Safe in the knowledge Sound cyber strategy for senior management and board members

Sound cyber strategy for senior management and board members

Now, more than ever, safeguarding companies against cyberattacks requires a proactive, holistic, risk-based and well-practiced cyber strategy; the linchpin to that strategy is an involved C-Suite and Board.

Only upper management can make employees at all levels prioritize cybersecurity, align the responsibilities for cyber security with the authority to meet those responsibilities, and ensure that the overall cybersecurity is comprehensive, proactive, and practiced. Without this senior management involvement and focus, cyber strategies will become fragmented, increasingly disregarded, and wholly ineffective when the crisis occurs.

Regulators around the world are realizing this fact, and soon, so will courts. Cybersecurity is no longer the sole province of the IT department, and the prospect of individual director and officer liability has become an increasingly significant issue. Particularly with regulations in the U.S. and in Europe beginning to require senior-level sign off on cybersecurity plans and programs, it is integral for senior corporate officials to ask the right questions and ensure they are getting the right answers, before they sign their name to the cyber bottom line.


Below are some key questions and considerations to help guide senior leaders, as well as the lawyers and CISOs who advise them.

Q. Who should be in charge of prevention and response?

Cybersecurity involves the entire organization and is not limited to the IT Department. The current threat landscape demands that a cyber strategy, including its prevention and response phases, embraces a holistic approach. The core team will vary for specific industries, but executive leadership, Legal, IT, Public Relations, Investor Relations, Customer Relations, Risk Management and Operations would be involved.

Traditionally, either a chief information security officer (CISO) or general counsel will be charged with overseeing the cybersecurity program. The responsible individual needs to have the clear responsibility, as well as the authority, to effectively fulfill the role. While delineated responsibility and authority are essential to running an organization, the leader of a company’s cybersecurity program needs to have the authority and mandate to identify and allocate resources within an organization.

If the CISO’s mandate is overseeing cybersecurity, a consistent and rigorous reporting system to the Board of Directors and/ or senior management is integral to an organization’s risk management, monitoring and fluid communication. Of course, the CISO also needs to understand the business and how technology systems can be utilized and leveraged to improve business functions.

The person ultimately in charge of cybersecurity needs to be an experienced crisis manager and, if not a lawyer, should have a trusted, battle-tested, action-oriented attorney by his or her side, to ensure decisions will not have costly legal implications if not executed correctly.

Q. When should we get upper management involved?

For many reasons, the time to get upper management involved is now, well before any breach occurs. Without Board or C-Suite level attention, any cyber strategy will be fragmented, increasingly disregarded and wholly ineffective when a crisis occurs. Only upper management can make employees at all levels prioritize cybersecurity, align the responsibilities for cybersecurity with the authority to meet those responsibilities, and ensure that the overall cybersecurity is comprehensive, proactive and practiced.

A common pitfall is that responsibility is divided, and authority is often misaligned with responsibility. For example, the CISO of a corporation may be charged with requiring the immediate distribution of a necessary security patch. However, the authority to require the mandatory restart of workstations needed to implement the patch, which forces employees to temporarily stop working, could reside with one or more individuals in more senior positions than the CISO or in different departments. This makes coordinating and executing precautionary measures difficult, and the resulting time delays often increase risk.

For these reasons, regulators are increasingly requiring sign-off and approval of cybersecurity policies by official senior management. Both the cybersecurity requirements issued by the New York Department of Financial Services and the UK’s Financial Conduct Authority (FCA) mandate that the Board of Directors or senior officers certify compliance annually, with the potential for personal liability if the organization is later found to be non-compliant.1

Director and officer civil liability is becoming a significant concern for companies; traditionally, if members of upper management act on an informed basis, in good faith and in the honest belief that their actions are taken in the best interests of the company, they will continue to enjoy relative immunity before courts if a cyberattack happens. The bar to successful shareholder derivative suits against directors and officers remains high.

