Every day the headlines report another Fortune 500 company suffering a hacking incident. For companies, the hack itself creates substantial risks of economic devastation caused by the theft of valuable trade secrets. Add to the mix the potential disclosure of consumer and employee information, and potential data breach notification risks, and you have a recipe for corporate disaster. Company and government internet sites are now becoming fodder for international espionage, competitor misconduct and illegal marketplace distortions.
At the core of the problem is Congress’ failure to act. For years now, Congress has tried to enact meaningful cybersecurity legislation. Unfortunately, the issue is controversial because of three specific questions: (1) Should the government mandate cybersecurity standards for private businesses? (2) Should the government or the private sector craft mandatory or voluntary cybersecurity standards and procedures, and how can either do so without treading on individual privacy interests? (3) What civil immunity protections, if any, should be given to companies that meet basic cybersecurity standards?
These are not hard questions, but they should be resolved and legislation should be enacted. The risks are too large, and failing to act can have serious economic consequences.
In the absence of legislation, the Obama Administration is taking steps to exercise its executive authority to implement more cybersecurity protections for the government. It is a welcome step which builds on prior executive efforts to protect our electronic infrastructure.
Recent cyber attacks have illustrated the ability of activists, terrorist groups and foreign governments to cause havoc on the Internet. The United States Sentencing Commission’s website was defaced and taken offline when activists attacked the site to protest the federal prosecution of Aaron Swartz, which ended in Mr. Swartz’s suicide. For years, the Chinese government has launched massive daily attacks against our government and private industry, aimed at disrupting government operations, stealing trade secrets and undermining economic activity.
With every major economic issue, the government tries to address the problem and private plaintiffs try to enrich themselves at the expense of companies. In 2011, the SEC issued disclosure guidance directing public companies to disclose material cybersecurity risks and incidents in their filings. Private plaintiffs are bringing more class actions against companies, claiming that deficient cybersecurity policies have resulted in shareholder losses.
Again, these trends are growing in significance primarily as a result of Congress’ failure to act. At some point, the business community will demand that Congress take appropriate steps to address the problem of cybersecurity to protect the operation of the US economy and US businesses.
For companies, the time to act has long passed, and some are having to play catch up. Corporate boards often list cybersecurity as one of the issues that keep board members up at night. Companies need to take action now and begin the process by focusing on five critical issues.
1. Assess the Risk: companies have to assess the strengths and weaknesses of their cybersecurity systems. What protections are in place to prevent a cyber attack? What are the company’s vulnerabilities? How likely is the company to experience an attack?
2. Cost of Improvement: companies have to calculate the cost of improving their cybersecurity defenses. How much will improvements cost? How quickly can the improvements be implemented?
3. Cost of an Attack: when assessing risk, a company has to identify the value of its information and intellectual property. What exactly is at risk? What impact will a theft of trade secrets have on the company’s bottom line? What impact would a disruption of service have on the company?
4. Reputation Risks: a company that experiences a cyber attack and a disruption of service can suffer immediate and significant harm to its reputation with consumers, government regulators and the public. A loss of consumer data can result in consumers switching to competitors. It is hard for companies to regain consumer confidence once a cyber attack has occurred and consumers learn that their information was disclosed or face a disruption in their services.
5. Timing: companies need to determine quickly how long it will take to assess the risk, measure the cost of an attack, determine the cost of improving security, identify potential reputational harms, and implement change. A response is hard to implement quickly, but companies are behind the eight ball now and need to act soon.