Cyber In-security
MR. DAVID BURGESS: I'd like to extend my thanks to Steptoe for hosting this evening's event. And for those of you who don't know, they do a weekly podcast on cybersecurity, which is available at www.steptoe.com/feed-Cyberlaw.rss. It's an interesting weekly discussion, and well worth a listen for those of you who have to deal with this issue constantly. I'll put this evening into context. There are, as is often said, two types of companies: a company that's been breached and one that's been breached and doesn't know it. There was a report that came out very recently, it may have even been today, that says that the cost of a breach for an American company is, on average, about four million dollars. Now bear in mind, most of the companies around here aren't average. It's going to cost you a lot more than four million dollars.
Kroll suggests it's often about 270, 280 days before most companies realize they've actually been hacked. So, it really does bring us to the topic, which is not only preparing for it, but also living with it. But I think the best thing to do initially is go around the table and introduce ourselves.
MS. MARY KRAYESKE: Hi, my name is Mary Krayeske. I'm an attorney and work for Con Edison.
MR. MICHAEL VATIS: I'm Michael Vatis from Steptoe's New York Office.
MR. RICHARD NOHE: I'm Richard Nohe, general counsel for BT in the Americas.
MR. MARK SCHILDKRAUT: I'm Mark Schildkraut. I'm assistant general counsel IP for BD, Becton Dickinson and Company.
MR. DARREN BOWIE: Darren Bowie, Chief Privacy Officer and Associate General Counsel at AIG.
MR. ADAM RATNER: I'm Adam Ratner. I'm general counsel and chief compliance officer at New York and Company.
MR. JASON WEINSTEIN: I'm Jason Weinstein. I'm with Steptoe's D.C. office.
MR. DAVID HERMAN: I'm Dave Herman, in-house counsel, privacy and cybersecurity from Bloomberg.
MR. SHAI MEHANI: Hi, I'm Shai Mehani. I'm from Powa Technologies. I'm associate in-house counsel.
MR. GINO TONETTI: My name's Gino Tonetti. I'm also from Powa Technologies and I'm the VP of legal for North America.
MR. ALAN COHN: I'm Alan Cohn from Steptoe's Washington, D.C. office.
MR. ANTONIOUS PORCH: I'm Antonious Porch, Vice President and Senior Counsel at Viacom.
MS. SAMANTHA HIMELMAN: Samantha Himelman, Vice President, BNP Paribas covering cyber security and privacy.
MR. STEWART BAKER: And I'm Stewart Baker from Steptoe and Johnson.
MR. DAVID BEISTER: And I'm David Beister. I'm the general counsel at WTC Captive Insurance Company.
MR. BURGESS: The opening thing that we wanted to look at was the role of the GC in dealing with cyber security issues. I think it would be interesting if a couple of you jump in and say within your organization, what the GC's role is. Some of the things we've mentioned are anticipating potential adversaries, planning the response to an incident, complying with the legal regimes, protecting privilege, reducing legal exposure. Richard first, within your organization, what are the issues that you are responsible for?
MR. NOHE: In BT, legal, governance, compliance and regulatory sit within the GC office. When you look at those individual items, certainly the legal piece is very relevant. It's about providing legal advice as to what our obligations are to disclose when a breach may happen. The laws around the world continue to evolve, especially in data privacy. Security and privacy have really come together quite a bit.
If you look at the governance aspect, the GC has a key role because, at least within BT, that is largely looking at how we set up the control mechanisms. What goes to the Board and whether it goes to the nominating and governance committee, whether it goes to the Board audit and risk committee, and so forth.
Then you go into the compliance area and, there again, the GC has a key role to play in helping set the rules and policies, but ultimately it's up to everybody in the corporation to comply. And then of course, regulatory, which I think is more particular to what industry you're in.
MR. BURGESS: Do you feel the same or is it different in your organization?
MR. RATNER: I think the other part is just ongoing education of board members, as they are more and more concerned every day about this. Every time there's an article that my head of audit sees, he sends it to me, did you see this? And so I think now it's reached that point where board members are seeing that there are lawsuits being brought against companies and there is personal liability to board members who aren't as attentive to these issues.
So, from my standpoint, a lot of what I do day to day is just making sure that I keep up to date on things that are developing. I'm communicating those, setting up board education sessions, so that even if it's not providing a lot more information than what they know, they feel like we're proactively in front of the issues. Enough so, that we're not viewed as being completely reactive to what's occurring in a negative way.
MR. BAKER: So, thinking about governance, I have a hobbyhorse here. You probably noticed that attribution of these attacks has gotten better or at least the government has gotten quicker to say that this one was North Korea and that one was China. That's because the tools for determining who is attacking you are much better than they used to be. The forensics people you hire will often tell you who they think it is and they're usually right.
Knowing who's behind these attacks changes the way you think about the attacks and the way you think about cyber security. And it changes our cybersecurity thinking in a way that, it seems to me, plays directly to the strength that a general counsel brings to cybersecurity.
I gave a talk recently in which I said, "The engineers who do cybersecurity have problems to solve, but cybersecurity lawyers have opponents to beat." That insight leads to a very different strategy for cybersecurity – a strategy based on attribution and intelligence about your opponent.
The first step is to spend time with the people who gather forensic information, who have access to intelligence about attackers. They can take you to the starting point for an adversarial strategy, which is to figure out who is likely to attack you and what they want. The second step in the analysis is to ask what it would cost you if the attacker actually succeeded. That’s the first half of the strategy – deciding the cost of letting the attackers win.
For the second half of the strategy, you again begin with the identity of the likely attackers. You can go to your CISO and say, knowing that these guys want to attack us, what are the tools they're going to use? And again, your forensics and intelligence providers can help tell you that. Next you ask, what counter measures do we have to have in place to thwart those attacks? And how much will they cost? The last step in the process is just to compare the cost of the countermeasures – the cost of keeping attackers out - with the cost to the company of losing the fight and letting the attackers in. If you follow this approach, you never have to do a deep technical dive. You can just analyze your situation from the point of view of, who are my worst institutional enemies? What are they trying to do to me? And how much will it cost me to stop them? This is an analysis that general counsels in an institutional framework do all the time. It seems to me that lawyers’ adversarial training is really useful once we have a good idea of who is attacking us. And we know more and more about who the attackers are these days.
