Executives realize that cybercrime is an existential threat to business, but increasingly they have something else to fear: that the Securities and Exchange Commission will lower the boom if their firms haven’t taken adequate precautions or provided adequate disclosures related to those risks.
This past summer, the SEC hit Pearson and First American Financial with steep fines following data breaches, and the agency sanctioned eight investment firms over email takeovers. More recently, SEC Chairman Gary Gensler told the Senate his agency is developing a proposal on cybersecurity risk governance. He said it likely would address incident reporting and “cyber hygiene,” the steps firms take to defend against cyberattacks and improve online security.
There’s good reason for the SEC to fret. According to Accenture’s Cyber Investigations, Forensics and Response team, cyber intrusion volume rose by 125% over the first six months of 2021. Most of those attacks came through supply chain intrusions, targeted ransomware and extortion stings.
Ransomware is of particular concern to in-house legal teams, since it often involves deep-pocketed targets. According to Accenture’s study, more than 70% of targets are organizations with more than $1 billion in annual revenue.
It’s enough to make corporate legal departments seriously sweat, Florida-based IT consultant Jeff Birner said.
“I think the reason no one feels safe is that it’s been proven that cybercrimes are evolving,” Birner said. “We can defend, but attackers are getting smarter and smarter.”
With challenges growing, and the regulatory environment shifting, now is the time for in-house lawyers to consider what their companies can do to improve transparency. It’s also a good time to consider how they can work with regulators to shape the new rules and receive assistance mitigating cyberrisks.
Information-Sharing is Key
According to Mayer Brown Partner Marcus Christian, sharing information within an industry can lead to better solutions over time. One complaint he’s heard from corporate compliance officers is that, while companies share data with government regulators, regulators are rarely so forthcoming with actionable intelligence on emerging threats themselves.
By collaborating with the government and other companies, cybersecurity leaders can share their best practices, and those that lag can get help implementing new techniques.
Cybersecurity leadership may not always correlate with size, Christian noted, making it especially important for large companies not yet fully protected to seek guidance from their industries.
“There are some companies that have cybersecurity programs that are much larger than some fairly formidable corporations standing alone,” Christian said. “This level of seriousness needs to be reflected by all parties in all sectors.”
Disclose Early and Often
Stephen Riddick, general counsel at Tenable, advises fellow GCs to emphasize disclosure. In a recent risk management and compliance article published by the Harvard Business Review, Riddick said companies seeking tighter cybersecurity should form disclosure committees composed of director and senior-director employees as well as an information security leader. Such committees can then run surveys and advise executives on potential disclosure-related risks.
Riddick said timely disclosure of breaches is important. He noted that, in First American Financial’s case, six months elapsed between when the company became aware of the breach and when the company disclosed it. That’s likely far too long for the SEC’s taste, Riddick speculated.
“This is notable because the SEC has not seen fit to immerse itself in the internal affairs of public companies regarding cybersecurity before now,” Riddick said.
Even before companies are sure something has gone wrong with their cybersecurity, their best practice may be to just disclose upon realizing there’s a vulnerability, he added.
Build Forensics Into Your Strategy
Of course, all the best practices in the world aren’t much help without understanding what your company is up against, Riddick noted. Brett Callow, Threat Analyst at Emsisoft, agreed.
“Most ransomware attacks succeed because of fairly basic security failings, [such as] not patching systems or not using multi-factor authentication everywhere,” Callow said.
Another important step is to take forensic data to executives and make sure they’re informed, Riddick said. C-suite officers should always have a snapshot of the current risk level.
“A winning solution is to not be hacked, not be held for ransom,” Birner said. “It’s time for a lot of companies to review what they have and think outside the box as far as what they’re utilizing.”
Reprinted with permission from the October 4, 2021 edition of Corporate Counsel © 2021 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.