By Daniel E. Frank, Partner, and Jennifer J.K. Herbert, Associate, Sutherland Asbill & Brennan LLP
The threat of cyber attack is real and growing. Whether by an organized terrorist group attempting to inflict physical damage, a sophisticated government effort to steal sensitive information, or a hacker simply looking for a challenge, your company is at risk. Any system that connects to the Internet or to other networks is vulnerable to attack at any moment. You should take proactive steps now to better prepare for, and mitigate the risk of, a cyber attack.
In-house counsel can help their clients take those steps. Lawyers can navigate the statutory and regulatory security requirements that already apply to many industries and types of data. But the landscape is shifting. Lawmakers, regulators, industry, and the public at large are all concerned that the current regulatory landscape is inadequate to combat existing and future cyber threats. While federal legislation seems unlikely due to partisan gridlock, other regulatory actions are being taken that may affect your company.
For example, President Obama issued Executive Order 13636 in February 2013, directing the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework. Issued in February 2014, NIST's Cybersecurity Framework uses risk management processes to help organizations inform and prioritize cybersecurity decisions, and provides tools to build and improve upon those processes. The Critical Infrastructure Cyber Community (C3, pronounced "C Cubed") Voluntary Program developed by the Department of Homeland Security offers assistance to entities interested in using the Framework.
In-house counsel should take a leading role in building upon these regulatory actions to adopt cyber risk mitigation measures. We provide below our "Top 10" list of things that can and should be done before an attack occurs to position your company to effectively respond to a cyber incident. They are all part of developing and promoting a Culture of Security. The Cybersecurity Framework may function as a useful organizational tool as you work through these strategies to develop your company's Culture of Security.
Top 10 Cybersecurity Strategies
1. Get Upper Management on Board
To develop a Culture of Security within your company, you must start at the top. Upper management sets the tone for the organization, and by visibly making cybersecurity a priority it can help ensure that all employees are vigilant and perform the roles that support a secure infrastructure. The key personnel involved in cybersecurity should explain to upper management the need for internal, proactive efforts to mitigate the risk of cyber attack and its potential impact on physical infrastructure, including actions not strictly required by law but nonetheless useful in protecting against attack. The attorney can play a key role here in "bridging the gap" between the information technology (IT) personnel who are familiar with the technical jargon and the managers who are focused on policy and the bigger business picture. A fully informed, supportive, and actively engaged upper management is critical to a successful cybersecurity compliance program.
2. Designate a Chief Security Officer
An effective security program requires a strong and capable leader. A chief security officer (CSO) or chief information security officer (CISO) position should be created, and the duties, responsibilities, and objectives of the position should be clearly specified. Whether a company creates a new, stand-alone position or integrates the CSO/CISO role into an existing position will depend on the business structure and unique characteristics of the company (for example, a smaller organization may not be able to devote resources to a stand-alone position). Importantly, the CSO or CISO must be someone who possesses the necessary clout to get things done and who understands the technical and operational considerations that come with cybersecurity. Without such an individual, your cybersecurity compliance program may lack teeth and fail to effectively combat cyber threats. In-house counsel can be a forceful advocate for the right type of person for this job.
3. Conduct Self-Assessments
Periodic self-assessments provide a means to determine the current state of your organizational cybersecurity, identify and make plans to address weaknesses, and establish a baseline for measuring improvement. Self-assessment should aim to understand the interaction of all components of your cybersecurity systems and processes, evaluate how they meet your particular security needs, and identify areas for improvement.
In conducting self-assessments, remember that cybersecurity is not monolithic; there are no one-size-fits-all solutions. Every company has zones of security, each with its own user base, level of interactivity, and security requirements, and the differences are most pronounced at the perimeters and boundaries: the entry and exit points of each zone and the interfaces between zones. For example, a "customer interface" zone with thousands of user accounts that communicates with computer systems over which the company has little or no control will have security requirements very different from those of the zone responsible for an electric utility's electronic control of its generation and transmission equipment. A self-assessment needs to examine the security of each zone in light of the unique requirements and challenges that the zone and its perimeters present.

When conducting self-assessments, companies should also be realistic about their capabilities and vulnerabilities. It is easy to slip into complacency. If you are tempted to say, "After all, we have never had a serious cybersecurity breach," ask instead: "How do I know we have never suffered a breach?" Are the mechanisms and personnel in place to detect a breach? What is being monitored? What signs of an attempted or successful break-in would actually be detected? A strong Culture of Security requires you to assess what you know and what you don't know. In-house counsel can bring rigorous analysis and questioning to both the questions and the answers.
4. Evaluate Your Compliance Status
Self-assessment should include evaluating the company's compliance with regulatory and industry cybersecurity requirements. For electric utilities, generators, and transmission companies, these include the North American Electric Reliability Corp.'s (NERC's) Critical Infrastructure Protection (CIP) Reliability Standards. Other cybersecurity regulatory requirements include those issued by the U.S. Nuclear Regulatory Commission (NRC), as well as requirements applicable to government contractors. Understand which standards and requirements apply to your business and use the self-assessment as an opportunity to check your compliance with these baseline obligations. This is also a good time to consider industry "best practices" and whether to integrate them into your compliance program. In-house counsel can help navigate legal requirements and advise on the merits of adopting best practices.
