By Paul Ferrillo and Randi Singer
“By the time you hear thunder, it’s too late to build the ark.” – Unknown
In November 2014 – just two weeks after Admiral Michael Rogers, director of the National Security Agency, testified to the House Intelligence Committee that certain nation-state actors had the capability of “infiltrating the networks of industrial-control systems, the electronic brains behind infrastructure like the electrical grid, nuclear power plants, air traffic control and subway systems”[i] – Sony Pictures announced it had experienced a major cyber-attack, one many sources believe was likely perpetrated by or on behalf of a nation-state. This destructive cyber-attack was a game-changer for corporate America because it became clear that hackers are not simply focused on credit card numbers or personal information. Indeed, the attack on Sony was designed to steal the Company’s intellectual property, disseminate personal emails of high-ranking executives, and destroy Sony servers and hard drives, rendering them useless.[ii]
What the events of 2014 proved to corporate America is that there are no fool-proof methods for detecting and preventing a devastating cyber-attack. As FBI Director James Comey eloquently put it, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”[iii]
Thus, it is absolutely critical to understand what kind of data a company collects, how the company uses, stores, shares, processes, protects, and disposes of information, and how to develop and evaluate a plan to respond to attacks that target these data. Proper planning can mean the difference between a news story that begins, “Sony has just announced that Sony Pictures Entertainment co-chairman Amy Pascal is stepping down from her post,”[iv] and one that announces a major cyber-attack, but concludes, “Anthem said it doesn’t expect the incident to affect its 2015 financial outlook, ‘primarily as a result of normal contingency planning and preparation.’”[v]
Proper planning includes incident response and information management business continuity planning, which are mission-critical. They are (or should be) part of a Board’s enterprise risk management duties, and they are particularly vital for certain federally-regulated entities with an obligation to protect consumer and client information and to keep it private. We have written in-depth elsewhere about incident response plans and their elements.[vi] Here, we set forth a high-level summary designed to help evaluate a company’s incident response and business continuity plans.
Incident Response Planning – You Can’t Defend What You Can’t See
Given that 97 percent of the IT systems of companies surveyed globally have been breached,[vii] the question of how to protect a network from a breach is effectively a moot point. The better question is, how do you respond in the event of a breach when it occurs despite your best prevention efforts?
Incident response planning is exactly what it sounds like – a plan to detect and respond to indicators or actual evidence found on a network server or alert system that a malicious intrusion may be occurring.
In general, there are many indicators or precursors of a potential cyber-attack. Though there are far too many to list, potential triggers for a robust incident detection and response plan include:
This non-exhaustive list, based on the National Institute of Standards and Technology Computer Security Incident Handling Guide, illustrates one of the most basic challenges of working with advanced incident intrusion detection systems: they often generate thousands, if not tens of thousands, of alerts of potential intrusions into a company’s computer network every day. In fact, one recent report notes that potentially actionable (i.e., “we better take a look at this”) malware intrusions could number in the thousands per day.[ix]
Even in the largest companies, resources are not unlimited, particularly given the shortage of skilled IT professionals in the marketplace today, so each company’s incident response plan will necessarily reflect certain compromises. However, recent events offer some basic principles as to how companies can and should lay out their incident detection and response plans from a “process perspective”:
As there is no silver bullet in a constantly evolving environment where hackers are often several steps ahead of cybersecurity professionals (or at least adapt quickly to new security measures), a lawyer conducting due diligence on a company’s incident response plan should evaluate the approach and process of the plan. Malware leaves signs or indicators of “bad behavior” in logs. Network traffic monitors may show spikes at unusual times, or even better, at regular intervals. A robust plan will have a process in place to correlate all of the indicators as quickly as possible and then escalate the more “suspicious” events for further review. In many cases, automated processes that correlate aggregated log data using “big data” analytics may be of particular benefit given the time-sensitive nature of event response: any particular piece of malware could have devastating consequences if it is not quickly captured and eradicated.[xii]
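To make the correlate-then-escalate process concrete, the following Python script is an added illustration (not code from the authors or from any product the article cites). It reads a handful of constructed proxy log lines, raises an indicator when one host contacts one destination at suspiciously regular intervals (the “regular intervals” pattern above), raises another for contact outside business hours, aggregates the indicators per host, and escalates only the hosts whose combined score crosses a threshold. The log format, the scoring weights and the escalation threshold are all assumptions chosen for the example.

```python
"""Toy indicator-correlation pipeline over constructed proxy log lines.

Added example; the log format, scores and threshold are assumptions, not a
standard or a vendor's scheme.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log (ISO timestamp, host, destination, bytes). Not real data;
# addresses are from the RFC 5737 documentation ranges. One malformed line is
# included on purpose to show that the parser skips it.
SAMPLE_LOG = """\
2015-02-10T02:00:00 host-a 203.0.113.7 512
2015-02-10T02:05:00 host-a 203.0.113.7 520
2015-02-10T02:10:00 host-a 203.0.113.7 498
2015-02-10T02:15:00 host-a 203.0.113.7 530
2015-02-10T02:20:00 host-a 203.0.113.7 505
2015-02-10T09:13:22 host-b 198.51.100.4 150000
2015-02-10T10:47:05 host-b 198.51.100.9 22000
2015-02-10T13:02:41 host-b 203.0.113.7 3100
2015-02-10T16:30:10 host-c 198.51.100.4 8800
2015-02-10T03:10:00 host-c 198.51.100.22 700
2015-02-10 malformed line
"""

BEACON_SCORE = 3       # assumed weight: regular-interval contact with one destination
OFF_HOURS_SCORE = 1    # assumed weight: per distinct destination contacted off-hours
ESCALATE_AT = 3        # assumed threshold: hosts at or above this go to an analyst


def parse_log(text):
    """Parse 'timestamp host dst bytes' lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append({"ts": datetime.fromisoformat(parts[0]),
                           "host": parts[1], "dst": parts[2], "bytes": int(parts[3])})
        except ValueError:
            continue
    return events


def find_beacons(events, min_events=4, max_jitter=0.15):
    """Return {(host, dst): mean_gap_seconds} for pairs whose contacts are evenly spaced."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Every gap within max_jitter of the average: a machine-like cadence.
        if avg > 0 and all(abs(g - avg) <= max_jitter * avg for g in gaps):
            beacons[pair] = avg
    return beacons


def off_hours_pairs(events, start_hour=7, end_hour=19):
    """Return the set of (host, dst) pairs seen outside the assumed 07:00-19:00 window."""
    return {(e["host"], e["dst"]) for e in events
            if not start_hour <= e["ts"].hour < end_hour}


def correlate(text):
    """Aggregate indicators per host; return (scores, indicators, escalated_hosts)."""
    events = parse_log(text)
    scores = defaultdict(int)
    indicators = defaultdict(list)
    for (host, dst), gap in find_beacons(events).items():
        scores[host] += BEACON_SCORE
        indicators[host].append(f"beacon to {dst} every {gap:.0f}s")
    for host, dst in sorted(off_hours_pairs(events)):
        scores[host] += OFF_HOURS_SCORE
        indicators[host].append(f"off-hours contact with {dst}")
    escalated = sorted(h for h, s in scores.items() if s >= ESCALATE_AT)
    return dict(scores), dict(indicators), escalated


if __name__ == "__main__":
    scores, indicators, escalated = correlate(SAMPLE_LOG)
    for host in sorted(indicators):
        flag = "ESCALATE" if host in escalated else "watch"
        print(f"{host}: score={scores[host]} [{flag}]")
        for item in indicators[host]:
            print(f"    - {item}")
```

On the constructed data, `host-a` is escalated (a five-minute cadence to one destination plus off-hours activity), `host-c` is merely noted for one off-hours contact, and `host-b` produces no indicator at all. The point of the weights and threshold is the one the article makes: the individual indicators are cheap and noisy, so the plan has to define how they are combined and who sees the result.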
Business Continuity Planning
Information management business continuity planning requires implementing procedures to recover data and information from a backup source as quickly as possible in order to get systems back online.[xiii] Business continuity planning was once the province of preparations for hurricanes, fires, and earthquakes, but in the wake of the devastating attack on Sony Pictures – as well as the companion announcement of the wiper malware attack on the Las Vegas Sands[xiv] – it is incumbent upon a company (and its board) to plan for the consequences of a severe cyber-attack, which might involve the loss of data, the loss of servers, the loss of computer hard drives, and even the loss of VoIP-based phone systems. As many have noted, “The biggest risk a company faces in today’s uncertainty of cyber-attacks is not being prepared.”[xv]
Volumes can be (and have been) written about business continuity planning in general. Vendors abound in this area, many claiming to offer the “best” back-up and business continuity procedures. And of course, every company (whether it is U.S.-based or multi-national, or a financial institution, broker-dealer or “brick-and-mortar”) is different when it comes to determining the most important elements of a business continuity plan, including which systems are critical to the organization, and how and when to bring them online. But in examining a company’s continuity planning for a cyber-attack, at least the following issues should be addressed:[xvi]
Like an incident response plan, a business continuity plan needs to be tested, the personnel responsible for implementing it need to be trained, and it should be periodically rehearsed so that all involved (including third-party or outsourced vendors) know their roles in getting the organization’s information management system back online.[xx] Ideally, a plan should be put to the test through a full-scale functional exercise that includes a “full cut-over” and recovery to back-up data.
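The “recovery to back-up data” test the article calls for can be reduced to a repeatable drill: restore the backup into a clean location and verify that every file the backup was supposed to contain is present and unchanged. The script below is an added example, not the authors’ own procedure; it builds a small constructed data set, backs it up into a tar archive with a SHA-256 manifest, runs the drill, and records the date of the test. The second run deliberately replaces the archive with one that does not match the manifest, which is exactly the failure a rehearsal is meant to surface before a real incident does.

```python
"""Backup restore drill: restore into an empty directory and verify against a manifest.

Added example; the archive layout and manifest format are assumptions for
illustration, not a particular vendor's product.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir/backup.tar and write a manifest of expected hashes."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    manifest = {str(p.relative_to(src_dir)): sha256_of(p)
                for p in sorted(src_dir.rglob("*")) if p.is_file()}
    archive = dest_dir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def restore_drill(archive, manifest_path, restore_dir):
    """Restore into restore_dir, check every manifest entry, and return a dated report."""
    restore_dir = Path(restore_dir)
    expected = json.loads(Path(manifest_path).read_text())
    with tarfile.open(archive) as tar:
        # Refuse absolute paths and '..' components so a bad archive cannot write elsewhere.
        safe = [m for m in tar.getmembers()
                if not (m.name.startswith("/") or ".." in Path(m.name).parts)]
        try:
            tar.extractall(restore_dir, members=safe, filter="data")  # Python >= 3.12
        except TypeError:
            tar.extractall(restore_dir, members=safe)  # older Pythons lack 'filter'
    missing = [rel for rel in expected if not (restore_dir / rel).is_file()]
    mismatched = [rel for rel in expected
                  if rel not in missing and sha256_of(restore_dir / rel) != expected[rel]]
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
    }


def run_demo(corrupt_backup=False):
    """Build a constructed data set, back it up, run the drill; optionally tamper with the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "prod"
        (prod / "ledger").mkdir(parents=True)
        (prod / "ledger" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (prod / "config.ini").write_text("[app]\nmode=production\n")
        bak = tmp / "backup"
        bak.mkdir()
        archive, manifest = make_backup(prod, bak)
        if corrupt_backup:
            # Simulate a backup that no longer matches its manifest: one file is
            # truncated and the other is absent from the archive entirely.
            bad = tmp / "accounts.csv"
            bad.write_text("id,balance\n1,100\n")
            with tarfile.open(archive, "w") as tar:
                tar.add(bad, arcname="ledger/accounts.csv")
        restore = tmp / "restore"
        restore.mkdir()
        return restore_drill(archive, manifest, restore)


if __name__ == "__main__":
    print("healthy backup:", run_demo())
    print("damaged backup:", run_demo(corrupt_backup=True))
```

The report’s `tested_at` field is the kind of evidence a regulator asking for “the month and year in which the backup system was most recently tested” would expect to see; keeping it in the drill output rather than in someone’s memory is the difference between a plan that is practiced and one that is merely written.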
In many cases, the company that you are diligencing may be your own. It is indisputable that enterprise risk management is part of a director’s fiduciary duty to the organization and its shareholders. And cybersecurity today is undoubtedly part of enterprise risk management, and thus within a board of directors’ oversight role:
The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct. Management and the board of directors have the authority and responsibility to set the top priorities of the company. If being secure, vigilant, and resilient is not defined as a priority and communicated within the organization, there is little hope that the organization will deploy sufficient resources to protect its information systems and to respond to cyber events appropriately.[xxi]
Though the drafting of incident response plans and business continuity plans can be complex, the last 13 months of cyber-attacks have taught us that both types of plans should be in writing, in place, practiced, tested, and ready to implement at any time. Taking the time to plan may well determine the fate of a company following a cyber-attack.
****
[i] See “NSA Director Warns of ‘Dramatic’ Cyberattack in Next Decade,” available here.
[ii] See “Devastating malware that hit Sony Pictures similar to other data wiping programs,” available here.
[iii] See “Cyber Attacks on U.S. Companies in 2014,” available here.
[iv] See “Amy Pascal out as Sony Pictures co-chair,” available here.
[v] See “Health Insurer Anthem Hit by Hackers: Breach Gets Away With Names, Social Security Numbers of Customers, Employees,” available here.
[vi] See “The Importance of A Battle-Tested Incident Response Plan,” available here.
[vii] See “FireEye suspects FIN4 hackers are Americans after insider info to game stock market,” available here.
[viii] See NIST Computer Security Incident Handling Guide, Special Publication 800-61 (Rev.2) (2012), available here.
[ix] See “Security Case Study: Responsys,” available here. The same study notes that one large network it studied was getting 100,000-150,000 cyber “events” per day.
[x] See e.g. “An Adaptive Approach To Cyber Threats For The Digital Age,” available here (discussing one such advanced solution).
[xi] Indeed, for regulated investment advisers and managers, the April 2014 SEC Office of Compliance and Examinations announcement listed most of these process steps as “required” answers that a regulated entity will have to give at its next annual examination. See “OCIE Cybersecurity Initiative,” available here.
[xii] See e.g. “Big Data Analytics for Security Intelligence,” available here (noting “Big Data tools have the potential to provide a significant advance in actionable security intelligence by reducing the time for correlating, consolidating, and contextualizing diverse security event information, and also for correlating long-term historical data for forensic purposes.”).
[xiii] Note that both incident response planning and business continuity planning are questions that are required to be answered as part of the SEC Office of Compliance and FINRA sweep programs that are currently ongoing with respect to cybersecurity.
[xiv] See “Now at the Sands Casino: An Iranian Hacker in Every Server,” available here.
[xv] See “Why Companies Need a Business Continuity Plan,” available here; “Hurricane, Fire… DDoS? Make Cyber Threats Part of Business Continuity Planning,” available here.
[xvi] We again note the concept of business continuity planning is “fair game” when dealing with regulators. See SEC OCIE Cyber Security Risk Alert, at pg. 2 (“Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists.”).
[xvii] See e.g. “Black Hat Keynoter: Beware of Air Gap Risks,” available here (noting the positives and potential negatives of an “air-gapped” backup system).
[xviii] The NIST “Contingency Planning Guide for Federal Information Systems,” Publication 800-34 Rev. 1, available here, also suggests that certain organizations may consider an off-site facility not only to keep their backup data, but to keep hardware available so that they can resume business operations from the off-site facility. Such a site would obviously be more expensive, but for larger companies it would certainly be a feasible option to resume critical operations as soon as possible.
[xix] Id.
[xx] See SEC OCIE Cyber Risk Alert, at pg. 3 (“[Does] the Firm periodically tests the functionality of its backup system. If so, please provide the month and year in which the backup system was most recently tested.”).