys.”
At Dell, Hanes’ SecureWorks group handles security monitoring, consulting, and threat intelligence gathering for itself as well as its many clients. Although SecureWorks has the capacity to test “crazy amounts of malware samples” in a lab, according to Hanes, most companies can take steps on their own to mitigate risks from such activities as phishing and vishing (hacking attempts made via phone call). Creating, communicating, and monitoring protocols can go a long way toward keeping the human element in check, according to Hanes.
In his experience, Hanes says people generally have two mentalities: those who want to check a compliance box by doing annual training at their companies and those who want to transform employee behavior with programmatic changes. The former is much easier, but the latter has the potential to offer tangible results. Creating an organization with a cyber-aware culture requires an ongoing commitment, he explains, because even after years of training “check-the-box” employees, without a complete buy-in and understanding, there will still be those who click on a phishing email link.

Creating a cyber-aware culture
Proactive companies such as Teradata, Dell, and others understand that effective cyber awareness education can transform employees into a powerful force in the fight against cybercrime. Having a culture of awareness can help prevent breaches, keep data secure, and positively affect a company’s bottom line. In fact, there’s arguably no greater barrier to cyber risk than investing in and supporting the right employee culture.
Surprisingly, only 29% of companies surveyed by NYSE Governance Services and the Society of Corporate Compliance and Ethics train all their employees for cyber issues, despite the fact that cyber was chosen as one of the top three risk areas for employee education, according to the 2014 Compliance and Ethics Program Environment Report issued by the same two groups.
Companywide education often means elevating awareness for the board as well, especially because most board members say it’s a difficult area for them to wrap their arms around. In the 2014 RSA/EY survey with Corporate Board Member, 83% of directors said that a significant impediment to their oversight of IT/cyber risk was the fact that it was constantly changing. A 2015 Cybersecurity in the Boardroom report published by NYSE Governance Services and Veracode notes that IT security matters are discussed in most or every meeting by 81% of director respondents. In a separate NYSE Governance Services’ study with Spencer Stuart, the 2015 What Directors Think Survey, 63% of director respondents said they are only somewhat confident that their board is adequately overseeing cyber risk; nearly a quarter of respondents said they are not confident about their board’s oversight. In sum, there is clear indication that there is room for improvement at even the highest levels.
These findings build a strong case that board members, along with employees, would benefit from being included in the cyber awareness program at their organization to make better decisions and oversee cyber risk on an ongoing basis and help set the proper tone at the top. Roughly two thirds of companies appear committed to this idea. According to Ethisphere’s 2015 World’s Most Ethical Companies data set, 66% of respondents had offered their board formal training on information security/cybersecurity within the last two years.

Conclusion
There is no substitute for a sound, well-understood culture of responsibility and awareness with regard to cybersecurity, a pervasive risk that begins and ends with the human element. The bottom line is that unhappy and/or untrained employees can be a company’s biggest threat, whereas a motivated, well-educated workforce can be its biggest defense. Proofpoint, a Sunnyvale, California, security service provider, warns that cyber criminals are continually adjusting to companies’ employee education, so the cat-and-mouse game is never finished and constant vigilance is required. Although the margin for human error will never be eradicated, with proper awareness education and follow through, companies can leverage their greatest asset to alleviate vulnerabilities and strengthen cybersecurity resistance.
Collaboration and communication between technical and nontechnical staff, business lines and executives
Wells Fargo & Company – Rich Baich, CISO

“You can have brilliant ideas, but if you can’t get them across, your ideas won’t get you anywhere.”
Lee Iacocca

Delivering results is a key metric of success for any leader. Exceeding revenue goals, meeting hiring and retention goals, or ensuring operational budget goals are well known and understood results. These goals are clear, easily measurable, and, most importantly, all individuals understand their role in achieving these results. These goals often are established with limited collaboration and a single communication to the appropriate leaders, with minimal tolerance associated with not achieving the goals. The language used when establishing these goals and publishing the results transcends technical and nontechnical executives. This information must be understood and actionable; regardless of the executives’ background, having this information available allows them to make an informed decision. Leaders need the right information, at the right time, to collaborate, communicate, and ultimately make the best decision. Information enables the executive to use a decision process or framework of reasoning to help rationalize the data and choose the best course of action. As the topic of cybersecurity rapidly moves to the top of every C-level executive’s agenda, cyber leaders must embrace the importance of collaboration and communication while building bridges to ensure decisions are understood and actionable.

Establish a cyber risk decision framework
We live in a time of acute and persistent threats to our national security, our economy, and our global communities. The number of reported cyber incidents continues to grow. The threat of a cyber catastrophic event continues to lurk in the distance. New cyber vulnerabilities are reported each day and the frequency of zero-day threats is increasing. New victims make the headlines weekly. As a result, cyber leaders continue to be asked if their organizations are spending enough to address cyberthreats. To answer this question, cyber leadership must have the facts to establish a decision framework to guide them. Having a firewall, purchasing the latest technologies, growing the number of cyber professionals, and having information security policies do not adequately provide all the information needed to answer this question. Knowing what data to collect, demonstrating the ability to get the data in a timely fashion, operationalizing the data, and ensuring the data get to the right decision maker can provide an actionable framework. The following are a few examples of what information is needed to enable a framework:
• What risks will be mitigated if these additional funds are provided?
• Specific cyberthreats are known, monitored, and integrated into the risk prioritization decision process.
• Vulnerabilities are identified, prioritized, remediated, and validated in a timely manner.
• Critical assets are well known, accountability is clear, and responsibility to ensure those assets meet defined protection criteria is met.
• The likelihood of a specific exploit, attack, or significant occurrence is understood and utilized in the cyber risk prioritization framework.
Having trustworthy data is the foundation to all cybersecurity decision frameworks. It is important to have a framework to help support the fundamental changes required to enhance cyber practices and enable communication.

Scenario: Cyber risk decision framework
Today, the media announces a new zero-day exploit that has been identified. Business executives want to know:
• What do they need to do to respond to the exploit?
• How vulnerable are their products and solutions to this exploit?
• Is there any potential for business impact to customers or suppliers?
• Do they need to contact their third parties to see if they are secure?
• Will this affect their ability to service their own third-party relationships?
Using the following framework formula to explain an approach could be helpful:
Risk = Vulnerability × Threat × Asset Value × Probability of Occurrence
Having the trustworthy data readily available can allow cyber executives to quickly and confidently communicate throughout the organization and the third parties. For example, a quick query of the asset inventory indicates there are 50 instances of this exploit in the current infrastructure and five within the third-party ecosystem. Of those 50 internal instances, only three are external facing, and the remaining 47 are internal to the network. All the third-party instances are internal to the partner’s network. The vendor associated with the zero-day exploit has provided a patch and recommended immediate application of the patch. The internal cyberthreat team has reviewed the external intelligence, and there are already indications of potential miscreants scanning for the newly identified vulnerabilities. Additional intelligence and analysis suggest exploit code is already being crafted to take advantage of this new exploit. If successful, the exploit can be used to deliver malicious code throughout the organization, providing kinetic and nonkinetic damage to an organization. Armed with this information, cyber leadership can quickly move to gain consensus, communicate recommendations, and influence the mitigation activities required to address the threat.

Defining your stakeholders
Trustworthy data are a key foundation to establishing cybersecurity credibility. Performance of executives, regardless of whether they work in a line of business, in corporate staff, or in technology, is often measured by results. Achieving results in cybersecurity requires others taking action. Effective leaders can motivate groups of like-minded people to come together and rally behind a cause to achieve a goal. Finding those individuals in the organization is critical to success. Identifying individuals who will become stakeholders in the cybersecurity journey provides the support needed to drive change. The following is a list of potential stakeholders to consider:
• chief executive officer (CEO)
• chief financial officer (CFO)
• chief auditor
• chief administration officer (CAO)
• chief communication officer (CCO)
• chief risk officer (CRO)
• member(s) of the board of directors
• chief information officer (CIO)
• line of business leader
• audit committee
• chief technology officer (CTO)
• line of business leaders, CIO, CTO, risk leaders
In addition to individual stakeholders, establishing a cybersecurity steering committee with cross-organizational representation can provide an additional platform for collaboration and communication. The purpose of the committee should be to promote cybersecurity awareness, provide a forum in which cybersecurity topics can be discussed, and to solicit cyber feedback to help evolve cyber practices and mature over time. In addition, the committee will seek to identify cybersecurity topics that may affect the broader applicable industry and the emerging trends that may affect the organization. The cybersecurity committee could:
1. review cybersecurity strategic direction and planned initiatives
2. discuss major milestones for cybersecurity initiatives that are in the process of being deployed
3. assess business impact of material cybersecurity program changes
4. discuss lessons learned and situations in which program adjustment is prudent
5. identify potential areas of conflict and/or resource constraints between the cybersecurity program and business priorities
6. discuss impacts from and/or to the larger applicable industry.
Stakeholders want the facts and reassurance that the information being reported is trustworthy and actionable. Risk management is everyone’s responsibility, and individuals take great pride when helping reduce risk. Proactively removing risk before the risk evolves into a negative consequence is a significant measurement for success. Providing a stakeholder with the data that clearly demonstrate a risk was remediated before it was significant will win the trust of most individuals.

Scenario: Defining stakeholders
You have been asked by a line of business leader to provide information regarding a third party before a contract is signed. Due diligence is done for third parties before any contracts are signed; that is a leading industry practice. However, what if you and your cybersecurity team were able to provide cyber intelligence that suggests the potential third-party partner is on a top-five easiest-to-hack organization list being posted in credible underground forums? Having information without being able to make it actionable often results in a very heavy paperweight being created. In this scenario, having the cyber intelligence to provide to the stakeholders helped provide transparency into cyber risks that can produce measured results. Maintaining a results-oriented mentality coupled with the right stakeholder group can help enable a cyber support culture.

Delivering the message
Effective communication, especially during a time of change, requires frequent touchpoints. Having a communicator or a communication team specifically aligned with the cybersecurity team can provide immense benefits. There is a delicate balance associated with the frequency and content that is communicated to stakeholders. The fundamental goal is to tell the cybersecurity story throughout the organization through clear, concise, targeted communications through the most effective dissemination channels. Some will want more frequent communications, whereas others will desire less communication. Some will prefer “pull” communications and others will want the information pushed to them. Cultural appetite, tone from the top, and organizational commitment help drive the various required communication delivery techniques to ensure stakeholders are aware. Some examples include the following:
• publish monthly newsletters to various stakeholders
• create a robust intranet presence with tools and communications
• celebrate success stories of collaborative achievements
• provide platforms for cyber champion recognition
• track, measure, and report the effectiveness of the communications through a cyber communication dashboard
Having a venue into the corporate communications team provides cybersecurity the opportunity to align, influence, and enable the influx of cybersecurity into normal business communications. It is critical that the corporate crisis communication team be part of the cybersecurity incident response team because of the potential reputational impact associated with a significant cyber incident. During a time of crisis, concise and timely communications to key stakeholders and customers can often be the difference between an incident being managed and an incident being exaggerated.
Tactically positioning the cybersecurity story within the organization through effective education and awareness while addressing the latest trends in cybersecurity can help build collaboration by demonstrating how individuals can partner with cybersecurity to address customer needs. Regardless of the industry, customers want to know their information is safe and the organization that has their data has a clear plan to achieve that goal. Adding cybersecurity reminders in existing individual customer communications begins to demonstrate that commitment to the customer. It takes a long time to earn trust, but it only takes a second to lose it.
This also holds true for internal stakeholders. Often the information and measurement of results reported by the cybersecurity team may not be perceived as positive news. For example, the cybersecurity team may implement new technology that provides enhanced visibility into the health and hygiene of various technology assets. If these assets have never had this improved visibility, it is possible that the results may provide awareness of critical vulnerabilities or weakness associated with the platform. Consequently, when reporting these results, others may take offense to these perceived negative results. However, this is a great opportunity to educate leadership by explaining that it is far better to find these opportunities internally rather than be told about these vulnerability gaps by a law enforcement representative. Don’t pass up the opportunity to build a champion; one champion can quickly lead to two, which, in turn, can often grow to thousands.

Conclusion
During times of conflict it is proven that those countries that have aligned themselves with the right allies have prevailed and overcome grave challenges. These are challenging times; cyberthreats are real and present significant risks for most organizations. Communicating these risks to technical and nontechnical executives can often be a daunting task that requires additional background and context to successfully communicate the message. Executives are results driven and appreciate other executives who are proactive when dealing with risks. The ability to provide trustworthy data and a cyber decision support framework enables cyber executives to translate a new language to other executives. These actions can positively enhance cybersecurity’s internal reputation by strengthening trust and credibility across the organization. Taking the time to include, educate, and collaborate with stakeholders can build alliances. Having the right information is powerful, and those stakeholders who get accurate, timely, and meaningful data will have the opportunity to lead change.
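The zero-day scenario in the cyber risk decision framework section of the chapter above (50 internal instances, three of them external facing, and five at a partner) can be produced by one repeatable inventory query that also applies the chapter's formula to rank what to patch first. The following is an added example, not the chapter's or Wells Fargo's own tooling; the asset records, the 1 to 5 scales, the threat level and the exposure weights are constructed for illustration.

```python
"""Added example: run the chapter's decision framework
Risk = Vulnerability x Threat x Asset Value x Probability of Occurrence
over an asset inventory, so the counts executives ask for and a
patch-priority order come from one query.  All records, scales and
weights below are constructed for illustration, not real data."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # "internal" or "third-party"
    exposure: str         # "external" (internet facing) or "internal"
    vulnerable: bool      # inventory says the affected product is installed
    asset_value: int      # 1 (low) .. 5 (crown jewel), assigned by the business
    patched: bool = False


# Threat level for the scenario: intelligence shows active scanning and
# exploit code being crafted, so threat is high on a constructed 1..5 scale.
THREAT = 4

# Probability of occurrence driven by exposure (constructed weights).
PROBABILITY = {"external": 0.9, "internal": 0.3}


def risk_score(a: Asset) -> float:
    """Risk = Vulnerability x Threat x Asset Value x Probability.
    Vulnerability is 1 while the affected product is installed and unpatched."""
    vulnerability = 1 if (a.vulnerable and not a.patched) else 0
    return vulnerability * THREAT * a.asset_value * PROBABILITY[a.exposure]


def summarize(inventory: List[Asset]) -> Dict[str, int]:
    """The counts the executives asked for: how many instances, how many
    are external facing, and how many sit inside third parties."""
    at_risk = [a for a in inventory if a.vulnerable and not a.patched]
    internal = [a for a in at_risk if a.owner == "internal"]
    return {
        "internal_total": len(internal),
        "internal_external_facing": sum(a.exposure == "external" for a in internal),
        "internal_only": sum(a.exposure == "internal" for a in internal),
        "third_party": sum(a.owner == "third-party" for a in at_risk),
    }


def patch_order(inventory: List[Asset]) -> List[str]:
    """Assets still carrying risk, highest score first (ties by name):
    the recommended order in which to apply the vendor patch."""
    scored = [(risk_score(a), a.name) for a in inventory if risk_score(a) > 0]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


def build_sample_inventory() -> List[Asset]:
    """Constructed inventory reproducing the scenario's numbers: 50 internal
    instances (3 external facing, 47 internal) and 5 inside a partner."""
    inv = [Asset("web-%02d" % i, "internal", "external", True, 5) for i in range(3)]
    inv += [Asset("app-%02d" % i, "internal", "internal", True, 2 + i % 3) for i in range(47)]
    inv += [Asset("partner-%02d" % i, "third-party", "internal", True, 3) for i in range(5)]
    inv.append(Asset("hr-portal", "internal", "external", False, 5))  # not affected
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(summarize(inventory))
    print(patch_order(inventory)[:5])
```

The three external-facing servers rank first regardless of the much larger internal population, which is the point the formula makes to a nontechnical audience.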
Cybersecurity readiness through workforce development
Booz Allen Hamilton – Lori Zukin, Principal; Jamie Lopez, Senior Associate; Erin Weiss Kaya, Lead Associate; and Andrew Smallwood, Lead Associate

The demand for skilled cybersecurity professionals currently outweighs the supply. The growing sophistication of cyber adversaries, coupled with our increasingly networked enterprises, means that demand will only continue to grow. To compound this issue, traditional information technology (IT) roles are increasingly insufficient to address enterprise-wide cybersecurity risks. A broader skillset, including communication, change management, and leadership, is required in order to respond quickly and collaboratively to evolving cyber threats.
In light of these challenges, it is clear that a new approach to workforce planning and development is necessary. Yet what would that entail? This chapter covers five recommendations to improve your cybersecurity workforce, including: (1) rethink your approach to cybersecurity, (2) develop alternative talent management strategies, (3) empower your cybersecurity leadership, (4) connect your organization, and (5) invest in your cyber human capital.

Redefine cyber operations in your organization
Cyber operations are integral to every business function—a fundamental part of business management in which understanding your cyberthreat is key to your bottom line. Coupled with that is a recognition that the IT function and the cyber operations function are not one and the same. IT is an infrastructure enabler, whereas cyber operations are an organization-wide risk issue. A major cyber breach—one that involves sensitive corporate or customer data—poses more than a technical problem or a business continuity challenge. A major incident can create a multidimensional crisis that affects nearly all aspects of the company’s business, as well as its customers, regulators, and other external stakeholders.
In addition, the talent management challenges for cyber operations are much more complex because there is a major crisis to backfill cyber talent. Even once your organization recruits top cyber professionals, there is no guarantee you will retain them. As such, it is not enough for cybersecurity to be relegated to a subset of people, as with the IT function. Every employee in your organization faces cyberthreats, and talent management for IT and cyber operations should not be combined. By shifting this mindset and developing strategies that reflect these realities, your ability to develop an effective workforce will immediately improve.

Develop alternative talent management strategies
Most cybersecurity professionals are personified by their love for cutting-edge technology, casual work environments, and creative mindsets. These unique tendencies help them excel under the constantly changing cyber environment but differentiate them from the rest of your company in a number of ways—fundamentally, their atypical characteristics of (1) work environment, (2) work preferences, and (3) nontraditional career paths.
Recruiting, developing, and retaining this unique workforce requires alternative talent management strategies—strategies that are often connected to but distinct from those applied across the rest of your company.

Develop an appealing work environment
Not every business has a culture of prevalent ping-pong tables, free food, and a dress code involving flip-flops and jeans. However, there are environmental factors that companies must account for in attracting—and keeping—the necessary talent for accomplishing cyber work.
The nature of cyber work means that it is often executed in an environment that differs from that of its parent organization. Think of your cybersecurity practice as the fast moving, quickly adapting branch of your organization. Businesses that consider environmental factors for their cyber workforce are better prepared to adapt to changing threats.
Global business trends have shown successful cyber practices have five key traits: they are agile, multifunctional, dynamic, flexible, and informal.
Agile: Cyber work requires agility. Employees act like chameleons, shifting quickly and decisively to change course as threats warrant, and as a unit the capability is alert to new circumstances.
Multifunctional: Cybersecurity is a team sport. A strong cyber practice is built of teams with diverse knowledge sets who can execute a variety of activities at once. Your employees do not have to be good multitaskers, but your overall capability does.
Inquisitive: Cyber professionals embrace learning and they will be curious; they will want to solve problems regardless of how hard it is to find the solution. Because threat actors across the globe are offering an array of new threats to consider, your cybersecurity work practice will change based on evolving information. By taking on new endeavors, your capability will be ready to solve new problems.
Flexible: Cyberthreats move fast. With constantly changing work requirements, your practice must be enabled to adapt to new areas of focus. Your cyber organization must be infused with a strategy that allows for employees to expand or change their roles to increase your capability’s flexibility.
Informal: Cybersecurity professionals thrive in a nontraditional environment. Your recruits and team members will likely look for unconventional working hours and shifting duties. Creating this type of environment for your cybersecurity professionals allows your cyber organization to adjust quickly to tackle any challenge. Your cybersecurity practice may have different work locations, matrixed reporting lines, around-the-clock shifts, and a more relaxed dress code than the

of difficulty, and present opportunities to work with emerging technologies.

Create nontraditional career paths
Placing two cybersecurity resumes side by side can sometimes feel like you are comparing an apple to an orange. Cyber professionals have a variety of experiences, only some with an educational background in cyber and many with certifications to designate proficiency. Although it would be nice if cyber professionals could be ‘cyber warriors,’ or experts in all areas of cyber operations, your cybersecurity professionals’ diverse backgrounds more likely match the diversity of the cybersecurity field.
Booz Allen has found that instead of ‘cyber warriors,’ it is much more likely that your organization’s cyber workforce will be composed of three types with many subsets in each: senior leadership, specialized experts, and generalist staff. Instead of imposing linear career paths on these cyber
types, our work has shown that cybersecu-
rity professionals work better under a ‘build-
your-own’ career path option.
Senior leadership cyber professionals are
a rare breed of combined expertise and lead-
ership who can manage teams and opera-
tions. With specialized experts, their deep
know-how within a specifc group of cyber-
security capabilities often makes them the
center of the talent war. Your generalist staff
are early in their cyber careers or have cho-
sen a broad role, making them equally high
in demand but commonly part of a larger
supply pool.
For most of your company, established
career paths diagram career progression
options through linear lines of technical expe-
rience or managerial ranks. However, attract-
ing and retaining cyber professionals requires
alternative pathways that refect the diversity
of positions within the feld. For cybersecurity
professionals, try providing a nonlinear
career path—one that can be horizontal, verti-
cal, and diagonal. Show cybersecurity profes-
sionals a set of attributes that describe how to
progress using their experience, unconven-
tional education, and industry certifcation.
majority of your workforce. The budget pro-
cess for your cyber organization may be
centered around technological investments
or on a different timeline to meet shifting
threats. Given the work requirements, it is
especially important that your cyber envi-
ronment has leaders who not only share a
competitive nature and passion for technolo-
gy but also have success operating in dynam-
ic, multifunctional environments.
Understand work preferences
Like the work environment, your cybersecu-
rity professionals also have unique work
traits. These traits, or work preferences, make
them the perfect candidates to tackle the
daily challenges from threat actors around
the globe but also can separate them from the
rest of your organization. Recognizing these
work preferences, for your capability as a
whole as well as on an individual level, is
critical to developing your cyber talent man-
agement strategies.
If your cybersecurity professional had a
social media profle, it may look like this:
Lover and early adopter of new technologies,
as a cybersecurity professional my passion
for technology fuels my curiosity to solve
complex problems. I am a systems thinker
with confdence in my ability to put things
together and learn new techniques while
using my competitive nature to fuel my
work as well as engage in offce competitions.
As a natural problem solver and abstract
thinker, I tend to look ‘outside the box’ and
evaluate challenges from many different
angles and perspectives before acting.
As one method, try offering applicants an
on-the-spot challenge while testing their
ability to solve problems using senario-
based challenges. Capitalize on your
employees’ problem solving skills by allow-
ing them to be a part of strategy, offense, and
defense and by fostering a culture that
encourages every level of employee to sug-
gest solutions. Reward your employees for
forward thinking, provide them with con-
stantly changing tasks with different levels
? 310
CYBER RISK AND WORKFORCE DEVELOPMENT
Once relegated to the IT department,
cybersecurity is now part of a company’s
core strategic planning and investment port-
folio. That said, many CISOs currently don’t
have the appropriate skill set to deal with all
the overall strategic implications of a major
cyber breach. Although CISOs likely have
the technical expertise required to fx the
problem or at least manage it, they may not
be prepared for the magnitude of other mul-
tidimensional challenges that surface during
the crisis. In addition to technical know-how,
CISOs have to be able to think on their feet,
nimbly and calmly handling the internal and
external nontechnical issues that may arise.
? Connect your organization
The cyber-ready organization is a connected
one. Ineffective collaboration between lines
of business and the cyber function limits
data sharing and effective change. However,
before you can foster true collaboration
between your lines of business, you must
have appropriate cyber channels weaved
throughout your organizational structure.
Your organization needs effective processes
in place to manage cyber-related communi-
cations and policies. This ‘interconnected-
ness’ comes to life when your central cyber
unit is feeding information to key business
leaders and those business leaders are imple-
menting change throughout their lines of
business and communicating information
back to the core cyber unit. The cybersecurity
function deserves to be placed at the center
of your organization, to inform all of your
business units.
Cybersecurity should be viewed as a cen-
tral business function that informs other
business units. See Figure 1.
You also will need strong leaders at the
helm of each business unit who are bilin-
gual in business and cyber operations.
Cybersecurity is the new education leaders
have to undergo to lead your organization
effectively. In connecting the channels
across your organization, all leaders must
be on the same page, communicating the
same message, implementing the same
security measures, with the same vigor.
This provides your cyber professionals with
fexibility to put the pieces together using
defne career progression opportunities and
opens up your ability to recruit talent who
want to grow with your organization.
? Give CISOs a ‘seat at the table’
Although progress is being made in profes-
sionalizing and institutionalizing cybersecu-
rity as a feld, much remains to be done. In
fact, less than half of Fortune 100 companies
have a CISO. Organizations still struggle to
build, recruit, and retain a cybersecurity
workforce. There is no ‘one-size-fts-all’ for
placement of the CISO within your organiza-
tion. It depends on the industry, the type of
organization, and what the organization is
protecting. In some organizations, the CISO
may report to the CIO. In others, with a dif-
ferent architecture, mission statement, and
set of complex challenges, the CISO may
report to the chief risk offcer, or even directly
to the COO or CEO.
No matter where the CISO sits in your
organization, you need to give the CISO ‘a
seat at the table’ during regular operations,
for example, when discussing risk analysis,
proft reductions, performance indicators,
and other strategies in your organization’s
balanced scorecard. Elevating the level of
your CISO during normal operations helps
nurture leadership, management, and non-
technical skills—skills that are critical during
a cyber crisis. Further, by making the CISO a
member of the C-suite leadership team,
you will be able to raise the level of cyber
awareness—and coordinated response—
across your entire organization.
The CISO’s role within the organization
abruptly shifts to hands-on, crisis mode in a
cyber breach. The CISO’s foremost responsi-
bility is to quickly address the crisis from a
technical perspective. The CISO should be
fully immersed in directing the cyber
response, working with the computer inci-
dent response team or security operations
experts to remediate and minimize damage,
while delegating or outsourcing other roles/
issues such as policy implications, legal, and
public relations.
CYBERSECURITY READINESS THROUGH WORKFORCE DEVELOPMENT
SecurityRoundtable.org 311 ?
An effective way to improve the long-
term security of your company is by
investing in your cyber leaders and cyber
workforce. Investments in technology and
processes go unrealized unless your organ-
ization has strong cyber leaders along with
a capable workforce to defend your net-
works and improve your security.
Successful organizations will invest in
their workforce, give their CISO a seat at
the table, and foster integrated lines of
communication for the sharing of cyber-
related information.
? Finally, invest in cyber human capital
Most leaders in today’s business world agree
cybersecurity is important. However, when
the meeting is over, will they truly buy in
and embrace cybersecurity as a key priority
for their divisions? This is the tough ques-
tion CEOs, CIOs, and CSOs encounter. An
organizational cybersecurity plan can only
be as strong as the weakest commitment
from any key leader. It doesn’t matter how
strong your security posture is for individual
departments; if one division is vulnerable,
your entire organization is at risk.
Finance
Marketing
Cyber
Function
Operations
Human
Resources
Supply Chain
Technology
FIGURE
Cybersecurity as a central business function
313 ?
Korn Ferry – Jamey Cummings, Senior Client Partner; Joe Griesedieck, Vice Chairman and Co-Leader, Board and CEO Services; and Aileen Alexander, Senior Client Partner

Building a cyber-savvy board

Given the growing magnitude and frequency of cybersecurity breaches, which have the potential to shake major corporations to their core, cybersecurity has become an issue of enterprise-wide importance. These incidents have become commonplace events, and organizations that are targets may suffer lost or stolen intellectual property, damage or destruction of critical data or infrastructure, disruptions to critical operations, and loss of confidence among customers, investors, and employees. The longer-term damage to value and reputation is incalculable.

Startling statistics

PwC's Global State of Information Security Survey 2015 of more than 9,700 security, IT, and business executives found that the total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013. That is the equivalent of 117,339 incoming attacks per day, every day. The Identity Theft Resource Center reported a record high of 738 U.S. data breaches, a 28% year-over-year increase.

If you're thinking you can build a modern-day "moat" to keep the bad guys out, consider that the 2014 U.S. State of Cybercrime Survey, co-sponsored by PwC, CSO magazine, the CERT Division of the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service, found that almost one-third of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. In a virtual ecosystem that increasingly includes the Internet of Things (IoT), traditional firewalls do not ensure protection, as employees come and go each day with connected devices, such as smartphones and computers, which may wittingly or unwittingly introduce threats that can threaten the survival of the organization.
This greatly expanded cyberattack surface and the resulting breaches add up to a huge price tag. The annual cost of cybercrime to the global economy is estimated to be between $375 billion and $575 billion, according to a June 2014 study by the Center for Strategic and International Studies; Gartner Inc. estimates that total worldwide spending on information security will grow 8.2 percent in 2015 to reach $76.9 billion.

If that's not a wake-up call, we don't know what is. But the challenge remains: translating awareness into an action plan. Although CEOs and boards are alert to the issue and the devastating, long-lasting effects of security breaches, there is surprisingly little knowledge of recommended practices to best position organizations defensively and enable quick and effective response when the inevitable occurs. Let's be blunt: there is no foolproof way of preventing security breaches, but a systematic, proven approach can make the difference between the survival and the demise of an enterprise.

Alignment at the top

Cybersecurity is an insidious threat, all the more so because breaches, including the most disastrous ones, often are not detected until the damage is done. One cybersecurity firm recently estimated that close to three quarters of security breaches go undetected. No board or management team can afford to become complacent. If you haven't yet fallen victim, you may have been smart, but most likely lucky. You should assume it's just a matter of time, and that perhaps there already has been a breach that has gone undetected, so plan accordingly.

In a relatively short time cybersecurity has gone from something that was compartmentalized and handled by the IT department to something that is regularly on the agenda at board meetings. At the same time "major threats" have been redefined, from identifying a Trojan horse and upgrading anti-virus software to threats that strike at the very heart of organizations and are capable of taking them down. The view and importance of cybersecurity has shifted from something of marginal interest to the board to a high priority that resides within the board's risk management framework.

This is a new role for CEOs and directors, many of whom feel unequipped to deal with it because cybersecurity does not remotely relate to traditional areas of director expertise. Armed with a tested protocol to combat cyberthreats and the right resources, however, every board should be able to implement a preparedness and response plan that will give the board and management team, as well as investors, the reassurance that the company is as well positioned as reasonably possible to confront these ever-evolving challenges.

In practical, operational terms, what does all this mean for the C-suite and the board, and how can they get started on overseeing the many-headed beast that is cybersecurity? For one thing, it starts with ensuring everyone on the board is speaking the same language when it comes to cyberthreats. Because directors are generally business people, the common language should be the language of business.

The right questions

According to Melissa Hathaway, private sector cybersecurity expert and former cybersecurity "czar" under Presidents George W. Bush and Barack Obama, "Until cybersecurity is reflected in balance sheet terms, it's never going to be fully embraced by the board." She emphasizes that once cybersecurity has been identified as a critical risk, it must be managed with the same rigor and processes applied to other risks and remain visible on directors' dashboards with key, comprehensible metrics. "Tech speak," or any jargon that obfuscates the issues for directors, has no place in the boardroom.

The reality of boardrooms, however, is that the scale of the business impact is often obscured or lost in translation. Unless directors can cut through the technical jargon in what are often massive amounts of information they receive, the size of the risk and the steps to
mitigate it may not be clear. Companies depend on a functioning Internet, which was never invented with security in mind, and on all that is linked to it. Therefore, related risks and costs must be made known to the board so that the cost of potential breaches can be calculated in capital and operational terms, rather than remaining hidden.

Among the questions directors should be asking regularly to ensure alignment as a team and a firm grasp on cybersecurity, says Hathaway, are the following:

• Is cyber risk accounted for in our overall corporate planning process? The board must be assured that cyber risk is an element of a broader risk framework and that exposures are recognized and planned for.
• What is the process for evaluating security and measuring liabilities? Boards should know not only what controls are in place but also how they are evaluated.
• Do we have directors with relevant expertise? Although boards may not require general technology expertise, it may be advisable to have one or more directors who understand IT and its associated risks, or have a security background.
• Have we identified executive ownership of the issue? The CEO should have controls in place that indicate how cybersecurity is being managed and the true costs to the business, which should be part of an internal and external audit.
• What will we do in the event of a breach? If and when a problem arises, a process should be in place for communicating effectively, internally and externally, and dealing with attendant costs.

Overseeing cyber risk

Boards are increasingly adding directors with cybersecurity backgrounds and, more generally, security expertise, but boards should not assume that they need to add a director with this specialized background. Much depends on company specifics and the industry in which it operates, so each board should decide on a case-by-case basis. Shortfalls in board experience often can be made up by retaining the appropriate additional expertise to advise on an as-needed basis; however, we are starting to see more demand for this specific sort of talent on boards.

Sometimes, as noted above, the board's most important role lies in asking the right questions, which may require business smarts and good old-fashioned common sense but not necessarily technical cybersecurity expertise.

As overseer-in-chief of the CEO and the business, the board has a responsibility for managing the company's risk portfolio, of which cybersecurity is now a key component. Proper oversight entails remaining at a high, supervisory level, not getting dragged down into the management weeds, and boards can properly perform their fiduciary duties by focusing on a few main areas.

The board must be reassured by the CEO that the most capable people are in the critical positions, and this extends to the leadership and team managing cybersecurity. With so much at stake, this is not a place to cut corners.

Directors should be kept abreast of the main cybersecurity risks, as well as the remediation process and timeline for effectively dealing with them. Certainly no one expects directors to be technology wizards, but they should be inquiring about the safeguards the company has in place to guard against intrusion and be satisfied by management that protection, along with response and recovery capabilities, is adequate. In addition, they will want to be informed about education for everyone throughout the organization, to ensure awareness of threats, and about a step-by-step response plan to follow in the event of a breach.

The board at the nexus

Cybersecurity has expanded well beyond the confines of IT and emerged as a concern at the highest enterprise level, primarily because of the devastating potential effects
on shareholder value, market share, reputation, and long-term survival. Cybersecurity is an issue that crosses all organizational silos and boundaries top to bottom, encompassing people, culture, and risk management, and it must bridge security, technology, privacy, and compliance. Cybersecurity is, therefore, taking its rightful place on the short list of the board's crucial responsibilities, which now include protecting a company's assets, particularly digital ones, as part of an organization's overall risk portfolio.

In fact, managing cyber risk doesn't differ significantly from managing more traditional forms of risk and must be managed in a similar way, remaining visible on directors' dashboards so that it is tracked and addressed regularly.

Those boards that do not have a cybersecurity expert as a member of their team should not assume they need a director with this experience, but they should seriously evaluate that potential need based on their situation and needs. Some boards have determined that they do require this expertise on their audit committee, where risk oversight generally lives, on a special cybersecurity subcommittee, or on a dedicated cybersecurity committee. While some boards have recruited this expertise, many have not and may not, accessing what they require to keep them informed and able to make key decisions either from internal technology experts or from external consultants to the board. These solutions are varied and tailored and continue to evolve.

CEOs and those who serve as directors on their boards are generally a smart group of people, and they don't have to be subject matter experts to provide oversight for the few crucial areas, including strategy formulation, succession planning, and risk management, in which they exercise their fiduciary duties. Cybersecurity is yet another form of risk, but it is a dynamic, still-emerging form that is new to most directors. We are likely years away from the point where boards as a whole consider managing cyber risk familiar terrain, so additional resources can always be made available should directors need bolstering in this area.

In fact, directors owe it not only to their shareholders but also to themselves to ensure a comprehensive approach to monitoring cybersecurity and to develop a proactive approach to tackling it. With cybersecurity in the spotlight, where it is likely to remain, directors could also face personal risks, because D&O insurance may not be sufficient if boards don't take what are deemed appropriate actions. Boards should consider adding cyber insurance as part of a comprehensive approach to enterprise risk management if they are to continue to recruit the best directors. According to a recent post on the Harvard Law School Forum on Corporate Governance and Financial Regulation, "no company in the U.S. should forego buying cyber insurance to protect against the real, ever-present risk of a major cyber-attack and the massive costs associated with such a breach."

A framework to meet the cybersecurity challenge

Perhaps most important in properly meeting the cybersecurity challenge, ensuring preparedness and a ready response to any breaches, directors need a framework in which to operate, one that can be tailored to the needs of their organization. A deep dive into each area will link to additional responsibilities and timeframes, most of which will be the responsibility of management.

The baseline for board involvement in overseeing cybersecurity should comprise the following six components:

1. Security strategy. The board must ensure that the company has a strategic vision and a tactical road map that proactively protect assets and keep pace with escalating threats and evolving regulatory requirements.
2. Policy and budget review. Company security policies, and the roles and responsibilities of all relevant leadership, should be evaluated, along with data
security and privacy budgets to ensure they are adequately funded.
3. Security leadership. The board must confirm that the organization has the credible leadership and talent to develop, communicate, and implement an enterprise-wide plan to manage cyber risk.
4. Incident response plan. The board should oversee the development of a comprehensive incident response plan that is widely understood, rehearsed, and stress tested.
5. Ongoing assessment. The board should periodically review a thorough assessment of the organization's information security capabilities, targeting internal vulnerabilities and external threats.
6. Internal education. The board should ensure that the company implements a strong communication and education program to create an environment in which all employees embrace responsibility for cybersecurity.

A cybersecurity strategy

Organizations must have a cybersecurity strategy, lest they simply be engaged in a game of whack-a-mole, reacting to one threat after another rather than having a comprehensive game plan. That is not to say that cyberthreats and breaches can be eliminated; clearly they cannot. But the resulting damage can be greatly minimized with significant planning and a quick response protocol.

In part, effectively managing cybersecurity starts at the top with the board recognizing what it must manage and how that will be done, including the additional resources it may require. While the board may have ultimate responsibility for the war on cyberthreats, everyone, at every level of the organization, must understand his or her role on the front lines of this ongoing war, because threats can come from anywhere.

Moreover, in an increasingly robust regulatory environment with cybersecurity high on the SEC's agenda, adherence to best practices with a well-designed plan approved and monitored by the board should prove far preferable to regulations imposed from the outside. Given the current direction, in the near future it is likely that publicly owned companies will be required to disclose more information about their cybersecurity vulnerabilities, including data breaches.

Ultimately, boards should work with senior management to build a cybersecurity-aware culture if they are to truly protect their companies from this relatively new, continually morphing, and potentially devastating form of risk.
Egon Zehnder – Kal Bittianda, Selena Loh LaCroix,
and Chris Patrick
Evaluating and attracting your next
CISO: More sophisticated approaches
for a more sophisticated role
The role of the chief information security offcer (CISO)
has changed dramatically in the last decade. No longer
merely a digital sheriff called on to protect the frm’s
data valuables, the CISO is expected to act as a full
strategic partner with the rest of the C-suite. The
upgrading of the role is a natural response to the exten-
sive technological, societal, economic, and geopolitical
developments over the same time period. For many
organizations, information—whether customer records,
intellectual property, or strategic planning—is now their
most valuable asset. As those assets have become more
valuable, they have also become less secure because of
the increase in the number and the sophistication of
attackers, as well as the vulnerabilities inherent in an
increasingly networked society.
The bottom line is that, although the CISO rarely reports
directly to the chief executive offcer, he or she must have
the qualities expected at the CEO-1 level. Organizations
endeavoring to fll the CISO role must ensure that their
recruitment strategies and candidate evaluation processes
keep pace with these greater expectations, lest those organ-
izations increase their risk of unmet security goals, shorter
CISO tenures, and the associated costs. This is in addition
to the diffculty of maintaining a consistent security culture
in the shadow of frequently changing information-security
leaders.
? Taking a holistic view of CISO candidates
Our observation at Egon Zehnder has been that when
looking for their next CISO, organizations can beneft by
taking a broader view of the required qualities and capa-
bilities. Effective candidate evaluation can be achieved
by dividing a candidate’s career into its past, present,
and future components and evaluating each element
? 320
CYBER RISK AND WORKFORCE DEVELOPMENT
to get the right things done. Audits are
responded to in a timely fashion, the
board of directors is clear on the impact
of information security investments, and
core data assets are well protected.
2. Strategic orientation: As mentioned
earlier, the CISO must be a strategically
oriented partner with critical thinking
skills. He or she must process disparate
information and generate valuable
insight regarding external issues such
as shifts in threats and countermeasures
and internal matters such as business
implications of information security
policies and protocols.
3. Transformational leadership: Regardless
of the context into which the new CISO
is taking the helm—after a major breach,
under the glare of heightened board
scrutiny, or with an acquisition that must
be integrated—he or she will need to
transform systems to address current
challenges, creating a vision others buy
into and moving the organization forward
while keeping day-to-day operations
running smoothly.
4. Relationship management: The CISO
must be able to lead in a matrixed
environment, working diplomatically
with a range of constituencies with
different perspectives on information
security, including the board, the CEO,
the CFO, the COO, and general counsel.
In addition to managing internal
relationships, the CISO must also
leverage external networks that include
peers at other organizations, Internet
service providers, third-party security
solution vendors, and law enforcement
and intelligence agencies. The CISO must
have the gravitas and infuence necessary
to communicate effectively with each of
these internal and external groups in a
range of conditions, from off-site strategy
sessions to emergency response.
5. Team leadership: Most organizations
focus all their attention on flling the
CISO position, leaving relatively little
energy for establishing a pipeline of
internal talent. This is understandable but
with the appropriate perspective. A consoli-
dation of the three elements provides a
holistic view of the CISO candidate that
corresponds with the multi-faceted nature
of the role today.
The past: What has the candidate done?
A candidate’s credentials, work history,
and track record have always been a cen-
tral part of the evaluation process, and for
good reason. This component includes
examining the types of organizations in
which the candidate has worked, their size
and complexity, and which markets they
served, and then seeing what the candi-
date accomplished in each role, what
transformations the candidate has led, and
the security record of the organizations
under the candidate’s watch. These fnd-
ings provide the raw material, basic facts,
and context for measuring the ft between
the candidate and role. Although the CISO
role has grown signifcantly beyond its
technical roots, the technical expertise
indicated by work history are essential
“table stakes” for a candidate to warrant
further consideration.
The present: What can the candidate do?
Until about a decade or so ago, exploring a
candidate’s work history generally consti-
tuted the bulk of the assessment process.
Then the realization emerged that what a
candidate had done so far is a mere subset of
what a candidate could do, because one’s
work experience can never be so broad as to
capture everything of which someone is
capable. Looking at competencies is a way of
taking an inventory of an executive’s full
leadership toolbox.
The key is to evaluate for the right com-
petencies given the demands of the posi-
tion. In our experience, five competencies
are particularly important when evaluating
CISO candidates. They are listed here in
order from the most common to the most
elusive:
1. Results orientation: The successful
candidate must be able to move quickly
EVALUATING AND ATTRACTING YOUR NEXT CISO: MORE SOPHISTICATED APPROACHES FOR A MORE SOPHISTICATED ROLE
competency-based evaluation in the same
way that examining competencies provides
much more depth than merely looking at
work history. None of these elements are
sufficient on their own for identifying
how a given candidate will respond to the
unfolding challenges of the CISO role, but
in combination they produce a vivid, and
in our experience, highly accurate, por-
trait and predictor. These added dimen-
sions are particularly important because
of how much the CISO role has changed in
the last several years. Few CISOs have
established track records acting as the sort
of strategic leaders—rather than technical
managers—that the role requires today.
The attributes of potential add another
element to help identify who is likely to
successfully navigate this leap.
But the above framework is only that—
the quality of its output depends on the
quality of the input. Without a concerted
effort, reliable input can be difficult to
obtain in CISO evaluations because of the
tendency of the data-security function to move
quickly from crisis to crisis, leaving little
concrete evidence of who did what when.
The key to obtaining the needed level of
detail is in-depth interviews with multiple
informed references. Doing so requires
the ability to tap an extensive professional
network.
Because of the number of factors being
weighed, it is important to not merely collect
observations for each quality being exam-
ined but to place the candidate on a scale
based on average performance in the indus-
try. Some organizations also complement
candidate and reference interviews with psy-
chometric testing to provide another layer of
objective input for the evaluation process.
Positioning the role
The market for top-tier CISOs is now highly
competitive. Information security has
become a high-profile corporate concern,
and the bar has been raised on the pool of
qualified candidates. By one estimate there
were 2,700 CISO job openings in the United
States in June 2015. So even if organizations
shortsighted. Identifying and developing
internal information security leadership
talent is critical to the long-term success
of the function and should be considered
part of the CISO’s role.
The future: How will the candidate adapt to change
and unforeseen developments?
Looking at competencies provides a more
complete view of a candidate’s abilities than
examining just professional history. But
competency-based assessment has its own
limitations in that it assumes the future will
be more or less like the past or present. It
does not measure a person’s ability to
respond to fundamental changes such as
those brought about by the current waves of
digital transformation. Someone who looks
highly qualified on paper and presents well
thus can fall short of expectations as condi-
tions become highly complex and ambigu-
ous. Also, looking at only experience and
competencies means the organization risks
overlooking candidates who may seem
underprepared today but with sufficient
support would be best suited for the future.
In Egon Zehnder’s examination of the
assessments of thousands of senior execu-
tives, we discovered that those who flourished
in the face of volatility, complexity, uncertain-
ty, and ambiguity shared four traits, which
collectively we call potential. The four ele-
ments of potential are the following:
1. Curiosity: A penchant for seeking out
new experiences, knowledge, and candid
feedback, as well as an openness to
learning and change
2. Insight: The ability to gather and make
sense of information to suggest previously
unseen opportunities and threats
3. Engagement: A knack for using emotion
and logic for communicating a persuasive
vision and connecting with people
4. Determination: The resilience to fight for
difficult goals despite challenges and to
bounce back from adversity.
The elements of potential add an extra
dimension to what is learned from a
CYBER RISK AND WORKFORCE DEVELOPMENT
3. “What key performance indicators will I
be measured against?” Given that every
large organization must assume that it is
continually under cyberattack, it follows
that security breaches are a matter of
not “if” but “when.” Therefore, it is not
realistic for a company to hold its CISO to
a “one strike and you’re out” performance
benchmark. The conversation about
expectations is just as important as the
ones about resources, reporting lines, and
compensation.
4. “Where will I be in five years?” Those
who lead the information security function
are like other functional leaders in their
range of career ambitions. For some, the
opportunity to lead the function at a quality
organization is the goal; others, however,
are looking ahead to a CIO role or even a
broader role in organizational leadership. It
is important to understand each candidate’s
desires against what the organization can
offer. Remember that the CISO’s reporting
relationship will be one factor that frames
this issue in his or her mind.
Long gone are the days when an argument
had to be made regarding the strategic
importance of information security. In most
organizations, the CISO role now has the
weight and sophistication its responsibilities
require. Organizations can assess the state of
their CISO recruitment and assessment strat-
egies by asking themselves the following
four questions:
1. Have we identified the CISO’s full range
of strategic responsibilities and the
competencies needed to be successful?
2. Do we have a consistent methodology
for evaluating a candidate against those
responsibilities?
3. Have we reviewed the CISO reporting
relationship against the information
security context of the organization
to ensure that the CISO is adequately
empowered to accomplish the
organization’s information security
goals?
are able to effectively evaluate candidates
against current and future requirements,
they must also be prepared from the start to
actively sell the opportunity to an audience
that is naturally skeptical.
In our experience, every CISO candidate
asks four overarching questions when evalu-
ating an opportunity:
1. “Who is my sponsor and how much
influence does he or she have?” This
is likely to be the first question on the
CISO candidate’s mind, and he or she is
thinking about this issue in at least two
specifc ways. First, although the CISO is
likely to have some interaction with the
board and C-suite, there will still be many
conversations that affect the information
security function to which the CISO
will not be privy. As a result, the CISO
will have to rely on his or her supervisor
to act as an effective intermediary in
advocating for resources and policy
initiatives and in educating the board
and CEO on information security issues
as they unfold. Second, when the CISO
needs to take an unpopular position to
strengthen an organization’s information
security profile, he or she has to know
there will be support in high places.
2. “How deep is the organization’s
commitment to information security?”
This is more than a question of staff
and budget allocation, although those
elements are certainly important. The
CISO wants to know that the C-suite and
the board appreciate the complexity and
uncertainty at the core of the information
security function and the need for making
everyone in the organization, top to
bottom, responsible for security. For the
CISO to be successful, he or she must be
empowered to act and be armed with
the necessary resources to deploy both in
times of normalcy and crisis. Although
the CISO expects organizations to have
high standards, he or she will avoid
enterprises that reflexively cycle through
security teams.
adjustments to ensure they have the
approach and tools to identify and attract
the information security talent that can per-
form at the level the position now requires.
4. Do we have an adequate professional
development program in place to support
the CISO and his or her team to help them
meet the standards demanded by the
function’s heightened importance?
From the answers to these questions, organi-
zations can then begin to make the necessary
Electronic version of this guide and additional content available at: SecurityRoundtable.org
Contributor Profiles
responsible for Product, Market Strategy,
and Marketing.
Prior to NYSE Governance Services,
Mr. Sodowick founded True Office in 2010
to solve a long-standing problem: the tedi-
um and high cost of regulatory compliance
training. Recognizing that humans are
hardwired to learn via stories and play,
True Office creates data-rich desktop and
mobile compliance apps that help compa-
nies identify risk, save money, and educate
employees on complex and risk-sensitive
business issues in a fun way.
Since its launch, True Office has experi-
enced a steep growth trajectory and has been
adopted as the compliance training solution
of choice for many Fortune 500 companies.
True Office has won multiple awards across
the GRC, Technology, and Innovation seg-
ments and has been featured prominently in
many media outlets, including the BBC, the
Wall Street Journal, Forbes, Fortune’s annual
500 Issue, and more.
Initially backed by Morgan Stanley
Strategic Investments, The Partnership for
New York City Fund and Rho Ventures, True
Office was acquired by Intercontinental
Exchange, parent company of the New York
Stock Exchange in October 2014.
Prior to founding True Office, Mr. Sodowick
was the co-founder and CEO of 50 Lessons.
During this time, Mr. Sodowick pioneered the
creation of the award-winning ‘50 Lessons
Digital Business Library.’
Today, 50 Lessons is widely recognized as
the world’s pre-eminent collection of multi-
media business insights from global busi-
ness leaders. These assets are housed in a
digital library and sold via various channels
to more than 350 corporate customers and
academic institutions globally.
Mr. Sodowick envisioned and led the
publishing initiative behind the best-selling
Lessons Learned: Straight Talk From The World’s
Top Business Leaders, a set of 24 books pub-
lished by Harvard Business School Press.
Initially backed by the BBC, 50 Lessons was
acquired by Skillsoft in 2011.
New York Stock Exchange
11 Wall Street
New York, New York 10005
Tel +1 212 748 4000
Web www.nyse.com
TOM FARLEY
President, NYSE Group
Tom Farley is President of the NYSE Group,
which includes the New York Stock Exchange
and a diverse range of equity and equity
options exchanges, all wholly owned sub-
sidiaries of Intercontinental Exchange
(NYSE/ICE). Mr. Farley joined the NYSE
when ICE acquired NYSE Euronext in 2013,
serving as Chief Operating Officer. He held
previous roles at ICE, including SVP of
Financial Markets and President and COO of
ICE Futures U.S., formerly the New York
Board of Trade.
Prior to joining ICE, Mr. Farley was
President of SunGard Kiodex, a risk man-
agement technology provider to the deriva-
tives markets. He has also held various
positions in investment banking at
Montgomery Securities and in private
equity at Gryphon Investors. Mr. Farley
holds a BA degree in Political Science from
Georgetown University and is a Chartered
Financial Analyst.
NYSE GOVERNANCE SERVICES
55 East 52nd St, 40th Floor
New York, New York 10005
Tel +1 212 323 8500
ADAM SODOWICK
President, NYSE Governance Services
Email [email protected]
Adam Sodowick is currently President of
NYSE Governance Services after serving as
Chief Operating Officer, where he was
Palo Alto Networks Inc.
4401 Great America Parkway
Santa Clara, California 95054
Tel +1 408 753 4000
Web www.paloaltonetworks.com
MARK D. MCLAUGHLIN
Chairman, President, and CEO
Mark D. McLaughlin joined as president and
CEO of Palo Alto Networks in August of
2011 and became Chairman of the Board in
2012. Previously Mr. McLaughlin served as
President and CEO of Verisign. Prior to
Verisign, he was the Vice President of Sales
and Business Development for Signio and
was instrumental in driving the acquisition
of Signio by Verisign in 1999. Before joining
Signio, he was the Vice President of Business
Development for Gemplus, the world’s lead-
ing smart-card company. Previous to
Gemplus, he also served as General Counsel
of Caere Corporation and practiced law as
an attorney with Cooley Godward Kronish
LLP. In 2014 President Obama appointed Mr.
McLaughlin as the Chairman of the National
Security Telecommunications Advisory
Committee (NSTAC). He received his JD,
magna cum laude, from Seattle University
School of Law and his BS degree from the
U.S. Military Academy at West Point.
Intercontinental Exchange
5660 New Northside Drive NW
3rd Floor
Atlanta, Georgia 30328
Tel +1 770 857 4700
Web www.intercontinentalexchange.com
JERRY PERULLO
Chief Information Security Officer
Email [email protected]
Jerry Perullo has led the Information
Security program at Intercontinental
Exchange, Inc. (NYSE:ICE) since 2001. As
Chief Information Security Officer, he is
responsible for the security of ICE’s
heavily regulated exchanges and clearing-
houses, including the New York Stock
Exchange.
Mr. Perullo is an active participant in the
Financial Services Sector Coordinating
Council (FSSCC) and Financial Services
Information Sharing and Analysis Center
(FS-ISAC), where he serves as Chair of the
Clearinghouse and Exchange Forum
(CHEF). He also co-founded the Global
Exchange Cyber Security (GLEX) working
group under the World Federation of
Exchanges and serves on several industry
and customer advisory boards within the
cybersecurity industry.
Prior to ICE, Mr. Perullo was a Principal
Consultant at Digital Consulting and
Software Services providing information
security testing and consulting services to
the health-care, energy, and data service
industries and built an Internet Service
Provider in the mid 1990s.
Mr. Perullo studied Computer Engineering
at Clemson University and earned a BS
degree in Legal Studies from the University
of Maryland and an MBA from Georgia State
University.
awarded the Risk and Insurance Magazine
“Power Broker” distinction and was named
to Business Insurance Magazine’s inaugural
“Top 40 under 40” brokerage honor roll
and 2014 Rising Star by Reactions magazine.
Mr. Kannry received a BS and BA from Case
Western Reserve University, a JD from the
Northwestern School of Law, and his MBA
from the Kellogg School of Management.
DAVID W. WHITE
Co-Founder and Chief Knowledge Officer
Email [email protected]
David W. White is a founder and Chief
Knowledge Officer at Axio Global. Axio is a
cyber risk-engineering firm that helps organi-
zations implement more comprehensive
cyber risk management based on an approach
that harmonizes cybersecurity technology/
controls and cyber risk transfer. Mr. White
works directly with Axio clients and is
responsible for the frameworks and methods
that guide Axio’s services, including cyberse-
curity program evaluation and benchmark-
ing, cyber loss scenario development and
analysis, insurance program analysis, and
data analytics.
Previously, Mr. White worked in the
CERT Program at Carnegie Mellon’s
Software Engineering Institute, a cyberse-
curity research program primarily funded
by the U.S. Department of Defense and the
U.S. Department of Homeland Security.
While there, he was responsible for techni-
cal leadership and research strategy for a
portfolio of cybersecurity and resilience
maturity models and frameworks and
associated research, diagnostic methods,
and training.
Mr. White served as chief architect for the
Electricity Subsector Cybersecurity Capability
Maturity Model (ES-C2M2) and served on the
review team for the oil-and-natural-gas ver-
sion (ONG-C2M2) and industry-agnostic
version (C2M2). Mr. White co-authored the
CERT Resilience Management Model (CERT-
RMM) and served as the chief architect for the
Smart Grid Maturity Model (SGMM).
DAVIS Y. HAKE
Director of Cybersecurity Strategy
As Director of Cybersecurity Strategy,
Davis Y. Hake is responsible for building
and sharing the company’s strategy for
cybersecurity thought leadership and deliv-
ering valuable information, insights, and
instructional tools on all things related to
cyberthreats and today’s security landscape.
Prior to joining Palo Alto Networks in 2015,
Mr. Hake was a leader in U.S. government
cybersecurity serving in the White House, at
senior levels in the Department of Homeland
Security, and as a policy expert for the U.S.
Congress. Mr. Hake also drafted some of
the first comprehensive cybersecurity legis-
lation, for which he received a Federal 100
Award for leadership in the IT community.
He is a graduate of the University of
California–Davis, where he studied interna-
tional relations and economics and received
a Masters degree in Strategic Security Studies
from the National Defense University.
Axio Global, LLC
77 Water Street, 8th Floor
New York, New York 10005
Tel +1 708 420 8611
Web www.axioglobal.com
SCOTT KANNRY
Chief Executive Officer
Email [email protected]
Scott Kannry is the Chief Executive Officer of
Axio Global. Mr. Kannry’s entire career has
been in the commercial insurance industry
with a focus on cyber and previously spent
10 years in the Financial Services Group at
Aon. He works with clients in all industries
but specializes in those with evolving cyber
risks, such as energy, utility, transportation,
and manufacturing. Mr. Kannry has been
governance advice. He routinely counsels
companies victimized by cybercriminals
to investigate the underlying incident,
coordinate with law enforcement, and
manage consumer-related civil litigation
and regulatory investigations. Mr. Woods
has significant experience handling gov-
ernment investigations and business
crimes, privacy litigation, class actions,
information governance, and electronic
discovery matters. He regularly oversees
and advises on the intersection between
data protection issues and data collection
issues associated with internal investiga-
tions and litigations.
NADIA BANNO
Counsel, Dispute Resolution
Nadia Banno joined Baker & McKenzie’s
Dispute Resolution department in London as
Of Counsel in September 2014. She previously
held the position of Head of Litigation at the
BBC, where she regularly advised the
Executive Board and senior management on a
wide range of high-value, high-profile dis-
putes and investigations. Ms. Banno advises
clients in the areas of regulatory and public
law, defamation and media law, data protec-
tion, freedom of information, and commercial
disputes. She also advises clients on the legal
aspects of crisis and reputation management,
including handling internal investigations
and appearing before Parliamentary Select
Committees.
BRANDON H. GRAVES
Associate
Email [email protected]
Brandon H. Graves is a member of Baker &
McKenzie’s global cybersecurity practice
and is located in Washington, DC. He
has extensive experience in conducting
investigations and advising clients before,
during, and after cybersecurity incidents. He
represents clients in a variety of industries
Baker & McKenzie
815 Connecticut Avenue, NW
Washington, DC 20006
Tel +1 202 452 7000
Web www.bakermckenzie.com
DAVID C. LASHWAY
Partner
Email [email protected]
David C. Lashway leads Baker & McKenzie’s
global cybersecurity practice and is located
in Washington, DC. He focuses his practice in
the areas of crisis management, internal
investigations, and complex criminal, civil
and administrative litigation and has significant
experience advising clients with respect
to various aspects of cybersecurity-related
matters. Mr. Lashway is a sought-after law-
yer who advises the Fortune 100 on the full
lifecycle of enterprise risks associated with
information security, including before, dur-
ing, and after a network breach, as well as
federal regulatory and criminal matters. He
regularly conducts global investigations
around the theft or compromise of confidential
data and is repeatedly called upon to liti-
gate post-data breach issues. His clients
include investment banks, publicly traded
and private companies, trade associations,
and individual managers, and his matters
span the globe.
JOHN W. WOODS, JR.
Partner
Email [email protected]
John W. Woods is a partner in Baker &
McKenzie’s Washington, DC, office. He
co-leads the cybersecurity practice. His
practice in the cybersecurity area focuses on
internal investigations, data security com-
pliance, privacy litigation, and information
Chambers USA and was one of only three
attorneys named an MVP by Law360 for
Privacy & Consumer Protection in 2013.
CRAIG A. HOFFMAN
Partner
Email [email protected]
Craig A. Hoffman provides proactive coun-
sel on the complex regulatory issues that
arise from data collection and use, including
customer communications, data analytics,
emerging payments, cross border transfers,
and security incident response prepared-
ness. He uses his experience as a litigator
and works with hundreds of companies who
have faced security incidents to help clients
develop a practical approach to meet their
business goals in a way that minimizes regu-
latory risk. Mr. Hoffman conducts incident
response workshops—built upon applicable
notification laws and guidelines, “good” and
“bad” examples from other incidents, and a
tabletop exercise—to prepare companies
to respond to security incidents quickly,
efficiently, and in a manner that complies
with applicable law while mitigating risk
and preserving customer relationships.
Mr. Hoffman also serves as the editor of
BakerHostetler’s Data Privacy Monitor blog,
providing commentary on developments in
data privacy, security, social media, and
behavioral advertising.
F. PAUL PITTMAN
Associate
Email [email protected]
F. Paul Pittman provides guidance to clients
in responding to data security incidents and
data breaches, ensuring that they meet their
response and notification obligations under
state and federal data privacy laws.
Mr. Pittman also advises clients on data pri-
vacy and security issues that may arise in
their business and assists them with the
development of data privacy notices and
on incident response matters and related
disputes. Mr. Graves was formerly a
law clerk for Judge J. L. Edmondson of the
United States Court of Appeals for the
Eleventh Circuit. Before graduating from
the University of Virginia School of Law,
he was an infantry officer in the
25th Infantry Division with service in
Iraq. He holds a BS degree in Computer
Science from the United States Military
Academy at West Point.
BakerHostetler
45 Rockefeller Plaza
New York, New York 10111-0100
Tel +1 212 589 4200
Web www.bakerlaw.com
THEODORE J. KOBUS
Partner and Co-Leader, Privacy and Data
Protection
Email [email protected]
Theodore J. Kobus is national leader of the
BakerHostetler’s Privacy and Data Protection
team. Mr. Kobus focuses his practice in the
area of privacy and data security. He advises
clients, trade groups, and organizations
regarding data security and privacy risks,
including compliance, developing breach
response strategies, defense of regulatory
actions, and defense of class action litigation.
Mr. Kobus counsels clients involved in
breaches implicating domestic and interna-
tional laws, as well as other regulations
and requirements. Having led more than
800 data breach responses, Mr. Kobus has
respected relationships with regulators
involved in privacy concerns as well as deep
experience to help clients confront privacy
issues during the compliance risk manage-
ment stages. He is invested in his client rela-
tionships and approaches engagements
practically and thoughtfully. He is ranked in
(COE) with more than 3000 staff members,
and he built a large Technology Consulting
and Integration Business focused on the
U.S. government.
Before joining Booz Allen, Mr. Stewart
worked for a major electronics firm, where he
developed communications security and key
management devices. He also served as a
Signal Officer, Battalion Commander, Brigade/
Battalion S-3, and Company Commander in
the U.S. Army.
He holds a BS degree in Engineering from
Widener University and an MS degree in
Electrical Engineering from Drexel University.
JASON ESCARAVAGE
Vice President
Email [email protected]
Jason Escaravage is a leader in the Strategic
Innovation Group for Booz Allen Hamilton.
With a focus on Digital Services and Solutions,
he drives the integration of Global Threat
solutions for the firm’s Predictive Intelligence
division. He is an expert in the systems devel-
opment lifecycle, software solution design
and development, and intelligence support to
real-world mission operations.
Mr. Escaravage is recognized for leading
large-scale, complex information technology
(IT) and analytical support programs support-
ing government and commercial clients and in
multiple focus areas, including conventional
operations, counter-terrorism, anti-money
laundering, and cyberthreat analysis. He has
led teams of global/cyberthreat intelligence
analysts in support of U.S. government and
commercial customers focused on collecting,
processing, and fusing data to create action-
able intelligence. He holds a degree in Military
History and Computer Science from Rutgers
University and is a certified Project
Management Professional (PMP).
SEDAR LABARRE
Vice President
Email [email protected]
Sedar LaBarre is a Vice President with Booz
Allen Hamilton, where he leads the firm’s
policies to ensure compliance with applica-
ble laws and industry standards. In addition,
he counsels clients on the permissible collec-
tion of data and usage in online advertising
in compliance with online and mobile data
standards. Mr. Pittman also offers his clients
extensive experience defending against com-
plex class action and state attorney general
litigation.
Booz Allen Hamilton
8283 Greensboro Drive
Hamilton Building
McLean, Virginia 22102
Tel +1 703 902 5000
Web www.boozallen.com
WILLIAM (BILL) STEWART
Executive Vice President
Email [email protected]
William (Bill) Stewart currently leads the
Commercial Cyber Business for Booz Allen
Hamilton. In this role he leads teams that
develop strategies and implement solutions
for the most complex issues facing Private
Sector Organizations. He has more than
25 years of professional experience building
consulting and systems integration businesses.
Mr. Stewart is responsible for providing
services that appropriately balance risk and
resource expenditure. Current clients include
C-suite executives as well as senior govern-
ment officials. Mr. Stewart has extensive
experience envisioning, designing, and
deploying solutions that enhance business
performance. He helps clients create cutting
edge strategies that optimize and secure
critical business systems.
Mr. Stewart and his team help clients
develop state-of-the-art cyber solutions,
including Threat Intelligence, Advanced
Adversary Hunt, Incident Response, Insider
Threat, and Identity and Access Control.
Mr. Stewart also led Booz Allen Hamilton’s
Cyber Technology Center of Excellence
instrumental in developing Booz Allen’s
CyberSim tool, an immersive training and
assessment tool used to select, train, and
place cyber professionals.
Ms. Zukin holds a Doctorate degree in
Organizational Psychology from George
Mason University and a Master’s degree in
Organizational Psychology from Columbia
University. She also holds a certificate in
leadership coaching from Georgetown
University. She is a certified executive coach
through the International Coaching
Federation. Ms. Zukin is on the faculty at
Georgetown University’s Institute for
Transformational Leadership and served as
a coach for the inaugural class of the
Presidential Leadership Scholars Program
created by former Presidents George W. Bush
and Bill Clinton.
DENIS COSGROVE
Senior Associate
Email [email protected]
Denis Cosgrove is a leader in Booz Allen
Hamilton’s Commercial High-Tech
Manufacturing business, where he is an
advisor to senior clients and oversees project
teams delivering strategy and analytical
solutions. His recent client engagements
include working with staff members of a
major automaker to reimagine their approach
to vehicle cybersecurity and partnering with
them to build new capabilities. Within the
firm, he drives thought leadership for brand-
ing and intellectual capital. Mr. Cosgrove
previously worked with clients in the U.S.
government national security market, devel-
oping new methods in risk analytics.
Prior to joining Booz Allen, he served as a
Senior Associate Scholar at the Center for
European Policy Analysis and taught under-
graduate courses in philosophy. He earned
graduate degrees studying political philoso-
phy at the University of Chicago and interna-
tional relations at Georgetown University.
Mr. Cosgrove has published essays on foreign
policy and presents an annual graduate-level
lecture on strategy in Machiavelli’s The Prince
at Johns Hopkins University.
commercial High-Tech Manufacturing
Practice. He has more than 18 years of practi-
cal consulting experience—providing clients
with unique advisory services equally bal-
anced in strategy and functional expertise.
Mr. Labarre leads a multi-disciplinary team
focused on helping companies realize tech-
nology-enabled growth from advanced ana-
lytics, military grade cyber, and cutting-edge
IT transformation.
Mr. Labarre is a recognized international
expert in cybersecurity standards and was
the chief architect of Booz Allen’s CyberM³
reference model. He has worked extensively
within all sectors of the U.S. government
(cabinet-level agencies, all branches of the
military, the intelligence community, as well
as several small to micro government agen-
cies); public sector clients in the United
Kingdom, Europe, and the Middle East; and
within the private sector areas of financial
services, retail, telecommunications, con-
sumer products, industrial manufacturing,
and automotive.
LORI ZUKIN
Principal
Email [email protected]
Lori Zukin is a leader with Booz Allen
Hamilton, where she leads People
Innovations for the firm’s Strategic
Innovations Group. She has led engagements
for clients in the public and private sectors
and engaged with them to solve their tough-
est organizational challenges. She has direct-
ed several high-profile projects for federal
and commercial organizations, providing tal-
ent management expertise to help them
improve the bottom line.
Most recently, Ms. Zukin worked with a
global pharmaceutical company to dramati-
cally improve how a newly formed senior
leadership team manages and measures per-
formance while reducing risk during a period
of significant growth. In other client engage-
ments she has worked with large organiza-
tions to help them implement cutting edge
solutions for cyber talent management and
leadership development. She was also
Security for WellPoint, Inc. Mr. Gaidhane
holds an MBA from Duke University’s
Fuqua School of Business and also BS and
MS degrees in Computer Science from
Nagpur University (India) and Texas Tech
University, respectively. He also holds
numerous certifications, such as the PMP,
CISSP, CISM, CGEIT, CRISC, CISA, and
CIPP/US in the fields of Information
Security, Audit, Information Privacy, and
Project Management.
JAMIE LOPEZ
Senior Associate
Email [email protected]
Jamie Lopez is a leader with Booz Allen
Hamilton’s Strategic Innovation Group,
where he provides thought leadership and
talent solutions to his client base across the
commercial and federal sector. He helps
drive Booz Allen’s TalentInsight

Solutions
focusing on Data Science and Cyber and
Predictive Intelligence. In addition to his
core consulting and advisory duties,
Dr. Lopez serves as the Booz Allen Program
Manager for a large human capital vehicle,
where he leads a sizable team in the devel-
opment of HR Shared Services, Competency
Modeling, Talent Placement & Acquisition,
Change Management, Promotional Systems,
and Professional & Leadership Development.
Prior to joining Booz Allen Hamilton,
Dr. Lopez was the Vice President of Lopez
and Associates Inc., a thirty-year-old
Industrial-Organizational psychology con-
sulting company focusing on commercial
clients in the fnancial services and utility
sectors. In this capacity he specialized in tal-
ent management, individual assessment,
and personnel selection.
Dr. Lopez completed his PhD in
Industrial-Organizational Psychology at
Hofstra University and MA degree with a
Scholars Designation in I/O Psychology
from New York University’s Graduate
School of Arts. He also holds an MBA in
Finance with a specialization in Trading and
Portfolio Management from the Fordham
Graduate School of Business, a BA in
MATTHEW DOAN
Senior Associate
Email [email protected]
Matthew Doan leads Booz Allen’s
Commercial Cyber Strategy practice while
also serving as a leader in the frm’s High-
Tech Manufacturing business. He specializ-
es in driving innovative cybersecurity
and risk management solutions, particularly
for automotive, industrial, and consumer
product companies. Mr. Doan provides fun-
damental knowledge in large-scale maturity
assessments, enterprise risk management,
strategic planning, organizational change
management, and governance.
Mr. Doan has an array of experiences in
consulting C-suites, boards, and other sen-
ior decision makers in driving important
changes that effectively reduce business risk
and capture new opportunity. Mr. Doan
holds an MA in Security Studies from
Georgetown University and a BBA in
Computer Information Systems from James
Madison University, as well as a Graduate
Certifcate in Applied Intelligence from
Mercyhurst University.
TONY GAIDHANE
Senior Associate
Email [email protected]
Tony Gaidhane is a dynamic and innovative
information security leader with a strong
background in implementing IT security,
compliance (including NIST and ISO), pri-
vacy, and risk management. His most recent
experience includes diverse engagements
such as leading the assessment of high-risk
technology platforms for attack surface
reduction for a large retailer, leading the
build of a Cyber Incident Response Playbook
for a large fnancial institution, and leading a
supply chain cyber risk assessment for a
large high-tech client. Mr. Gaidhane has
more than 17 years of experience with cyber-
security, and his experience includes manag-
ing large Affordable Care Act implementa-
tions in multiple states for Accenture, as a
senior leader in its Information Security
Practice and as a Director of Information
Psychology from the College of the Holy Cross, and an Advanced Graduate Certificate in Counterintelligence from Mercyhurst University.
JAMES PERRY
Senior Associate
Email [email protected]
James Perry is a Chief Technologist in Booz Allen Hamilton’s Strategic Innovation Group, where he leads the commercial cyber incident response planning, investigation, and remediation services offerings, including our National Security Cyber Assistance Program Certified Incident Response capability. Mr. Perry works with chief information security officers, security operations center directors, and incident response teams across finance, retail, energy, health, manufacturing, and public sectors. In this role, he helps organizations to design and implement Cyber Security Operations capabilities to protect from, detect, and respond to advanced cyberthreats. Mr. Perry leverages his experience supporting incident response investigations across multiple sectors to help these organizations prepare for and rapidly contain cyber incidents.
LAURA EISE
Lead Associate
Email [email protected]
Laura Eise is a cybersecurity consultant in Booz Allen’s commercial practice. In this role, she works with leaders across multiple industries in aligning cybersecurity programs to manage risk and meet the needs of the business. She specializes in programmatic assessment, incident response, enterprise risk management, strategy setting, and organizational design. Recently, she has led teams across the financial, retail, and manufacturing industries to create three-year strategy roadmaps to improve their cybersecurity programs. Ms. Eise is a co-author of the CyberM³ maturity model and co-leads the firm’s internal investment in the capability. She is also an Executive Coach and focuses on helping leaders and leadership teams achieve significant organizational transformations. She is an Associate Business Continuity Manager with Disaster Recovery Institute International, a Certified Information Privacy Professional, and received a graduate certificate from University of Maryland in Cyber Security.
KATIE STEFANICH
Lead Associate
Email [email protected]
Katie Stefanich is a management consultant who specializes in cyber incident management strategy, cyber education and outreach, and crisis communication. She has strong experience in authoring enterprise-wide cyber incident management strategies for retail, energy, and high-tech commercial organizations. Ms. Stefanich helps clients understand cybersecurity in terms of risk management, as well as identify and build cross-organization relationships for smooth incident response. She also has extensive experience providing strategic counsel to startups, entrepreneurs, and organizations interested in using lean startup methodology. Prior to her time at Booz Allen, Ms. Stefanich implemented integrated marketing campaigns for high-tech commercial organizations.
ERIN WEISS KAYA
Lead Associate
Email [email protected]
Erin Weiss Kaya is a Lead Associate with Booz Allen Hamilton. She has more than 15 years of experience designing and managing strategic transformation programs, most recently serving as an external consultant on cybersecurity workforce and organization issues to the Department of Homeland Security and a number of large financial services institutions.
Ms. Weiss Kaya has served as an external consultant to Fortune 500 companies, state government agencies, and non-profits and as an internal strategic advisor and executive. She has led large projects for effective change implementations as well as cybersecurity human capital strategies, including
the hiring, compensation, development, and allocation of cybersecurity workforce. She also manages Booz Allen’s internal initiative in Cybersecurity Workforce and Organization, where she established a new service offering and designed a suite of tools to support clients in the development and maturation of their cybersecurity workforce capabilities. Ms. Weiss Kaya holds a BA from University of Maryland-College Park and a Masters degree from Columbia University.
CHRISTIAN PAREDES
Associate
Email [email protected]
Christian Paredes is an Associate on Booz Allen Hamilton’s Predictive Intelligence team within the firm’s Strategic Innovation Group (SIG), where he focuses on cyberthreat intelligence (CTI) and CTI program development for commercial clients. Mr. Paredes has experience helping commercial clients to produce actionable threat intelligence for internal stakeholders at the operational and strategic levels. He has expertise in analytic tradecraft and production standards; technical threat intelligence; intelligence workflow integration with security operations; and threat intelligence program development. He has also worked with global organizations to assess their information security capabilities.
His emphasis on improving analytic quality by maximizing analyst time, resources, workflows, tools, and data sources has helped clients to realize value in their cyberthreat intelligence programs. Mr. Paredes holds an MS degree in International Affairs from Georgia Institute of Technology and a BA degree in Political Science from Georgia College & State University.
WAICHING WONG
Associate
Email [email protected]
Waiching Wong is part of Booz Allen Hamilton’s high-tech manufacturing practice, providing strategy, competitive analysis, process improvement, organizational design, and project management support to commercial and government clients. Ms. Wong works with clients to seize business opportunities while navigating risks around connected products and the data used to power them. She holds a Masters degree in City and Regional Planning from Cornell University and a BA in Political Economy from the University of California, Berkeley.
BuckleySandler LLP
1250 24th Street NW, Suite 700
Washington, DC 20037
Tel +1 202 349 8000
Web www.buckleysandler.com
ELIZABETH E. MCGINN
Partner
Email [email protected]
Elizabeth E. McGinn is a partner in the Washington, DC, office of BuckleySandler LLP, where she assists clients in identifying, evaluating, and managing risks associated with privacy and information security practices of companies and third parties. Ms. McGinn advises clients on privacy and data security policies, identity theft red flags programs, privacy notices, safeguarding and disposal requirements, and information sharing limitations. She also has assisted clients in addressing data security incidents and complying with the myriad security breach notification laws and other U.S. state and federal privacy requirements. Ms. McGinn is a frequent speaker and author on a variety of topics, including privacy and data security, consumer financial services litigation, electronic discovery, and vendor management. Ms. McGinn received her JD,
cum laude, from The American University, Washington College of Law in 2000, and received the Mooers Trial Practice Award. She received a BS from St. Lawrence University. Ms. McGinn has been recognized with the firm’s Privacy, Cyber Risk, and Data Security practice group in Legal 500 (2013 and 2015).
RENA MEARS
Managing Director
Email [email protected]
Rena Mears is a Managing Director at BuckleySandler LLP, where she focuses on data risk, cybersecurity, and privacy. She has more than 25 years’ experience advising financial services, hospitality, technology, bio-tech, and consumer-focused companies and boards on effective methods for addressing data asset risks while operating in complex business and regulatory environments. Prior to joining BuckleySandler, Ms. Mears was a partner in a Big Four advisory firm’s Enterprise Risk Services practice, where she founded and led the Global and U.S. Privacy and Data Protection practice. She has significant experience building and implementing multinational and enterprise data risk, privacy and security programs, performing compliance assessments, developing cybersecurity initiatives, and leading breach response teams. Ms. Mears has served on industry standards committees and company advisory boards for privacy and security. She regularly researches, speaks, and publishes on data risk, privacy, and cybersecurity and holds the CISSP, CIPP, CISA, and CITP certifications.
STEPHEN (STEVE) M. RUCKMAN
Senior Associate
Email [email protected]
Stephen (Steve) M. Ruckman is a senior associate in the Washington, DC, office of BuckleySandler, where his practice focuses on privacy, cyber risk, mobile payments, and data security, as well as federal and state investigations and enforcement actions. Mr. Ruckman joined BuckleySandler from the Federal Communications Commission, where he served as Senior Policy Advisor to the Commission’s Enforcement Bureau Chief, advising him on enforcement strategies in the areas of privacy and data security.
Prior to his time at the FCC, Mr. Ruckman spent five years as an Assistant Attorney General at the Maryland Attorney General’s office, where he was the first Director of the office’s Internet Privacy Unit. The Unit played a leading role in several multistate investigations into practices that threatened consumers’ online privacy and security, including the largest privacy settlement in AG history. Mr. Ruckman is a graduate of Yale Law School and Yale Divinity School.
TIHOMIR YANKOV
Associate
Email [email protected]
Tihomir Yankov is an associate in the Washington, DC, office of BuckleySandler LLP. Mr. Yankov represents clients in a wide range of litigation matters, including class actions and complex civil litigation, as well as government enforcement matters. His government enforcement experience includes representing clients before the Consumer Financial Protection Bureau (CFPB), the New York Department of Financial Services (DFS), and various state regulators and attorneys general, as well as in cases involving unfair, deceptive, and abusive acts and practices (UDAAP).
Mr. Yankov also counsels clients on electronic discovery issues, including matters related to document and data retention, data assessment, data extraction strategies, and pre-litigation discovery planning.
Mr. Yankov received his JD from American University (cum laude) and his BA from the University of Virginia.
The Chertoff Group
1399 New York Avenue, NW
Suite 900
Washington, DC 20005
Tel +1 202 552 5280
Web www.chertoffgroup.com
MICHAEL CHERTOFF
Co-Founder and Executive Chairman
Email [email protected]
(assistant)
Michael Chertoff is Co-Founder and Executive Chairman of The Chertoff Group, a premier global advisory firm that focuses exclusively on the security and risk management sector by providing consulting, mergers and acquisitions (M&A), and risk management services to clients seeking to secure and grow their enterprises. In this role, Mr. Chertoff provides high-level strategic counsel to corporate and government leaders on a broad range of security issues, from risk identification and prevention to preparedness, response, and recovery.
From 2005 to 2009, Mr. Chertoff served as Secretary of the U.S. Department of Homeland Security (DHS), where he led the federal government’s efforts to protect our nation from a wide range of security threats, including blocking potential terrorists from crossing the United States border or allowing implementation of their plans on U.S. soil. Before leading DHS, Mr. Chertoff served as a federal judge on the U.S. Court of Appeals for the Third Circuit and earlier headed the U.S. Department of Justice’s Criminal Division. In this role he investigated and prosecuted cases of political corruption, organized crime, and corporate fraud and terrorism—including the investigation of the 9/11 terrorist attacks.
JIM PFLAGING
Principal
Email [email protected]
Jim Pflaging is the global lead for The Chertoff Group’s business strategy practice. Based in Menlo Park, California, Mr. Pflaging works closely with leading technology companies, private equity investors, and system integrators to identify, diligence, acquire, and build exciting companies. Based on dozens of successful client engagements, Mr. Pflaging has become a trusted advisor on technology and security to many in the U.S. Government and private industry. Mr. Pflaging has more than 25 years of Silicon Valley experience including 15 years as chief executive officer of cybersecurity and data management companies. He serves on the board of several security companies and is a frequent speaker on technology and security issues.
MARK WEATHERFORD
Principal
Email [email protected]
or [email protected]
(assistant)
Mark Weatherford is a Principal at The Chertoff Group, where he advises clients on a broad array of cybersecurity services. As one of the nation’s leading experts on cybersecurity, Mr. Weatherford works with organizations around the world to effectively manage today’s cyberthreats by creating comprehensive security strategies that can be incorporated into core business operations and objectives.
Prior to joining The Chertoff Group, Mr. Weatherford served as the U.S. Department of Homeland Security’s first Deputy Under Secretary for Cybersecurity. In this position, he worked with all critical infrastructure sectors as well as across the federal government to create more secure network operations and thwart advanced persistent cyber threats. He previously
served as the Chief Information Security Officer for the states of Colorado and California and as Vice President and Chief Security Officer for the North American Electric Reliability Corporation (NERC).
Coalfire
361 Centennial Parkway, Suite 150
Louisville, Colorado 80027
Tel +1 303 554 6333
Web www.coalfire.com
RICK DAKIN
Chief Executive Officer (2001-2015)
Rick Dakin provided strategic management IT security program guidance for Coalfire and its clients. After serving in the U.S. Army following graduation from the U.S. Military Academy at West Point, Mr. Dakin began his management career at United Technology Corporation. Prior to co-founding Coalfire, he was President of Centera Information Systems, a leading eCommerce and systems integration firm. He was a past president of the FBI’s InfraGard program, Denver chapter, and a member of a committee hosted by the U.S. Secret Service and organized by the Joint Council on Information Age Crime.
Mr. Dakin passed away June 20, 2015.
LARRY JONES
Chief Executive Officer
Email [email protected]
Larry Jones has served as Chairman of the Board of Coalfire since 2012 and became CEO in 2015. He has more than 25 years of experience building, operating, and growing public and private companies in the business process outsourcing, marketing services, enterprise software, smart-grid, information, and IT services industries. He has a proven track record as the CEO of six companies and has served as director of 13 private equity, public, and VC-backed companies and executive chairman of two others. Prior to his leadership role with Coalfire, from 2007 to 2011, Mr. Jones was CEO of Denver-based StarTek, Inc. (NYSE: SRT), a provider of global outsourced call center and customer support services. He has also served as CEO of Activant Solutions, an enterprise software company; chairman of WebClients, an internet affiliate marketing firm; CEO of Interelate, Inc., a marketing services firm; CEO of MessageMedia (NASD: MESG), an email marketing services company; CEO of Neodata Services, Inc., a direct marketing services firm; and was founding CEO of GovPX, a provider of government securities data. Mr. Jones also was a senior vice president at Automatic Data Processing and held various positions at Wang Laboratories between 1977 and 1987.
Mr. Jones currently also serves as a director of Diligent Corporation (NZX: DIL) and Essential Power, LLC. He is also an active member and Fellow in the National Association of Corporate Directors (NACD). Over the past 10 years, Mr. Jones has served as director of numerous public and private companies including Work Options Group, StarTek, Exabyte, Activant Solutions, Realm Solutions, SARCOM, WebClients, DIMAC, and Fulcrum Analytics. Mr. Jones graduated from Worcester Polytechnic Institute with a degree in computer sciences in 1975 and earned his MBA from Boston University in 1980.
Covington & Burling LLP
One City Center
850 Tenth Street, NW
Washington, DC 20001-4956
Tel +1 202 662 6000
Web www.cov.com
DAVID N. FAGAN
Partner
Email [email protected]
David N. Fagan, a partner in Covington’s global privacy and data security and international practice groups, counsels clients on preparing for and responding to cyber-based attacks on their networks and information, developing and implementing information security programs, and complying with federal and state regulatory requirements. Mr. Fagan has been lead investigative and response counsel to companies in a range of cyber- and data security incidents, including matters involving millions of affected consumers.
KURT WIMMER
Partner
Email [email protected]
Kurt Wimmer is a Washington partner and U.S. chair of Covington’s privacy and data security practice. Mr. Wimmer advises national and multinational companies on privacy, data security, and digital technology issues before the FTC, the FCC, Congress, the European Commission, and state attorneys general, as well as on strategic advice, data breach counseling and remediation, and privacy assessments and policies. He is chair of the Privacy and Information Security Committee of the ABA Antitrust Section and is a past managing partner of Covington’s London office.
NIGEL L. HOWARD
Partner
Email [email protected]
Nigel L. Howard, a partner in Covington’s New York office, helps clients execute their most innovative and complex transactions involving technology, intellectual property, and data. Mr. Howard has been at the forefront of initiatives to protect data assets for his clients, helping them achieve a competitive advantage or fend off a competitive threat. He advises clients on their proprietary rights to data and global strategies for protecting these assets. He has represented companies in transactions covering the full spectrum of data-related activities, including data capture and storage, business and operational intelligence, analytics and visualization, personalized merchandizing, and the related cloud computing services, such as Data as a Service and Analytics Infrastructure as a Service.
ELIZABETH H. CANTER
Associate
Email [email protected]
Elizabeth H. Canter is an associate in the Washington, DC, office of Covington. She represents and advises technology companies, financial institutions, and other clients on data collection, use, and disclosure practices, including privacy-by-design strategies and email marketing and telemarketing strategies. This regularly includes advising clients on privacy and data security issues relating to third-party risk management. Ms. Canter also has extensive experience advising clients on incident preparedness and in responding to data security breaches.
Dell SecureWorks
One Concourse Pkwy NE
#500
Atlanta, Georgia 30328
Tel +1 404 929 1795
Web www.secureworks.com
MICHAEL R. COTE
Chief Executive Officer
Email [email protected]
Michael (Mike) R. Cote became chairman and CEO of SecureWorks in February of 2002 and led the company through an acquisition by Dell in February of 2011. Under his leadership Dell SecureWorks has become a recognized global leader in information security services, helping organizations of all sizes protect their IT assets, reduce costs, and stay one step ahead of the threats. Previously Mr. Cote held executive positions with Talus Solutions, a pricing and revenue management software firm acquired by Manugistics in 2000. He joined Talus from MSI Solutions, where he was Chief Operating Officer, and his early career included international assignments with KPMG. He was the Ernst & Young Entrepreneur of the Year Regional winner for Alabama/Georgia/Tennessee in 2011 and was awarded The Deal of the Year by The Association of Corporate Growth (ACG) and The IndUS Entrepreneurs (TiE). Mr. Cote’s leadership style is punctuated by high integrity and a client-centric philosophy.
Delta Risk LLC
4600 N Fairfax Dr., Suite 906
Arlington, Virginia 22203
Tel +1 571 483 0504
Web www.delta-risk.net
THOMAS FUHRMAN
President
Thomas Fuhrman is President of Delta Risk. In this capacity he is a practicing cybersecurity consultant and the leader of the Delta Risk business.
Prior to joining Delta Risk, Mr. Fuhrman was the founder and president of 3tau LLC, a specialized consulting firm providing information security and technology advisory, analysis, and strategy services to senior clients in commercial industry and government, in the United States and internationally. He is a former Partner at Booz Allen Hamilton, where he led a $100 million consulting practice in cybersecurity and science and technology serving Department of Defense clients.
Mr. Fuhrman has more than 35 years of military and government experience and has expertise in many areas including cybersecurity strategy, policy, and governance; cybersecurity controls and technology; and risk management.
Mr. Fuhrman has degrees in electrical engineering, mechanical engineering, and mathematics and is a Certified Information Systems Security Professional (CISSP).
PATRICK REDMON
Summer Associate
Email [email protected]
Patrick Redmon will graduate from the University of North Carolina School of Law in 2016. He graduated from Fordham University in 2007 with a BA in Philosophy and Economics and in 2013 was awarded an MA in Liberal Arts from St. John’s College in Annapolis, Maryland. Mr. Redmon is the Managing Editor of the North Carolina Law Review.
Egon Zehnder
350 Park Avenue, 8th Floor
New York, New York 10022
Tel +1 212 519 6000
Web www.egonzehnder.com
KAL BITTIANDA
Email [email protected]
Kal Bittianda is a consultant at Egon Zehnder, a global executive search and assessment firm. Based in the firm’s New York office, Mr. Bittianda advises and recruits senior executives in technology, telecommunications, and fintech, with a special focus on emerging technologies. He also leads the firm’s Cybersecurity Practice.
Prior to joining Egon Zehnder, Mr. Bittianda served in leadership positions at several privately held technology-enabled businesses. He built teams and led growth in North America for Kyriba, an enterprise cloud solutions provider, for EXL, a knowledge and business process outsourcing firm, and for Inductis, an analytics consulting and services firm. He was previously an Engagement Manager at the Mitchell Madison Group. Mr. Bittianda started his career in technology and leadership roles at Unisys and International Paper.
Mr. Bittianda earned a BTech in Naval Architecture at the Indian Institute of Technology, an MA in Industrial Engineering from Purdue University, and an MBA from Harvard Business School.
SELENA LOH LACROIX
Email [email protected]
Selena Loh LaCroix is a consultant at Egon Zehnder, a global executive search and assessment firm. Based in the firm’s Dallas office, she is global leader of the Legal, Regulatory and Compliance Practice and of the Global Semiconductor Practice. She recruits senior legal and technology executives for Fortune 500 and private-equity owned portfolio companies and consults to boards of directors on a range of issues.
Prior to joining Egon Zehnder, Ms. LaCroix was a senior international attorney with major international law firms as well as serving in house at Texas Instruments and Honeywell International, where she was Asia Pacific General Counsel. Ms. LaCroix began her career as an attorney in private practice at Gray Cary Ware & Freidenrich (now DLA Piper) in California and in Singapore, focusing on mergers and acquisitions, intellectual property, and admiralty law.
Ms. LaCroix completed the Graduate Program in American Law at the University of California at Berkeley and Davis. She holds an LLB from the National University of Singapore and is admitted to practice law in Singapore, California, and the United Kingdom.
CHRIS PATRICK
Email [email protected]
Chris Patrick is a consultant at Egon Zehnder, a global executive search and assessment firm. Based in the firm’s Dallas office, he is a trusted advisor for CIO and C-suite talent strategy and development for global companies across a diverse set of industries, including retail/consumer products, IT services, industrial, financial services, and digital. As the global leader for Egon Zehnder’s Chief Information Officer Practice, Mr. Patrick advises some of the world’s leading corporations on talent development and assessment at the board level and across the executive suite.
Prior to joining Egon Zehnder, Mr. Patrick was CIO/Vice President of Mergers and Acquisitions with Chatham Technologies, a start-up telecommunications systems manufacturer/integrator. Previously, he was a Senior Manager with Ernst & Young Consulting and MD80 Project Manager for McDonnell Douglas in Los Angeles.
Fidelis Cybersecurity
4416 East West Highway
Suite 310
Bethesda, Maryland 20814
Tel 1 800 652 4020 or +1 617 275 8800
Web www.fidelissecurity.com
JIM JAEGER
Chief Cyber Strategist
Email [email protected]
Jim Jaeger serves as Chief Cyber Strategist for Fidelis Cybersecurity, responsible for developing and evolving the company’s cyber services strategy while synchronizing it with product strategy. Mr. Jaeger previously managed the Network Defense and Forensics business area at Fidelis, including the Digital Forensics Lab. He also held leadership roles for a wide range of cyber programs, including General Dynamics’ support for the DoD Cyber Crime Center, the Defense Computer Forensics Lab, and the Defense Cyber Crime Institute.
Mr. Jaeger is a former Brigadier General in the United States Air Force. His military service includes stints as Director of Intelligence for the U.S. Atlantic Command, Assistant Deputy Director of Operations at the National Security Agency, and Commander of the Air Force Technical Applications Center. Mr. Jaeger frequently advises organizations on strategies to mitigate damage caused by network breaches and prevent their reoccurrence. He also presents on Large Scale Breach “Lessons Learned” at cyber symposiums worldwide.
RYAN VELA
Regional Director, Northeastern North America
Email [email protected]
Ryan Vela brings expertise in large-scale breach incident response management to Fidelis Cybersecurity. He has 15 years’ experience in conducting investigations and digital forensic analysis and has served as Director, Lead Investigator, Quality Assurance Manager, and Forensic Examiner. For the past 12 years he has led large-scale breach incident responses for the private and public sectors, specializing in organizational strategies, incident response, network security, computer forensics, malware analysis, and security assessments. He facilitates liaison with legal counsels, regulators, auditors, vendors, and law enforcement. Also during this time Mr. Vela served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL) and Defense Cyber Crime Institute (DCCI), where he established operational improvements and laboratory accreditation. Mr. Vela earned his MBA from Johns Hopkins University and bachelor’s degree from Georgetown University.
Fish & Richardson P.C.
One Marina Park Drive
Boston, Massachusetts 02210-1878
Tel +1 617 521 7033
Web www.fr.com
GUS P. COLDEBELLA
Principal
Email [email protected]
Gus P. Coldebella is a principal at the law firm of Fish & Richardson concentrating on cybersecurity, litigation, and government investigations. From 2005 to 2009, he was the deputy general counsel, then the acting general counsel, of the U.S. Department of Homeland Security, focusing on all major security issues confronting the nation. As the department’s top lawyer, Mr. Coldebella helped lead implementation of President Bush’s Comprehensive National Cybersecurity Initiative, designed to shore up the government’s civilian networks from attack and to promote information sharing and cooperation between the public and private sector.
At Fish & Richardson, he focuses on help-
ing companies plan for and respond to
cyberattacks. As a securities litigator, he is
well positioned to advise public companies
on SEC disclosures regarding cybersecurity
and boards of directors’ corporate govern-
ance responsibilities to oversee and manage
this important enterprise risk.
Mr. Coldebella is a graduate of Colgate
University, where he currently serves as
audit committee chair on its Board of
Trustees; he received his JD, magna cum laude,
from Cornell. He is on Twitter at @g_co.
CAROLINE K. SIMONS
Associate
Email [email protected]
Caroline K. Simons is a litigation associate at Fish & Richardson P.C. Her practice focuses on white collar defense, cybersecurity and trade secret theft, internal investigations, and complex commercial litigation, including significant state and federal appellate experience. In 2013 Ms. Simons was selected by the Boston Bar Association to participate in the Public Interest Leadership Program. Ms. Simons is a graduate of Harvard College and Columbia Law School.
Georgia Institute of Technology
North Ave NW
Atlanta, Georgia 30332
Tel +1 404 894 2000
Web www.gatech.edu
JODY R. WESTBY, ESQ.
Adjunct Professor
Email [email protected]
Jody R. Westby is CEO of Global Cyber Risk
and provides consulting services in the areas
of privacy, security, cybercrime, and cyber
governance. She is a professional blogger for
Forbes and also serves as Adjunct Professor
at Georgia Institute of Technology’s School
of Computer Science.
Previously, Ms. Westby launched In-Q-Tel,
was senior managing director at
PricewaterhouseCoopers, was senior fellow
and director of IT Studies for the Progress
and Freedom Foundation, and was director
of domestic policy for the U.S. Chamber of
Commerce. Ms. Westby practiced law at
Shearman & Sterling and Paul, Weiss,
Rifkind, Wharton & Garrison.
She is co-chair of the American Bar
Association’s Privacy & Computer Crime
Committee (Science & Technology Law
Section) and co-chair of the Cybercrime
Committee (Criminal Justice Section) and
served three terms on the ABA President’s
Cybersecurity Task Force. Ms. Westby speaks
globally and is the author of several books
and articles on privacy, security, cybercrime,
and enterprise security programs. She has
special expertise in the governance of privacy
and security and responsibilities of boards
and senior executives. She is author of the
2008, 2010, 2012, and 2015 Governance of
Enterprise Security Reports and was lead
author of Carnegie Mellon University’s
Governing for Enterprise Security Implementation
Guide. She graduated magna cum laude from
Georgetown University Law School and
summa cum laude from the University of Tulsa
and is a member of the Order of the Coif,
American Bar Foundation, and Cosmos Club.
Institutional Shareholder Services Inc.
702 King Farm Boulevard
Suite 400
Rockville, Maryland 20850
Tel +1 646 680 6350
Web www.issgovernance.com
MARTHA CARTER
Head of Global Research
Email [email protected]
Martha Carter is the head of global research for ISS. In this role, she directs proxy voting research for the firm, leading a research
Corporate Directors. He was named to the
2011 National Association of Corporate
Directors’ Directorship 100 list.
Internet Security Alliance
2500 Wilson Boulevard
Arlington, Virginia 22201
Tel +1 703 907 7090
Web www.isalliance.org
LARRY CLINTON
President
Email [email protected]
Larry Clinton is President of the Internet Security Alliance (ISA). He is the primary author of ISA’s “Cyber Social Contract,” which articulates a market-based approach to securing cyber space. In 2011 the House leadership GOP Task Force on cybersecurity embraced this approach. In 2012 President Obama abandoned his previous regulatory-based approach in favor of the ISA Social Contract model. The ISA document is the first and most often referenced source in the President’s “The Cyber Space Policy Review.” He is also the primary author of the Cyber Security Handbook for corporate boards published by the National Association of Corporate Directors (NACD) in 2014. In 2015 Mr. Clinton was named one of the nation’s 100 most influential persons in the field of corporate governance by NACD. He has published widely on various cybersecurity topics and testifies regularly before Congress and other government agencies including the NATO Center for Cyber Excellence.
team that analyzes companies in more than 110 markets around the world, provides institutional investors with customized research, and produces studies and white papers on issues and topics in corporate governance. In addition, Ms. Carter serves as the head of the ISS Global Policy Board, which develops the ISS Global Proxy Voting Policies. Named for five years in a row to the National Association of Corporate Directors’ Directorship 100 list of the most influential people in the boardroom community (2008–2012), Ms. Carter has been quoted in media around the world and is a frequent speaker for corporate governance events globally. Ms. Carter holds a PhD in finance from George Washington University and an MBA in finance from the Wharton School, University of Pennsylvania.
PATRICK MCGURN
Executive Director and Special Counsel
Email [email protected]
Patrick McGurn is executive director and special counsel at ISS. Considered by industry constituents to be one of the leading experts on corporate governance issues, he is active on the U.S. speaking circuit and plays an integral role in ISS’s policy development. Prior to joining ISS in 1996, Mr. McGurn was director of the Corporate Governance Service at the Investor Responsibility Research Center, a not-for-profit firm that provided governance research to investors. He also served as a private attorney, a congressional staff member, and a department head at the Republican National Committee. He is a graduate of Duke University and the Georgetown University Law Center. He is a member of the bar in California, the District of Columbia, Maryland, and the U.S. Virgin Islands. Mr. McGurn serves on the Advisory Board of the National Association of
Kaye Scholer LLP
The McPherson Building
901 Fifteenth Street NW
Washington, DC 20005-2327
Tel +1 202 682 3500
Web www.kayescholer.com
ADAM GOLODNER
Partner
Email [email protected]
Adam Golodner is a partner and the Leader of the Global Cybersecurity & Privacy Practice Group at Kaye Scholer LLP, a leading global law firm. Mr. Golodner represents companies on cyber and national security matters globally—including public policy, litigation, corporate governance, and transactions.
Prior to joining Kaye Scholer, he spent ten years as an executive at Cisco Systems, Inc., where he led cyber policy globally. Before Cisco, Mr. Golodner was Associate Director of the Institute for Security, Technology and Society, Dartmouth College; Chief of Staff of the Antitrust Division, United States Department of Justice; Deputy Administrator of the Rural Utilities Service, USDA; and Search Manager, The White House Office of Presidential Personnel (on leave from law firm).
Mr. Golodner is also a Senior Advisor at The Chertoff Group, a member of Business Executives for National Security (BENS), and a Fellow at the Tuck School of Business.
K&L Gates LLP
K&L Gates Center
210 Sixth Avenue
Pittsburgh, Pennsylvania 15222-2613
Tel +1 412 355 6500
Web www.klgates.com
ROBERTA D. ANDERSON
Partner
Email [email protected]
Roberta D. Anderson is a partner of K&L Gates LLP. A co-founder of the firm’s global Cybersecurity, Privacy and Data Protection practice group and a member of the firm’s global Insurance Coverage practice group, Ms. Anderson concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues. She has represented clients in connection with a broad spectrum of insurance issues arising under almost every kind of business insurance coverage. A recognized national authority in insurance coverage, cybersecurity, and data privacy–related issues, Ms. Anderson frequently lectures and publishes extensively on these subjects. In addition to helping clients successfully pursue contested claims, Ms. Anderson counsels clients on complex underwriting and risk management issues. She has substantial experience in the drafting and negotiation of “cyber”/privacy liability, D&O, professional liability, and other insurance placements.
Ms. Anderson received her JD, magna cum laude, from the University of Pittsburgh School of Law and her BA from Carnegie Mellon University.
Prior to Korn Ferry, Mr. Cummings served as an associate principal in the industrial, supply chain, and transportation and logistics practices of another leading executive search firm, where he executed executive search assignments for public and private equity-backed companies.
Earlier in his career, Mr. Cummings was a consultant with The Boston Consulting Group in Dallas and, before that, he served nine years with distinction as an officer in the U.S. Navy’s SEAL teams.
He earned a master’s degree in business administration from Stanford University and graduated with merit with a bachelor of science in aeronautical engineering from The United States Naval Academy.
JOE GRIESEDIECK
Vice Chairman & Co-Leader, Board & CEO
Services
Email [email protected]
Joe Griesedieck is Vice Chairman and Co-Leader, Board and CEO Services at Korn Ferry. He focuses primarily on engagements for board director searches across multiple industries, as well as working with boards of directors on succession planning and other related senior talent management solutions.
Mr. Griesedieck’s prior experience includes two terms as global chief executive officer of another international search firm. He also served as co-head of the firm’s strategic leadership services practice in North America.
Prior to entering the executive search profession, Mr. Griesedieck was a group vice president with Alexander & Baldwin, Inc., and spent a number of years with the Falstaff Brewing Corporation, concluding his tenure as president and chief operating officer and as a director of this NYSE company.
Mr. Griesedieck has been named by The National Association of Corporate Directors (NACD) to the Directorship 100, recognizing the most influential people in corporate governance and the boardroom.
Mr. Griesedieck is a graduate of Brown University.
Korn Ferry
2101 Cedar Springs Road
Suite 1450
Dallas, Texas 75201
Tel +1 214 954 1834
Web www.kornferry.com
AILEEN ALEXANDER
Senior Client Partner
Email [email protected]
Aileen Alexander is a Senior Client Partner and co-leads Korn Ferry’s Cybersecurity Practice. Based in the firm’s Washington, D.C., office, she has led senior executive searches across the security domain. She also partners with the firm’s Board & CEO Services practice.
In a previous position with another international executive search firm, Ms. Alexander served clients in the aerospace and defense and professional services sectors.
Prior to the talent management profession, Ms. Alexander was a Professional Staff Member on the Committee of Armed Services in the U.S. House of Representatives. Previously, she was a Presidential Management Fellow in the Office of the Secretary of Defense and served as a Captain in the U.S. Army.
Ms. Alexander holds a master’s degree in public policy from Harvard University’s Kennedy School of Government and earned a Bachelor of Arts degree from The Johns Hopkins University.
JAMEY CUMMINGS
Senior Client Partner
Email [email protected]
Jamey Cummings is a Senior Client Partner in Korn Ferry’s Global Technology and Information Officers Practices, and he co-leads the firm’s Global Cybersecurity Practice. Based in the firm’s Dallas office, he is also a member of the firm’s Aviation, Aerospace & Defense Practice.
Latham & Watkins LLP
555 Eleventh Street NW
Suite 1000
Washington, DC 20004-1304
Tel +1 202 637 2205
Web www.lw.com
JENNIFER ARCHIE
Partner
Email [email protected]
Jennifer Archie is a litigation partner in the Washington, DC, office of Latham & Watkins with extensive experience investigating and responding to major cybersecurity and hacking events, advising clients from emerging companies to global enterprises across all market sectors in matters involving computer fraud and cybercrime, privacy/data security compliance and program management, advertising and marketing practices, information governance, consumer fraud, and trade secrets. Ms. Archie regularly supports Latham & Watkins’ leading national and global M&A, private equity, and capital markets practices in identifying, evaluating and mitigating deal or company privacy and data security risks.
Littler Mendelson P.C.
1900 Sixteenth Street
Suite 800
Denver, Colorado 80202
Tel +1 303 629 6200
Web www.littler.com
PHILIP L. GORDON, ESQ.
Co-Chair, Privacy and Background Checks
Practice Group
Email [email protected]
Philip L. Gordon chairs the Privacy and Background Check Practice Group of Littler Mendelson, the nation’s largest law firm representing only management in employment law matters. He counsels employers on the full range of workplace privacy and data protection issues, including background checks; monitoring employees’ electronic communications; regulating employees’ social media; developing “bring-your-own-device” programs; compliance with HIPAA and other federal, state, and international data protection laws; and security incident preparedness and response. Mr. Gordon sits on the Advisory Board of BNA’s Privacy and Security Law Report and Georgetown University Law Center’s Cybersecurity Law Institute. Mr. Gordon was named to Best Lawyers in America in 2014 and 2015 and a Colorado Super Lawyer annually since 2006. He received his undergraduate degree from Princeton University and his law degree from the New York University School of Law. He served as a law clerk on the United States Court of Appeals for the Tenth Circuit.
Lockton Companies Inc.
1801 K Street, NW, Suite 200
Washington, DC 20006
Tel +1 202 414 2653
Web www.lockton.com
BEN BEESON
Senior Vice President, Cybersecurity
Practice
Email [email protected]
Ben Beeson advises organizations on how best to mitigate emerging cyber risks to mission critical assets that align with the business strategy. As insurance continues to take a greater role in a comprehensive enterprise cyber risk management program, he also designs and places customized insurance solutions to fit an organization’s specific needs.
executive director of KPMG’s Audit Committee Institute. He routinely lends his regulatory expertise to counsel audit committees in critical areas, and he has extensive experience as an auditor and consulting with companies in the banking and insurance industries. Mr. Daly is a frequent speaker and writer on many issues confronting today’s corporate board, including executive compensation. He regularly appears in media and has been quoted in the Wall Street Journal, the New York Times, and Fox News Radio, among others.
Orrick, Herrington & Sutcliffe LLP
51 West 52nd Street
New York, New York 10019-6142
Tel +1 212 506 5000
ANTONY KIM
Partner
Email [email protected]
Antony Kim is a partner in the Washington, DC, office of Orrick, Herrington & Sutcliffe and serves as Global Co-Chair of its Cybersecurity and Data Privacy practice. Mr. Kim represents clients in federal and state regulatory investigations, private actions, and crisis-response engagements across an array of cybersecurity, data privacy, sales and marketing, and consumer protection matters, on behalf of private and public companies.
ARAVIND SWAMINATHAN
Partner
Email [email protected]
Aravind Swaminathan is a partner in the Seattle office of Orrick Herrington & Sutcliffe LLP and serves as the Global Co-Chair of its Cybersecurity and Data Privacy practice. Mr. Swaminathan advises clients in proactive assessment and management of internal
Mr. Beeson is also engaged in the development of Cybersecurity Policy in the U.S. and U.K. In March 2015 he testified before the Senate Commerce Committee on the evolving cyber insurance marketplace.
A frequent public speaker, in April 2015 Mr. Beeson was one of the first panelists to present on the topic of Cyber Insurance at the world’s largest Cyber Security Conference, RSA, San Francisco.
Prior to moving to Washington, DC, Mr. Beeson was based in Lockton’s London office for seven years, where he cofounded and built one of the leading cybersecurity teams within the Lloyd’s of London marketplace.
Mr. Beeson holds a BA (Hons) degree in modern languages from the University of Durham, U.K., and a certification in Cyber Security Strategy from Georgetown University, Washington, DC.
National Association of Corporate
Directors
2001 Pennsylvania Ave. NW
Suite 500
Washington, DC 20006
Tel +1 202 775 0509
Web www.nacdonline.org
KEN DALY
Chief Executive Officer
Ken Daly is the Chief Executive Officer of the National Association of Corporate Directors (NACD). As head of the nation’s largest member-based organization for board directors, Mr. Daly is a recognized expert on corporate governance and board transformation. Prior to NACD, Mr. Daly was an audit partner at KPMG, where he also served as the partner-in-charge of the national risk management practice. After retiring from the firm, he assumed the role of
cyber and physical security matters, focusing his practice on providing proactive liability mitigation advice to clients.
Mr. Finch is also a leading authority on the SAFETY Act, a federal statute that can provide liability protection to companies following a terrorist or cyberattack.
He is a senior advisor to the Homeland Security and Defense Business Council, serves on the National Center for Spectator Sports Safety and Security’s advisory board, and is an adjunct professor at The George Washington University Law School.
Mr. Finch regularly speaks and writes on security issues and has written articles for the Wall Street Journal, Politico, The Hill, and other publications.
Rackspace Inc.
1 Fanatical Place
City of Windcrest
San Antonio, Texas 78218
Tel +1 860 869 3905
Web www.rackspace.com
BRIAN KELLY
Chief Security Officer
Email [email protected]
Brian Kelly brings three decades of leadership in security, special operations, investigations and intelligence to Rackspace.
In the Air Force, Mr. Kelly rose to the rank of lieutenant colonel. He led teams involved in satellite surveillance, cybersecurity, and special operations; as a Department of Defense Senior Service Fellow, advised the Joint Chiefs of Staff and the Secretary of Defense; and received a Department of Defense meritorious service medal.
In the private sector, Mr. Kelly held the positions of vice president with Trident Data Systems, principal (select) at Deloitte, and CEO of iDefense. He led the Giuliani Advanced Security Center and served as
and external cybersecurity risks, breach incident response planning, and corporate governance responsibilities related to cybersecurity and has directed dozens of data breach investigations and cybersecurity incident response efforts, including incidents with national security implications. A former Cybercrime Hacking and Intellectual Property Section federal prosecutor, Mr. Swaminathan also represents companies and organizations facing cybersecurity and privacy-oriented class action litigation that can often follow a breach.
DANIEL DUNNE
Partner
Email [email protected]
Dan Dunne, a partner in the Seattle office of Orrick, Herrington & Sutcliffe LLP, represents corporations, financial institutions, accountants, directors, and officers in complex litigation in federal and state courts. Mr. Dunne defends directors and officers in shareholder derivative suits, securities class actions, SEC, and other state and federal regulatory matters.
Pillsbury Winthrop Shaw Pittman LLP
1200 Seventeenth Street, NW
Washington, DC 20036
Tel +1 202 663 8062
Web www.pillsburylaw.com
BRIAN FINCH
Partner
Email [email protected]
Brian Finch is a partner in the Washington, DC, office of Pillsbury Winthrop Shaw Pittman LLP. He has been named by Law360 as one of its “Rising Stars” in Privacy Law in 2014 and a “Rising Star” by National Law Journal D.C. He is a recognized authority on
Stroz Friedberg LLC
2101 Cedar Springs Rd #1250
Dallas, Texas 75201
Tel +1 214 377 4556
Web www.strozfriedberg.com
ERIN NEALY COX
Executive Managing Director
Email [email protected]
Erin Nealy Cox is an Executive Managing Director at Stroz Friedberg, a global leader in investigations, intelligence, and risk management. In this capacity, she leads the Incident Response Unit for Stroz Friedberg. Ms. Nealy Cox is responsible for the overall operations of the global incident response group, including supervising first responders, threat intelligence analysts, and malware specialists. These responders are deployed to assist corporate clients affected by cyberattacks, state-sponsored espionage, and data breach cases in sectors including retail, hospitality, energy, biomedical and health, and critical infrastructure. Ms. Nealy Cox also maintains a full docket of corporate client assignments in the areas of cybercrime investigations, data breach response, digital forensics, and electronic discovery processing. She is a trusted advisor to top executives, in-house lawyers, and outside counsel.
Prior to Stroz Friedberg, Ms. Nealy Cox served as an Assistant U.S. Attorney, leading major cybercrime prosecutions nationwide while also handling complex cases of white-collar fraud, public corruption, and intellectual property theft. Additionally, she served as Chief of Staff and Senior Counsel for the Office of Legal Policy at the Department of Justice in Washington, DC, during the Bush Administration.
executive director of IT risk transformation
for Ernst and Young. Mr. Kelly is the author
of From Stone to Silicon: a Revolution in
Information Technology and Implications for
Military Command and Control.
Mr. Kelly holds a degree in management
from the U.S. Air Force Academy, an MBA
from Rensselaer Polytechnic Institute, and
an MS degree from the Air Force Institute of
Technology.
Sard Verbinnen & Co
475 Sansome St. #1750
San Francisco, California 94111
Tel +1 415 618 8750
Web www.sardverb.com
SCOTT LINDLAW
Principal
Email [email protected]
Scott Lindlaw is a Principal at Sard Verbinnen & Co, a strategic communications firm that helps clients manage overall positioning and specific events affecting reputation and market value. He counsels companies on how best to prepare for and respond to data breaches, as well as how to effectively communicate in a wide range of other special situations and transactions. Before joining Sard Verbinnen, Mr. Lindlaw practiced cybersecurity and intellectual property law at the law firm Orrick, Herrington & Sutcliffe LLP. In addition to litigating IP cases, several of which went to trial, he wrote extensively about developments in data-breach litigation. Prior to his legal career, Mr. Lindlaw was a reporter for The Associated Press, including a four-year posting as an AP White House correspondent, covering President George W. Bush.
Treliant Risk Advisors LLC
1255 23rd Street NW
Suite 500
Washington, DC 20037
Tel +1 202 249 7950
Web www.treliant.com
DANIEL J. GOLDSTEIN
Senior Director
Email [email protected]
Daniel J. Goldstein is a Senior Director with Treliant Risk Advisors. He advises clients operating in complex business and regulatory environments on data risk mitigation strategies and solutions. His career has centered on guiding U.S. and multinational clients through complex international data protection requirements to provide business solutions that can be implemented across large organizations.
Prior to joining Treliant, Mr. Goldstein was the Director of International Data Privacy for Amgen GmbH in Switzerland. At Amgen, he initiated and led privacy and data protection efforts across Amgen’s global affiliates, while managing an international privacy office and a network of data protection officers.
Mr. Goldstein is a graduate of UCLA and the Golden Gate University School of Law and a member of the State Bar of California. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Privacy Professional (CIPP–US and Europe).
U.S. Department
of Justice
Cybersecurity Unit
1301 New York Ave NW
Suite 600
Washington, DC 20530
Tel +1 202 514 1026
Web www.justice.gov
Email [email protected]
In December 2014 the Criminal Division created the Cybersecurity Unit within the Computer Crime and Intellectual Property Section to serve as a central hub for expert advice and legal guidance regarding how the criminal electronic surveillance and computer fraud and abuse statutes impact cybersecurity. Among the unit’s goals is to ensure that the powerful law enforcement authorities are used effectively to bring perpetrators to justice while also protecting the privacy of everyday Americans. In pursuing that goal, the unit is helping to shape cybersecurity legislation to protect our nation’s computer networks and individual victims from cyberattacks. The unit also engages in extensive outreach to the private sector to promote lawful cybersecurity practices.
the Board of Visa U.S.A. from 2003 to 2007 and the Visa Inc. Board from 2007 to January 2011. He was also previously director of Travelers Insurance.
He holds a Bachelor of Arts degree from Johns Hopkins University and an MBA degree from New York University. He is currently on the Executive Council for UCSF Health, the Board of Trustees for Johns Hopkins University, the Board of Directors for the Financial Services Roundtable, and the Board of Directors for Microsoft Corp.
Wells Fargo & Company
420 Montgomery Street
San Francisco, California 94104
Tel +1 800 869 3557
Web www.wellsfargo.com
RICH BAICH
Chief Information Security Officer
Rich Baich is Wells Fargo’s Chief Information Security Officer. Prior to joining Wells Fargo, he was a Principal at Deloitte & Touche, where he led the Global Cyber Threat and Vulnerability Management practice. Mr. Baich’s security leadership roles include retired Naval Information Warfare Officer, Senior Director for Professional Services at Network Associates (now McAfee) and after 9/11, as Special Assistant to the Deputy Director for the National Infrastructure Protection Center (NIPC) at the Federal Bureau of Investigation (FBI). He recently retired after 20+ years of military service serving in various roles such as a Commander in the Information Operations Directorate at NORAD/Northern Command Headquarters; Commanding Officer Navy Information Operations Center (NIOC), Denver, Colorado; Special Assistant at the National Reconnaissance Office (NRO),
Visa Inc.
900 Metro Center Boulevard
Foster City, California 94404
Tel +1 415 932 2100
Web usa.visa.com
CHARLES W. SCHARF
Chief Executive Officer
Email [email protected]
Prior to joining Visa Inc., Charles W. Scharf spent nine years at JPMorgan Chase & Co. as the chief executive officer of Retail Financial Services, one of JPMorgan Chase’s six lines of business and a major issuer of Visa-branded cards. He was a member of the firm’s Operating Committee and its Executive Committee. Mr. Scharf was previously managing director at One Equity Partners, which manages $10 billion of investments and commitments for JPMorgan Chase.
From 2002 through 2004, he led Bank One’s consumer banking business, helping to rebuild the brand, expand the branch and ATM network, and develop senior talent. He was appointed Chief Financial Officer of Bank One in 2000, leading the company’s effort to fortify its balance sheet, improve financial discipline, and strengthen management reporting. Mr. Scharf spent 13 years at Citigroup and its predecessor companies, serving as chief financial officer for Citigroup’s Global Corporate and Investment Bank prior to joining Bank One. He was chief financial officer of Salomon Smith Barney when its parent company—Travelers Group—merged with Citicorp in 1998 to create the nation’s largest financial institution. Mr. Scharf became CFO of Smith Barney in 1995, after serving in a number of senior finance roles at Travelers companies, including Smith Barney, Primerica and Commercial Credit Corporation. He previously served on
Real Time Military Analysis Center, the Reserve Armed Forces Threat Center, the Center for Information Dominance, and the Information Operations Technology Center (IOTC) within the National Security Agency (NSA). Mr. Baich was also selected as an advisor for the 44th President’s Commission on Cybersecurity.
Wilson Elser Moskowitz Edelman
& Dicker LLP
55 West Monroe Street
Suite 3800
Chicago, Illinois 60603
Tel +1 312 821 6105
Web www.wilsonelser.com
MELISSA VENTRONE
Partner
Email [email protected]
Melissa Ventrone, chair of Wilson Elser’s Data Privacy & Security practice, focuses on privacy breach response (pre- and post-event), including assisting clients with identifying, evaluating, and managing first- and third-party data privacy and security risks. Ms. Ventrone frequently advises clients on compliance with state, federal, and international laws and regulations. She has assisted numerous clients with identifying and mitigating cybersecurity risks, including incident response.
A member of the Marine Corps Reserve for more than 20 years, she uses her strong organizational skills to manage Wilson Elser’s breach response team, quickly bringing lawyers, clients, and forensic and breach response vendors together to optimize response time and effectiveness. Ms. Ventrone has handled numerous breaches for small and large entities, including merchants, financial institutions, medical providers, and educational institutions, successfully reducing public and regulatory scrutiny and protecting clients’ reputations.
LINDSAY NICKLE
Partner
Email [email protected]
Lindsay Nickle is experienced in assisting clients with the development and implementation of risk management processes and data security measures related to the receipt and use of confidential, private, and highly sensitive data. As part of the firm’s breach response team, Ms. Nickle assists clients in developing an efficient and prompt response to the loss or compromise of sensitive and protected data. She has assisted numerous clients with responding to data security incidents, and she is experienced with standards and issues unique to consumer protection, as well as the payment card industry. She also has provided guidance and advice regarding regulatory compliance within the financial industry.
Ms. Nickle is an experienced civil litigator with a background in general civil litigation and creditors’ rights. In her years of representing financial institutions, she has handled litigation and arbitrations involving fraud and identity theft issues related to financial accounts. Ms. Nickle has extensive courtroom experience, including successfully handling more than one hundred bench and jury trials.
World Economic Forum
91-93 route de la Capite,
CH-1223 Cologny/Geneva
SWITZERLAND
Tel +41 (0) 22 869 1212
Web www.weforum.org
DANIL KERIMI
Director, Center for Global Industries
Danil Kerimi is currently leading the World Economic Forum’s work on Internet governance, evidence-based policy-making, digital economy, and industrial policy. In addition, he manages the Global Agenda Council on Cybersecurity. Previously, Mr. Kerimi led
Forum’s engagement with governments and business leaders in Europe and Central Asia, was in charge of developing the Forum’s global public sector outreach strategy on various projects on cyberspace, including cyberresilience, data, digital ecosystem, ICT and competitiveness, and hyperconnectivity. Before joining the Forum, Mr. Kerimi worked with the United Nations Office on Drugs and Crime/Terrorism Prevention Branch, the Organization for Security and Cooperation in Europe, the International Organization for Migration, and other international and regional organizations.
ELENA KVOCHKO
Cyber Security Strategist
Elena Kvochko is currently head of global information security strategy and implementation in the financial services industry. Previously, she was Manager in Information Technology Industry at World Economic Forum, where she led global partnership programs on cyber resilience and the Internet of Things and was responsible for developing relationships with top information technology industry partners. Prior to her position at the Forum, she worked as Information and Communication Technology specialist at the World Bank. Ms. Kvochko focused on a portfolio of projects aimed at leveraging ICT for economic growth and transparency in emerging economies.
Ms. Kvochko is an author of numerous publications and reports and has contributed to Forbes, the New York Times, and Harvard Business Review.
Individual Contributor
ROBERT (BOB) F. BRESE
Former Chief Information Officer, U.S. Department of Energy
Email [email protected]
Robert (Bob) F. Brese is a Vice President and Executive Partner with Gartner, Inc., the world’s leading information technology research and advisory company. He brings his recent, real-world Federal CIO experience to provide IT leaders with insight on their most pressing issues and their most thrilling business opportunities. Most recently, Mr. Brese was the Chief Information Officer (CIO) for the U.S. Department of Energy (DOE), whose national laboratories, production facilities, and environmental cleanup site missions span open science to nuclear security. Mr. Brese led DOE’s policy, governance, and oversight of more than $1.5 billion in annual IT investments, as well as DOE’s key initiatives in open data, cloud computing, and energy-efficient IT strategies. Mr. Brese also served as the Department’s Senior Agency Official for Privacy and for Information Sharing and Safeguarding. A leader in the U.S. Government’s cybersecurity community, Mr. Brese was a key contributor to the Administration’s efforts in cyber legislation; policy; cybersecurity technology research, development and deployment; and in the cybersecurity protection of the country’s critical infrastructure.