Cybersecurity is an ever-changing subject in the legal sector
On a topic as broad and evolving as cybersecurity, it’s only natural that leadership guidance and principles should run a similarly wide gamut. Rather than seeking out one voice to weigh in on such a loaded topic, we will instead hear from an eclectic mix of opinions that are truly representative of the multi-faceted roles that lawyers (and non-lawyers) play. So, with these parameters in mind, here are four different takes on what lawyers should consider when thinking about a risk that – over the past two decades – has fundamentally reshaped not only the global business landscape as we know it, but critically all previously held conceptions about business risk, leadership, and a lawyer’s role in connection with both.
Cybersecurity, Law, and Leadership: Four Unique Perspectives
Taking the Lead on Cyber Threat Risk Management
Bob Wice, Cyber & Tech U.S. Focus Group Leader (Beazley)
As a leading cyber insurer, we have a front row seat to the evolving risks our insureds face each day. Over the past decade, we have seen the rise and fall of various causes of loss, and compromises of industry-specific vulnerabilities. Most recently, we’ve also witnessed the criminal use of malware and social engineering techniques to exploit a risk common to every organization: the human element.
A review of our cyber loss frequency and severity shows how all organizations in any class of business have a lot at stake these days. Cyber risk, which was once perceived as an issue for only large corporations susceptible to targeted attacks deployed by sophisticated hackers, now should be top of mind for companies of all sizes.
The good news is that an increasing number of corporate leaders have heightened awareness that cyber risk is a defining concern that requires Board level accountability. The organizations that are able to mitigate financial loss and reputational harm are those whose leaders are involved in cyber risk management oversight and who focus the enterprise on breach preparedness. This is a long way from the days when cyber threats were deemed to be a problem for the IT department to solve.
Our experience shows that corporate leadership that acknowledges a potential incident can be just around the corner will be better prepared to minimize its exposure. From a leadership perspective, the first step in protecting an organization from data theft is to support a comprehensive risk assessment program, so that when an inevitable cyber threat knocks on your door, your people are prepared.
Early cyber losses arose out of unencrypted portable devices, including laptops and backup tapes, particularly in the healthcare space. While it was unclear that criminals were actually monetizing the data from these losses, the breach response and regulatory proceedings costs proved to be significant. Once these losses got the attention of healthcare regulators and the costs accumulated, leadership at healthcare entities started to set aside resources and made strong data encryption a priority. Thankfully, after that, such losses started to fade from view.
Cyber criminals seeking financial gain are opportunistic. Their behavior is determined by risk versus reward. Once a particular window starts to close, they tend to move on. In late 2014, name brand retailers started to get hit with numerous data breaches, where fraudsters accessed point of sale systems with memory scraping malware. Seemingly, each week throughout 2015, another retailer suffered a significant card breach, and criminals monetized the stolen card numbers on the dark web. True to form, after leaders in the retail industry started to prioritize the implementation of end-to-end encryption at the point of sale, cyber criminals turned their attention elsewhere.
With the rising cost of healthcare, criminals started to target managed care organizations and large hospital systems, stealing valuable patient health records. Healthcare data became increasingly valuable on the black market, where it could be used to obtain expensive prescription drugs. Buyers of healthcare data used someone else’s credentials to seek medical care. Health records typically contain data that can be used for identity theft purposes, including social security numbers, and therefore are viewed as more valuable than credit card numbers. An increased focus on enterprise risk assessments highlighted which vulnerabilities needed to be hardened. After a spate of managed care breaches spiked in 2015 and 2016, criminals again appeared to move on.
Although retail and healthcare breaches continue to grab headlines, we have seen a new wave of losses resulting from business email compromise and ransomware schemes, where criminals deploy phishing campaigns to prey on our penchant for clicking on links and attachments.
In a business email compromise, criminals send phishing emails with links to what looks like a legitimate site that prompts the user to provide their credentials. Once the email account is taken over, the criminal can induce others to transfer funds to the wrong financial account or to send sensitive corporate or personal information. Having gained unauthorized access, the criminal can also sift through files, gathering personal details that enable them to tailor other phishing emails to greater effect. Not only can this result in fraudulent wire transfers, but the compromised organization can incur substantial forensic costs in determining whether sensitive personal information has been accessed and whether there is a notification obligation.
Along the same lines, ransomware has spiked as a cause of loss in 2018 and 2019, with many events deployed by unskilled criminals using a ransomware-as-a-service platform. Attackers are going after organizations of all sizes and in varying industries, casting a wide net, with ransom demand amounts increasing to six figures in some cases. Once in a system, criminals restrict access to infected computers, encrypting files on a hard drive and then demanding payment in exchange for decryption keys.
Again, it is clear that organizations focused on preparedness and security awareness can minimize the impact of or flat out prevent such incidents. Common best practices to thwart business email compromises include:
- Implementation of multi-factor authentication for remote access;
- Limitations on the number of employees with authority to submit or approve wire transfers;
- Standardized protocols for confirmation of requests to transfer funds; and
- Robust security awareness training for all employees.
Ransomware threats can be mitigated through proper segmentation of backups to prevent malware from spreading and infecting them. If the organization can successfully get back up and running from those backups, it can avoid paying the ransom. Other best practices to prevent ransomware losses include:
- Phishing awareness training;
- Locking down Remote Desktop Protocol (RDP);
- Hardening remote access with multi-factor authentication; and
- Diligent adherence to patch management and anti-virus updates.
Cyber threats will continue to evolve, and while there is no magic bullet for cybersecurity risk management, corporate leaders who pay attention and endorse the implementation of best practices will have a better chance of seeing criminals find another organization’s weakness to exploit.
Four Cybersecurity Leadership Tips for Attorneys
Sherri Davidoff, CEO (LMG Security)
Ransomware cripples attorneys and clients alike. Hackers infiltrate organizations for economic, political, or military gain. Compliance requirements change constantly and vary by industry, jurisdiction, and other factors. Today’s cybersecurity landscape is complex, nascent, and rapidly evolving.
In these rough seas, strong leadership is critical. Attorneys play a dual role in cybersecurity: first, as advisors to clients, who may have questions about cybersecurity or experience a data breach; and second, as part of the “human firewall” within your own organizations. Here are four cybersecurity leadership tips that every attorney can employ.
1. Secure Your Own Communications
Information is the lifeblood of the legal industry. Attorneys constantly send and receive vast volumes of data, through email, voice and text messages. Often, this data remains in cloud accounts or on mobile devices long-term, so it is easy to access—but this convenience can also make you more vulnerable to hackers.
The single most important thing you can do to secure your communications is to use multifactor authentication to protect your online accounts. In cybersecurity, authentication refers to the process of verifying your identity. There are three general ways to authenticate people:
- Something you know (for example, a password).
- Something you have (for example, a key).
- Something you are (for example, a fingerprint).
Multifactor authentication means that you verify your identity using two or more of these methods together. For example, when you log in, you might enter your password and a code from an app on your phone. This way, criminals can’t break into your account using just a stolen password. Many popular email and cloud services support two-factor authentication.
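To make the "password plus a code from an app on your phone" pattern concrete, here is an added example, not code from the original article or from LMG Security, of a login check that requires both factors. The one-time code is a standard RFC 6238 TOTP (time-based one-time password), the kind authenticator apps generate, implemented here with the Python standard library only. The `Account` class, the reference secret and the fixed timestamp are constructed for the demonstration; the secret and timestamp are the published RFC 4226/6238 test vector, not a real credential.

```python
"""Added example: a login that needs something you know AND something you have."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # TOTP time step used by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current Unix time divided by the step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate phone clock drift.

    hmac.compare_digest avoids leaking which digits matched through timing."""
    if at is None:
        at = int(time.time())
    base_counter = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base_counter + delta), code):
            return True
    return False


class Account:
    """Constructed account record: a salted password hash plus an enrolled TOTP secret."""

    ROUNDS = 200_000

    def __init__(self, password: str, totp_secret: bytes, salt: bytes):
        self.salt = salt
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ROUNDS)
        self.totp_secret = totp_secret

    def login(self, password: str, code: Optional[str], at: Optional[int] = None) -> bool:
        # Factor 1: something you know. Always computed so a wrong password costs the same time.
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ROUNDS)
        knows = hmac.compare_digest(attempt, self.password_hash)
        # Factor 2: something you have (the phone holding the TOTP secret).
        has = code is not None and verify_totp(self.totp_secret, code, at)
        # A stolen password alone is not enough; both factors must pass.
        return knows and has


# RFC 4226 / RFC 6238 reference secret and timestamp (test vector, not a real key).
RFC_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt
DEMO_TIME = 59  # fixed so the output is reproducible; TOTP at t=59 is 287082


def demo() -> dict:
    """Show what a stolen password buys an attacker with and without the second factor."""
    acct = Account("correct horse battery staple", RFC_SECRET, DEMO_SALT)
    pw = "correct horse battery staple"
    return {
        "password_only": acct.login(pw, None, DEMO_TIME),
        "password_plus_wrong_code": acct.login(pw, "000000", DEMO_TIME),
        "wrong_password_plus_code": acct.login("guess", totp(RFC_SECRET, DEMO_TIME), DEMO_TIME),
        "both_factors": acct.login(pw, totp(RFC_SECRET, DEMO_TIME), DEMO_TIME),
    }


if __name__ == "__main__":
    for outcome, ok in demo().items():
        print(f"{outcome}: {'access granted' if ok else 'denied'}")
```

Only the last case succeeds: the password by itself, or the password with a guessed code, is refused, which is exactly the property the paragraph above describes. The one-step drift window is a deliberate trade-off between usability and the size of the guessing space; a real deployment would also rate-limit code attempts.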
2. Support Secure Options for Clients/Colleagues
Clients and colleagues need to exchange information with you quickly and easily. Carefully consider what options you support. Email without encryption is not considered a secure way to send information across the Internet, because it can be intercepted in transit. Much like a postcard going through the mail, emails travel through intermediary computers on their trip from source to destination. Anyone with access to a computer along the path can read the contents of an unencrypted email.
Consider offering secure options, such as a reputable file sharing service and/or secure email service. Colleagues and clients who are sensitive to risks will appreciate that you support secure communications, and you will be a good role model for other attorneys.
3. Acknowledge Your Limits
Cybersecurity is complex and changes rapidly. New threats constantly emerge; best practices change; laws evolve and multiply. Even cybersecurity specialists who work hard to stay on the bleeding edge cannot possibly keep up with all the changes.
Attorneys are typically seen as the source of knowledge, but when it comes to cybersecurity, we must redefine our reactions. Good leadership in such a fast-paced space is not about knowing everything, but instead, about knowing your limits. Get comfortable acknowledging when you don’t know the answers, and build your network of experts so that you have the right person on speed dial when questions arise.
4. Handle Mistakes Gracefully
You might send an email to the wrong person. Your organization might get hacked. You might advise a client regarding a new cybersecurity regulation, only to find out later that you were wrong. Mistakes happen, especially in such a complex industry. How you handle mistakes is just as important.
If you think you may have made an error, first, confirm it. “Don’t push the panic button unless the sky is actually falling,” writes Randall Ryder of Lawyerist.com. “Investigate, analyze, and confirm you actually screwed up.”
Once you’ve confirmed your mistake, assess the extent of the damage and come up with a plan to communicate with everyone who is affected. Trust is the most important thing you have with clients and colleagues, and how you approach stakeholders in times of stress makes a big difference.
You may have suffered a data breach, or accidentally provided incorrect advice. Be open and honest, and your relationships will remain intact.
Every challenge is an opportunity, and this is as true for cybersecurity as it is in other areas. From hackers to malware to complex, emerging regulations, cybersecurity presents a myriad of challenges—and opportunities for leadership. By adopting these four tips—securing your own communications, offering secure options for others, acknowledging your limits and handling mistakes gracefully—attorneys can provide much needed leadership for clients, colleagues, and our communities.
Limitations and Opportunities: Cybersecurity and Lawyers
Jeffrey Batt, Cyber Insurance Practice Leader (Large U.S. bank)
Effective leadership in the cybersecurity domain is a somewhat tricky concept for lawyers. For starters, most lawyers transition or pivot into cybersecurity after first developing relevant experience in other legal practice areas, as opposed to becoming lawyers after initially working in IT or security. Therefore, right off the bat, lawyers may frequently be at a technical disadvantage when advising CIOs and CISOs – both in an in-house or external client capacity.
Similarly, regardless of the setting (in-house or private practice), lawyers typically need to juggle both privacy and cybersecurity considerations in their work. In private practice, this dual focus is typically dictated by economic needs, i.e., there not being enough billable client work to focus solely on cybersecurity, although that dynamic is changing for some firms as client incident response needs increase in the wake of rampant ransomware attacks. Yet the dual focus on privacy and cybersecurity is also a necessity given the intersection of both disciplines around data security, and especially in a global privacy regulatory environment where the possibility of severe fines or penalties for negligent non-compliance weighs heavily on many companies.
So, with these realities in mind, how can a lawyer optimally lead an internal team on cybersecurity while also being seen by senior corporate leaders, clients, and peers as an authoritative, informed voice on a dynamic risk area?
For starters, focus on being a risk advisor and problem solver. You don’t need to be a technical wizard, although some general know-how around core information security principles certainly helps. Understand how cyber risk correlates with other key corporate risks, and especially how core organizational assets – whether data, services, or products – are vulnerable. Engage with colleagues and external vendors to better determine the financial impact of such events, and advise on available solutions that can help limit related damage. Such solutions can include quantifying the impact of a large-scale data breach or operational loss event (or alternatively a key vendor’s operating loss), as well as procuring cyber insurance to manage financial impact. In such discussions, attorneys are the optimal bridge between more technical minded colleagues and the financial side of the house, a neutral interpreter of sorts who can create common ground between disparate viewpoints and strategically steer the organization’s risk preparedness efforts at a high level.
Next, always prioritize and be in constant learning and listening mode. Too frequently, learning is sidelined in favor of more pressing client or time-sensitive priorities, which is understandable. However, given how rapidly cyber threats evolve, it is critically important to stay abreast of new threats, trends, and solutions. Not only is such information essential for your client servicing needs, but also to optimally safeguard your own business.
Likewise, cybersecurity is a unique discipline where there is not necessarily a correlation between expertise and academic or test-based accomplishment. Unlike the consulting or legal world, where respective top practitioners frequently hail from leading MBA and JD programs, what often matters most in the cyber domain is experience with pre-incident preparedness and best practices recommendations, technical know-how (pen testing, “blue team” problem solving and defense), and all aspects of incident response. So, regardless of your prior experience or where you went to law school, try to listen and learn from either clients or colleagues as much as possible, as it will be the easiest way to both increase your understanding of cybersecurity and keep your skills sharpened.
Finally, lawyers need to own the regulatory interpreter / advisor role. This is a natural fit well within the scope of more traditional legal responsibilities, especially since lawyers frequently advise both internal and external clients on all types of regulatory developments. But cybersecurity is the one area where a lawyer’s perspective and training can be particularly invaluable, especially when combined with industry-specific or other regulatory experience where cybersecurity concerns are heightened (such as with financial institutions, power & utility, and most other critical infrastructure providers). In light of more stringent privacy regulations, both in the U.S. and globally, knowledge of and guidance around how corporate business practices can be optimally aligned with such requirements frequently concerns discussions around data security as well.
In our current environment where ensuring the security and permissioned use of data is increasingly important, by emphasizing enterprise risk management, actively listening and learning, and keeping pace with regulatory developments, lawyers can continue to play a pivotal leadership role around cybersecurity. After all, organizational cyber risk may be both daunting and unpredictable, but as with other business risks, a lawyer can provide effective guidance both internally and externally amidst such uncertainty.
Taming the Digital Swan
José Luis Colin Vega, Founding Partner, Colin Vega Fletes Attorneys at Law
The combination of low predictability and large impact is what makes a “Black Swan”, as Nassim Nicholas Taleb once wrote. This effect can be characterized by three main attributes: (i) the event lies outside of any real or regular expectations; (ii) it has an extreme impact; and (iii) it can only be explained after its occurrence, bringing a false sense of predictability.
In light of this theory, we now know that a “Black Swan” called the Fourth Industrial (Digital) Revolution has finally arrived. This new era encompasses several events or watershed moments that –standing alone or jointly– clearly and objectively confirm the existence of four new cornerstones on which human life will further develop.
This brand-new stage or “Black Swan” has been fostered over time by, among others, the human need to continue to accumulate wealth, for which price or value benchmarks are of utmost importance. Stone, silver, gold and oil have well satisfied those required standards, and against them almost every asset is price-tagged.
During the last century and the wake of the current one, every aspect of business global performance (which eventually unfolds to all daily life) had perhaps relied upon the value of a particular asset: oil. Currencies, stocks, commodities, among others, are governed (and might still) by it.
Since then, however, some consider that a threshold has been surpassed in value by what is increasingly becoming the most coveted asset for humanity in the forthcoming years and the new “oil” of the digital era: data or information.
The metamorphosis of data has reached sophisticated and unthinkable levels. We all are getting used to the fact that, whilst shared unconsciously or naively, information is immediately processed and returned in the form of tailor-made messages or advertisements that drive our choices and decisions based on profiling.
That has been further proven (and repeatedly confirmed) as it has come to light how the exploitation of information and data has grown until it tilts the scale, not only in our daily myriad of decisions, but in processes that govern the destiny of entire countries and even generations. The 2016 U.S. presidential election and Brexit referendum are both clear examples of how data was used to influence people’s votes, which in turn strongly influenced the respective outcomes.
Information and its inherent powers have geared and taken control of the visible and invisible hands that rule the world. People, companies (regardless of size) and countries all have been built –whether consciously or unconsciously, greatly or slightly– on data dependence to meet their operations and duties.
Obviously, such potential has a direct and proportionate relation to the catastrophic impact that data and information can produce, should it be misused. No great imagination is needed to envision that a devastating crisis could be triggered by a deficient custody or processing of them.
Hence, the use and protection of data should be at the very heart of all discussions regarding the daily performance of businesses or public entities (regardless of their specific field or activity), as it carries an unforeseeable potential for benefit and harm. Therefore, leaders must turn their eyes towards this primary element in the effort to secure it from the internal and external hazards that continuously threaten it.
Leaders must naturally behave as zealous defenders and talented alchemists when dealing with their data and information assets, for which cybersecurity plays a critical role. Accordingly, they need to carefully calibrate the balance between business interests, privacy rights and other considerations, in order to foster profits and mitigate risks.
Regardless of nuances, leadership is almost always linked to a core concept: success, which is often linked to financial achievement. When contemplating this objective, a natural triad comes to light, formed by specific aspects that depend on one another and must be jointly addressed to produce a favorable result: data / cybersecurity / leadership = success.
The challenges of a new era have been imposed on leaders, which will encompass, now more than ever, an accelerated myriad of novelties and caveats that certainly require a sophisticated legal, commercial and ethical sense, with cybersecurity increasingly playing a pivotal role in connection.
Taking the Lead on Cyber Threat Risk Management
Cyber risk should be top of mind for companies of all sizes and all kinds of organizations. The theft of patient health records from large hospitals, email phishing and ransomware attacks are good examples of the importance of security awareness. Attackers are demanding amounts increasing to six figures in some cases.
Organizations can minimize the impact of or prevent such incidents. For example, ransomware threats can be mitigated through proper segmentation of backups to prevent malware from spreading and infecting them.
Moreover, an increasing number of corporate leaders have heightened awareness that cyber risk is a defining concern that requires Board level accountability. Attorneys play a dual role in cybersecurity: first, as advisors to clients and second, as part of the "human firewall" within their own organizations.