MR. TONETTI: I think you bring up a really good point, which is what's new in reform, how to do that before an attack happens. But I take the position that as much as you do beforehand to prepare, really the likelihood is that you can suffer an attack on some level and it's going to be successful. So, what do you do after that? How do you protect yourself? How do you react? And how do you protect the company beyond just in strength of data protection, providing and buying insurance and things like that? That's also very important, I think.
MS. KRAYESKE: I'm not sure that you can just think about it in a dollars and cents type of way in that the cost benefit shows I shouldn't protect myself.
MR. BAKER: Got it. I understand.
MS. KRAYESKE: Nobody wants to lose customer information. Nobody wants to suffer a cyber-attack. So, I'm not sure it's as simple as a bottom-line dollars and cents. And there are things that you can do to help protect yourself, for example, buying cyber insurance, making sure you have a breach response plan, making sure you've drilled the breach response plan, and making sure you've updated your standard contract terms and conditions. Those are some of the important things you've got to do to be prepared for an incident, as he just mentioned.
MR. VATIS: So, in terms of planning, do you plan differently against different types of threats? So, if one threat is someone's going to take personal information, Social Security numbers, about employees, or e-mail addresses. Another threat is to your operations, your business operations or to your industrial control systems and your electrical power company or something like that. Does your planning differ and if so, how? Or is it do you really just treat it all as one piece, whatever the threats might be?
MR. TONETTI: I mean I think that there are enough guidelines, general guidelines, like ensuring compliance, ensuring that you meet the highest and most rigorous standards. Massachusetts and California have the most rigorous standards on response to data breaches and on protection of personally identifiable information. If you follow those standards, I think that you're more likely to succeed in protecting yourself.
So, it's two part. We're talking about this almost from a legal perspective, but then there is all the folks who actually have to do the work and integrate and provide the security platforms that are actually going to protect the company.
MR. HERMAN: I would add that there's obviously different types of information we have to prioritize and make sure you harden your resources as much as you possibly can to protect the most sensitive data. You have, when working for an information company, we have a lot of data that flows and there are different levels of sensitivity and personal information that has some concerns and when specific legal requirements that we have to affect.
There's client data, more of that, which is very sensitive for us. Most companies, I think you want to do everything you can. Your goal is to make sure it doesn't happen. The only thing I would add, to the point you made initially, you can get the state-of-the-art security and do everything you can do and the bad guys spend all their time trying to figure out how to crack the state-of-the-art. So, it's something that you constantly need to be evaluating and trying to make sure you always keep up.
MS. HIMELMAN: Just to go to Michael's point. I think different types of attackers are attracted to certain types of data. So, a nation state, for example, is more interested in attacking you operationally and just bringing down your ability to do business. Whereas, organized crime network is more interested in, you know, siphoning off money and having it wired to them. So, you have to think about who you're actually protecting certain data from.
MR. PORCH: Right and I think the motivations vary. For us, we're a content company. So, they may not like the message, the speech that we're trying to send or share. They may want to steal, piracy is an issue for us. I think when you create your incidents, your response plan, you need to think about insider threats, right? So it's not always the people who are external, but it's the folks who are internal. And you calibrate based on those different scenarios.
MR. HERMAN: Sure, and to add to that point, your response will be different depending on the type of data. In theory, if some type of data was leaked or stolen, it might not make as much difference who the entity or individual stealing it was. But depending on the type of data, if it's intellectual property, you might just be thinking about what type of civil remedies you have. As opposed to if it's personal information, you might have notification obligations. If it's client information, you might have contractual obligations. Additionally, there are PR responsibilities in trying to figure out with your communications team what's the best way to deal with this.
But, I think depending on the type of data you're talking about, your response will be different. And those are all things you should be thinking about before it happens, obviously.
MR. BURGESS: Do all of you have plans with your PR department about what to do when something happens? I was talking to some GCs about this issue in the U.K. and a number of them are spending more time with their PR department than anybody else at the moment trying to work out what the message might be, as they've got a whole range of scenarios. Sometimes you have to act so quickly, you've got to have that pre-prepared response. Have you got that in place?
MR. NOHE: I think it evolves. We are doing what we call gray goose planning. Basically, table top planning. And you go through hypothetical exercises. Getting back to Stewart's point about the adversarial context that we bring to the table, that's a valuable contribution we can make because it's cybersecurity. There are cyber wars going on. A lot of it also depends on your industry. Within telecommunications, we're in the business of moving data around and we have the networks that the cyber criminals or activists or whatever are accessing to go into the systems, whether it's content providers or the financial industry or anyone else. One area where general counsels can really contribute is not only in the adversarial piece of putting up a block, but also thinking about where do we want to take the practice of the law? The pace of technology is changing much more rapidly than the law is able to keep up with. We can work with not only the PR department, but also colleagues such as the CISO and those in the broader IT department. We need to really look at how should we, as a community, be driving the change from a legal perspective.
MR. BAKER: Richard, how formal are your tabletop exercises? Do you actually bring people together and say, we're going to spend the morning on an actual scenario and try to test the responsiveness of the plan?
MR. NOHE: I would say they're evolving. We don't bring people to a table because that's not really how it would play out in practice. Instead we'll take a scenario and then we will launch it and then we will say, okay, so who gets the call? If it was a real world activity, how would we find out? Who would they then call and how do you bring it all together? And then what sort of issues do you confront and how should you prepare to deal with them? It really shows the gaps that you can then go back and try to close.
MR. VATIS: Richard, you have someone monitoring who calls whom and what the content is so that you can actually have an after-action?
MR. NOHE: Yes.
MR. WEINSTEIN: Richard, do you include your communications people in that exercise?
MR. NOHE: Right.
MR. WEINSTEIN: When we do table tops, one of the things that we do the most planning for is the dynamic that when the hypothetical scenario plays out, the instinct of the press people is to talk more and the instinct of lawyers is to talk less. It creates an interesting decision point for whoever the decision-maker is between them.
