Editor: What does the current cyber threat landscape appear to be?
Plesco: There has been a significant increase in cyber attacks due to the development of new technologies and the utilization of those technologies by way of mobile devices, social media, cloud computing and other new media. The NSA’s General Alexander has been quoted as saying, “The question is not when a company is going to be hacked, but when will it be hacked again.” There are two types of companies: those that know that they have been hacked and those that don’t know that they have been hacked. The threat landscape shows that two-thirds of intellectual property theft from corporations is based upon internal employee theft, causing increased financial and reputational damage to firms. If you look at the recent study by Ponemon, the average price of a breach is about $5.4 million. What is happening is that the breaches make the headlines, impacting brand credibility and potentially stock price. No longer is this only an IT issue, but one affecting the intellectual property rights of a company, its proprietary information, its business transactions – the list is endless. Corporations are not only dealing with their information being accessed, but also business disruption.
Goings: Over the last ten years the landscape has not changed all that much. There are the typical threats from state-sponsored attacks and from what could be classified as the “Script Kiddies” attacks. The latter are individuals who do not have advanced skills or any organized movement but have sufficient skills to attack corporations and individuals.
Editor: Are nation states a real issue?
Plesco: Yes, they have been, and continue to be, a real issue – especially China. It is only this year that the media, the political side of government and the national security community have gone public with some very high-profile announcements of attacks by terrorists groups and the exploitation by nation states. During the most recent State of the Union address, President Obama said, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our national security and our economy. The cyber threat is one of the most serious economic national security challenges we as a nation face. America’s economic prosperity in the 21st century will depend upon it.” The Director of National Intelligence followed up within three months after the address and said, “Cybersecurity is the top national security threat, ahead of terrorism.” He said there was a remote chance that a major cyber attack will take place in the next two years, having a devastating impact on the economy. Cyber espionage by nation states, mainly China, Russia and Iran, as well as other state security and intelligence services, is the number one threat. Behind them come terrorist groups, “hacktivist” groups and cyber criminals.
Editor: What are the top issues for boards of directors?
Goings: The biggest issue that boards need to understand is public perception of their responses should an incident occur. In the last year and a half, some of the largest companies and financial institutions have actually gone public with the fact that they had been hacked. Prior to this, companies remained silent, fearing what the public perception would be. No matter how secure you make your institution, it will become a challenge to someone who wants to break it.
Plesco: At issue for boards of directors and corporate counsel with regard to cyber attacks and security is this question: What should the board’s role be? Recent studies have shown that cybersecurity is one of the top concerns, but most boards don’t feel prepared to actually deal with it. The accepted role of a board is to maintain its fiduciary duty of care to protect corporate assets and to minimize risk and liability. Cyber directly impacts that role. Intellectual property, technology and secured data are among the most critical assets of a corporation. Board members need to have a better understanding of the nature of cyber risk and its management inside the organization, for which they are responsible. Typically, boards are looking towards risk committees, technology committees or audit committees to deal with these issues, but they are unsure as to who should take ownership, because the subject matter cuts across all three. There is no clear guide as to how boards should deal with this high-profile issue. This is a top-down issue, and boards are asking their CIOs to brief them on what the strategy should be. But this is not just an IT/CIO issue but also an issue for the general counsel. It is an issue that cuts across multiple verticals in any corporation.
Editor: What are Security Analytics?
Plesco: Security Analytics have come into vogue over the last two years – especially with the rise of Big Data and Big Data analytics – bringing into view the combined areas of a corporation’s security mechanisms (or lack of security mechanisms) from a data standpoint. Taking into account, and bringing together, all of the indicators from the network and third-party intelligence sources, one might detect that someone had broken into the network – or more importantly – is about to attempt a break in. Corporations should have pre-set response strategies as to what they should, or should not, be doing in such situations. That, in a nutshell, is Security Analytics – taking all of the indicators and analyzing them in machine time, to provide warnings if something is amiss, as well as applying a pre-set escalation criteria on how to respond.
Editor: What do you mean by a Security Intelligence Model that utilizes third-party data?
Goings: Let’s use for example, an insurance company that underwrites an insurance policy based upon a person’s experience; it is no different in the cyber world, since there is so much available information about the people who are doing the attacking. You use that information like simple algebra – you take the known and make an assumption to figure out what the unknown is.
