Kristofer Swanson, CPA/CFF, CAMS, CFE is Vice President and Practice Leader for the Forensic Services practice at Charles River Associates (CRA), which helps companies and their counsel respond to allegations of fraud, abuse, misconduct, and noncompliance. These allegations present in a variety of contexts, including data/cyber breaches, accounting and financial reporting irregularities, money-laundering, FCPA/ABAC violations and trade secret theft. He is frequently called upon to present his findings to boards and executive management teams, and to government regulators such as the SEC, FDIC, Federal Reserve, and U.S. Department of Health and Human Services.
Kristofer Swanson will be speaking at the Global Cyber Security Summit on October 12-13 in London, United Kingdom.
Christopher P. Skroupa: As your company moves more and more of its data to the cloud, how does your incident response plan need to change?
Kristofer Swanson: As valuable corporate data are moved to the cloud, so are many of the access logs and other forensic artifacts typically used by response teams to help determine whether and how much confidential information was compromised after a breach incident. Accordingly, incident response plans need to be periodically updated and tested, and should include:
- Directing the cloud provider to activate relevant access logs and other critical tracking mechanisms, and confirming that those forensic artifacts are being retained by the cloud provider for the length of time desired by the company, which may vary based on its risk and regulatory profile.
- Negotiating and memorializing in a service level agreement–in advance–the process, pricing, and agreed-upon response time for getting the relevant forensic artifacts and business data back from the cloud provider after an incident.
- Testing this data recovery process periodically to ensure that it continues to function as expected and as needed. Think of this as a “cyber fire drill.”
- Validating that the forensic data recovery process will scale. There may be features in place to quickly search a single mailbox or a single day’s worth of activity. But can your forensics expert quickly and effectively search for evidence of intrusion across all employees over a multiple-month time frame?
- Confirming that the cloud provider has the desired security, insurance coverage, and cyber disaster recovery protocols in place, and testing these periodically.
- Planning to retain an incident response team via outside counsel to reasonably establish and preserve attorney-client privilege. This is vital since it is likely that the findings and conclusions will be of significant interest to third parties who will have interests adverse to your own.
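As an added example, not code from the interview or from CRA, the following Python script is a small "cyber fire drill" of the kind the list above calls for, run against a constructed cloud audit-log export: it checks whether the retained logs reach back as far as the investigation window requires, searches one indicator across every user at once rather than one mailbox at a time, and sweeps all logins for a first-seen source IP over the whole window. The line format (one JSON object per line with user, ts, ip and event fields), the five sample records and the window dates are assumptions; each provider exports its own schema, so only parse_line() should need changing.

```python
"""Cyber fire drill against a cloud audit-log export.

Added example, not the interview's or CRA's code. ASSUMPTION: the export is
JSON lines with fields user, ts (ISO-8601 UTC), ip and event. Real providers
use their own schemas; adapt parse_line() accordingly.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export standing in for a months-long dump (not real data).
SAMPLE_EXPORT = """\
{"user": "alice@example.com", "ts": "2017-06-01T08:02:11Z", "ip": "203.0.113.7", "event": "Login"}
{"user": "bob@example.com", "ts": "2017-06-01T09:15:40Z", "ip": "198.51.100.23", "event": "Login"}
{"user": "alice@example.com", "ts": "2017-07-14T22:47:03Z", "ip": "192.0.2.99", "event": "Login"}
{"user": "carol@example.com", "ts": "2017-07-15T03:12:55Z", "ip": "192.0.2.99", "event": "MailboxExport"}
{"user": "bob@example.com", "ts": "2017-08-30T11:00:00Z", "ip": "198.51.100.23", "event": "Login"}
"""

# Assumed investigation window and indicator for the drill.
WINDOW_START = datetime(2017, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 8, 30, tzinfo=timezone.utc)
IOC_IP = "192.0.2.99"


def parse_line(line):
    """Parse one export line into a dict with an aware datetime in 'ts'."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def load_export(text):
    """Parse the whole export, skip blank lines, sort chronologically."""
    recs = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    recs.sort(key=lambda r: r["ts"])
    return recs


def retention_check(records, window_start, window_end):
    """Does the export bracket the window the investigation needs?

    covers_start False means the provider kept less history than required,
    which is the retention gap the response plan is supposed to rule out.
    """
    oldest, newest = records[0]["ts"], records[-1]["ts"]
    return {
        "oldest": oldest,
        "newest": newest,
        "covers_start": oldest.date() <= window_start.date(),
        "covers_end": newest.date() >= window_end.date(),
    }


def search_indicator(records, ip, window_start, window_end):
    """Org-wide search: every user seen from `ip` inside the window.

    Returns {user: [(ts, event), ...]}. This is the query that must work
    across all accounts at once for the recovery process to scale.
    """
    hits = defaultdict(list)
    for r in records:
        if r["ip"] == ip and window_start <= r["ts"] <= window_end:
            hits[r["user"]].append((r["ts"], r["event"]))
    return dict(hits)


def new_ip_logins(records):
    """Flag logins from an IP that user has not been seen from earlier.

    A user's first login in the export sets the baseline and is not flagged.
    Requires chronological input (load_export sorts).
    """
    seen = defaultdict(set)
    flagged = []
    for r in records:
        if r["event"] != "Login":
            continue
        if r["ip"] not in seen[r["user"]]:
            if seen[r["user"]]:  # baseline exists, so this IP is new
                flagged.append((r["user"], r["ts"], r["ip"]))
            seen[r["user"]].add(r["ip"])
    return flagged


def run_drill(export_text, window_start, window_end, ioc_ip):
    """Run all three checks and return their findings together."""
    recs = load_export(export_text)
    return {
        "retention": retention_check(recs, window_start, window_end),
        "ioc_hits": search_indicator(recs, ioc_ip, window_start, window_end),
        "new_ip_logins": new_ip_logins(recs),
    }


def drill_findings():
    """Convenience wrapper: the drill over the constructed sample."""
    return run_drill(SAMPLE_EXPORT, WINDOW_START, WINDOW_END, IOC_IP)


if __name__ == "__main__":
    findings = drill_findings()
    ret = findings["retention"]
    print("retention: oldest=%s covers_start=%s covers_end=%s" % (
        ret["oldest"].date(), ret["covers_start"], ret["covers_end"]))
    for user, events in findings["ioc_hits"].items():
        print("IOC %s seen for %s: %s" % (IOC_IP, user, events))
    for user, ts, ip in findings["new_ip_logins"]:
        print("new source IP for %s at %s: %s" % (user, ts, ip))
```

On the sample, the retention check fails at the front of the window (the oldest record is June 1, the window starts March 1), which is exactly the finding a drill should surface before a real incident, while the indicator search and the first-seen-IP sweep both run across all users in one pass.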
Skroupa: What are some of the unique ethical issues that corporations need to be prepared to grapple with when responding to ransomware and/or cybercrime incidents?
Swanson: A big challenge for every company is whether, and under what circumstances, it will pay a ransom. In addition to the public policy considerations, there are important practical and ethical questions that management teams need to be prepared to address, such as:
- Will paying the ransom increase the likelihood of being targeted again?
- If the threat actors are believed to be linked to a terrorist organization, what potential criminal exposure could be created for the organization by making such a payment?
- From a governance perspective, does management need board approval before authorizing such a payment?
- If there are specific impacted individuals who need to be notified that their identities and/or other regulated data have been compromised, but law enforcement asks you to defer such notification while they conclude a parallel investigation, is it ethical to comply with such a request? What incremental legal liability could be created for the company by doing so?
- Does a change in business strategy, such as the decision by a retailer to no longer accept cash, or the decision by a manufacturer to double down on the “Internet of Things,” exacerbate cyber risks to a company’s valued customers and employees?
- Could a ransom payment be considered a violation of the Foreign Corrupt Practices Act (“FCPA”)? Imagine a ransom note that states, “I will arrange for your contract with foreign government XXX to be terminated if you don’t pay the stated ransom by noon tomorrow.”
- What are the perspectives of your regulators on these issues?
A smart way to start a conversation around these types of practical, legal and ethical issues is to conduct what are often referred to as “tabletop” exercises, defined by the US Department of Homeland Security as “… discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios…. Many tabletop exercises can be conducted in a few hours, so they are cost-effective tools to validate plans and capabilities.”
Skroupa: What are some of the practical steps that companies can be taking now to reduce the costs of responding to a data incident?
Swanson:
- Assess whether your organization can reduce the amount of regulated and confidential data that you maintain, and reduce the tools and personnel who have access to it. Progress on this front will also translate into contemporaneous savings on the data storage front and in the varying license fees that are often incurred for different access rights.
- Continuously strengthen your existing policies and procedures to prevent/detect/correct potential breaches, including deploying proven technology tools, limiting access rights within the organization, segmenting networks into subnetworks to enhance security, and delivering timely and effective role-appropriate training and testing.
- Engage with your board in these discussions to help them provide better oversight of these risks, and be able to demonstrate that they fulfilled their fiduciary obligations.
- In your risk assessment and response planning, recognize that the “ransom-as-a-service” (“RaaS”) business model is not the only motivation for such attacks. Sometimes the goal can be the theft of trade secrets and other confidential information. And increasingly, corporations are facing state actors — competitors and cyber vandals who are engaged in outright sabotage; for example, a German steel mill sustained massive damage when hackers took over a blast furnace and intentionally caused a malfunction.
- Reduce the amount of customer/client data that can be transmitted via email, and instead keep it primarily on secure, encrypted company networks, and accessed only by authenticated users.
- Purchase contingent business interruption insurance, typically available as a rider to a standard property insurance policy, to cover losses to your company resulting from a cyber event in which the cloud provider experiences an interruption to its business operations.
Skroupa: What types of class action litigation should companies be prepared for?
Swanson: A well-known risk is the potential for class action litigation, which can emanate from a class of customers or employees who may allege damages as a result of having their regulated data compromised, or from a class of shareholders if a cyber incident is alleged to have caused a drop in stock price.
More recently, the plaintiffs’ bar has been focused less on the facts of the incidents and more on related statements made by management that were later alleged to be untimely and/or misleading.
Management and boards also face potential exposure if they cannot demonstrate that they had adequate controls, policies, procedures, technologies and training programs in place to reasonably prevent and/or detect a cyber incident, especially if there is a perceived gap between their actual security and recovery capabilities and representations made to regulators and/or in public filings.
The plaintiffs’ bar closely follows evolving regulatory standards, while the regulators closely follow the courtroom outcomes resulting from the creative and ever-evolving theories of damage and liability asserted by the plaintiffs’ bar. Smart companies carefully keep one eye on each of these actors in our business ecosystem.
Some additional causes of action being trumpeted by the plaintiffs’ bar in their pursuit of potential whistleblowers include the failure to purchase adequate cyber insurance, and the failure to promptly report suspected cyber incidents and/or notify impacted third parties in a timely manner.
Skroupa: What are some of the economic damages that companies may be able to recover from third parties?
Swanson: Because a breach may well be enabled by a third-party vendor, careful contracting between the parties will be a critical factor to enable or limit the potential for a recovery from third parties. Such damages claims may include elements that are captured in a company’s books and records in the normal course of operations, such as:
- Costs of investigation, remediation, notification, and credit monitoring
- Costs to resolve related downstream litigation
- Incremental expenses incurred to recover from a cyber event, net of any “betterment” that may come by replacing old assets with newer assets of better quality
- Penalties and fines imposed by state attorneys general and/or other regulators
Other damage elements may be harder to quantify without expert assistance, yet may potentially be much larger, such as:
- Increased costs of debt and equity
- Loss of income caused by an interruption to business operations
- Lost future profits
- Increased insurance premiums
- Loss of goodwill and stock value
- Increased customer and/or employee turnover
- Increased regulatory scrutiny
- Reputational harm
Because some of these damages are a challenge to quantify, companies risk basing business and legal decisions on understated estimates of the comprehensive economic impact of a cyber incident. This may not only limit the scope of their attempts to recover such damages, it may also cause the companies to fail to fully comply with regulatory reporting and disclosure obligations.
Skroupa: How can your company better leverage your existing insurance coverage to mitigate the economic impact of a cyber incident?
Swanson: The time to perform a coverage assessment is now–and periodically thereafter. Each company’s risk profile is unique, and therefore the policies and coverage terms in place for one company might not be appropriate for another, or even for the same company a year later.
Many companies have obtained cyber insurance policies to help provide coverage. Although the language of these policies can vary, they are typically advertised as providing coverage for expenses incurred in a typical data breach, such as notification costs, credit monitoring, fines, penalties, and costs to defend claims by regulators.
The good news is that a company doesn’t necessarily have to have a policy with the word “cyber” in it in order to obtain some level of coverage. For example, business interruption coverage that is included as an endorsement in a property insurance or other policy may compensate for both the loss of income, and the incremental expenses incurred to continue business operations, when faced with a disruption from ransomware.
A standard directors and officers (D&O) policy may provide coverage for board members if named as defendants in a cyber-related derivatives action.
Kidnap and ransom insurance, often referred to as K+R insurance, has historically been used in situations where employees of multinationals are kidnapped for ransom. However, companies are increasingly filing claims under such policies in situations when their computers and systems have been “constructively kidnapped” by ransomware.
Property insurance policies written on an “all-risk” basis may cover all physical damage caused by any peril (including malware), unless the cyber threat has been specifically excluded.
Fidelity (or “crime”) insurance typically provides coverage in situations of employee-caused theft or sabotage, assuming the corporation can identify and prove the individual intentionally engaged in the wrongful acts, can reasonably quantify its losses, and can establish that the individual was an employee at the time of the conduct at issue.
Other types of policies may also apply.
Skroupa: What are the U.S. Securities and Exchange Commission’s (“SEC”) expectations of SEC registrants during a ransomware and/or cybercrime incident?
Swanson: Guidance from the SEC can be characterized as follows:
- If your company has a breach, and the breach is material, the financial impact of the incident needs to be disclosed in a timely manner. In addition, the costs of investigating and responding need to be accrued in a timely manner, unless immaterial.
- If your company does not have adequate processes in place to prevent a breach situation–or adequate processes in place to detect and correct such a situation in a timely manner–then that may also need to be disclosed, as such a fact pattern may be perceived by investors and creditors as contributing to a greater investment and counterparty risk than if making a similar investment in an otherwise similar company.
- If your company is part of a portfolio, these types of obligations may also flow up to the portfolio company’s financial statements.
- If a target company is acquired through the purchase or sale of securities, and if a material cyber incident occurred pre-close and was not disclosed to the purchaser, then the SEC may consider this to be securities fraud.
Other regulators and governmental entities have also communicated various expectations, and in some cases the penalties for non-compliance are severe, including potential criminal exposure.
The views expressed herein are the views and opinions of the author and do not reflect or represent the views of Charles River Associates or any of the organizations with which the author is affiliated.