‘You Are Going to Need a Bigger Boat' in 2016 To Navigate the Cybersecurity Storm

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Paul A. Ferrillo, Randi Singer and Austin Berglas

Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP and is part of Weil's Cybersecurity, Data Privacy and Information management group, where he focuses primarily on cybersecurity corporate governance issues and regulatory matters.

Randi Singer is partner at Weil's Cybersecurity, Data Privacy and Information management group, where she counsels clients on privacy, cybersecurity and social media issues.

Austin Berglas is senior managing director and head of the U.S. Cyber Investigations and Incidence Response practice at K2 Intelligence. He previously served as assistant special agent in charge of the FBI's Cyber Branch in New York.

We analogize what today's public company directors and officers must feel about cyberattacks and data breaches we saw in 2015 to the feeling of terror that Richard Dreyfuss, Robert Shaw and Roy Schieder must have felt when seeing“Jaws” circle their fishing boat, the “Orca.” Remember when Roy Schneider yelled out, “He's circling the boat!”

The problem we face today is that it's not just one shark out there circling the boat. There are many species of sharks waiting to bite: nation-states, nation-state “sponsored” attackers, hacktivists and cybercriminals, all equipped to do catastrophic damage to your corporation with one nasty hack. Sharks can smell blood in the water from miles away, signaling weakness and vulnerability to attack. And like sharks, the bad actors in the cyber world prey on known weaknesses, turning vulnerabilities into veritable feeding frenzies.

The last year was not a great one for public companies facing the cybersecurity storm. January 2015 brought an announcement from Anthem—81 million pieces of personally identifiable information stolen—and then things went downhill from there (25 Privacy Law Watch, 2/6/15)(14 PVLR 227, 2/9/15). The Office of Personnel Management breach showcased some of the basic flaws of our cybersecurity ecosystem: legacy systems, outdated hardware, and other information management system weaknesses (like poor password management and authentication) (108 Privacy Law Watch, 6/5/15)(14 PVLR 1031, 6/8/15). The attacker in that case (widely-believed to be China) was able to take full advantage of these flaws, possibly for years before discovery, in order to exfiltrate very sensitive data of government workers, law enforcement personnel, under cover operatives and senior defense department officials. The data resides somewhere, likely “circling the boat” and waiting for the next spear phishing-related attack in which some poor soul clicks on the link in a completely plausible, socially-engineered e-mail.

In response to the shark-infested waters we face today, we just published “Navigating the Cybersecurity Storm: A Guide for Directors and Officers.” Think of it—hopefully—as “shark repellant” for directors and officers of public companies, private equity funds, hedge funds, and alternative asset managers. It is a plain-English cybersecurity guide for directors, written in a way that takes very complicated information technology and information management issues and boils them down into the most important questions that directors should be asking of the IT staff and executives to make sure that their company's cybersecurity posture is designed to protect the company's most valuable IT and informational assets.

The book is not meant to give all the right answers. Indeed it can't—every company is different and has different IT assets and security needs. But hopefully by asking the right questions, the directors can steer their own Orca in the right direction. We discuss below the biggest potential cybersecurity threats/sharks in the water for 2016, and then how the book can hopefully help companies respond to them. A friend once said, “Protect the Most Which Matters the Most.” We think that is an excellent motto for any company facing the cybersecurity storm.

The bane of the second and third quarters of 2015, ransomware, continues to be a large threat to U.S. businesses.

A Shark Glossary for 2016

Our crystal ball (combined with our experience and sixth sense) tells us that these are poised to be some of the most important cybersecurity issues that public companies face in 2016:

1. “CaaS” (Cyber Maliciousness as a Service)—Recent articles have noted that destructive cyberattacks are now not just within the domain of nation-states. They are available over the Internet or “dark Web,” where you can buy cybercrime toolkits, DDoS [Distributed Denial of Service Attacks],2 Stuxnet,3 and remote access tools (RATS).4 Finally, as we saw in one recent breach of a large investment bank, it is increasingly easy to hire hackers themselves on certain underground forums.5 Are companies ready to meet the trickle-down cybersecurity economy, where hired hackers, or any disaffected 15-year-old with some Bitcoin, can buy a malicious toolkit and then unleash it on some unsuspecting company? We don't know, but can see that access to criminal tools like these may create not only more attacks, but more “bad” attacks if companies can't keep up with tens or hundreds of thousands of cybersecurity alerts a day.