Plesco: There are companies that look at negative activities on the Internet – where nation states, cyber terrorists, hacktivists and cyber criminals are targeting corporations and individual CEOs. They look to detect intelligence related to what is about to happen to them, or is currently happening to their peers. The model they have developed takes this threat intelligence inside an organization, combines it with network security intelligence to anticipate an attack, and escalates it to prevent anything from actually happening. For example, the financial sector has deployed significant security analytics models that utilize third-party intelligence to identify and prevent D-DoS (distributed denial of service) attacks. Last year, they shared information through third-party intelligence and public/private partnerships announcing service attacks against the banking sector, giving other financial companies notice of imminent attacks. That information goes into a corporate security analytics and intelligence model that allows them to identify the threat, escalate it, prioritize it and hopefully stop the mode of attack before it happens.
Editor: Can you give examples of industries where this is deployed?
Goings We know that this is being deployed in some of the large banking and financial institutions, as well as in several other industries: aerospace and defense, oil and gas, telecommunications, and retail companies with an e-commerce channel. This form of people-process methodology is being employed to better protect and defend them. This is not something new that is taking place in these industries, but it is being rolled out to larger markets.
Editor: What type of ROI can one expect with such a deployment?
Goings: The reality is that the ROI is unlimited. What value can be placed on a company from a reputational, legal and compliance standpoint? That is what you are protecting and defending.
Plesco: ROI is dependent upon the industry. That is the question CIOs have been struggling with: How do you show ROI to the C-level and how does the C-level show it to the board of directors? That paradigm has shifted from bottom-up to top-down. The board is now saying, how do we do this, and what return will we get on our investment? The real question should be, what do we lose if we don’t do this? I know of one company that has spent one billion dollars on an IT transformation, just to get the analytics and the networks they need to deal with these types of problems.
Editor: What is the current standard of care in the industry? How would you defend a shareholder suit that claims the board did not follow a standard of care?
Goings: The board holds a fiduciary obligation not only to the shareholders, but also to the employees of the company, for the protection of the company and its assets. The board has to be prepared for any negative incident that occurs, and they have an obligation to prove compliance to their shareholders and stakeholders. The board also has to respond by dealing with the situation as adequately and as accurately as possible. Most companies retain third-party independent verification and validation to show that they have done a thorough and complete investigation of any problem, and take remedial steps.
Plesco: In 2011, the SEC sent out guidance asking SEC-regulated companies to let them know when they were hacked. This was followed by a letter from Senator Rockefeller to every Fortune 500 CEO, asking the same question: What is the standard from a cybersecurity standpoint? How does the board ensure that the company has some kind of comprehensive response program and customized incident response team that is cross-functional with IT, compliance, communications, legal and finance? These are just minimum requirements. They need to weigh in and make decisions, look at their general D&O insurance and make a decision as to what type of cyber liability insurance coverage the company should have. Today, some boards are assigning responsibility to a C-level executive for regularly managing and monitoring any cyber risk with a direct report to the board, usually under the banner of the audit or other committees.
Editor: What does this mean for the general counsel and other counsel within a company?
Plesco: At the very minimum this is a change in the legal landscape from a standard-of-care perspective. Your inside counsel should understand where your peers in similar industries are. This has to be coupled with the nature of the threat and the environment that you are in. It is one of these issues where you don’t want to lead the pack in how to respond, but you don’t want to be behind the pack either. The task of the general counsel is to determine what the standard of care should be, and what action on cyber threats the board should take.
Goings: There are not many laws that cover this issue since a major incident has not yet occurred. Over the last few years a few bills have been introduced, but they have died for various reasons. The President, through executive order and federal agencies, has tried to get in front of this issue. Even our government considers cybersecurity a higher priority than terrorism, because they know there have already been acts within the United States that were cyber-related terrorist acts.
Editor: Do you see any more trends and corporate and government action in response to cyber threats?
Plesco: The trend that needs to continue is the sharing of intelligence and the incorporation of threat intelligence in an actionable manner into a corporation. Corporations have moved away from keeping to themselves information regarding a threat to sharing that intelligence with their peers. Another trend we’re seeing is the board having a C-level person – CIO, CTO, etc. – legally attest in a document that the company is secure and in compliance with all prevailing rules, regulations and the current standard of care in that industry. Because of the concerns regarding the standard of care, KPMG’s cyber investigation response teams are being brought in more and more, pursuant to attorney-client privilege, to investigate these instances.