Legal teams can play a major role in helping clients reduce vulnerabilities, minimize consequences, and speed responses to cyber attacks, but doing so requires a focus on the changing nature of the underlying risk. Consider three areas where lawyers play crucial counseling roles: liability reduction, mergers and acquisitions, and regulatory affairs.
- The basic elements of a negligence claim are a duty to exercise reasonable care, a breach of that duty, injury, and causation. The challenge in the cyber domain is defining what reasonable care means, whether for your own client or for an important counterparty.
- In a mergers and acquisitions context, key issues include representations and warranties, allocation of risk, and valuation. In a cyber context, consider the adequacy of cybersecurity-related representations and warranties, the related allocation of risk, and contingencies for a compromise discovered during due diligence.
- Cybersecurity regulations and enforcement actions are proliferating across federal, state, and foreign jurisdictions. Moreover, some agencies, such as the Federal Trade Commission, can bring complaints even where no specific security standard applies.
Lawyers can play key roles in advising their clients on how to frame security risk, so companies can focus on building effective programs that are sustainable in times of change and communicating program effectiveness to key internal and external stakeholders. So, what does “effectiveness” look like?
As a foundational matter, effectiveness requires a continuous cycle of assessment, mitigation, and monitoring of security risks to the business.
Any event that changes how companies and their counterparts interact with sensitive assets generates new risk, as do shifting political and threat landscapes. Let’s take three examples of 2017 incidents:
- As seen in the 2017 NotPetya and other incidents, adversaries are using third-party software as an entry vector for deploying malware on targeted systems. Malicious actors infiltrated the source of a supply chain, compromised the third-party software in question, and used that compromise to push malware into victim systems through the software's built-in auto-update process; the malware then spread laterally across the victims' networks. Maersk reported an impact of up to $300 million in its third-quarter earnings report, and pharmaceutical maker Merck reported an impact of similar magnitude.
- Mandiant recently reported that it had responded to an incident in which an attacker deployed malware designed to manipulate the safety instrumented systems that provide emergency shutdown capability for industrial processes at a Middle Eastern client.
- The recently disclosed Uber breach resulted in the compromise of personal information for 57 million Uber users around the world, apparently without any breach of Uber's corporate systems or infrastructure. According to Uber CEO Dara Khosrowshahi, external attackers "inappropriately accessed user data stored on a third-party cloud-based service that we use" to obtain this information.
Security measures that do not keep pace with changing risks create dangerous blind spots in a company's ability to manage risk effectively. Likewise, adopting new business models, partnerships, and technologies entails new risk. Mobile banking and payments, for example, have grown significantly over the last few years, introducing new attack vectors.
Lawyers can play key roles in advising, and challenging, management to ensure that defensive measures stay current with these risks. Do we have risk-appropriate controls to defend our own environment against these sorts of attacks? Do our contracts protect us when critical business partners fall victim? Do the terms of our insurance coverage adequately address the changing nature of the perils?
Even where the organization stays current with inherent risk, planning and implementing mitigation takes time and money, so prioritization is key. Choices must be made, balancing risk reduction, ease of implementation, and regulatory imperatives. With a seat at the table, counsel can play an important role in informing these choices and developing strategies for addressing residual risk.
Risk monitoring demonstrates, through testing, auditing, and other measures, that the defensive measures adopted to address risks identified during a risk assessment are fully implemented and operating as intended. It is the last leg of our three-legged assess-mitigate-monitor effectiveness stool. Many organizations victimized by cyber attacks believed they had effective programs in place before the incident; security programs that lack appropriate testing and auditing can leave organizations with a false sense of security. Relatedly, meaningful metrics help management monitor trends over time and address emerging issues proactively.
Organizations are increasingly looking to independent third parties for advice on managing security risk. At The Chertoff Group, we work with clients to build effective security programs that are sustainable in times of change. To assist our clients in designing and implementing effective security, we have distilled our core approach into a Security Risk Management Consulting Methodology that is approved for SAFETY Act designation by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate.
The Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act was enacted after the 9/11 attacks to foster the development of effective anti-terrorism capabilities by providing important legal liability protection to providers and users of security capabilities that could save lives in a terrorist attack. To obtain approval, the law requires proof that the capability in question is operationally effective and immediately available for use. We are one of the few consultancies in the world to have achieved this approval for a security risk management methodology. While the SAFETY Act pertains to terrorism risk, our methodology applies to all hazards.
The Chertoff Group’s SAFETY Act-designated approach offers a variety of benefits to Chertoff Group clients:
- At the conclusion of an engagement, a client will either know that it has an effective security program or understand the key steps it needs to take to get there.
- The methodology is scalable, flexible, and modular, and can apply to both physical and cyber risks, so a program can be scoped to tailor efforts around focused areas of risk.
- Our methodology can also be used to help organizations advance SAFETY Act risk management programs of their own, which can, in turn, lessen potential organizational liability.
To learn more about SAFETY Act-designated security specialists, read the SAFETY Act report below.