MR. BOWIE: And it's not just Communications. There are other stakeholders as well. It may be effective to include, for example, Government Affairs representatives in a tabletop exercise. If you have an incident where public policy makers, Members of Congress, etc. are engaged and contacting the organization because they're getting questions from their constituents, how do you make sure that the Government Affairs team understands the facts, so they can respond?
MR. PORCH: Yes, we do a live table top as well and we come in to a room and we've got communications, we've got HR, government affairs, information security, audit and really think or try to think holistically. And to your point, your plan is going to evolve, right? You're going to get better. You're trying to raise awareness of what a real time situation would be like. And the hope and the expectation is coming out of the table top you're going to refine the plan or the approach or identify additional stakeholders who are there.
MR. COHN: This has come up in a couple of other comments in terms of understanding the threat and designing the scenarios. How many people are actively engaging with either the government or with the information sharing hubs in your industries to get threat information and to use it to fashion the scenarios or the tests that you run within your companies?
MR. BAKER: And I should note that Alan, until six weeks ago was part of the Department of Homeland Security and had some responsibilities for all these organizations. So, he has an interest in your answer.
MR. COHN: Well, I'm curious, as Stewart has said, because there's an active debate in Washington - some people are quite fascinated with the ability of government to share information with the private sector. Or the private sector to share information with government is some type of panacea, for all of the ills of cyber security. At the same time, there is a significant amount of information that the government has that is resident in the information sharing centers that the industry sectors have that is very useful. If you are constructing scenarios, you're seeking to understand who is truly interested in your networks, and we are often surprised that information is not making its way around.
So, and the OPM hack is a good example of this, and I can tell you because we had this argument last summer inside the government, are these security questionnaires actually something people are interested in or not? And the prevailing thought last summer was no and the prevailing understanding now is yes. And so it may be that you may be thinking of a particular type of threat against your industry, your sector, or the type of information that you hold. The government holdings may show different things about the actual threat and that information is available, but it may just not be easily available. So, I'm curious your thoughts.
MR. NOHE: I think the infrastructure players on the technical side share a lot of information, and we see that developing in legislation. But, the lawyers could do a lot more. Think about where we want the risk to sit in the supply chain; that is a key issue that we could contribute more to the debate on. And it's interesting that when you look at data protection, it's about protecting and shielding information, while with cyber security, it's about sharing information with the right people.
MR. BURGESS: Within your industries, do you exchange information with other GCs or other colleagues about the scenarios you face? Or is it very much kept internally?
MR. BOWIE: I think it depends by industry. In the financial services industry there are well established systems for sharing information, particularly among IT security professionals. I think other industries are less mature in that respect and because of recent incidents, they're developing. So, I think it really varies by industry in terms of what frameworks are available.
MR. HERMAN: Yes, and I would say I think it is all evolving. As you know, the whole notion of the government sharing information is relatively new. My experience, I was at the SEC for 15 years and for a long time it was always a one-way street. I would be happy to take information from you or demanding to take information from you. But I'm sorry we can't answer any of your questions. That's been evolving, which is a good thing I would say.
But I think it's also evolving privately among companies on what people are comfortable sharing. I think the IT staff at all the companies by nature are a lot more comfortable sharing and talking to each other than the lawyers are. And I think that goes on fairly regularly.
To your point, you were right about the financial services companies. I know the broker dealer community has been sharing information for years; that was a prime target ten, 15 years ago, basically hackers looking to get into people's brokerage accounts. At first they were just wiring money out and then the community caught up with that, stopped that. But then they got in to manipulate the price of securities using people's online trading accounts.
While the SEC and other agencies were busy investigating and chasing and hopefully, successfully prosecuting people, I think the industry was fairly successful in sharing information in that as soon as they found a threat coming from an IP address or a range of IP addresses, they shared it relatively quickly. So, all of their, normally their competitors would be able to share this information and block those IP addresses immediately.
In that case there was, even though they're competitors, there was a common interest. Nobody has an interest in markets being manipulated if you are a player in the market.
MR. PORCH: Is there tension between the sharing that goes on or that we would want to go on and attorney-client privilege, and, if so, how is that navigated?
MR. COHN: So it's interesting, privilege is an interesting question. Each of the agencies has begun to issue opinions basically exempting information sharing for cyber security purposes from various restrictions. So the DOJ Anti-trust Division, for example, has an opinion out that says that it does not implicate anti-trust implications for competitors in an industry to share cyber security information.
But as you correctly noted, it's evolving and it's coming in pieces. It's not that the government has done a set piece move to cover down on all the bases. By the way, we should probably say that Jason is a DOJ, Department of Justice veteran. Michael, Department of Justice and FBI, and Stewart, both Homeland Security and NSA.
MR. BAKER: So I think there is a tension because our standard advice when you've got a breach is have your outside counsel or inside counsel hire the forensic firm. And have them report to the lawyers what they're finding about the nature of the breach, which is good for the privilege but makes it very hard to share the information with the other people who might be interested in exactly what the signatures of that particular breach were. Later on, you can obviously say, this is okay to release knowing that it is not going to lose the privilege. And most of the time you end up deciding to do that, but by starting with a lawyer-driven review, you've at least had a chance to review the data first for what it might say about your firm to plaintiff's counsel.
MS. KRAYESKE: Well, I think it's interesting because if you go to any CLE where outside lawyers provide their insight, there's usually a representative from the FBI or DHS who recommends that companies develop a relationship with these agencies, because if you have a relationship, they'll help you when you get in trouble. The outside lawyer perspective is that you then get into attorney client privilege issues so don't release anything. Then there are the ISACs where there is sharing of information among government and companies. So, it can be a double-edged sword and it's tough to know exactly what to do.
MR. SCHILDKRAUT: Although it may depend on the threat. I know at BD we had an insider issue where we did bring in the Department of Justice. We did work with the FBI and they were very respectful of options that we may have had to take. We actually wound up stepping aside because the Department of Justice and the FBI and other governmental organizations really were doing a great job in trying to represent our interests. So, I think it depends maybe on what the threat is. They really were going out of their way to make sure that they were protecting BD, a victim corporate citizen’s interests.
