Steven Grimberg and Mark Ray are Managing Directors at Nardello & Co., a leading global investigations firm that, among other things, specializes in cybersecurity consulting, internal investigations and incident response. Grimberg is a former federal prosecutor with the U.S. Department of Justice who led a cybercrime unit and investigated complex and high-profile criminal and national security-related cyber incidents. Ray is a former special agent with the Federal Bureau of Investigation who led global investigations involving transnational cyber-criminal organizations.
Christopher P. Skroupa: What should publicly-traded companies worry about most when it comes to cybersecurity?
Mark Ray: Computer hackers have an insatiable appetite for private data of all stripes, but publicly traded companies in particular have a target on their backs. The reason is that no matter the intended result of the bad guys, companies that are bought and sold on the open market can most easily achieve their ends. For example, computer hackers that are motivated by publicity or social causes, better known as “Hacktivists,” believe – and justifiably so – that the breach of a publicly-traded company will make for a better headline and yield widespread coverage from media outlets.
Hackers that are sponsored directly or indirectly by a nation-state can steal massive amounts of valuable intelligence, such as personal identifying information and personal health information, from a publicly traded company; or they can steal confidential intellectual property and trade secrets for the benefit of foreign state-sponsored competitors.
Steven Grimberg: And the most common type of computer hackers, those motivated by financial gain, see enormous opportunities in this space because of the ability to learn non-public information and then either trade on that information themselves, or sell the insider information on exclusive online criminal forums. In fact, there have been known instances of hackers compromising public entities not to steal and monetize their data, but to leak news of the compromise to the world while they cash in on their short-selling scheme.
Skroupa: Are there points of vulnerability in cybersecurity that are unique to publicly-traded companies?
Grimberg: Unique, no. Whether it’s a massive international conglomerate or a small family-owned business, the most predominant point of vulnerability in cybersecurity systems continues to be the human element. And what we mean by that is employees, contractors and other users on a company’s computer network who fail to abide by and follow good cybersecurity hygiene, whether it’s by unwittingly “clicking on the link” of a phishing or socially engineered email, failing to properly authenticate an online wire transfer request, or utilizing poor password security and not taking advantage of additional security measures that may be available within their computer or phone network system, such as two-factor authentication.
Most responsible companies these days require that their network users complete annual or periodic cybersecurity awareness training, but not enough companies test their users’ compliance. Companies of all shapes and sizes may want to consider a carrot-and-stick approach of rewarding cybersecurity-compliant employees – through financial or non-financial rewards – and disciplining poor-performing ones. And while most publicly traded companies today have security tools in place, many of these technologies are inadequate to stop social engineering attacks against unwitting employees without cybersecurity organizations and processes in place – in addition to the tools.
Ray: Another aspect of the human element that makes it the predominant point of vulnerability for companies within their cybersecurity system is the insider threat. A disgruntled employee, a trusted vendor/contractor, or a former employee that is still able to utilize online credentials to gain access to proprietary information, can cause tremendous amounts of harm.
Many in the security industry would argue that from a cybersecurity perspective, the insider threat is harder to detect than outside attackers. Publicly traded companies in particular should consider utilizing predictive analytical tools and implementing comprehensive insider threat programs to scope out potential red flags and warning signs before damage is done.
Skroupa: How should companies best prepare for the inevitable next cyber incident?
Ray: Most publicly traded companies today have a cyber incident response plan in place, but they may not be testing it thoroughly enough to account for a number of variables that may occur during an actual cyber event. There is no one-size-fits-all approach. We recommend to our clients that they conduct periodic cybersecurity assessments of their network that are specifically tailored to their industry sector and threat profile. Then, test the incident response plan with events such as tabletop exercises.
Tabletop exercises are analogous to a fire drill, where a hypothetical cyber incident scenario is developed and played out, and the good exercises will involve not only those company personnel who have direct responsibilities under the incident response plan but also the “C-Suite” executives who may not fully appreciate all the things that can go wrong during a real cyber incident. For example, what if the Chief Security Officer or head of IT is unavailable during a cyber-related event? Does the incident response plan account for missing personnel or the loss of basic services, such as electricity or cellular network availability? Like the incident response plan itself, the tabletop exercise should be specifically tailored to the company that is using it and not be just an off-the-shelf product.
We’ve seen these tabletop exercises done during executive committee meetings or corporate retreats, and of course they can be done as stand-alone events as well. The length and complexity of the exercises can be adjusted, but the main import is that it be done with the right decision-makers, both from an incident response and budget allocation perspective, in the room. In addition to being an outstanding tool for exercising their incident response plan, regulators and insurance providers are beginning to expect publicly traded companies to perform tabletop exercises as an ongoing part of their cybersecurity program.
Skroupa: Is a cyber incident at a publicly traded company considered insider information? When should it be reported to regulators, shareholders and law enforcement?
Grimberg: It is important for publicly traded companies, as part of their cyber incident planning, to implement well-defined controls and procedures for the executives and personnel within or associated with the company who will be “read-in” to a cybersecurity incident before its public disclosure. Recent data breaches have demonstrated that regulators and law enforcement will closely scrutinize the trading activity of executives and personnel within the control group of a cyber incident, so companies should be mindful of reputational considerations surrounding the sale of securities by personnel within their cyber-incident control group.
But the ultimate questions of whether and when to report a cyber incident are some of the most vexing ones faced by publicly traded companies in the cyber arena today. In the United States, the Securities and Exchange Commission recently issued guidance, which purports to clarify how cyber incidents fit in with existing disclosure requirements. But the guidance has received a mixed reaction over whether it provides companies with any new, actionable information or is simply a rebranded form of existing policies.
It is easy for regulators to mandate that company insiders not trade on ‘material’ nonpublic information relating to a cybersecurity incident, but that is much harder to implement in practice. The networks of publicly traded companies are being attacked thousands if not millions of times per day. Determining the ‘materiality’ of a particular cybersecurity incident is not always readily apparent, or at least not right away. Moreover, there is a big difference between a cybersecurity ‘incident,’ and an actual data breach. So publicly-traded companies may be placed in a trick bag of either failing to disclose a material cybersecurity incident on a timely basis in order to fend off regulator inquiries and class action or shareholder derivative suits, or alternatively over-disclosing incidents that in hindsight turn out to not be material to the company’s operations at all.
In today’s environment, publicly traded companies are under intense pressure to expedite the investigation of a cyber incident and get to the bottom of it right away so that any public disclosure that is deemed necessary is well informed and complete. Communicating anomalous cybersecurity incidents to law enforcement as part of the company’s incident response is important, not only because it’s the right thing to do, but also because the law enforcement and intelligence communities may have valuable information relating to the incident that may inform the company’s decision about whether and when to make a regulatory and/or public disclosure.
Ray: Further, if a company is multinational and subject to the General Data Protection Regulation in the EU which enters into force in May 2018, onerous reporting obligations – e.g., within 72 hours – may be applicable in multiple jurisdictions and under different regulatory regimes.
Mark Ray will be speaking at the Cyber Risk Governance program on March 13 in New York, NY on a panel entitled Working with Law Enforcement: A Case Scenario.