2. Ransomware—The bane of the second and third quarters of 2015, ransomware (i.e. Cryptolocker or Cryptowall), continues to be a large threat to U.S. businesses. A ransomware threat starts with a company employee opening a malicious link, which then encrypts all files. If the company then doesn't pay up, then the attackers delete the files. For bigger companies with a fulsome back up procedure, this is less of a problem. For small to medium business, ransomware is a big problem, and is readily available for sale on the dark Web (214 Privacy Law Watch 214, 11/5/15)(14 PVLR 2027, 11/9/15).

3. Hacktivism—who's hacking whom, and why?—The events of the last few weeks tell us that there are many disparate terrorist groups that would like nothing more than to interrupt businesses in the U.K., EU and U.S. with hacking attacks aimed at defacing websites, or worse, crippling or destroying critical infrastructure.

4. Attacking the cloud—Bank robber Willie Sutton explained that he robbed banks “because that's where the money is.” The same will be true of the Cloud in 2016. As more and more business move their operations, in part or in whole, to the Cloud, the Cloud will become a ripe repository or data “bank” for hackers. More schemes to steal employee passwords and administrative privilege information will result in more attempt account takeovers and more attempted cloud attacks. Data protection strategies must be built in to any cloud environment, but those strategies better be very good in 2016.

5. The endpoint threat —a cybersecurity ecosystem without a defense perimeter—In era of Bring Your Own Device (BYOD), mobile devices have created new challenges for many companies whose employees access the network remotely. Are these mobiles up to date from a security prospective? Has the user of the mobile device accidently downloaded an application laced with malware aimed at sealing his ID and password? Companies will need to get a better handle in 2016 on the endpoints, or continue to face breaches from remote endpoints.

6. The continued debate over encryption—the good versus the not so good—The recent tragedy in Paris has brought up again one of the most debated issues in 2015. This debate will continue in 2016. For many companies, encryption is a necessity to protect personally identifiable information (PII) or customer or consumer data. Though there are different types of encryption models, encryption per se is not evil. And encryption in the cloud may be come even more important as companies, seeking efficiency of scale, optimization, and monetary savings, move more and more information to a cloud-based environment. 
For those dedicated to privacy, encrypted communications provide an important check on the ability of governments to monitor personal communications allegedly for the wrong purposes. For law enforcement, encryption is a difficult challenge when trying to monitor terrorists and indeed foil terrorist threats. These encryption debates will continue in 2016. A middle ground must be found, especially after the Paris attacks. Our lives may depend on it.

7. The Global Internet Ecosystem Debates Business v. Privacy v. Security—The debate over privacy and international data transfers between the U.K./U.S. and EU was recently highlight in the Schrems v. Data Protection Commissionerdecision (194 Privacy Law Watch 194, 10/7/15)(14 PVLR 1825, 10/12/15). Will there be a new U.S./EU Safe Harbor that will continue to allow cross-Atlantic data transfers?6 Will EU data protection authorities prosecute U.S. companies in the absence of a Safe Harbor? Will use companies change their method and mode of doing business to meet the challenge represented by the lack of a Safe Harbor? All good questions. More debate and uncertainty ahead.

8. The regulatory drumbeats will continue in 2016—We expect U.S. regulators to continue to be very active in 2016, especially as new agencies announce new rules and guidelines and enforcement actions like the recent Securities and Exchange Commission (SEC) administrative decision in R.T. Jones (185 Privacy Law Watch 185, 9/24/15)(14 PVLR 1749, 9/28/15).7 Expect continued regulatory examination of regulated investment advisers and funds by the Office of Compliance Inspections and Examinations and the Financial Industry Regulatory Authority, and continued cybersecurity oversight of banks and banking institutions by the Federal Deposit Insurance Corporation and the Federal Financial Institutions Examination Council because the systemic risk of a global cybersecurity strike upon critical U.S. financial institutions and regulated investment entities, funds and advisers is too much to be left to chance. Similarly, stock market-related issues proven to be problematic in the FIN4 and PRNewswire attacks cannot be ignored.

Cybersecurity insurance was a fast-growing area in 2015. Underwriting standards tightened. Premiums increased. Insurers moved from an application-oriented underwriting process to a more systems and security underwriting process.

Navigating the Cybersecurity Storm

The shark glossary above ain't pretty. In fact it's pretty ugly at first sight. Our book, however, contains some shark repellant chapters which hopefully will give companies some idea how to punch the shark in his snout:

• Good cyber governance by boards of directors— What is good “cyber governance?” To us, it is the ability of a board to dig down and understand the most important cybersecurity issues that a company faces. Certainly cybersecurity is part of a board of directors' enterprise risk management duties. Throughout our book, we cover for different types of companies and information management rubrics, the most important questions that a director should ask about a company's cybersecurity posture. Our view is simple: without asking the right questions, you won't get the right answer (or any answer) that will allow a director to exercise his or her business judgment.

