Cyber-Security Corporate Governance: Three Essential Steps To Form A Cyber-Security SWAT Team

by Bennett Jones LLP

Last year, Canadian Lawyer InHouse Magazine [1] posed the question, "Should in-house counsel be asking more questions about the strength of their company's cyber systems…", citing the Association of Corporate Counsel's 2012 survey, in which 28 percent of respondents reported that their companies had experienced a cyber-security breach in the preceding 12 months and named "data breaches and protection" as one of the top issues keeping them up at night [2]. In my view, the best answer to that question is that in-house counsel should be actively participating in providing cyber-security corporate governance leadership and risk management guidance, including legal and compliance advice.

Regardless of your industry or business sector, whether retail, transportation, financial services, manufacturing, energy or otherwise, there are now daily (if not hourly) news reports of aggressive, targeted and damaging cyber attacks that cause significant financial, reputational and commercial harm to the affected enterprise, whether through data breaches, trade secret theft or other business disruption. Chances are, the bigger or more visible your company is, the more international it is, or the closer it is to critical infrastructure, the more likely it is a target for cyber attack. For example, in March of this year, the Homeland Security News Wire in the U.S. reported [3] the following statement by the Chairman of the California Energy Commission: "If you're a utility today, depending on your scale, you're under attack at this moment." [4] Similarly, Canada's Globe and Mail newspaper recently reported that: [5]

North America's electricity grid is facing increasing risk of cyberattacks from criminals, terrorists and foreign states, and utilities have to devote growing resources to defend the system… In a report last year, cybersecurity firm Mandiant Corp. [6] exposed a multiyear, large-scale computer espionage threat (across many sectors) originating from a group in China with close ties to the People's Liberation Army… Robert Gordon, a special adviser to Public Safety Canada on cyber threats, identified three distinct risks that Ottawa is working with industry to combat: criminal, espionage and activism.

Therefore, right now, before your company is hit by another cyber attack (yes, another), whether by hackers, agents of IP espionage, malware, activists launching a denial of service attack, or a disgruntled employee, you need to proactively formulate the practices and resources that your organization requires to manage the response to such attacks. I believe the governance undertakings required to reasonably manage the risk of cyber attack can be summarized in a three-step process that culminates in the assembly, organization and training of a cyber-security response SWAT (Special Weapons and Tactics) Team: managers (internal and/or external professionals) who know exactly what to do and can be called into action on a moment's notice in the event of a cyber threat.

STEP ONE: First, make sure that the board of directors, the C-suite, and the managers of your company's IT and web-enabled infrastructure understand the fast-moving threat landscape, including all relevant threat sources, your organization's general vulnerability, and the financial, reputational and legal risks that your enterprise uniquely faces. As part of that exercise, all of the relevant subject matter experts in your organization should be identified and assigned to contribute to that essential awareness exercise and to all of the undertakings that follow. Experts in IT corporate governance, reputational and crisis management, cyber technology risk, advanced HR practices, and your company's unique legal and regulatory compliance duties should all play a vital role in understanding the nature and scope of cyber-security threats.

STEP TWO: There are two distinct aspects to the second step of preparedness.

First, enterprises should undertake a detailed review, assessment and audit of their cyber-security history (either their direct experiences or sector benchmarking), their vulnerabilities, and the risks and potential key business liabilities they may face, both commercial and regulatory (compliance) in nature. Every enterprise relies upon and uses the Internet and IT infrastructure differently, and each combination of use and reliance creates a unique matrix of risk, potential liability and defence posture. That is why a comprehensive assessment of how your enterprise is uniquely positioned (or not) to address cyber threats is an essential aspect of security preparedness. That assessment must also include a comprehensive survey of your company's legal, regulatory and compliance duties, so that your cyber incident action plan is crafted to include all of your organization's notification, reporting and disclosure requirements.

Second, based upon your company's unique cyber risk assessment, an overall cyber-security strategy must be formulated and implemented. That strategy review will likely consider:

  • necessary technological and business process security improvements;
  • third-party security contributions and testing (including encryption service providers, ethical hacking services, etc.);
  • a review of all relevant HR security programs;
  • your organization's online connections and practices with its key business partners, such as suppliers, customers, and the service providers it depends upon to carry on business;
  • the need for cyber risk insurance;
  • business continuity and contingency plans; and
  • the formulation of cyber-security policies, procedures and practices (including a cyber incident action plan) that will address cyber incident prevention, reporting, response and harm mitigation.