MS. KRAYESKE: I'm sure it varies depending on what happens and what the incident is.
MR. COHN: No, but you're very right about the difference. I do think you've put your finger on another difference between the law enforcement agencies and the independent regulators. When you think about government information sharing or government cooperation, those are two different groupings of government. I think both the FBI, also the Secret Service and others in federal law enforcement are trying to be more proactive. And so if you're doing tabletop exercises, if you're doing pre-planning, they are interested in engaging, although there are still questions at the end of the day. I think we've seen, and I'd be curious if you've seen also, the independent regulatory agencies are a bit more, still a bit more concerned with everybody as meeting standards, as opposed to wanting to come and necessarily being part of your preparedness work.
MR. NOHE: Certainly the SEC's Division of Corporation Finance Guidance on cyber security is a double-edged sword when you look at the risk versus the threat and the disclosure. And then you get into the potential for civil lawsuits and so forth. Where do you balance? You want to be able to share the information and the SEC has to make sure that sufficient information is disclosed for the investors' best interests. But these things continue to evolve. You also have the attorney client privilege issue in that context as well.
So, it's certainly not a straightforward issue or we wouldn't be sitting around this table. It continues to evolve and you just have to advise as best you can. And some of the things on attorney client privilege, you're going to advise that they shouldn't be disclosed, right? It's up to the client to make the call because they're the ones holding the privilege.
MR. WEINSTEIN: As Alan said, it's complicated by the fact that these different parts of government have very different missions. Law enforcement agencies and security agencies will treat you like a victim, which is what you are. The regulators are going to blame you. They tend to blame the victim. And it doesn't help that DOJ won't enter into non-disclosure agreements with companies. They want all the access. I used to say we, now they, want all the access to your systems. To be clear, they will agree to exercise discretion using that information - they're very concerned about reputational harm that can be caused to the company if that information gets out. But the reality is that when the FTC, if you turn over your forensic report to the DOJ or the Secret Service and the FTC comes to get it, there's no legal protection for you. And we tried over time to get a legislative fix for that. It's a relatively simple legislative fix that would just say that type of disclosure does not vitiate the privilege and we could never get any traction on it. And because of that, it makes what should be a mildly difficult decision about whether and when to engage with law enforcement a much more complicated one.
MR. BURGESS: One thing that is interesting is your management thinking on cybersecurity. What are the sort of events that drive that thinking? Is it, something like the Target breach? Is it the OPM recently? Is it Sony just before Christmas? What are the trigger points? You were talking about the auditors sending the articles through. Do you find that your management of the overall business hears about something, panics a little bit and suddenly everything goes into overdrive? Or is it much more an ongoing issue?
MR. COHN: Which of these most recent incidents get the most questions to you from your board as you mentioned or from other executives within the company? Which of them have really captured their attention or their fear?
MS. HIMELMAN: For BNP Paribas I personally think it is JPM. I think that scared everyone, shook everyone up in the financial industry. But I do think cyber security is an ongoing concern. And just going back to the table top discussions, I think that they can bring out a lot of fear with the participants, like, wow this could happen and how prepared are we? In that sense, the tabletop is really useful.
But I do think cyber security is an ongoing concern and when these things crop up in the news I get forwarded articles.
MR. WEINSTEIN: You mentioned you had those training sessions for your board, how long have you been doing that and how has the way in which you message it to the board evolved? I imagine the people on the board are either of an age or level of experience that this is not second nature to them and many of them probably rolled their eyes when they first started to hear about it.
MR. RATNER: Well, the first thing to say is that we're a retail clothing company. So any time there's a story about a retailer being hacked, that's what they think about. I think one of the challenges is to get them to realize that's not the only way that there could be a breach incident. I think that's the one that they really want to grab onto because that's the one that happened maybe more often to our competitors and also, which really could damage our relationship with our customers. But we're trying to address it more holistically.
So, I think we've got a lot of retail veterans who cut their teeth 20, 30 years ago and less, so not everybody is of an age where they didn't have experience. But like our business, what's grown fastest is e-commerce. So I think that's a way that we're driving interest because people can see that the future of the business really involves technology directly and I think that's easier for them to grasp than almost anything else.
But, I came on board about a year ago, I think like lots of retail companies we struggle to make money. There are tons of moving parts that we need to change just to move the needle a tiny bit. And that becomes very difficult if you're also trying to drive compliance at the same time and we are. So, we try to do all of this at once and we're a billion dollar company, which isn't small, but it's not that big either. So, trying to do all of these things in sequence, how to be more strategic, and how to grow revenue and how to be profitable, and to be compliant is the challenge. It's just a lot of everything and I think that's what gets the board.
And my job, as I get to learn the company, is trying to focus it. So, we can do discrete things that make each board member feel more knowledgeable than they were. But the enormity of how to do everything is paralyzing for everybody. So, one of the things I'm trying to do is just to figure out how do we break the scam? They do it regularly so that over time at the end of the year or two years, whatever it is, we're all left smarter 'cause we get paralyzed.
So, if we're talking about tabletop exercises, we haven't even gotten that far. And to it, we talk about it, we have a plan, but I know when we do that, which will happen soon, we're going to have to manage people's fear of how far behind the curve we are.
MR. BAKER: With consumer facing industries, there's a risk obviously of lawsuits by the customers whose credit cards are exposed. But that's dwarfed by the risk that the banks are going to sue you for the cost of reissuing those cards. And that second risk is a phenomenon that comes out of the increasing sophistication of the forensic tools that can tell you exactly whose breach led to this card being exposed. It does seem to me that focusing on liability to the issuing banks is increasingly where you want to put your attention.
MR. RATNER: Right. Well, and the other thing too is that we're dealing with, we have point of sale. We have terminals and they're old. So, we're trying to update those and we've got deadlines for doing that for chip and pin but just getting aligned along with what our operational needs are and then what our compliance needs are. You know, just when you think you’ve figured it out, then something else changes and we don't necessarily pivot so quickly when those things change. So, we have the right ideas in mind, but operationalizing it has been challenging.