• The National Institute of Standards and Technology Cybersecurity Framework (Framework)—The Framework provides a plain-English process that can allow a company's board of directors to stand on equal footing with their IT executives when assessing their company's cybersecurity posture. What is most important about the Framework? Today, we would argue that it is the “national standard” for cybersecurity in the U.S. It has been adopted by the federal government, mandated for government contractors, adopted by many public companies, and incorporated by reference into a great deal of regulatory guidance. If a plaintiff's counsel wanted to hold up a company's cybersecurity policies, procedures and governance to a “standard,” he or she would like hold them up to the Framework. If you believe that cybersecurity breach and privacy litigation has increased in 2015 (and it has), you will not be disappointed by the potential positive effects adopting the Framework may bring your company.

• Don't discount regulatory guidance—Regulators are not idly standing by to watch the cybersecurity storm. The R.T. Jones SEC administrative proceeding is exemplary—in that case, the SEC fined a broker dealer for having lax (if any) mandatory cybersecurity policies and procedures, even given the fact that its customers suffered no damage as a result of the breach. R.T. Jones can be considered the “warning shot” across the bow of regulated entities that don't have their policies and procedures in place to both protect, defend and respond to a cybersecurity breach. We think R.T. Jones will be only the tip of the iceberg, especially in light of the second round of guidance that the SEC gave registered entities on Sept. 15, 2015.

• Cybersecurity Insurance—Finally, explore cybersecurity insurance as a way for companies to transfer some of the risk of a loss associated with a cyberattack to a third party insurer for an appropriate premium and retention. Cybersecurity insurance was a fast-growing area in 2015. Underwriting standards tightened. Premiums increased. Insurers moved from an application-oriented underwriting process to a more systems and security underwriting process (many times involving outside experts to help them). Some carriers (AIG and ACE American) have started to offer higher limits of liability to insureds that can show they had their cybersecurity act together. Other carriers flooding into the marketplace “decided” that perhaps underwriting this risk might not have been such a good idea, and thus determined maybe paying real claims was also not a good idea. We see more activity in the area of cyber insurance in 2016. More activity in the area of infrastructure cybersecurity insurance coverage for 2016. Although cybersecurity insurance is not a cure-all for lax cybersecurity, it is a very important risk transfer mechanism for many companies. Given its importance, we would strongly suggest that companies interested in cybersecurity insurance in 2016 see a skilled cybersecurity insurance broker, or their cybersecurity insurance lawyer to help them with the underwriting process.

There you go. Our predictions for 2016. And our response, “Navigating the Cybersecurity Storm.” Though most certainly our book did not (and could not) cover every topic a director and officer might face when considering their company's cybersecurity needs in 2016, it contains many of them, in one place, at one time, and in plain English. We urge you and your staff to read the book and understand its points and nuances. Cybersecurity is not just an IT problem. It's everyone's problem. It is the ultimate team sport.

  2

See “Six Nabbed for Using LizardSquad Attack Tool,” available at http://krebsonsecurity.com/2015/08/six-nabbed-for-using-lizardsquad-attack-tool/#more-32160.

3

See “Stuxnet-style code signing of malware becomes darknet cottage industry,” available at http://www.theregister.co.uk/2015/11/04/code_signing_malware/.

4

See “Blackshades + hacking = prison,” available at http://www.usatoday.com/story/money/2015/06/23/blackshades-sentencing-yucel/29175447/.

5

See “Hired-gun hacking played key role in JPMorgan, Fidelity breaches,” available at http://www.reuters.com/article/2015/11/13/us-hacking-indictment-outsourcing-idUSKCN0T22E920151113#uwpvSGbGrUVby1qh.99.

6

See “Need for a Safer “Safe Harbor” following the ECJ's Schrems Ruling,” available at http://www.weil.com/~/media/files/pdfs/150666_cybersecurity_alert_oct2015_v5.pdf.

7

See “Did the Regulatory Cybersecurity Shoe Just Drop? SEC Enforcement Action in In re R.T. Jones Capital Equities Management, Inc.,” available at http://privateequity.weil.com/thought-leadership/did-the-regulatory-cybersecurity-shoe-just-drop-sec-enforcement-action-in-in-re-r-t-jones-capital-equities-management-inc/.