Ask Nikki Latta about the biggest change in her nine years of practicing in-house at the consulting giant Deloitte LLP, and the Assistant General Counsel says it is the focus the firm’s clients are placing on cyber security and protecting their IT systems from unwanted intrusions.
“What we are seeing is that clients want to understand what security protections are in place with respect to the information they are sharing with us and with respect to the access they are providing us to their networks. They want to know who they are dealing with…so they can satisfy themselves that they are in good hands.”
Part of Latta’s job is to facilitate the negotiation of large IT outsourcing contracts, which drives part of Deloitte’s consulting business, so she has had a front-row seat to the emergence of cyber crime as a major issue facing businesses.
To enhance its business, Latta says, her group was one of the first in Deloitte to achieve ISO 27001, an international, gold-seal standard that covers an organization’s information security management system. It applies risk management principles to policies and processes around IT systems to help organizations manage the security of critical assets, such as financial information, intellectual property, employee details and information entrusted to organizations by third parties.
That ISO stamp of approval has become critical in contract negotiations, she says, noting “in the early days, people weren’t looking for an ISO certification. Now you see that expressly in standard form contracts.”
Indeed, data protection and cyber security is moving to the forefront of the corporate world, spurred by recent high-profile cyber incidents—from hacked emails during the U.S. presidential election to the release of 11 million confidential client tax records from the Panamanian law firm Mossack Fonseca. There is also a trail of stolen money and pilfered credit card data. Hackers recently managed to steal US$81 million from the Bangladesh central reserve bank. Credit card thefts at major retailers, including Target, The Home Depot and TJX Cos., cost those companies millions of dollars to rectify.
Now, a new threat is emerging, known as ransomware. That’s where a hacker infiltrates a company’s IT system and holds critical information hostage until the company agrees to pay a ransom, usually in untraceable bitcoins. “They are targeting amounts they think you can pay,” warns David R. Mackenzie, an insurance and cyber security lawyer at Blaney McMurtry LLP. He says oftentimes it is more “cost effective” for a company to quietly pay the ransom and get control of its systems and information back than to go through the rigmarole of rooting out the perpetrators.
These types of developments are spurring both concern and action. The 2016 Kroll Corporate Risk Survey of in-house counsel finds that the combined triple play of data security, cyber security and privacy risk is now the most pressing legal issue facing companies.
While 76% of respondents say they have effective safeguards in place to protect information, many appear ill prepared to deal with the fallout from a breach. Only 41% say they have an incident response plan that is regularly updated and tested. Another 18% say they have a response plan but it is not regularly updated or tested, while a further 13% say they have a plan but it lacks resources. Almost one-third report having no plan at the moment. Moreover, a startling 20% of in-house lawyers say they never talk to the head of the IT department about data security issues.
Those figures concern cyber security expert Dan Tobok of Cytelligence Inc. in Toronto, “They need to have a breach response plan,” says Tobok, who investigates between 25 and 30 cyber security breaches per month.
Securities regulators are now taking aim at cyber security. Louis Morriset, Chair of the Canadian Securities Administrators, said in a September statement that his organization “has identified cyber security as a priority.”
“Cyber security has evolved considerably” since the CSA issued its last notice on the topic in 2013, he says, adding, “Attacks have become more frequent, complex and costly for organizations.”
"It is crucial for us to improve collaboration and communication on cyber security issues with market participants. We want to ensure they are aware of the challenges, have a sufficient level of preparedness and are as resilient as possible against cyber risks."
Securities commissions are now reviewing cyber security risk disclosures from large, publicly traded companies and are meeting with some issuers “to get a better understanding of their assessment of the materiality of cyber security risks and cyber attacks,” the CSA said. The focus is on:
cyber security risk assessment and information security governance programs;
IT safeguards and controls;
use of encryption;
risks related to third-party service providers;
vulnerability tests and compliance monitoring;
evidence of regular employee training and awareness;
incident response plans; and
practices for accepting client instructions to withdraw or transfer funds via electronic means.
Kirsten Thompson, who leads the cyber security, privacy and data protection group at McCarthy Tétrault LLP, says the CSA’s move “tells me that issuers aren't getting the message. Cyber security is a fairly new risk factor that needs to be disclosed.”
She warns, “You can't take a check-box approach. There’s a tendency to shove this off to the IT group. This isn’t solely an IT issue.”
As cyber risk moves to the top of the corporate agenda, expect a cyber security tsunami to wash over industries, with corporate boards and senior management asking tough questions about the state of their company’s readiness. It is likely that much of the heavy lifting in terms of developing better breach response plans and preparing policies and procedures to combat cybercrime will fall on the shoulders of the legal department.
So it is time for in-house lawyers to brush up on their cyber security risk knowledge. Here are nine essential things to think about as you embark on your cyber risk journey.
