Home > A GC's Cyber Resolutions for 2014 by Peter J. Beshar, Corporate Counsel
A GC's Cyber Resolutions for 2014 by Peter J. Beshar, Corporate Counsel
The new director of the Federal Bureau of Investigation recently testified before Congress that cyberattacks would likely eclipse terrorism as the No. 1 threat to U.S. domestic security. That assessment echoed earlier warnings from senior U.S. officials of the potential for a "Cyber Pearl Harbor."
Given that threat environment, here are seven cyber resolutions for general counsel in the New Year:
1. Analyze Your SEC Disclosures Regarding Cyber Risk
In October 2011, the Securities and Exchange Commission issued guidance on disclosure obligations related to cyber risks and data breaches. Citing the potential for lost revenues and reputational damage, the SEC advised public companies to “consider the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks."
According to a Bloomberg analysis of SEC public filings, one-quarter of the largest 100 companies in the U.S. acknowledged being the target of cyberattacks or having significant exposures in 2012. SEC chair Mary Jo White has stated that the SEC will “prioritize” cybersecurity in its review of public disclosures. Indeed, the SEC has already directed comment letters to approximately 50 companies on cybersecurity issues, and the pace of that review is likely to accelerate.
Accordingly, the 2013 Form 10-Ks that many companies will file in the next 45 days represent an important opportunity to review and bolster cyber disclosures.
2. Review Your Cyber Insurance Policies
In its guidance regarding cyber disclosures, the SEC specifically referenced cyber insurance coverage as a risk-mitigation tool. Accordingly, general counsel should consult with their risk managers to assess (1) their company's potential vulnerabilities, particularly around social security, health care and credit card data; and (2) the specific types of coverage that are now available in the market.
What type of insurance coverage is most important to your company? Is it to insure the loss of data? Is it tangible harm that could be caused to your physical plant or other assets as a result of an attack? Is it harm that could be caused to your clients or customers?
At the simplest level, cyber policies cover out-of-pocket costs from data breaches, such as notification of affected persons, credit monitoring and the operation of call centers. Cyber coverage can also respond to loss of revenue and additional expense created by network interruptions or IT outages—essentially a business interruption claim. Moreover, coverage can be obtained for acts of terrorism, extortion over control of networks and reimbursement for data restoration.
As with any insurance, it is important to review key exclusions. For example, many policies exclude harm resulting from the improper collection of data and place limitations on coverage for fines and penalties from regulatory actions. In addition, networks typically must be down for eight to 12 hours before lost income will be covered. Finally, companies should review how other coverages—such as property, crime and general liability policies—intersect to avoid gaps in coverage.
3. Review Cyber Clauses in Vendor and Client Contracts
As the volume and complexity of data protection laws increase, parties on both sides of the contracting process are seeking ways to protect their interests.
First, with respect to vendors, legal departments should establish protocols for reviewing data protection provisions in your company's IT outsourcing, cloud hosting and offsite storage agreements:
Vendor Security Standards: Vendors should be required to maintain a written IT security program that details how they store data and protect it from unauthorized disclosure and theft.
Restrictions On Data Storage and Transfer: Contracts should restrict cloud providers and other IT outsourcers from moving your data to other venues without your consent.
Breach Reporting: Contracts should impose an affirmative obligation on vendors to report promptly any cyberattacks or unauthorized disclosures of confidential information.
Second, legal departments may receive requests from clients for stricter contractual provisions regarding data security, requests for security assessments or even audits. To simplify contract negotiations, consider:
Data Protection Templates: Create a coherent summary of your company’s IT security standards, storage practices and data protection training procedures that can be provided to clients. Have the business, IT, HR and compliance functions vet the summary to ensure its accuracy and the company's ability to comply.
Certifications and External Audits: Compliance with a recognized industry security standard can facilitate contract discussions. Similarly, obtaining an independent assessment of your data security practices, such as a SOC Type II report, can be powerful tool in responding to client requests for audits.
4. Develop Relationships with Law Enforcement Officials and Forensic Investigators
The FBI has created a special "Cyber Division" whose senior officials participate regularly at industry events and provide assistance in the event of a disabling attack. Similarly, the U.S. Department of Homeland Security has an integration center for coordinating threat information and emergency response teams. General counsel, chief information security officers and other senior company representatives should engage with these officials. A strong relationship with these agencies can provide an important line of defense in the event of a significant attack.
Similarly, build relationships with one or two forensic investigative firms. In the event of an attack, you may well need outside help to assess the extent of the harm, to stop further damage and to restore a system's functionality. There are a number of well-regarded firms in this rapidly developing field.
5. Develop and Review an Incident Response Plan
A key element of a comprehensive cybersecurity program is an incident response plan. What are your obligations, legal and otherwise, to notify regulators and potentially affected clients and individuals? What are your procedures for doing so? Who will respond to the media? To employees? Target Corporation's recent experience, in which cybercriminals apparently stole tens of millions of credit and debit card numbers, underscores the stakes.
6. Engage Your Government Relations Team to Shape Cyber Policy
In early 2013, President Barack Obama issued Executive Order 13636 with the goal of improving cybersecurity protections for the country’s critical infrastructure, and the White House is expected to unveil its Cybersecurity Framework soon. By reviewing the administration's recommended practices, companies can assess their own programs, conduct a gap analysis and make improvements as necessary. Numerous regulators, including the Comptroller of the Currency, the Food and Drug Administration and the Environmental Protection Agency, have already referenced the Framework in issuing warnings about cyber threats to particular industries.
The business community should be engaged with the administration in creating a public-private partnership on this critical issue. As one example, the White House is exploring whether the insurance industry can use the Cybersecurity Framework and appropriate incentives "to build underwriting practices that promote the adoption of cyber risk-reducing measures." (See Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, “Incentives to Support Adoption of the Cybersecurity Framework,” accessed on Dec. 31, 2013.)
7. Make Security a Team Effort
Reach out to your senior IT colleagues, particularly your chief information officer and your chief risk or privacy officer, to develop a better understanding of your company’s technology infrastructure. Then offer to help. Information security is a team game.
The threat of a "Cyber Pearl Harbor" has been perceived in parts of the U.S. business community as the stuff of Hollywood producers and doomsday thinkers who cried wolf over Y2K. Yet, our country's most senior intelligence and defense officials are now pouring resources into combatting this threat, and governments around the world have responded with a battery of new laws and regulations. Working in tandem with other corporate departments and business leaders, general counsel should step into the fray and help guide their companies through this complex maze.
Peter J. Beshar is the EVP and general counsel of the Marsh & McLennan Companies. Inna Tsimerman, MMC's chief privacy and international trade counsel, and Matthew McCabe, formerly senior counsel to the Committee on Homeland Security for the U.S. House of Representatives and now a Marsh advisor on cybersecurity, contributed to this article.