MR. COHN: Gino, you guys are more of a technology company. How does it differ? Is it the same?
MR. TONETTI: I'd say retailers are our focus client. So, for us, I'm here listening and thinking to myself exactly why we're so adamant on having the proper securities. It's because our clients demand that. About loss of revenue. I don’t even think about what it's going to cost for credit card companies - how about the loss of business because customers no longer want to frequent your establishment or you no longer want to be one of our clients? So, that's a bigger problem to me than whether it's going to cost four or five million dollars.
MR. BURGESS: So you're saying trust is the biggest cost?
MR. TONETTI: That is the biggest cost. Yes.
MR. SCHILDKRAUT: And speaking on behalf of another technology company, a medical device company, the threat for us relates to our intellectual property. And whether it's an insider leaving and going elsewhere. Or whether it's a nation state or some other organization outside coming in. And that's where I know our Board has questions. They want to know how we classify our most critical and significant intellectual property and then how we are taking the appropriate actions for each one of those categories of information. I mean, as others have said, there's no way to protect or prevent somebody from coming in 100% of the time. It is how can we make sure that they're not getting to the most important and valuable assets that we have? And that's really where one area of focus has been from the Board for us.
MR. BAKER: Do you air gap that stuff?
MR. SCHILDKRAUT: It's difficult. When you're in a technology development company, and we're worldwide. We have over 40,000 employees all around the world, R&D centers all around the world. It's impossible for us to air gap our information and yet at the same time, conduct our business effectively. Something as simple as just what do you do about USB ports, right? Sometimes that can be very, very difficult and it sounds so simple technologically and in terms of just one pathway of communication. And it's amazing what types of discussions or resistance or demands that you hear on both sides of the argument.
MR. BAKER: I think the U.S. Army solved it by taking super glue and just filling the ports.
MR. SCHILDKRAUT: That's the technological discussion that's ongoing in many organizations, including ours.
MR. NOHE: Yes, it’s an issue that gets into the insurance area where the market hasn't determined where the risk should sit in the supply chain. Our commercial lawyers spend most of their time arguing about indemnities and liability caps, in an adversarial way, pushing back and forth. But in reality it may take a different view of where the risk should reside, because it may not be with the customer or the supplier. It may be a third party that comes in and looks at it and says, this is something that should be transferred to a different part of the market. It's another area that GCs can really help resolve. But I don't think we're having those types of conversations. And certainly the government could be of big assistance in that regard. They have been in pushing, for example with cyber security insurance. If you have the NIST framework in place, then it's beneficial from an insurance perspective. But much more can be done.
MR. BAKER: You mentioned earlier the idea that you ought to abide by standards as a way of protecting yourself and the government. The U.S. government is really pushing the NIST cyber security framework as a standard. I wonder whether anybody here has actually said, yes, we're going to retranslate all of our security operations into the NIST cyber security framework and how that has worked out? It clearly has legal benefits. I just wanted to hear from people who had actually gone through it, whether it was particularly painful or as I suspect, fairly easy.
MS. HIMELMAN: What I think could be more useful is more of the mapping of where we are against the NIST framework. Not reconfiguring everything. Just looking at NIST, you can map where you are against it and look at where areas of improvement are and, decide how to improve those areas.
MR. BOWIE: I think that's how many companies have handled it, looking at existing standards and controls and seeing how they fit within the framework to identify any gaps, rather than redoing or recreating a framework. So, it's useful from that perspective.
MR. BAKER: Because if you did it against the ISO standards, you can just map them over. But you want a memo in your file in which your CISO says, yes, we've examined our performance under the NIST framework and we believe that we are acting in accordance with it, because it's not that hard to do and it has value.
MR. WEINSTEIN: Especially when the regulator comes calling.
MS. KRAYESKE: Well, we have, NERC-CIP for certain parts of the electric business. Where electricity is handled at a higher voltage, we have certain standards that we have to meet.
MR. BAKER: It’s as they say, the nice thing about standards is there are so many to choose from.
MR. COHN: Do you find that the ESISAC or the CRISP program or things like that are that useful, that are electric sector-specific?
MS. KRAYESKE: It was interesting, I was sitting here listening to the retailers say, it would be problematic if we were attacked. Well, if utilities are attacked, this situation could be much more difficult. We worry about that and we spend a lot of time and money addressing these concerns. As for ISACs, the Information Technology folks are really the ones that could answer better, whether or not they feel there is some beneficial information.
MR. COHN: Because it is interesting, the ISAC should be - and again, Stewart, this betrays my recent government roots - more than just a resource to the CISO and to the IT team. They should fill in at the governance level and at the standards level, you know, information that would be difficult for any one company to be able to capture, articulate, and assemble.
MS. KRAYESKE: And there certainly are sharing programs that are out there. And different utilities make different choices as to whether or not they participate, but they're new and people are learning. I think we have to work our way through it. There's been legislation proposed that has and hasn't passed. And some of the legislation makes sharing more difficult. Some of it would make it less difficult.
MR. BAKER: So, Mary makes a good point that if you have industrial control systems, which we now know famously can be hacked because Stuxnet hacked the Iranian nuclear program and the consequences were disastrous for Iran. But only a limited number of people or industries have that issue. So, if you're in the pipeline business or power business or refinery business that's a big deal. If you're just in the business of moving information, you can focus on Windows networks.
But is there anybody else who has had to struggle with the question of industrial control systems security?
MS. KRAYESKE: Yes, and the problem as was discussed earlier, you could be 99.9% right. You worry about that less than 1% and the other side’s job is to get through your systems. That's what they're paid for eight hours a day, ten hours a day, twelve hours a day and that's the thing I find the scariest.
MR. COHN: And the analogous situation is, and people have alluded to it, and Adam you mentioned it at one point, it's what's there besides the data? It's one thing to have data exfiltrated. It's one thing to have data stolen. It's very damaging to have IP stolen, but there are other things that can happen in the cyber security world that are not data exfiltration. And the industrial control system is one area where someone can get in and actually manipulate the actual operation of your business to cause harm.