1. No one is immune
Gillian Stacey, a lawyer at Davies Ward Phillips & Vineberg who deals with technology issues, says clients tell her all the time that they don't collect consumer credit card information or personal information about clients, so they don't need to worry about cyber security.
“If you have employees,” she observes, “you have personal information.” Moreover, “there isn't a business today that can run without technology. Every business is reliant on technology to one degree or another.”
Laureen Seeger, General Counsel at American Express Company, warns on a recent podcast, “Everyone has something of value that you don't want your competitors to possess.” Cyber sleuths covet things like customer lists, intellectual property and new product information.
2. Fighting cybercrime is a team sport
Cyber security is not simply the purview of IT or something that can be dumped on the legal department alone to address. Rather, it is an enterprise problem. Lawyer Karen Burke, Enterprise Chief Privacy Officer at BMO Financial Group, says, “For us, cyber security management is a team sport. You need to have the right perspective and expertise.” That means building a team of in-house experts featuring legal, IT, HR, privacy and communications, as well as external advisors to call upon in the event of an incident.
3. Beware the lowest common denominator
Steve Rampado, a partner in the Enterprise Risk Services at Deloitte, says cyber thieves go after the “lowest common denominator.” That includes employees who are lapse in controlling their passwords or who fall prey to “phishing” expeditions and wrongfully open emails with malware or give up details under false pretences. “It’s a very patient game and a very long game these underground organizations are playing,” he warns and it starts with the “weakest link.”
4. Take the lead
Security expert Tobok says that “IT should never be in charge of security,” nor should the chief financial officer. While CFOs are good with money, they “[may not] have a clue about security,” he says. On the other hand, the IT department has built the system and might be blind to its weaknesses. The best place for security responsibility to reside, he feels, is the legal or compliance department.
5. Analyze the gaps
Burke says undertaking cyber security and gap analyses is a critical first step in moving a company forward. That means hiring an outside firm to review you internal operations. A good cyber security firm can help you quickly spot the weaknesses and suggest ways to plug the holes, he adds.
6. Beware of your supply chain
One of the weakest links is an organization’s supply chain. The hackers who broke into Target’s system came through an HVAC vendor. Deloitte’s Rampado warns that even law firms can be a weak link: “Many are small and may not have the same level of security,” yet they often
sensitive client data. It’s imperative that companies get assurances from their third parties suppliers—supplemented with independent audits—that their information security systems are robust and meet the governance standards set by your company.
7. Prepare incident response plans
Breaches are inevitable and when they happen you need a roadmap to guide you, experts say. So similar to a disaster recovery plan, companies need to develop a cyber incident response plan, and make sure you can access it during an attack. Know who you need in the room and who to call in from outside, and make sure your resources can respond at a moment’s notice. Most importantly, though, experts say you need to test the plan. Run some live fire drills to work out kinks and see how the plan transfers from paper to real life.
8. Boards need to know
The reputational risk is enormous when it comes to a cyber breach. It’s important to involve the board early in the game and provide regular reporting about controls that are in place and incidents. Tobok says too many boards suffer cyber denial. “They say it will never happen to us and if it does, we will just handle it.” By then it’s too late, he warns.
9. Educate, train, educate, train
Experts say that one of the simplest ways to deter cyber breaches is through a mandatory employee education program. People need to understand why they have to change passwords regularly and follow security protocols. Test them by exposing them to phony emails so they learn what a phishing threat looks like, says Stacey.
“Part of managing [cyber] risk is education—not just employees, but your board—on what your risks are and how to mitigate them,” she advises.
Mackenzie adds, “You can have the best system in the world, but it is only as good as the employees following it.”
Insuring the Inevitable
In-house lawyers should make sure their organization has a cyber security insurance policy that covers their risk, says David R. Mackenzie, an insurance and cyber security lawyer at Blaney McMurtry LLP, who tracks developments in cyber security insurance. He says the insurance market covering cyber breaches is “getting more traction,” and policies cover a wide range of things, from ransomware to denial of service attacks, which is when a website is bombarded with junk traffic and effectively shuts down.
However, he warns, not all policies are equal and the insurance can be complicated. The policy language is also quickly evolving, as insurers learn more about coverage risks.
He says the problem with a cyber breach is not just lost information or stolen money. It's the aftermath and clean up. A 2016 Ponemon Institute study says it costs Canadian organizations an average of $278 for each stolen record, and a typical incident ranges between $5.3 and $6 million—a number that keeps rising. “All sorts of people have to be involved in fixing it and making sure it doesn't happen again,” he observes.
“You will never be able to eliminate risk,” Mackenzie notes, but by building a strong security culture backed by policies and procedures that people follow, a company can reduce risks. “Know your business, know your risks and deal with them the best that you can.”
Jim Middlemiss is a writer based in London, Ontario.
Photo licensed under Creative Commons by wocintechchat.com