5. Make a Plan for Improving Cybersecurity
A self-assessment should result in a plan for improving cybersecurity. The CSO or CISO should take the lead in identifying gaps in security and taking steps to address them. Rarely will a self-assessment identify no gaps or areas for improvement; in fact, a self-assessment that reflects a "perfect" program should raise concerns about whether all risks and vulnerabilities have been properly identified. However, avoid finding fault simply for the sake of finding fault, and recognize that a strong detection and response measure may compensate for a weak preventive measure.
In developing a corrective plan, start with the low-hanging fruit. Gaps in security often are the result of oversight or of the accumulation of "exceptions" to security policies that build up into a significant vulnerability. These are often easy to fix. Develop both short-term, quick-fix plans and longer-term evaluation and improvement plans to strengthen your compliance program. Here, too, in-house counsel can apply rigorous analysis to evaluate the effectiveness of the plan adopted to address gaps in security.
6. Train Personnel
Cybersecurity is not solely the domain of the IT department. Everyone who touches the hardware and software that provide potential access points for cyber attacks must be involved in preventing them. Given the ubiquity of personal computers, mobile devices, and the like, nearly everyone in the organization plays a part, so everyone must be trained to identify, mitigate the risk of, and respond to cyber threats and attacks. In-house counsel is no exception: you do not need a computer science background to understand the basics, and you should understand them in order to communicate effectively among the various departments in your company. Not all employees need the same degree of training; those involved in "front line" cyber protection must receive the most. A robust training program will identify the subject matter areas for training, the levels of training required, and the corresponding training techniques and programs. A Culture of Security also requires that the training program be enforced; the company should be prepared to discipline violations of training requirements and procedures.
7. Develop an Incident Response Plan
Many organizations already have a business continuity plan, but these frequently focus on commonly recognized physical incidents such as floods and fires. However, "virtual" attacks can have real-world consequences as significant as any physical event. Cybersecurity incidents are not just problems for the IT team; with computer systems communicating with and controlling physical systems, cybersecurity incidents impact engineers and technicians, the public, government and shareholder relations, and upper management.
A cybersecurity incident response plan should be part of every company's broader business continuity plans. It involves many of the same elements: monitoring, detection, and escalation to decision-makers; assembling predesignated response teams; action to mitigate and stop the incident; activation of alternatives to continue operations during the incident; notification of and communication with partners, authorities, and the public; recovery of normal operations; and evaluation of the incident for lessons learned and opportunities for improvement. Regulatory requirements, such as those enforced by NERC and the NRC, are not always sufficient for each organization. Make sure your plan fits your needs.
You should also assemble an incident response team composed of members from across the company as well as external parties, including contractors, vendors, outside counsel, and law enforcement. Internal membership should include an incident lead as well as representatives from upper management, operations, public relations, IT and security, legal and privacy, and customer relations. A varied team will help ensure that your company is ready for the wide range of cyber threats and attacks that may occur. Each member's role will vary with the type and scope of the incident. For example, if an incident can be largely contained within the company without a data breach, the public relations member may have little to do, because public awareness of the event may be minimal.
8. Test Your Incident Response Plan
Periodic testing of a cybersecurity incident response plan is the best way to ensure it will work when needed in a real incident. Conduct "table-top" exercises regularly that simulate a variety of cybersecurity incidents and involve the entire incident response team; in some cases, such exercises are required by regulation. It is also worthwhile to occasionally conduct unscheduled exercises, so that complacency does not set in and leave a response team able to handle only the incidents it knows are coming, ill-prepared for the way real-world incidents usually unfold. Scheduled and unscheduled exercises together help the team anticipate and manage the human reaction (e.g., panic) in a real incident. These exercises will improve your incident response team's confidence, better prepare the team to handle any cyber incident that may occur, and promote commitment to the Culture of Security you are trying to develop. Because in-house counsel has an integral role in incident response, you should be actively involved in the response plan tests.
9. Identify "Lessons Learned"
Every test of the incident response plan should result in lessons learned and an action plan to adapt the response plan to address them. The CSO or CISO should take responsibility for following up on the lessons learned. Changes should be incorporated into the response plan and tested at the next opportunity (in some cases this is required by regulation, as with the NERC CIP Reliability Standards). In-house counsel can play a key role here as well in "translating" IT requirements into action items in the plan.
10. Get Involved and Stay Involved
The current regulatory environment is enmeshed in uncertainty and perpetual red tape that impedes development of a comprehensive regulatory regime within which to address cyber threats. Industry faces a critical and daunting task: how best to tackle current threats and prepare to combat and mitigate future threats. In light of today's minimal mandatory regulatory requirements, it falls to industry to proactively seek solutions to the growing number and sophistication of cyber threats. As part of its Culture of Security, a company should be actively seeking opportunities to improve, including participating in industry working groups and other activities that provide access to lessons learned and best practices that the company can import into its own cybersecurity compliance program. In-house counsel should be part of these efforts, particularly in evaluating the potential risks and liabilities of adopting the lessons and practices.
The future of cybersecurity is uncertain, both in terms of the types of threats and attacks that can compromise your company's business and the legislative and regulatory response intended to protect against such attacks. But even in the absence of more definitive legislation and regulations, there are steps that can be taken today to address cyber threats and attacks. The strategies identified here will help companies develop and implement a culture of security and be better prepared for whatever compliance requirements are thrown their way. In-house counsel can take a leading role in these efforts and thereby provide value to their clients in achieving security.