Rapid-fire cyber attacks and a shifting regulatory landscape are the “new normal” — and a traditional tech-focused cybersecurity stance isn’t enough anymore.
Experts say prioritizing risk management and a law-led approach to cybersecurity could be the difference between an inconvenience and a catastrophic breach. For any business, it could also be the difference between post-breach collapse and long-term survival.
“With how common attacks are these days, if you’re not thinking about cybersecurity from a risk management standpoint — including your exposure — you’re putting your business at risk,” said Doug DePeppe, cyber-risk attorney and eosedge Legal founder.
In a law-led approach, you examine your legal exposure, your duties and responsibilities, and your company’s compliance with regulations first, instead of waiting until after a cyber incident or breach. Legal counsel helps your company to assess those areas to reduce the risk of a cyber incident — and to reduce the fallout when a cyber attack succeeds.
A law-led approach looks at how regulators will view a potential cyber incident: Was your company complying with regulations, fulfilling its duties, taking reasonable steps to protect clients and information? It also looks at how third parties (those who lose information or suffer harm in a breach) will see the incident: Will they have grounds to sue? Will your failures mean they’re likely to win?
Building strong technical barriers is still critical. But as attacks circumvent technology more often and more quickly, DePeppe said, taking a law-led, risk-management approach to cybersecurity is key.
DePeppe has helped to build the eosCyber Alliance, a network of companies offering interdisciplinary solutions and services centered on cyber risk reduction. Risk reduction is the focus because for businesses, the chaos of a cyber breach is no longer “if” but “when.”
It’s an approach Silicon Valley has been taking for years — “in their parlance it’s called product counsel; it’s the forward delivery of legal services in an interdisciplinary way,” DePeppe said.
And DePeppe, who retired from the Army JAG Corps in 2008, saw how useful the interdisciplinary team approach was in operational law for the military.
“The JAG is part of the team that’s advising the commander about an incident or a military operation — that’s what I’m used to,” he said. “It’s not your ripened legal issue, which is after the fact — it’s advisory, as part of the business plan.”
After a cyber incident, data breach investigation and response “uniformly involves counsel,” DePeppe added.
CISOs who have discussed lessons learned after major cyber breaches have all said involving legal counsel early is important. And in the cyber insurance industry, in every claim, the first call always goes to legal counsel.
“It doesn’t even go to the forensic firm; it goes to the breach coach,” DePeppe said. “And so that’s now best practice.”
Getting legal counsel involved early, long before an attack, offers another important protection: attorney-client privilege and confidentiality.
Because budget is an unavoidable part of prioritizing some cyber protections over others, DePeppe explained, “delicate decisions about what you can spend” and detailed discussions of duty and exposure have to be had.
“And ordinarily, if counsel’s not involved — if it’s just the board and their CISO — then if there is an incident, that conversation is discoverable [in] litigation,” he said.
And when that leads to “the Monday morning quarterbacking of ‘Why’d you choose that over this?’ having that conversation protected by attorney-client privilege is really useful.”
Having legal counsel that’s knowledgeable about cybersecurity helps leadership make informed, logical, defensible decisions about cyber protections, DePeppe said.
“I would argue for organizations that have fiduciary duties, it’s inadvisable not to have that in place,” he said.
Tim Smit, Mountain West cyber and technology practice leader with Lockton Companies LLC, said the benefits of taking a proactive risk management and law-led approach to cybersecurity are “the ability to discuss and determine an organization’s accountability to their regulatory and statutory requirements, along with the client/attorney privileges of information sharing and protecting during a possible discovery phase.
“As regulatory requirements change and new ones are enacted into law, organizations must understand their accountability to those requirements and implement a more robust approach to not only cyber risk, but privacy risk management,” he said.
“Legal guidance, interpretation and determination of how a particular regulation impacts an organization drives how the privacy officer develops their policies and programs. Those fuel how the security officer, in turn, develops a strategy to protect the classification of information adequately, detecting abnormal activities and preparing for a cyber event.”
Smit said traditional tech-focused risk assessment addresses one area of risk exposure, but administrative and physical controls need at least as much attention — if not more.
“Ransomware attacks are up 195 percent from Q4 of 2018,” he said. “The majority of those are initiated via phishing attacks, where an administrative control of security training, awareness, and education for the workforce may have thwarted that attack.”
eosCyber Alliance uses trusted service providers and advisors to help clients address all those issues, in an approach DePeppe describes as “more holistic.”
For risk reduction, the network offers a long list of services: penetration testing, secure network design, sector-based compliance, incident response, cyber intelligence, coordination with government, exposure analysis, counter-terrorism, secure software coding, process improvement, decision support coaching, boardroom due diligence, cyber exercises and training, strategic communications and brand protection.
DRIVE FOR DATA PRIVACY
Executives now face increased expectations in managing cyber risk, Smit said, as the SEC and other global entities set guidance and requirements for data privacy and security.
DePeppe said the drive for greater data privacy — in Colorado and other states, as well as internationally — is a compelling reason to take a law-led approach to cybersecurity.
“In the law in Colorado, there’s an affirmative duty to be ‘reasonable’ — reasonable security is now a statutory provision, and that suggests that there’s a right in having privacy,” he said, “and failure to meet regulatory requirements, or causing harm to a third party regarding privacy, creates [legal] exposure.”
The risk management approach to cybersecurity also emphasizes having response plans in place for cyber attacks. Among its post-breach services, eosCyber Alliance lists breach coaching, data forensics, notification compliance and reporting, incident response, public relations and government relations.
“We tell clients all the time that having an incident response plan is a reasonable and necessary step,” DePeppe said. “And that incident response plan needs to have counsel and the team identified and they should have some knowledge of their client.
“I don’t want to get a call after the files go flying out the windows, and have no idea if my client has an on-premises or a cloud environment. These are some rudimentary things I need to know.”
Smit said part of his role at Lockton is to help insurance clients build a quick reaction/incident response program “to identify abnormal activities quickly, contain them as to not have a massive, catastrophic cyber event, and operationalize the process in handling similar events in the future.”
DePeppe said examples of a successful interdisciplinary team approach include: navigating domestic and international law for a client, to deter a foreign cyber-stalker from further criminal harassment and threats; using cyber threat intelligence and information sharing with the FBI to profile a ransomware attack and recover decryption keys; and responding to an insider attacker’s theft of intellectual property and misappropriation of stolen corporate assets from Eastern Europe.