As cyberattacks affecting all industries, not just those that are data rich, regularly appear in the press, courts evaluating whether directors and officers have met their standard of care will look skeptically upon any Board or director of any company that does not have a sound monitoring system, oversight procedures and mechanisms to prevent, respond to and remediate cyber threats before severe damage is done. Companies that fail to implement basic cybersecurity procedures will not appear reasonable, particularly as regulators across industries and global jurisdictions enact regulation requiring cybersecurity procedures and outline the consequences of non-compliance.

Q. Is there a technological solution?

Technological solutions to cybersecurity may be included as a component of a cyber strategy, but the key to preparedness and risk management is a thorough cyber strategy plan that anticipates threats, mitigates potential damage in advance, and plans for remediation when necessary.

Identifying and implementing a cyber strategy and plan is not a singular, one-time task. Cybercrime continues to evolve, and new types of attacks are continually developed. In order to maintain a strong defense, organizations need to be vigilant and consistent in testing and updating their strategy as well as nimbly shifting resources to new areas of vulnerability.

Continuous vigilance does have a core IT component, and any successful cyber strategy will incorporate continuous monitoring, not only of internal networks, but also emerging threats. The IT component of a sound cyber strategy requires a deep understanding of the information that system logs provide. The IT team, tasked with monitoring for internal cybersecurity red flags, should know how to properly manage and oversee these internal systems. Finally, it is important to consider routinely sharing and receiving cyber threat indicators to help the organization, and the larger economy, inoculate against cyber threats.

1 https://corpgov.law.harvard.edu/2017/03/25/new-york-cybersecurity-regulations-for-financial-institutions-enter-into-effect/


Q. Should we just be concerned with data?

As the latest string of ransomware attacks show, cybersecurity threats are not limited to traditional consumer or financial data rich targets like banks, hospitals or insurance companies. Hackers are increasingly willing to target any company from which they can steal valuable trade secrets, cause disruption, if not destruction, or extract ransom. The companies themselves may not even be the direct target but rather a springboard to others or a move in a longer-term strategy, with the end goal of targeting customers and third-party vendors or serving a political agenda.

It is critical for companies to identify what data and other vulnerabilities exist. Critical questions to ask are:

– How sensitive is the data that is collected (whether commercially, legally or reputationally), and can it cause physical damage (i.e., chemical companies, electric utilities, cargo ships or vehicles)?

– Where is critical data stored and used?

– Who has access to it?

– Is it compartmented?

– What potential threats exist?

– What are the potential consequences if hackers were to get at the data in some way, shape or form?

Once surveying the threat landscape and determining the relative value of data or assets, then the next step is to enact risk-based measures to mitigate those threats in a systematic fashion. One approach would be to create a “layered defense” strategy, whereby the most valued assets are provided higher levels of protection than less sensitive or less valuable data and assets. This tailored and informed strategy efficiently saves money and time while preserving employee goodwill. However, this strategy is only effective with the knowledge of where the data resides, what kind of data is held and what vulnerabilities exist.

Q. What is the role of privilege?

Before a breach occurs, courts and regulators evaluate the risk-based cybersecurity judgments that were made, and the reasoning behind those decisions. Regulators like the US Securities and Exchange Commission (SEC) and the UK’s FCA will not wait until after a breach occurs to ensure that core aspects of a cyber strategy are recorded. Courts handling a breach case will also consider written, pre-breach decisions to determine whether the emerging standard of care was met (usually based on a reasonableness analysis). Therefore, documenting the thought process, and the written response plans are significant evidentiary pieces to be drafted with the understanding that these documents may be released. It is important to consider that forensic reports in advance of a known breach are likely not privileged, so company actions regarding the risks and vulnerabilities revealed by that report will become core elements of any post-breach litigation or regulatory action.

Q. Should I be concerned with third parties?

If a third-party vendor or client has access to internal networks or maintains corporate data, it is crucial to evaluate the vendor’s cybersecurity level and consider quality control of vendors to ensure their cybersecurity strategy meets the company’s requirements. The organization and the third-party vendor should apportion risk of breach via contract. Many well-known cyberattacks have occurred via a third party due to its insufficient cybersecurity measures, despite the company’s otherwise solid cybersecurity infrastructure. Companies should systematically understand all third parties that connect to organizational networks or have access to organizational data, and review their contracts, especially longstanding ones, from a cybersecurity perspective.

