Cyber-Security Corporate Governance: Three Essential Steps to Form a Cyber-Security SWAT Team

Written By Duncan C. Card

Last year, Canadian Lawyer InHouse Magazine¹ posed the question, "Should in-house counsel be asking more questions about the strength of their company's cyber systems…" and they cited the Association of Corporate Counsel 2012 survey that reported 28 percent of their companies had experienced a cyber-security breach in the preceding 12 months and "data breaches and protection" as one of the top issues keeping them up at night.² In my view, the best answer to that question is – in-house counsel should be actively participating in providing cyber-security corporate governance leadership and risk management guidance, including legal and compliance advice.

Regardless of your industry or business sector, whether retail, transportation, financial services, manufacturing, energy or otherwise – there are now daily (if not hourly) news reports of aggressive, targeted and damaging cyber attacks that cause significant financial, reputational and commercial harm to the enterprise as affected, whether through data breaches, trade secret theft or business disruption otherwise. Chances are, the bigger or more visible your company is, the more international your company is, or the closer your company is to our critical infrastructure, the more likely your company is a target for cyber attack. For example, in March of this year, the Department of Homeland Security in the U.S. reported³  the following statement by the Chairman of the California Energy Commission: "If you're a utility today, depending on your scale, you're under attack at this moment."⁴ Similarly, Canada's Globe and Mail newspaper recently reported that,⁵

North America's electricity grid is facing increasing risk of cyberattacks from criminals, terrorists and foreign states, and utilities have to devote growing resources to defend the system… In a report last year, cybersecurity firm Mandiant Corp.⁶ exposed a multiyear, large-scale computer espionage threat (across many sectors) originating from a group in China with close ties to the People's Liberation Army… Robert Gordon, a special adviser to Public Safety Canada on cyber threats, identified three distinct risks that Ottawa is working with industry to combat: criminal, espionage and activism.

Therefore, right now, before your company is hit by another cyber attack (yes, ...another), whether by hackers, agents of IP espionage, malware, activists launching a denial of service attack, or by a disgruntled employee, you need to proactively formulate the practices and resources that your organization requires in order to manage the response to such attacks. I believe it is possible to summarize the governance undertakings that are required to reasonably manage the risk of cyber attack into a three-step process, all of which may lead to the assembly, organization and training of a cyber-security response SWAT (Special Weapons and Tactics) Team comprised of managers (internal and/or external professionals) who will know exactly what to do, and who can be called into action on a moment's notice, in the event of a cyber threat.

STEP ONE: First, make sure that the board of directors, the C-suite, and the managers of your company's IT and web-enabled infrastructure understand and appreciate the fast-paced world of cyber insecurity, including all relevant threat sources, your organization's general vulnerability and the potential business financial, reputational and legal risks that your enterprise uniquely faces. As part of that exercise, all of the constituent subject matter experts in your organization should be identified and assigned to assist and contribute to that essential awareness exercise, and in all of the undertakings that will follow. Experts in IT corporate governance, reputational and crisis management, cyber technology risks, advanced HR practices, and concerning your company's unique legal and regulatory compliance duties, should all play a vital role in understanding the nature and scope of cyber-security threats.

STEP TWO: There are two distinct aspects to the second step of preparedness.

First, enterprises should undertake a detailed review, assessment and audit of their cyber-security history (either its direct experiences or by sector benchmarking), its vulnerability, and the risks and potential key business liabilities it may face – both commercial and regulatory (compliance) in nature. Every enterprise relies upon and uses the Internet and IT infrastructure very differently, and those different combinations of use and reliance will create a unique matrix of risk, potential liability and defence posture. That is why a comprehensive assessment of how your enterprise is uniquely positioned (or not) to address cyber threats is an essential aspect of security preparedness. As well, that assessment must include a comprehensive survey of your company's unique legal, regulatory and compliance duties so that your cyber incident action plan will be crafted to include all of your organization's required notification, reporting and disclosure requirements.

