“The DNC Hack Was Not an Act of War” publishes in Metropolitan Corporate Counsel

On February 24, 2017, Executive Managing Partner Daniel Garrie and Joey Johnson published “The DNC Hack Was Not an Act of War: What we call it under international law should influence our response” in the Metropolitan Corporate Counsel.

The article discusses Russia’s alleged hack of the DNC and whether it qualifies as an “act of war” under international laws and norms. The authors conclude that measured and proportionate responses, founded in the rule of law, are the soundest long-term strategy for dealing with this attack. Quantifying what justifiably constitutes ‘measured and proportionate’ is the challenge that remains ahead.

“A New Focus on Law Firm Cybersecurity” publishes in the Legal Executive Institute

On January 11, 2017, Executive Managing Partner Daniel Garrie published “A New Focus on Law Firm Cybersecurity” on the Legal Executive Institute blog. Richard Borden, Counsel of Robinson+Cole and a specialist in cybersecurity risk management, contributed to this blog post.

Law firms have long held a hallowed position in the corporate world, as the preeminent keeper of confidences. But the frequency with which law firms are falling victim to data breaches and hacks should leave clients questioning their firm’s data security. Due to their trusted position in the business world, law firms have become a prime target for cyber criminals, and without adequate data security confidential client information can fall into the hands of a wide variety of bad actors.

“Is Cyberinsurance Really Worth It? Using ADR to Resolve Cyberattack Disputes” publishes on Law.com

On October 27th, 2016, Executive Managing Partner Daniel Garrie published “Is Cyberinsurance Really Worth It? Using ADR to Resolve Cyberattack Disputes” on Law.com. The article is co-authored with Andrew Nadolna, a mediator and arbitrator with JAMS, who has 25 years of experience in the insurance industry as a claims executive and litigator.

While strengthening a company’s cybersecurity posture can make a considerable difference, companies must also prepare for the unfortunate inevitability of a successful cyberattack. Recognizing this risk, companies have turned to cyberinsurance as a tool for mitigating their cybersecurity risks. Unfortunately, uncertainty still exists regarding how courts will interpret this relatively new type of insurance policy. Accordingly, contractual alternatives such as arbitration or mediation are often the most efficient means for resolving cyber coverage disputes.


“How prepared are law firms to face cyber security threats?”

On October 17th, 2016, Executive Managing Partner Daniel Garrie was interviewed by Thomson Reuters on the question, “How prepared are law firms to face cyber security threats?”

Thomson Reuters’ Joseph Raczynski spoke with Mr. Garrie on the cyber security issues facing law firms today, in the wake of the April 2016 hacking of Panamanian law firm Mossack Fonseca. Questions posed included “Why do hackers and other cyber criminals target law firms?” and “What steps can law firms take to get prepared to deal with these threats?”

The white paper Client Data: Secure as the Weakest Link, published with Thomson Reuters, further discusses these issues. It was co-authored by Daniel Garrie and Rhea Siers, scholar in residence at the Center for Cyber and Homeland Security and an adjunct professor at George Washington University.

Garrie and Griver Publish Article in Bloomberg BNA on CIO/CISO Liability in Cybersecurity Litigation

On August 26, ZEK’s Daniel Garrie and Yoav M. Griver published an article in Bloomberg BNA titled “Do CIOs and CISOs Get Covered in Cybersecurity Litigation.” In it, the authors discuss the increasing risk that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) will be personally sued in the event of a data breach or other cybersecurity incident, and suggest three ways in which that risk can be managed. The article is part of a continuing series discussing the increasing impact of the digital age.

https://bol.bna.com/do-cios-and-cisos-get-covered-in-cybersecurity-litigation/

* * *

Yoav M. Griver is a partner in Zeichner, Ellman and Krause LLP’s litigation group and a key member of its Cybersecurity practice. He works with clients to assess and secure computer systems, minimize cybersecurity risk liabilities, and ensure compliance with a panoply of regulatory frameworks and cybersecurity standards. Yoav frequently lectures on e-discovery, cybersecurity, and risk management issues nationally, and writes on these matters for a variety of journals, periodicals, and legal reviews. He is co-editor and an author of the multi-year treatise, Dispute Resolution and e-Discovery, which is published by Thomson Reuters.