MR. NOHE: That risk is growing exponentially with the Internet of things. There was a "60 Minutes" episode not too long ago where Leslie Stahl is sitting in her car and loses control because somebody hacked in and took over the driving of the car. Airplanes as well, and there's a lot of things that we don’t even think about. There's certainly the electricity grid, smart buildings, you could go on and on and on with all the risks.
Again, a lot of that gets back to, what are the technology people doing? Technology people tend to deal in standards better. You're right, Stewart, that they might have too many of them, but at least they're talking to each other about the technological fixes and how you can coordinate. I don't think the legal community is communicating enough. We tend to be more backward looking than forward looking.
MR. COHN: It's interesting. Gino, you had mentioned a question about do you feel like the legal community knows the questions to ask the CISOs and the technical community to cover the risks?
MR. TONETTI: Right, and we just don’t have the technical background and certainly I don’t have the technical background. So, just being in conferences like this and talking with people when you can and learning what's the right question to ask and what are the issues I'm supposed to be spotting. I think that goes a long way to helping.
MS. KRAYESKE: Alan, I would just note that part of the question becomes how much time should lawyers spend in trying to learn what the business people do?
MR. SCHILDKRAUT: To both of those points, it's one thing for us to understand the vocabulary, but then being able to communicate that to the Board. And then, to Mary's point, whose responsibility is that for communicating? Is it the information security organization's? The lawyer’s? Is it compliance? Is it a group effort and that's something that I'm still thinking about.
MR. BOWIE: And communications with your IT group is important because they may have to communicate with a regulator or others. And so, enabling your IT group to explain things in a way that a regulator, a judge, or other party can understand is important too.
MR. COHN: You know, David at the beginning mentioned the quote that a breach costs an average of four million dollars. There's another quote that people have mentioned, which is that 40% of a company's data doesn't reside on its own networks anymore. It's in a cloud provider. It's on a customer's network provider. So, I wonder how much of a challenge is it, again, to keep up with those types of basic questions, to say to the CISO, where is our data? How is it protected? How is it protected when it's not on our networks? What does that mean?
MR. NOHE: Also where in the world is it and what laws apply to it? We tend to, as lawyers, think jurisdictionally, but there are conflicts of laws. You look at the Microsoft issue in Ireland and it's almost impossible to say, at any given moment, where is my data because in our business we're transferring data over a network. It's constantly in motion. You may have a cloud that's in a particular jurisdiction and you can have certain parameters built so it stays in that jurisdiction if that's what is required under the law. But that's not always the case. It can be mirrored in multiple jurisdictions. An executive on an airplane could be accessing it too. So, it's complex.
MS. KRAYESKE: And I'm still trying to figure out the four million dollar average on an event basis. Because, honestly, it seems incredibly low.
MR. BAKER: That's credit card breaches or financial, account information where you announce a breach and you get sued.
MR. SCHILDKRAUT: We all are dealing with third parties and having a robust third party compliance program in place, whether it comes from your compliance group or some other group, is essential. Because your system is only as strong as your weakest link, right? And if your outside third parties don't have strong enough systems to protect your data, then the infiltration or exfiltration is going to occur from there.
MR. BURGESS: And how involved are you getting into that or is the CISO taking the lead on that?
MR. SCHILDKRAUT: In my organization I'd say it's the compliance group that runs our third party assurance program. And they set the framework and implement various tools to allow different individuals in different departments in our company to assure that who we're working with, and confirm that who we're working with have the appropriate systems in place. So, a lot of it is done contractually. And based on the reputation of who you're working with and hopefully the combination of those two decreases the risks that you're dealing with companies and other organizations that are going to have the door open.
MR. BAKER: Where does the CISO belong? Is it now really a compliance function to be reporting to the GC? You know, the CIO's job is to make the information move faster and make it more convenient. And that's not the CISO's job. I have plenty of in-house law clients who tell me they are described by their sales department as the division of contract impedance. And the CISO's job is similar - to make sure that the information doesn't get to you as easily. Sony famously, or maybe not so famously, they haven't been bragging about it, had their CISO report to the general counsel before the attack. Does everybody here have a traditional CISO-reports-to-the-CIO model or are you, do you have a security unit where the physical and information security are together? Nobody at least has a GC with responsibility for overseeing the operations of the CISO?
MR. NOHE: It's outside of legal, and it is combined with the physical and the network or logical. I think there are a number of different models. The key to me is that there are so many different players that you have to look at it not so much as the individual who is the CISO, but more like a topic. And I wouldn't say just have a committee manage it, but it is important to get the governance framework right. If you look at the CIO going back a couple of decades, the position often reported to the CEO and that evolved to often reporting to the CFO focusing largely on controlling costs for IT. We seem to be at an early stage with the CISO. To me there is an argument that it is a direct report to the CEO in order to be able to have peers because they're going to have to interact with the CFO, CHRO, the general counsel and operating presidents.
MR. SCHILDKRAUT: One other issue you have is that the IT organization often is the key holder to your systems, and to your network. And if you have the information security officer reporting into the CIO, problems may arise in terms of not seeing what should be seen in terms of activities performed by the privileged key holder.
MR. ROMAN STREITBERGER: At Honeywell, it used to be under IT. But now it is under the General Counsel’s Office. It was moved a couple of years ago.
MR. WEINSTEIN: I was curious, for those of you who have had to employ forensic firms, either pre-breach to help you with an assessment or post-incident to help you clean one up, what have you found is sort of the range of costs? How big a component were the forensic costs in your overall cost to respond to the incident?
MR. COHN: Let me ask one question to follow up on that, though, which was another feature of the OPM hack. How many of you, to the extent that you know, have systems in place where you would know if you were told you'd been hacked, you would know what had been exfiltrated? Because this is something that OPM has been wrestling with is they didn't have the physical, logical pieces in place to know that.
MR. STREITBERGER: Yes, we have a system in place. However, if you're working in the cloud then there is, to my knowledge, no system right now which could monitor every possible issue.
MR. NOHE: Yes, it's about balancing risk. You can't have, similar to Roman's comment, everything covered, at least not in a very large organization. It depends on the key areas of risk. Where you don't really have any data that is significantly at risk, such as public information, there's no reason to have that type of monitoring controls in place.