Q. When should we call in law enforcement?

The decision to call in law enforcement in the event of a breach is an important one and depends on a number of factors. The advantages of calling the authorities include the potential to receive classified or otherwise sensitive briefings relevant to the breach; the ability to limit the number of interfaces in multi-jurisdictional breaches; and a better chance of being treated as a victim rather than a perpetrator. However, each situation is different, so there may be disadvantages; it is integral to have a decision plan in place ahead of time, and to select outside advisers that have pre-existing relationships with law enforcement.

Q. Are there tax implications to consider?

While the US Treasury, the Internal Revenue Service (IRS) and Congress have not addressed the tax treatment of certain breaches—ransomware in particular—there are important tax considerations to consider when devising a decision plan, since there is often pressure to resolve ransomware attacks quickly. In the event of a hack that results in a company choosing to pay ransom to release its data, the company will have to face decisions regarding the proper treatment of the payment on its books, and ultimately its tax return, as a non-deductible illegal payment under section 162(c)(2), a deductible theft loss under section 165(c), or potentially as an ordinary and necessary trade or business expense under section 162(a). Thinking through the tax implications in advance may aid in deciding whether to pay.

Q. Should we have insurance coverage?

The first step is to determine whether existing coverage is applicable to a cyber incident the company is vulnerable to facing. For example, while computer fraud is typically covered under policies insuring against crime, some common cyber means of fraud may not be (e.g., tricking a company into transferring funds via a fraudulent email where the transfer itself is legitimate, i.e., not fraudulent). Traditional forms of insurance were not designed to cover cyber risk; many policies will either entirely exclude coverage for cyber-related incidents or limit the scope of coverage that is available for this type of occurrence. Additionally, coverage for damage is often limited to physical damage, which may not be considered the same as stolen, deleted or inaccessible data.

If existing coverage is inadequate, the second step is to determine what the company wants to have covered. Typically, the first-party component of a cyber policy will cover data breach notification and response costs; forensic investigation and security costs; public relations/crisis management costs; and remediation and rectification costs. It may be prudent to work with insurers to get a pre-approval for the retention of preferred specialists and advisers so that in the event of a crisis, negotiations with the insurance company would be taken care of prior to a breach. During a breach, time is of the essence, and the organization should be focused on devoting time and resources to mitigation of damage, not negotiation with the insurance company.

Equally important is to know what is likely not covered by a cyber insurance policy—unless negotiated for in advance. It is unlikely that cyber policies will cover the indirect or intangible consequences of a cyber incident such as loss of share price, loss of future business opportunity, or bodily injury or property damage where, for example, an explosion follows a failure of IT systems at a power plant. Losses arising purely under contract (i.e., where there is no concurrent liability in tort or other legal basis) are also typically excluded from coverage. Depending on the jurisdiction, fines and penalties may not be covered. For example, in the UK, the FCA prohibits insurance against its regulatory fines. Director and officer liability coverage may also be excluded to avoid “double insurance” (i.e., two different types of policies covering the same loss), but care must be taken in advance to ensure there is no coverage gap. Finally, ransoms and cyber extortion may be excluded based on local law. For example, UK and US terrorism laws may prohibit the paying of a ransom if the money ends up supporting terrorist activity.

Q. How often should we practice and update our response plan?

Companies should engage in a table-top exercise or similar evaluation and update the response plan annually. Consistent practice will not only improve an actual breach response, but it also will help identify holes or anachronisms to be rectified to better prevent a breach.

