Editor: Do corporations leave themselves vulnerable to cybercrimes?
Epstein: Yes, for a number of reasons. First is a false sense of security because the leaders of many corporations believe their computer systems are secure. Second is a lack of education about how easy it is to penetrate corporate computer systems and how prevalent cybercrime is. Every computer system can be penetrated. It is only a question of how long it will take to get in. Third, it is only recently that there has been a marked increase in the number of press reports about cybercrime and the attendant risks, thereby highlighting the problems.
Editor: Have many companies suffered cyber attacks?
Epstein: Many companies and government agencies have suffered from cyber attacks. A year or two ago, there was reluctance on the part of companies to report that they were victims of cyber attacks. This mentality is changing because companies now realize that they should come forward when they are victims of cyber attacks and report the crime. In the last year we have seen many instances in which large, sophisticated, reputable high-technology companies have been victims of cyber attacks.
Editor: What are the most significant cybersecurity threats at the moment, and what are the sources of risk?
Epstein: There are a number of risks that cybercrime presents.
First is economic and competitive risk. This risk arises because there are many unscrupulous parties involved, including a number of governments. China has made obtaining sensitive business information through cyber attacks a high priority.
Companies store sensitive business information on computer systems. This information includes trade secrets such as marketing plans, strategic reports, research and development plans, future budgets, plans about future acquisitions and dispositions – and this list goes on. Losing this information in a cyber attack is a major risk. The Wall Street Journal recently estimated that the economic cost of this competitive risk to companies could approach one trillion dollars.
The second risk that companies face if they are a victim of a cybercrime is the litigation risk. Companies that are victims can become defendants either in consumer class action lawsuits brought by individuals whose personal information was obtained in the cybercrime or in securities class action lawsuits alleging that a company made false statements about the security of its computer systems.
The third risk is the direct threat to the integrity of a company’s computer systems. The way cybercrime is carried out is that the criminal sends a virus into the computer system of the victim, and that virus disrupts or corrupts the victim’s computer system.
It can be a very tricky virus, and the nature of the virus also relates to the question about why companies may have a false sense of security. In part, this is a crime whose commission may not be known to companies that are victimized. There have been instances when a virus was introduced into a company’s computer system, and the virus went undetected for periods of five years or longer. During this entire time, the virus was transmitting sensitive information back to the cyber criminals.
The fourth risk is the monetary risk that companies face if they are the victims of a cybercrime. Monetary risk is threefold: the cost of remediation of computer systems that have been corrupted with viruses; fines that companies can face from U.S. and European regulators if personal data is stolen; and potential litigation costs.
Finally, and perhaps the most important, the fifth risk is the reputational loss that comes with being the victim of a cyber attack. There have been cases where the victims of the cybercrime have been companies in the business of providing security services for computer systems. This gives you a sense of how widespread cybercrime is and how difficult it is to detect.
Editor: Does the SEC consider failure to disclose a major computer security breach a material event for disclosure purposes?
Epstein: Yes. The SEC staff has issued guidance reminding companies to disclose material risks and material incidents concerning their computer systems. The SEC hasn’t brought any actions of which I am aware.
Editor: Do you find that senior management and directors are adequately informed about the risks of cybersecurity failures and the steps taken by their companies to assure cybersecurity?
Epstein: I don’t believe they are. I recently spoke at a conference attended by approximately 150 members of audit committees of boards of directors of public companies. A poll taken of the attendees revealed that a majority of them thought that boards, audit committees and senior management do not spend enough time understanding and taking steps to prevent the risks of cybercrime. This issue has not been sufficiently elevated to the senior management and board levels.
Editor: Do you think this is something that general counsel should be involved with?
Epstein: Absolutely. This is an issue that general counsel should understand and be concerned about since it involves the potential theft of the company’s trade secrets, other intellectual property as well as its important commercial information. As discussed, the risks to the corporation are significant and numerous. General counsel need to be engaged.
Editor: Should companies develop compliance programs to reduce the risk of cybersecurity failures? What are the key elements of such programs?
Epstein: Companies should have a plan for minimizing the risk of a cyber attack. It is the view of most experts that one cannot prevent a cyber attack with 100 percent certainty, but one can minimize the risks in large part by maximizing the time required to penetrate a company’s computer system.
On a regular basis (every six months), a corporation should, without generally informing its IT department, retain an expert to penetrate its computer systems. Companies need to know how long it takes to get into their computer systems. It is not an issue of whether someone can get into a computer system. The issue is how long it will take. If it only takes three hours to penetrate a system, that is not a good result because the company likely will not be able to detect and halt the attack in a three-hour period. On the other hand, if it takes 18 hours to penetrate a company's computer system, that is better because within that time frame the company will be able to detect and halt the virus that has tried to penetrate the computer system.
Another step that companies should take is to encrypt information. Companies should set rules for the type of documents and information employees must encrypt. Corporations should consider rules regarding the use of wireless devices and personal email accounts since these items represent potential vulnerable spots in a computer system. Procedures should also be formulated about taking computers or other communication or storage devices into certain foreign countries where those countries are known to engage in cybercrime.
Finally, companies need to ask whether their budget for cybersecurity is adequate, whether they are taking any non-standard risks, and whether their employees are educated on prudent safety measures.
Editor: Is the use of smartphones a problem?
Epstein: Yes, personal and mobile devices present security risks. Highly sensitive business information should not be on an individual’s personal computer or a personal smartphone. It should only be on company-issued computers and devices.
Editor: What role should government play?
Epstein: Interestingly, the government has been taking a leading role educating about cybercrime and warning companies to take action. It is the conclusion of present and former government officials that much of the cybercrime directed against U.S. companies is being committed by China. In a Wall Street Journal opinion piece, a former director of National Intelligence, a former Secretary of Homeland Security, and a former Secretary of Defense wrote, “The Chinese government has a national policy of economic espionage in cyberspace.”
The U.S. government just issued its Annual Intelligence Report on the major risks that the country faces. The report said that the two biggest threats to our security are Iran and cyber attacks. I think the government may have a better picture of the risks of cybercrime than the private sector.
A bill introduced in the Senate by Senator Lieberman would place regulatory authority in the Department of Homeland Security, which would be empowered to mandate that companies follow certain computer security standards. The criticism of the Senate bill is that it will increase regulation of business at a time when minimizing regulatory burdens may be the best approach for fostering economic growth.
The approach being considered in the House of Representatives focuses on facilitating the ability of companies to get together to self-regulate and create their own standards for maintaining security. The criticism of the House approach is that it will not lead to a satisfactory common security standard and that a lack of regulatory oversight may adversely affect individual privacy rights.
Editor: To what extent should the private sector and its organizations be involved?
Epstein: The private sector must be actively involved and engaged on this issue.
The issues of cybercrime and cybersecurity are part of a broad range of technology-related issues in which the private sector and senior management must actively participate. Technology-related issues that are confronting companies with new risks include cloud computing; nano, green and other emerging technologies; e-discovery; and the use of social networking, among others. We as a law firm see these technology-oriented trends and are preparing for them by understanding in a detailed way the various new technologies so as to be able to help our clients reduce the risks these technologies present.