Second, based upon your company's unique cyber risk assessment, an overall cyber-security strategy must be formulated and implemented. That strategy review will likely consider:

• necessary technological and business process security improvements;
• third-party security contributions and testing (including encryption service providers, ethical hacking services, etc.);
• a review of all relevant HR security programs;
• your organization's online connections and practices with its key business partners, such as suppliers, customers, and the service providers it depends upon to carry on business;
• the need for cyber risk insurance;
• business continuity and contingency plans; and
• the formulation of cyber-security policies, procedures and practices (including a cyber incident action plan) that will address cyber incident prevention, reporting, response and harm mitigation.

Such corporate cyber-security policies usually include:

• information (awareness) systems to remain "threat current" (including warnings from trade associations and public sector security services such as police, public sector security alerts, and access to the full range of governmental support systems⁷);
• employee training programs;
• IT security policies, possibly including data and IT access restrictions, segregated data, and SaaS or Cloud security stipulations;
• supplier, customer and e-commerce security practices;
• management and employee resource allocation for ongoing security governance activities; and
• internal management policies, including the creation of a cyber attack response and management SWAT Team.

STEP THREE: Based on your assessment of cyber-security vulnerability and risk, and in accordance with the directly resulting cyber-security policies and procedures that are formulated, your enterprise should proactively consider putting a specialized team of trained managers in place to both oversee the organization's cyber-security preparedness and response capabilities, as well as stand as the crisis management team in the event of a cyber attack, including:

• to oversee the existing policies and procedures to ensure that they are properly implemented and that all related practices are constantly improved (as needed);
• to ensure that the company's preparedness is adequate (through testing and otherwise) and to have the management authority to correct any deficiencies; and
• to be trained, coordinated and ready to immediately act on several fronts in the event of a cyber threat in accordance with a detailed cyber threat action plan.

Basically, that focused management team may be thought of as a Cyber-Security SWAT Team.

Upon being first notified of a cyber attack, the Cyber-Security SWAT Team's role will include the following choreographed efforts:

• identify/discover and diagnose the specific cyber threat;
• terminate the threat as quickly as possible;
• assess its continuation (or abetment) and determine (if possible) the extent of any harm and unauthorized activity (impact assessment);
• act to mitigate or avoid potential harm;
• work with third parties (police, regulators, telco, suppliers, distributors, etc.) to address all relevant stakeholder interests;
• manage precipitating reputational issues, stakeholder communications and public relations; and
• attend to all legal, regulatory and compliance (including required or beneficial reporting, whether to insurers, regulators or otherwise) activities while also preserving the enterprise's legal rights and defences in the face of any possible litigation or regulatory concerns.

Typically, such a Cyber-Security SWAT Teams would be comprised of (at least) the following key skill sets:

1. a crisis management leader to make (or shepherd) critical and urgently required business decisions;
2. a highly trained IT manager with cyber-security technical expertise;
3. a legal advisor to ensure compliance, to help assess sources of liability (including to identify any possible plaintiffs or classes of plaintiffs) and to undertake any required legal action (immediate or otherwise); and
4. (depending upon the nature of the cyber-attack) a reputation management expert to address reputational risks, and to attend to any public (stakeholder) relations, media relations, and even government relations matters that may arise.

Cyber-security is now an essential aspect of corporate governance, business risk management, and legal (regulatory) compliance – and a Cyber-Security SWAT Team might serve as an excellent catalyst for top-down governance oversight and management of that increasing enterprise threat.

Notes

1. Jennifer Brown, "Managing Cyber Risk", Vol. 8, Issue 3, June, 2013, at page 36.
2. Ibid, at page 36.
3. Homeland Security News Wire, March 25, 2014, "Making The Grid Smarter Makes It More Vulnerable TO Hackers"
4. Per Robert Weisenmiller, Chairman CEC, at page 1.
5. Shawn McCarthy, "Utilities Face Growing Cyberattack Risk", Thursday, May 8, 2014, ROB, page B5.
6. Mandiant Intelligence Center Report, APT1: Exposing One of China's Cyber Espionage Units (http://intelreport.mandiant.com/).
7. See Communications Security Establishment Canada's list of IT and Cyber-Security publications, such as the COTS Security Guidance, CSEC's Top 35 Cyber Threat Mitigation Measures, etc.; and the Canadian Cyber Incident Response Centre (CCIRC), operated by Public Safety Canada – and many other accessible resources.