News

Jun. 2, 2014

Cybersecurity becoming real issue for boards of directors

Publicly traded companies doing business with the U.S. need to begin focusing on the material risks of cybersecurity.


By Daniel B. Garrie and Yaron Sobol


Based on recent announcements made by the Securities and Exchange Commission, publicly traded companies doing business with the U.S. need to begin focusing on the material risks of cybersecurity. In April, the SEC issued a risk alert, the latest in a series of public announcements on cybersecurity by markets regulators.


Then there is the May 28 advisement issued by Institutional Shareholder Services, a prominent proxy adviser, which urged the ouster of most of Target Corp.'s board of directors because they failed to properly manage cyber-risks. Specifically, ISS called for the ouster of seven of Target's 10 directors for failure to ensure that Target's systems were protected from attack. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders," ISS wrote.


Some corporate directors have begun focusing on cybersecurity, usually through the appointment of a chief information security officer who reports directly to the full board, allowing the board to get unadulterated cybersecurity updates. And experience has shown that retaining a law firm with cybersecurity expertise can be invaluable in navigating a crisis, identifying issues before they become full blown crises, and ensuring that the company has appropriate insurance coverage.


Additionally, companies would be remiss to ignore the letters sent in January by the Financial Industry Regulatory Authority to broker-dealers to notify them about upcoming assessments of firms' approaches to managing cybersecurity threats. Indeed, in the SEC's risk alert, the commission indicated that it will conduct an initial set of examinations of more than 50 registered broker-dealers and registered investment advisers to collect information about the industry's recent experiences with certain cybersecurity threats and the level of the industry's cybersecurity preparedness.


The examinations will focus specifically on: cybersecurity governance and identification; assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with specific cybersecurity threats.


The scope of the SEC cybersecurity assessment will require broker-dealers and registered investment advisers to provide the following information upon request:

The firm's information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated. The firm will need to show the SEC that its physical devices and systems, as well as its software platforms, are inventoried. The firm should also be able to show that it creates and updates records of its network resources, connections, and data. The firm should demonstrate that such policies and procedures are periodically reviewed and tested.

The firm's cybersecurity risk assessment process and any findings from recent assessments. The firm must identify individuals or business groups that conduct the assessment and the date that the most recent assessment was completed. The firm should be able to provide records to the SEC of all identified risks and the measures taken to remediate these risks.

The firm's cybersecurity roles and responsibilities, including whether the firm has a chief information security officer or equivalent position. The firm should show the SEC that the information security officer has been given the authority and funding to maintain a staff that can properly design, maintain and oversee the firm's cybersecurity program. Here it is essential that the firm maintain written documentation of the information security officer's role.

The firm's insurance for cybersecurity incidents. A firm must procure insurance that covers losses and expenses related to cybersecurity events. Best practices usually require that the firm disclose to the SEC the nature of the coverage, any filed claims, and how those claims were resolved.

The firm's cybersecurity controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm's periodic audits of compliance with its information security policies. The firm should retain copies of any related written materials, together with records of the dates, topics and groups of employees that participated in each training event conducted. By recording this data, a firm is able to demonstrate to the SEC that it has taken measures to help minimize the risk of a security breach caused by human error.

The firm should have a written data destruction policy and cybersecurity incident response policy (IRP). The IRP should include a description of an IRP team. This could include the managing member of the firm, the information security officer and general counsel. The firm will also need to record when the IRP was most recently updated and demonstrate that it conducts tests or exercises to assess its IRP. The firm must also record when and by whom the last such test or assessment was conducted.

The firm should be able to disclose to the SEC details around the security of customers' online accounts, including the firm's policies for addressing responsibility for losses associated with attacks or intrusions affecting customers. Where online access is provided, the firm may also be required to disclose to the SEC details of any third parties managing the service, the functionality of the firm's electronic platform, the authentication process, and the software deployed to detect irregular customer requests. The firm may also be required to disclose the methods it employs to protect customers' PINs. If a firm offers guaranties to customers against attacks, then best practice requires that copies of these guaranties be provided to the SEC.

The firm's procedures for assessing cybersecurity risks posed by third-party contractors, including the firm's cybersecurity risk assessments of vendors and business partners with access to the firm's networks, customer data or other sensitive information. In addition, the firm should be prepared to provide copies of vendor or third-party contractors' information security plans to the SEC, copies of contracts with outside parties in which the firm included language dealing with appropriate security measures for a cybersecurity breach, and any training materials related to information security procedures and practices.

The firm's practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm's defensive measures. The firm should be able to demonstrate that it has restricted its users' access solely to the network resources necessary for their own business functions. It should also be able to produce copies of the policies and procedures for these control measures to the SEC upon request. Where the firm permits BYOD ("bring your own device"), it should be prepared to demonstrate to the SEC that it has adopted technology, procedures and practices to monitor and detect any type of unauthorized activity on mobile devices.


While the nine points above are a mixture of policies, systems and practices, at the end of the day a company must retain legal counsel to ensure that all these points are properly addressed. It is likely only a matter of time, given the current and rapidly evolving importance of cybersecurity, before the SEC expands its examinations beyond these few firms to include all firms, in the context of its supervising and verifying disclosure of material risks.

Daniel B. Garrie is a partner at Law & Forensics (www.lawandforensics.com), where he focuses on cybersecurity, e-discovery, and forensics. Mr. Garrie is the editor-in-chief of the Journal of Law & Cyber Warfare and a distinguished neutral with Alternative Resolution Centers, Conflict Prevention & Resolution, and a sitting special master and forensic neutral in state and federal courts. You can reach Daniel at (855) 529-2466 or Daniel@lawandforensics.com.

Yaron Sobol, a partner in Hamburger Evron & Co., Tel-Aviv, Israel (www.evronlaw.com), chairs the firm's technology and high-tech practice and has over 25 years of experience in technology law.

The authors would like to thank Michael Mann, a summer associate at Law & Forensics, for his assistance in preparing this article.
