As the mainstream news revisits the cyber-attack against the DNC during the 2016 presidential campaign and Atlanta continues to recover from the debilitating shutdown of its systems during a ransomware attack in March, the reality of contemporary cyber-threats is increasingly part of the boardroom agenda and at the top of the priority list of senior executives.
But, all too often, “cybersecurity” is pushed to a chief information security officer or chief information officer to manage the threat as though that “assignment” has checked the box and everyone else need not worry. After the Equifax breach, the General Counsel was pushed out for failure to manage the impact effectively (including a long list of misguided steps). If you are a general counsel, chief legal officer, corporate secretary or serve on a board, the reality of cybersecurity is that when a breach occurs, it will fall on your desk and you will be held accountable for the action the company takes.
The ball is never simply passed off to someone else when it comes to cybersecurity. This is a holistic effort that requires not just project management but checks and balances among the senior executive team and oversight by the board of directors.
At the mid-way point of 2018, there have already been major cyber-attacks across industry sectors. According to Business Insider, major consumer-facing companies have had their payment systems hacked, including Macy’s, Adidas, Sears, Delta, Best Buy, Saks, Lord and Taylor, Panera, Under Armour and many others, compromising millions of consumers’ personal records. And, of course, Facebook reported the compromise of the data of more than 87 million Americans by Cambridge Analytica, a breach of unprecedented scale, offering little more than an apology and an attempt to do better. Additionally, health care institutions continue to face ransomware and phishing threats that can shut down major health care systems and compromise millions of patient records, not to mention real human lives. In May, the FBI warned of the VPNFilter malware targeting routers as an emerging threat to address. With the roll out of GDPR (General Data Protection Regulation) in Europe and other data privacy regulation on the horizon, the liability exposure to companies for a breach is increasing at an alarming rate (GDPR violations can result in fines of up to 4% of revenue).
Why the Chief Legal Officer is Critical to Cybersecurity
Horizontal View. The Chief Legal Officer (CLO) has a unique lens into the organization, with a wide view of what’s happening across sectors and of potential exposure points, making it the role ideally suited to provide a form of checks and balances to the cybersecurity team.
Well Trained for Providing Checks and Balances. While collaborative teamwork is essential at the c-suite level, so too is checking to ensure the policies and procedures that have been put in place are working. All too often, software and systems to detect threats are put in place and policies written, but if no one checks to ensure they work, then vulnerabilities remain. The Equifax breach, for example, resulted from a failure to patch a known open source vulnerability (a fix that was available for free and simply never applied). The CLO has expertise in assessing risk, asking tough questions and running compliance investigations.
Additionally, and potentially more importantly, the CLO is the company’s counsel and therefore can hire and direct outside counsel subject to privilege and confidentiality, which can prove critical in the event of a breach and the corresponding liability. In the infamous Target breach, courts upheld the attorney-client privilege over the breach investigation. Being proactive with the use of expert advisors subject to the attorney-client privilege can have numerous benefits in preparing for and, when needed, responding to a breach.
The CLO Cybersecurity Checklist
The CLO has several important roles in Cybersecurity.
Strategic Partner. At least semi-annually, if not quarterly, review with your c-suite counterparts the cybersecurity strategy and project management plan. This should include crisis preparedness (what happens in the event of a breach) and risk management (how the risk is being prevented). Review it from an objective, horizontal lens and look for gaps or weaknesses. Be sure to include not just defensive, but offensive strategies to mitigate risk and be prepared. No one wants to second guess their counterparts at the top level of an organization, but when it comes to cybersecurity, this is exactly what is needed and warranted.
Spot Check Vendors. Most cybersecurity initiatives rely on numerous vendors. Those vendors may be using open source software, custom software or may be outsourcing to other service providers. The office of the CLO can spot check numerous aspects of vendors outside of the relationship that is formed between the cyber team and the vendor:
- Compliance with service level agreements and responsiveness.
- Compliance with minimum insurance levels to fund any indemnification provisions of the agreements and warranties and representations should they be violated.
- Financial viability of vendors.
- Patent filings of vendors – are they protecting their technology, infringing on others or potentially exposed to their own threats by publishing their techniques? This can actually provide telling and insightful intelligence.
- Location of servers and critical functions. How are these secured?
- Physical access to your buildings and network. How are they monitored and tracked?
- Social media of senior executives. Are the senior leaders of your vendors actively engaging in potentially socially or politically charged rhetoric that draws unwanted attention to you or could result in an attack?
Open Source Compliance. This is one of the easiest, least expensive and most important steps the CLO should take in boosting cybersecurity risk management. Every company is using open source software or has vendors using open source software. Make sure there is an open source compliance program and policy in place. Then, check it and make sure it is working. Equifax likely had an open source compliance policy – but it was not enforced – and the rest is history.
