Data breaches have become a fact of business life—there’s no getting around it. As a result, corporate America’s awareness of its vulnerability to cyber attacks has increased. Unfortunately, most businesses are still lacking in their crisis-management preparedness for such instances, according to a group of experts.
This increased focus, spurred by several recent high-profile breaches, has led more companies to take the issue seriously and begin making plans, said speakers at a briefing and crisis-planning exercise held in New York City for industry leaders. The experts in cybersecurity gathered at a meeting sponsored by the law firm Hunton & Williams, Palo Alto Networks, recruiters Egon Zehnder, and the risk-management firm Stroz Friedberg.
“It’s been a complete revolution. The cyber environment has just exploded,” said Lisa Sotto, chair of the global privacy and cybersecurity practice of Hunton & Williams. “We could not have predicted this five years ago. There is no question that cybersecurity is a top priority for C-suites and boards. It is now recognized as a basic risk issue by every company.”
The legal landscape is also changing, with industry trying to keep up with a May 25, 2018, deadline for new European data regulations (GDPR) and new “groundbreaking” regulations in New York State taking effect March 1 that require notification of breaches within 72 hours. Companies are “frantically” preparing to comply, said Sotto.
Additionally, on the enforcement side, businesses have seen “class action suits galore, “and state attorneys general have become active in enforcement and reaching record settlements for consumers whose data is compromised, said Sotto.
Protection is possible
But despite this bleak picture, “prevention is possible” said Rick Howard, chief security officer at Palo Alto Networks. Protecting a company from cyberattacks “is absolutely possible to do.”
The building blocks of a cybersecurity program are four basic principles, he explained. Companies need complete visibility into offices, data centers, mobile devices, and cloud deployments to protect data security, said Howard. Additionally, they need to reduce the “attack surfaces” by controlling access to data only to those who truly need it.
What’s more, cyber criminals must take a number of steps before staging a successful attack, explained Howard. “There are many places in the whole sequence of attack where you can stop the bad guy.”
Firms that were hacked were viewed as victims in the past, but now “there is an ecosystem change,” said Stephen Gannon, general counsel of Citizens Financial Group. Regulators are coming around to the view that industry has seen enough of this and should have learned by now that a very organized response is expected. “If something goes wrong, regulators could be very unforgiving,” he said.
Find the weaknesses
To that end, companies can run exercises to see what weakness they have, said Bryan Rose, managing director of Stroz Friedberg. They must also have ongoing relationships with security vendors to ensure a rapid response in a crisis. A relationship with law enforcement is also a good idea, added Howard: “You don’t want to first call the FBI when the crisis is happening.”
Regular tabletop exercises are a good idea, because they train management to keep thinking ahead all the time, said Gannon. “That’s what builds muscle memory,” suggested Sotto. And because the exercises can impart a false sense of security, because the next penetration won’t necessarily be covered by the latest exercise, they must be constantly refreshed, said Gannon.
The panel held a sample tabletop exercise, in which a fictional hotel company was contacted by the FBI about a possible breach involving a foreign criminal syndicate and an extortion demand that the FBI thought involved other companies. “Unfortunately, we’re making these kinds of notifications daily,” said Ari Mushairas, special agent in charge of special operations of the cyber division in the FBI’s New York field office.
The experts agreed that the company should bring in help as soon as possible and involve law enforcement. Then, the pressure of social media will require the company to make a statement. Sotto suggested that this messaging should be brief and limited to acknowledging the company is investigating and working with law enforcement, without giving too many details.
The FBI would like to be involved in crafting the public message to avoid giving the bad actor information, said Mahairas. “To the greatest extent possible, do not surprise the FBI,” warned Gannon.
“You have to have a real plan to respond. You can’t train the entire legal team and compliance team when there’s a crisis,” Gannon said. Companies must have a governance plan they can take off the shelf and implement in an emergency, as well as an effective communications plan internally and externally: In the absence of information, people default to the negative,” said Gannon.
A review of the company’s security insurance is also a good idea, said the panel. Tom Ricketts, senior VP and executive director of Aon Plc., said managers frequently ask how much will they will need in insurance to cover a breach. “The simple answer is: a lot,” he said. “This does not come cheap.” But in the case of a breach, it’s money well spent, because costs mount as outside experts come in to help and settlement costs add up.
Fraught with hazards
Business must be careful of the structure of the policy, since it’s not like property insurance and the application is “fraught with hazards,” said Ricketts. Some don’t cover rogue employees or foreign bad actors, others don’t cover personal computers or mobile phones.
“We’ve seen a sea change in a lot of areas in the last two years,” said Walter Andrews, a partner of Hunton & Williams. “There will always be liability no matter what, but cyber insurance has gone from a product a few companies acquired to one held by almost all.” In fact, today regulators and boards require it.
“The cyber landscape is very pernicious. It’s only going to get worse,” said Sotto. Companies should do a major crisis-management exercise every year or two, with several smaller ones regularly several times a year to refresh knowledge, added Howard.
Awareness is growing, but denial is still an issue, concluded Howard. “If you watch how the executives communicated [after a breach] it’s clear that many of them had not thought about this until the crisis happened.”