More than ever before, in-house counsel are focused on and willing to devote resources to cybersecurity, a comprehensive survey from the Association of Corporate Counsel (ACC) found. But many have yet to take the necessary steps to ensure their data is protected. As the survey and anecdotes from general counsel show, for many companies, it isn't until after a data incident that they address what areas need shoring up.
Advice for managing cybersecurity risks seems to come down to the idea that companies need to invest time and resources, whether they have it or not.
Philip Yannella of Ballard Spahr, the firm that served as underwriter of the ACC's “State of Cybersecurity Report,” says there has been an evolution in the way in-house counsel view cybersecurity, with the survey showing 50% of respondents wanted to increase their role and responsibilities when it comes to cybersecurity.
And despite an overall scaling back of legal-department outside spending, 23% of respondents said their legal spend has increased as a result of their company's focus on cybersecurity.
“In respect to preparedness, it's a good survey, showing a lot of companies have the right mind frame,” Yannella says. “On the other hand, it's also showing that a lot of companies probably aren't where they need to be. They're not doing some basic things.”
One of the biggest standouts from the survey, Yannella says, was the lack of employee training. Employee error is the most common cause of a breach, yet while half of companies have mandatory training, few have a policy for testing that knowledge or ensuring attendance at the training, according to the survey.
Angelo A. Stio III, a Pepper Hamilton partner who focuses on cybersecurity, says privacy policies have to be handled at an organizational level through the implementation of administrative, technical and physical standards. Making sure employees follow those privacy policies is important in states whose consumer protection laws expressly make it a deceptive and fraudulent business practice to publish inaccurate privacy policies, Stio says.
Chad Whalen, who recently joined Calgon Carbon as general counsel, experienced a data incident at his former company that involved potential employee error. The manufacturing company was a target of a phishing scheme that would send e-mails to company employees in the hopes they would click the link and open up the company to data mining.
Whalen says it was the FBI, not the company, that detected the scheme, and the company then moved to implement procedures to train and test its employees on how to avoid such hacking attempts. It's a cost of doing business that just can't be ignored, according to Whalen.
“The best thing you can do, whether you have the budget for it or not, is to have the IT department go out and have an independent third party do a risk assessment,” Whalen says. “There will be a whole menu of recommendations that come out of it.”
In the case of his old company, Whalen says an employee had opened one of the phishing e-mails. The e-mail wasn't obviously problematic, he says, but there were enough clues that some better training would have prevented the employee from opening it. So the company began targeting itself, hiring third-party vendors to send the phishing e-mails and test the employees' response. The first time, there was about a 25% click-through rate, Whalen says. If the same employee continued to click the link on subsequent tests, they and their supervisors were given training.
“You have to be vigilant,” Whalen says. “The more you keep it top-of-mind for employees, the better it will be.”
Companies are beyond just the phishing concerns or warnings about leaving documents on the copier, says Victoria Silbey, General Counsel of financial services software provider SunGard, noting the increasing sophistication of cybersecurity risks. Silbey says companies have to create redundancies in this area to double-check compliance, and they have to invest the money; there can be no shortcuts when it comes to cybersecurity.
Jan P. Levine of Pepper Hamilton says all general counsel should keep up with industry guidance, Federal Trade Commission consent orders and developing case law.
“Working with risk-management, in-house and outside counsel on cybersecurity matters is essential,” Levine says.
Silbey says she only sees her role in this space increasing.
What also might be increasing is the purchase of cyberinsurance. According to the survey, more than half of companies have cyberinsurance. And of those that do, 68% say they have $1 million or more in coverage. About 25% say they expect that coverage to increase in the next year.
That may have to do with the fact that only 19% of those who experienced a breach said their policies fully covered the related damages.
“What this tells me is that the market hasn't quite figured out how to quite price cyberinsurance or companies don't know what issues they need to be looking for or how much cyberinsurance they need,” Yannella says.
The costs for responding to a data breach have risen, though they are still focused more on credit monitoring for large groups of people and any potential regulatory fine, the survey and Silbey note.