MR. BURGESS: Obviously, we're very lucky here that no one's been breached (or at least admitting it!). But on your hypotheticals and your tabletops, at what stage do you inform various stakeholders in your company that you have been breached? Is it immediate or does it depend on the type of breach?
MR. NOHE: I think it's both, yes. It also depends on who do you consider the stakeholders. Some stakeholders get notified immediately. Certainly if the CISO doesn't know, that's somebody to tell. But it depends on what you know at the time. Bad news is not like wine and cheese, as they say. It doesn't age well. So, it's informing to a reasonable level. You don't want to be the boy that cried wolf.
MR. BURGESS: And have you found that in your tabletops that one of the tensions or one of the issues that you have to face, is when do you communicate or who do you communicate it to? Would that be one of the scenarios that you faced?
MS. HIMELMAN: Well in a response plan, one of the first steps should be to classify what's happened into a number of categories. And once it's categorized, that drives the next steps. And one of the next steps is informing the individuals we think who need to be informed. When you're early on in your response process, I don't think it makes sense to give a detailed analysis as we probably don’t have the full picture yet and it's going to take maybe days of investigation to where you really understand what's happened.
So, I think informing key people about what's happened at a very high level and what steps are being taken and updating them daily or twice a day, whatever, is probably the best approach.
MR. BOWIE: One model is to have a key group of responders who handle all incidents and, based on the facts and as they develop, make determinations of when things need to get escalated, because it depends on the incident. The incident could be very small. It could be a loss of five records, which could constitute a legal data breach in some states, for example. You may need to notify the affected individuals in that case, but executives may not necessarily need to be engaged in the incident response, depending on the circumstances.
I think it's also important that managers and others are not notified prematurely when the facts are still being developed and the incident may not actually be a serious incident. And so, depending on the facts, having a core group manage the response avoids unnecessary activity at the executive level.
MR. WEINSTEIN: With all the high profile breaches really even dating back before Target, but starting with Target certainly and Neiman Marcus and then other breaches outside the retail space, what lessons have you all taken away as you've observed as outsiders the way those companies have responded to the incidents? Target, for example, seemed to issue a different public statement every 48 hours that seemed to contradict the one before; you have Neiman Marcus saying in effect, we'll tell you when we're ready to tell you and you've got a lot of other responses in between. As you watch these incidents unfold, as an outsider and a person who wants to learn from the unfortunate experience of these other companies, what do you think are the elements of an effective public messaging operation in the wake of a breach?
MR. BIESTER: I'm not sure it's different from any other public relations disaster. And if you want to get in front, then tell your story first, but you want to do that in a way where you're confident what you're saying is actually true. So that you're not so far in front that you're, you know, caught off guard by questions or if the facts turn out to be not quite as bad as you said they were or worse. But you always want to be, you know, forthright and in front.
MR. HERMAN: Well absolutely, and I don't think it's different than any other PR situation necessarily and we've learned lessons from all these different various responses without going to individual firms and criticizing individuals, I'm sure operating in crisis mode dealing with a situation none of us wants to deal with. Having said that, you obviously want to get out early and be as transparent as you can, realizing that you probably won't have all the facts when you want to start telling the story. But you want to get it out there before somebody else starts telling the story and something might stick that might not be true, that you might not ever be able to unwind. But you don't want to be, as you were saying and I think we've seen, some companies getting out there and being overly optimistic and probably setting up the situation where they have to put out statements subsequently that seem to be at least contradictory or inconsistent.
MR. BURGESS: Is there anybody that you've seen that has done it really well? Looking at some of the breaches, is there a company you think - they got out in front of it and they handled it?
MR. TONETTI: Can I tell you I think that recently and this is very rare that anyone gives the IRS any sort of compliments in life, but I think the IRS did a pretty decent job recently with its data breach. Letting the general public know that there was a breach and that they were contacting or have contacted those individuals whose data was compromised. I think that's a nice way to do it because you're telling people generally there was a breach, so you're notifying them. And then you're calming down the mass hysteria of oh, well was it me? And you've either been notified or you will be notified shortly if it was you. Otherwise, I'm not worried about it. I think that was a nice way of dealing with it.
MR. NOHE: Everybody's happy when the IRS doesn't contact them.
MR. BURGESS: I don't think that I've ever had a roundtable where the IRS has been praised. So, that's got to be a first!
MR. VATIS: John Koskinen, the head of the IRS, was the Y2K czar, he told us way in advance that the world was going to fall apart on Y2K. Fortunately, it didn't.
MR. TONETTI: Well, wait till the end of this month. There's a month when we get an extra minute.
MR. RATNER: I just wonder about for a company like Target that probably ran through these tabletop exercises and probably had had discussions that we need to be measured and we can't get too far ahead of ourselves. I'm sure they did that. So, is that just the stress in the crisis room getting ahead, it's the pressure of the press and stockholders and the whole world. And suddenly you veered off the plan?
MR. BAKER: It was during the Christmas season when bad publicity is much harder for a retailer.
MR. WEINSTEIN: IRS gets kudos for the way they handled it. OPM is in the middle of a Target-like experience, you know, one day it's four million, the next day, or two days later it's 14 million and now they've gotten into bad PR.
MR. VATIS: But it really does vary, too, because I was thinking the JP Morgan incident was handled well, but they probably had a lot more luxury of time to figure out what was going on before they issued a statement. Whereas, Target didn't have that luxury. Their hair was on fire from the get go.
MR. WEINSTEIN: And Brian Krebs kind of contributes to that, right, when he's reporting online that you've been breached. They may have had a response strategy in place that just got completely short-circuited.
MR. RATNER: They probably didn't foresee the new factors that had been introduced into the mix. I don't know how you make it resemble in any way true reality, but trying to use that as reinforcement to take the exercise seriously. That's what I sort of think of as a way to try and get people to view it not as, all right, I'll run through the motions because I'm told. But to really try to use it as experience gathering.