It is also important to ensure that any standard disaster response plans are applicable to cyber incidents. Many companies have disaster recovery or business continuity plans, but not many of these plans directly address cyber incidents. This situation presents unique facets that should not be addressed for the first time in the middle of a crisis. A disaster recovery plan may account for a natural disaster, like a hurricane or flood for example, but may not account for loss of communication or digital systems owing to a data breach of core systems. A number of organizations have recently faced attacks that have shut down critical communication systems which significantly hobbled their abilities to operate over a significant period of time.

Q. How often should we train employees?

Hackers know that people are frequently the weakest link in cybersecurity, and they prey on that vulnerability through phishing and more advanced spear phishing attacks. Regular training is critical on how to recognize and avoid threats and what to do when attacks are successful.

Q. What should we not do?

A sound cyber strategy is about anticipation, mitigation and then remediation.

– The first step is to plan. As discussed earlier, planning is crucial when attempting to stay ahead of data breaches.

– Second, cybersecurity is not just about technology; companies should involve many different departments and individuals, particularly senior management, in order to be prepared.

– Third, do not assume an organization is a singular target. Hackers attack multiple companies, often in the same industry, at the same time.

The US passed the Cybersecurity Act of 2015 to encourage industries to broadly share information about malware by freeing organizations within each industry from certain liability concerns. Oftentimes industries share knowledge via Information Sharing and Analysis Centers (ISACs), which can prove useful, especially as these associations evolve to encourage sharing of more valuable and timely information. Finally, do not panic. Crises can beget more crises through compounding, panic-born errors. Having a plan—and knowing whom to call—will help tremendously.


For further information, please contact:

US:

Michael Bahar, US Lead of Global Cybersecurity and Data Privacy Team

Mary Jane Wilson-Bilik, Partner

Mark Thibodeaux, Associate

Al Sand, Associate

UK:

Paula Barrett, Global Co-Head of Privacy and Information Law

Liz Fitzsimons, Partner

James Hyde, Partner

Craig Rogers, Partner

Asia:

Brian Law, Counsel

Jennifer Van Dale, Partner

Nigel Stamp, Partner

Geraldine Ahern, Partner

About Eversheds Sutherland

We provide a single interface for a full-spectrum, multi-disciplinary approach:

Board counseling. Advising boards and senior leaders on the essential elements of a sound, proactive cybersecurity strategy

Identifying and mitigating risk. Advising on how to avoid and fix the most common—and potentially most devastating—blind spots in cyber planning, including the extent and adequacy of existing insurance coverage and the role of third parties and supply chains

Global compliance. Providing guidance on current and pending regulatory requirements across jurisdictions, including the European GDPR and the New York State Department of Financial Services Cyber Regulations

Embracing tech opportunities. We provide guidance on mitigating risks in adoption of new technologies (including Big Data, the Cloud, AI, fintech, insurtech, Robotics and IoT)

IP protection. We not only help protect your IP from conventional exploitation, but from cyber theft as well

Prediction. Anticipating attacks, vulnerabilities and increased regulatory and litigation risks

Investment decisions. Making sound investment decisions to shore up cybersecurity, as well as to better establish “reasonableness” before regulators and courts

Creating cyber resilience. Putting plans in place to help recover quickly after any breach and to minimize reputational, regulatory and litigation harm

M&A. Preparing for cybersecurity due diligence—shoring up the value of your company in advance of any sale, or assessing the cyber risks (and price) of any company you wish to acquire

Managing risk with third parties. Wisely apportioning cyber risk when contracting with, or absorbing, third parties

Competitiveness. Maximizing ability to compete internationally and in all 50 US states in light of rapidly evolving and differentiated cyber laws and requirements

Public policy. Engaging law and policy makers on cyber issues

Should a breach occur, we calmly handle all aspects of the crisis response including:

– required notifications

– multi-jurisdictional litigation (we are one of the few firms that have successfully handled multiple class action lawsuits resulting from a large data breach)

– regulatory actions

– congressional or parliamentary investigations

– obtaining injunctive relief/seeking redress for losses

– management of claims process with insurers


eversheds-sutherland.com

© Eversheds Sutherland 2017. All rights reserved. Eversheds Sutherland (International) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit eversheds-sutherland.com. 090517