Well now, 2014 has certainly started off with a nice digital bang, hasn’t it? The Target data breach appears to be two or three times larger than originally thought. Neiman Marcus also disclosed a breach of its payment card systems. The popular “Snapchat” program, which touted itself as a secure messaging system, suffered a breach that led to the leak of user information. Serious questions linger about the security of the “Obamacare” website, and everyone knows that the Defense Department and other federal agencies are under constant attack.
*Sigh* “So other than that, how was the play, Mrs. Lincoln?”
If you are a senior executive at any company in the U.S. and you don’t get by now that cyber threats should be on your radar, you may seriously want to reconsider how you evaluate risk. Sadly, the reality is that your company has likely suffered a cyberattack or data breach in some fashion. It’s a question of when are you going to find out about it, not if.
You might be saying to yourself “Okay, we’ve heard this before. So what?” Well here’s the “what” – it is time for the C-suite and management in general to make a list of New Year’s cybersecurity resolutions and get serious about them. The cyber criminals and malicious state actors are not slowing down, so it is time for companies to bulk up their defenses and strategies.
And these resolutions can’t be all pie-in-the-sky strategies and mission statements. It’s time to get down to brass tacks.
I’ll start with a few ideas for the CEOs, COOs, CLOs, and board members of the world just to get the ball rolling:
What’s the plan? Is there one?
First things first: check to see if your company has a cyberattack response plan. Undoubtedly you have one for other emergencies. Cyberattacks are no different. So make sure the company has a plan and actually take a look at it. Most importantly, make sure that you are a part of the plan. The last thing an executive wants to have happen is to be left out of the loop when the balloon goes up.
Don’t be the slowest animal in the herd. Take action to protect yourself now. I know that sounds simplistic, but too many companies sit back and wait for events to come to them before taking serious security measures. That cannot be the pattern anymore. Companies need to take a variety of measures to protect themselves against cyberattacks from multiple directions. Sitting behind a moat with the drawbridge up is not going to help. Companies have to consider multiple vectors and threats (insider theft, compromised components, cloud security, and so on). Taking these steps won’t guarantee complete security, but they will make you a harder target to hit. Which leads me to my next point…
Spread the risk out
What do you do in the face of an inevitable threat? Curl up in a ball under your desk? Stop caring? No, of course not. You plan, and you make risk minimization a priority. The same is true for cyberattacks.
Here is what that involves. First, as discussed above, have a good plan and make sure it is being implemented. Second, look at ways to be reimbursed for losses and expenses associated with cyberattacks—that mainly involves examining cyber insurance options. This is a relatively new class of insurance, and so just buying any old policy isn’t the best decision. Careful thought and review needs to go into determining what is the right policy and what is a fair premium point. But look sooner rather than later to lock coverage in place.
Third, get the lawyers involved. No, I don’t mean line them up to sue or threaten people. Instead, have them do what they are supposed to do: find ways in contract language to make sure everyone’s role is clearly defined. In other words, have the lawyers read vendor agreements and other contracts to make sure cybersecurity is addressed, and that it is understood beforehand who has to do what. This will provide an excellent opportunity to have others chip in when losses happen.
Finally, find proactive tools to cut possible losses or even eliminate them. That’s the Holy Grail, of course, but options are out there. The best one right now is the government’s SAFETY Act liability management program. That law can help limit liability, or even eliminate it, after an act of terrorism. Best of all, Congress is actively working to make that law even more clearly applicable to cyberattacks. Homeland Security Committee Chairman Mike McCaul, Ranking Member Bennie Thompson, and others have introduced the National Cyber Critical Infrastructure Protection Act (or “NCCIP”), which would make perfectly clear that the SAFETY Act applies to a variety of cyberattacks. This is the kind of law that the C-suite needs to know about, support, and use.
When all is said and done, 2014 should be the watershed year for corporate executives on cybersecurity. The costs associated with attacks are piling up, as are the number of attacks. Blissful ignorance no longer exists, nor does turning a blind eye to the coming punch. It’s time for the C-suite to roll up its sleeves and get to work.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.