MR. BURGESS: Yeah, I think people are very comfortable when they think they can control the process. We did an event in the U.K. on cybersecurity where we had a bunch of GCs around the table and we launched it by saying there's been a tweet that's gone up that says “we've got your data for sale”. And as they discussed what they would do, we escalated the issue. Trying to react to it is much more difficult. When you do these scenarios, it's very easy to say, this is what we will be doing. But most of the time the factors are completely outside of your control. I mean when you do these exercises, are you doing them from the standpoint of they're out of our control? Or is it, we believe we've been hacked, so, therefore, now we're going to tell the story?
MR. WEINSTEIN: You know, Michael and I, when we prepared for these, one of the things that we started doing is we'll sit down with the CISO or the IT staff and ask them what keeps them up at night. And you'd be amazed how fully developed their scenarios are that they are losing sleep over it. That the CEO and even the GC may not even have thought about. You know, you're paying somebody to lose sleep and you can lose a little less sleep.
So, we kind of modeled scenarios after those things because it's something that the IT staff will consider realistic because it's something they're generally worried about.
MR. COHN: But there is a good point that both Adam and Richard made, which is that you will get yourself into a problem with the tabletop exercise if you start it in a box. And Richard, you made the point of, we don't do a “table top exercise” because our executives don't sit around a table managing an IT incident. And Adam, I think in this area, one has to assume there will be two or three major factors that are not, that are non-standard to the incident because the area is so dynamic.
The government gets itself into terrible traps by starting the exercise with everybody around the room. With a scenario that everybody understands, which has usually been pre-briefed beforehand to everybody so no one will embarrass themselves and then everybody can kind of step through what they know to be their roles.
MR. NOHE: It's like a play.
MR. WEINSTEIN: Very much like it. The staff has already come up with the answers. So the principals, you know, aren't caught off guard when they're asked a question.
MS. KRAYESKE: When you do tabletops, do you do them with injections that come along the way and the people that are sitting at the table top don't know what the scenario is?
MR. VATIS: Yeah, that's the only way to do it, in my mind.
MS. HIMELMAN: I think the best approach is to have a third party come in and run the exercise. The people around the table talk through the plan and think they have a course forward, and then the third party interjects a new fact. That changes everything.
MS. KRAYESKE: Because that's what happens in real life.
MS. HIMELMAN: Yes, and you can't really simulate it.
MR. VATIS: What I've found from putting them on is that people might come in thinking, one person's in charge, maybe the CISO, maybe the COO. And invariably, it's the GC or the GC's designee who ends up being the quarterback because every decision on those thoughts has a legal implication. So, it has to be cleared with the general counsel.
So, it might start off where, okay just run this by the general counsel and make sure it's okay. But it ends up that the general counsel is running the show. If you're going to run every decision by him or her, then that person ends up being the field marshal or the quarterback or whatever metaphor you want to use.
MR. NOHE: Yes, and the likelihood that you're going to have a real live example that maps to a hypothetical that you did last month, it's just not going to happen. To me, the tabletop is really to do two things. One, make sure that you understand the communications and, within that, the chain of command. And the second is policies that you've thought through and what are the laws. What do you need to disclose? What are you prohibited from disclosing? And then the facts will be the facts. It's how do you establish those channels and then how do you react, put the facts against the policies.
MR. WEINSTEIN: You know, when we do them we change the facts sort of mid-stream. And I think the value of that is it reinforces in you the notion when you're dealing with a real incident that the facts on day one, minute one are not going to be the facts, four hours later. But the other two takeaways, I think, clients get from them are, first, that the most challenging decisions are going to be disclosure/public notification and then how or whether we engage with law enforcement or regulators. And second, just to have everybody involved go through that analytical process, even though it's not really a crisis environment, you know it's a simulated environment. But just to go through that decision making process will make you more effective when you have to do it for real.
MR. HERMAN: And I would add to that, that not only will the facts change and be not what you anticipated, the players that you, you know in a vacuum you can say here are the five people we need in this room. In real life it will happen when at least one of those people is not available. You know, they might be having a Christmas Eve or some kid's graduation or whatever. Somebody's not there. So, who in that group will have the authority and responsibility to sit in, for that person? Have they gone through this drill before? And I think that's something you need to keep in mind as well.
MS. KRAYESKE: And that comes back to awareness. Because if you have somebody who has never been there sitting in on the drill and they sit there and they don't know what the plan is, it makes it all that much more problematic in real life. So, you almost have to have a backup to the backup.
MR. COHN: Which takes you back to the, I think the comment of the meeting, which is some of this reverts just to general incident management principles, general principles of having a backup to a backup to a backup. That a plan, that's great but a protocol is better, just general principles.
MR. BURGESS: I'm afraid we've reached our allotted time. I think the key thing to takeaway is that it is a constantly evolving process and no one really quite knows what they're doing in advance. Unfortunately, that's the very nature of it. But hopefully today has allowed you to exchange ideas and best practice for when it does happen.
16 June 2015
Location: New York
- David Burgess, The Legal 500
- Stewart Baker partner, Steptoe & Johnson LLP
- Alan Cohn of counsel, Steptoe & Johnson LLP
- Michael Vatis partner, Steptoe & Johnson LLP
- Jason Weinstein partner, Steptoe & Johnson LLP
- Mark Schildkraut Assistant General Counsel-IP, Worldwide Cybersecurity Counsel, BD
- Mary Krayeske Senior Attorney, Consolidated Edison Company of New York
- Antonious Porch Vice President, Senior Counsel – Technology & Kids, Viacom
- Shai Mehani Associate Counsel, Americas, Powa Technologies, Inc.
- Richard Nohe General Counsel, Americas Region, BT
- Gino Tonetti VP Legal, North America, Powa Technologies, Inc.
- Roman Streitberger Assistant General Counsel, Technology and Operations, Honeywell
- David Herman Privacy Counsel, Bloomberg
- David Biester General Counsel, WTC Captive Ins. Co., Inc
- Darren Bowie Chief Privacy Officer and Associate General Counsel, AIG
- Adam Ratner President, General Counsel and Chief Compliance Officer, New York And Company
- Samantha Himelman Vice President, Intellectual Property, Privacy & Cybersecurity, BNP Paribas