David Mace Roberts has been working to keep up with a constantly evolving cybersecurity and threat actor environment for many years. The most notable feature of a good cyber risk plan, he says, is that it looks unlike anything else on the market.
Awareness of cyber risk is increasingly catching the attention of boards of directors and senior executives. For Electronic Transaction Consultants (ETC), cyber has been a top risk priority for a long time. As a leading provider of smart mobility solutions, including electronic tolling solutions, we manage back-office systems and roadside systems for many prominent state tollways. That means we are dealing with personally identifiable information, payment data and a range of other sensitive data that we need to keep secure.
Regardless of the sector a business operates in, I would argue that cybersecurity is now a primary risk. The frequency of attacks and the aggressiveness and skill of the threat actors perpetrating them have grown exponentially. Threat actors are hitting ever larger targets, and the widespread use of cryptocurrency has aided the ability of threat actors to obtain money. In the absence of national or global legislation that restricts the ability of companies to pay, criminals will always be able to find an opportunity. But it is worth remembering that most of this crime is opportunistic. From the threat actors’ perspective, cybercrime is a business – potentially a very lucrative one. For general counsel, minimising these opportunities is essential.
It behooves any GC to understand what protections they have in place and to test whether they are adequate in the current threat environment. Lawyers may not feel cut out for this, but their ability to spot gaps in a defence strategy – even if only at a conceptual level – is often hugely important. Fortunately, many of the most effective steps an organisation can take do not rely on a high degree of technical familiarity with IT.
There are relatively simple steps that anyone can take to modernise their cybersecurity regime, including using endpoint protection and implementing remote monitoring, tracking and remediation. Updating remote access protection, installing virtual firewalls and enabling multi-factor authentication are all very important as well. Of course, you don't want to stop your company doing business, so even with things like multi-factor authentication you need to think about how often it is required and whether it needs to cover every device or network.
In a hybrid or work-from-home environment this is especially important. Again, there are simple tools that can make a big difference. For example, Office 365 offers advanced threat protection for email, with endpoint security enhancements rooted in an AI-based solution. It also has various levels of protection, such as automated response to security threats.
The other element that GCs must keep in mind is training, whether for their own team or the organisation more broadly. First, regular training is essential. If you only train once a year [the message] loses its impact and offers minimal protection. The form of the training is also important, and it pays to get creative. There are services available that do mock attacks with a fake phishing email sent around, and then if someone clicks on the link by mistake, they must take a remediation course and will ideally not make the same mistake again.
Of course, even the best protections and training cannot prevent a cyber incident from occurring, and having a robust response plan is essential to any cyber risk framework. A lot of companies will pull up a one-size-fits-all cyber response plan, but that’s really not good enough. A bespoke cyber response plan needs to be custom crafted for both you and your industry, and you should have a cyber response committee within the company. Everyone on that committee should know they're on the team and know exactly what to do when an attack occurs. That response plan should be periodically tested in a mock attack, so it becomes part of the team’s muscle memory.
Cyber rigor, like any other part of a company’s overhead, can be seen as a non-essential cost. It is not. If you are a senior member of a public company, you'd do well to look at the SEC, the NYSE and NASDAQ, which are all really pushing cybersecurity. A cyber incident is already an event requiring a Form 8-K to be filed within three days, but it is increasingly becoming a potentially catastrophic reputational risk.
Ask yourself: Do you want this on the front page of the Wall Street Journal, New York Times or the Washington Post? Do you want to have to answer to your board of directors, or to the securities regulators or to the investors or to the general public? If not, then taking the risk seriously now is the best defence.