Software Updates. Vulnerabilities in software are one of the biggest exposure points for most companies. Creating a procedure for spot checks of your software patches across systems and devices can help ensure your IT and CISO teams stay on top of it. Your cyber and IT teams likely have this, but everyone needs to be checked. We value what is tracked, measured and checked. Sixty percent of cybersecurity breaches are never reported. This is one place you can help, just by asking the questions and trusting, but verifying, that the cyber team is doing what they need to do.
Phishing. Check and double check again on this one. Eighty percent of malware attacks occur because of phishing. A phishing email clicked on by John Podesta is what triggered the hack of the DNC during the 2016 presidential campaign. Other senior executives and high-profile leaders (including Colin Powell) have mistakenly clicked on phishing emails. The sophistication of phishing is so refined that even those of us highly trained in the field could fall prey. While the security team may be responsible for training and testing the rank and file employees for phishing awareness, the CLO can also run spot checks and evaluate those who do the evaluating. This is simply too important to not have multiple check points in place. Don’t forget to also test your board members and senior executives. Sometimes it’s the most senior people who are overlooked in testing for fear of embarrassing them. It will be more embarrassing if a breach occurs because of their click. As the most senior lawyer for the company, you can protect their privacy while also ensuring their readiness.
Social Media Policies. While HR likely sets social media policies for the organization, who runs spot checks and ensures that HR is compliant with its own policies? Bad actors get most of their intelligence from information your employees put out there on social media (not to mention vendors and contractors who work in your buildings). Checking compliance with these policies, and their sufficiency as social media shifts and evolves, is essential to ensuring you are not providing the very information to be used in spear phishing or ransomware attacks. Are all your top security executives on vacation this summer at the same time? I can probably find out with a few degrees of separation in social media.
Facilitate Drills and Practice Sessions. Partner with your cyber security team to facilitate running drills and preparedness in the event of a cyber breach. If you don’t have a checklist and a way to communicate with your CEO, board and other executives if your systems are down, then you are not prepared. Coordinate drills and run them separately with your team to look for holes in the response. Your board should run a mock cyberbreach event at least annually to ensure everyone knows their role and responsibility.
Physical Security Checkpoints. I’ve been a lawyer and consultant attending meetings at offices of the biggest companies in the world for the last nineteen years. I can’t tell you how many times I have immediately noticed a lack of, or failure to enforce, physical security procedures, the ability to use old Wi-Fi passwords to connect to the network, or the ability to walk around a building seemingly unchecked. I probably look like I belong there, and I have no bad intentions. But, if a bad actor who looks like they belong can get through your physical security, the ability to put a flash drive in a computer somewhere is not implausible. Ask your outside counsel and consultants to candidly recount their experiences at your offices – you might be surprised what you hear.
A Few Other Best Practices to Ensure Cyber-Security Readiness
- Invest in education on emerging technologies. New emerging technologies each bring a long list of security vulnerabilities. Hire outside counsel or consultants to help you understand the impact of new tech like artificial intelligence, internet of things, blockchain and open source software. Recognize that everything your digital team rolls out to grow the business could impact cybersecurity initiatives.
- Strategic planning and value building. Your role as oversight to cybersecurity adds enormous value to the organization. Understand how this fits into the larger strategic plan of the company and how what you uncover could also be used to drive strategic thinking.
- Crisis communication and response planning. When something bad happens, the chief lawyer is always called to the meeting. Being fully prepared with your own crisis training and preparation will mean the difference between an ad hoc, hope-you-get-it-right approach and a well-rehearsed and strategized response. Get independent advice so you think through how this impacts your future.
- Build your team. Invest in educating your team to understand the role of the legal office in cybersecurity, understanding emerging technologies and preparing for a crisis.
- Google alerts. This is a simple and free way to ensure you get the most up to date information on new technologies and cyberthreats related to your industry. Set up numerous alerts and read them at least weekly by carving out time on a Friday for reading and catching up.
- Involvement in vendor selection. Be sure to be involved in vendor selection with the cybersecurity team. I know they may not want you there until the end, but early involvement can help you to spot issues and know what questions to ask when they get down to making important selections.
As the CLO, it’s easy to assume that the cyber team and IT departments are in charge of cybersecurity and hope they do their job. But, if you work for a publicly traded company, checking that box may not be enough. Take a proactive role for the good of the company and its stakeholders.
If you’re interested in learning more about blockchain, digital disruption, futurecasting and other emerging technologies at the c-suite or board level or how to manage cyber-security risk, email me at firstname.lastname@example.org. I’m happy to customize a briefing or program to meet your needs. You can also reach me directly at 513.746.2801.