Such corporate cyber-security policies usually include:

  • information (awareness) systems to remain "threat current" (including warnings from trade associations and public sector security services such as police, public sector security alerts, and access to the full range of governmental support systems [7]);
  • employee training programs;
  • IT security policies, possibly including data and IT access restrictions, segregated data, and SaaS or Cloud security stipulations;
  • supplier, customer and e-commerce security practices;
  • management and employee resource allocation for ongoing security governance activities; and
  • internal management policies, including the creation of a cyber attack response and management SWAT Team.

STEP THREE: Based on your assessment of cyber-security vulnerability and risk, and in accordance with the resulting cyber-security policies and procedures, your enterprise should proactively consider putting a specialized team of trained managers in place both to oversee the organization's cyber-security preparedness and response capabilities and to serve as the crisis management team in the event of a cyber attack, including:

  • to oversee the existing policies and procedures to ensure that they are properly implemented and that all related practices are constantly improved (as needed);
  • to ensure that the company's preparedness is adequate (through testing and otherwise) and to have the management authority to correct any deficiencies; and
  • to be trained, coordinated and ready to immediately act on several fronts in the event of a cyber threat in accordance with a detailed cyber threat action plan.

Basically, that focused management team may be thought of as a Cyber-Security SWAT Team.

Upon being first notified of a cyber attack, the Cyber-Security SWAT Team's role will include the following choreographed efforts:

  • identify/discover and diagnose the specific cyber threat;
  • terminate the threat as quickly as possible;
  • assess whether the threat is continuing (or has abated) and determine (if possible) the extent of any harm and unauthorized activity (impact assessment);
  • act to mitigate or avoid potential harm;
  • work with third parties (police, regulators, telco, suppliers, distributors, etc.) to address all relevant stakeholder interests;
  • manage the resulting reputational issues, stakeholder communications and public relations; and
  • attend to all legal, regulatory and compliance (including required or beneficial reporting, whether to insurers, regulators or otherwise) activities while also preserving the enterprise's legal rights and defences in the face of any possible litigation or regulatory concerns.

Typically, such a Cyber-Security SWAT Team would comprise (at least) the following key skill sets:

  1. a crisis management leader to make (or shepherd) critical and urgently required business decisions;
  2. a highly trained IT manager with cyber-security technical expertise;
  3. a legal advisor to ensure compliance, to help assess sources of liability (including to identify any possible plaintiffs or classes of plaintiffs) and to undertake any required legal action (immediate or otherwise); and
  4. (depending upon the nature of the cyber-attack) a reputation management expert to address reputational risks, and to attend to any public (stakeholder) relations, media relations, and even government relations matters that may arise.

Cyber-security is now an essential aspect of corporate governance, business risk management, and legal (regulatory) compliance – and a Cyber-Security SWAT Team might serve as an excellent catalyst for top-down governance oversight and management of that increasing enterprise threat.

Notes

  1. Jennifer Brown, "Managing Cyber Risk", Canadian Lawyer InHouse, Vol. 8, Issue 3, June 2013, at page 36.
  2. Ibid., at page 36.
  3. Homeland Security News Wire, "Making the Grid Smarter Makes It More Vulnerable to Hackers", March 25, 2014.
  4. Per Robert Weisenmiller, Chairman, California Energy Commission, ibid., at page 1.
  5. Shawn McCarthy, "Utilities Face Growing Cyberattack Risk", The Globe and Mail (Report on Business), Thursday, May 8, 2014, at page B5.
  6. Mandiant Intelligence Center Report, "APT1: Exposing One of China's Cyber Espionage Units" (http://intelreport.mandiant.com/).
  7. See Communications Security Establishment Canada's IT and cyber-security publications, such as the COTS Security Guidance and CSEC's Top 35 Cyber Threat Mitigation Measures; and the Canadian Cyber Incident Response Centre (CCIRC), operated by Public Safety Canada, among many other accessible resources.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bennett Jones LLP | Attorney Advertising