Webinar – Introduction to Cyber Insurance Policy Litigation

Mr. Daniel Garrie, Co-Head of Cyber Security Practice at ZEK, will be co-hosting a 1-hour webinar with Thomson Reuters. Mr. Garrie and his co-host, Mr. Tom Ricketts, Senior Vice President, Executive Managing Director, Risk Management Solutions, Aon, will be discussing cyber insurance and its effects on policy litigation. They will provide an overview of the rapidly evolving cyber insurance policy space and present several case studies that focus on companies seeking cyber insurance policies. The panel will also examine frequent topics that arise in cyber security insurance policy litigation.

Mr. Garrie’s extensive knowledge in both the legal and cyber security fields will allow him to discuss critical matters in risk management and recommendations for how to appropriately respond to an attack. The webinar will take place Wednesday, February 11th at 1PM EST.

Webinar – What is the difference between a Cyber Criminal and a Cyber Soldier, and how will companies address cyber attacks by State Actors?

Mr. Daniel Garrie, Co-Head of Cyber Security Practice at ZEK, will be co-hosting a 1-hour webinar with Thomson Reuters. Mr. Garrie and his co-host, Mr. Clark, Attorney at the US Military Academy Cyber Institute, will be discussing the implications of cyber attacks on corporate America. Attendees will understand what corporations can legally do to respond, how best to handle the influx of media attention surrounding an attack, when and if to involve the United States government or law enforcement, and how to educate employees to prevent security breaches.

Mr. Garrie’s extensive knowledge in both the legal and cyber security fields will allow him to discuss critical matters in risk management and recommendations for how to appropriately respond to an attack. The webinar will take place Monday, February 9th at 1PM EST.


Risk Managers Should Step Up As SEC Targets Cyber Security

2014 brought companies like Sony Pictures Entertainment Inc., Domino’s Pizza, eBay Inc., and the US Postal Service to the front page as victims of cyber hacking. The reality is that cyber hacking is costing companies not only a headache and their reputation, but a whole lot of money. Despite statistics that put the worldwide annual cost of cybercrime at over $445 billion, many companies have not come to terms with reality. As cyber risks increase, risk managers must guide the board of directors and CEO to provide active oversight to assure that their enterprises have prudently taken all reasonable measures to protect themselves. The SEC has sharpened its focus on cyber security preparedness, including the regulation of disclosure by public companies to address cyber security as a material risk that needs to be fully disclosed. If these risks are regularly disclosed and a company has legally insufficient protections, lawsuits presenting substantial risk are sure to follow.

To do their jobs effectively, risk managers and cyber attorneys today must fully understand the technological implications of cyber security. Absent a full understanding of cyber technology, both are ill-equipped to properly advise and protect companies on the legal and regulatory issues involved. The issues are multiplying and complex, ranging from compliance with government and industry regulatory bodies to litigation arising from lawsuits by a number of actors and corporate partners whose personal data has been lost, compromised, and/or held hostage. This article addresses a number of central issues that risk managers must make sure their cyber attorneys are able to resolve to protect against substantial liabilities. Risk managers must significantly change their behavior to help guide their companies in taking the necessary and prudent steps to protect against the vast legal liabilities cyber presents.


SEC’s New Cyber Inspection and Examination and the Effects on Broker-Dealers and Law Firms (Part 2 of 2)

The first post of this series gave an overview of the SEC’s “OCIE Cyber Security Initiative” and its effect on broker-dealers and registered investment advisers. This post takes a closer look at the nine pieces of information that must be provided upon request and their implications for firms.

The scope of the SEC cyber security assessment will require broker-dealers and registered investment advisers to provide the following information upon request:

  1. The firm’s information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated. The firm will need to show the SEC that its physical devices and systems, as well as its software platforms, are inventoried. It is imperative that the firm be able to show how it creates or updates network resources, connections, and data. The firm should demonstrate that such policies and procedures are periodically reviewed and tested.
  2. The firm’s cyber security risk assessment process and any findings from recent assessments. The firm must identify the individuals or business groups that conduct the assessment and the date on which the most recent assessment was completed. The firm should be able to provide the SEC with records of all identified risks and the measures taken to remediate them.
  3. The firm’s cyber security roles and responsibilities, including whether the firm has a chief information security officer or equivalent position. The firm should show the SEC that the information security officer has been given the authority and funding to maintain a staff that can properly design, maintain, and oversee the firm’s cyber security program. Here it is essential that the firm maintain written documentation of the information security officer’s role.
  4. The firm’s insurance for cyber security incidents. A firm must procure insurance that covers losses and expenses related to cyber security events. Best practice usually requires that the firm disclose to the SEC the nature of the coverage, any filed claims, and how those claims were resolved.
  5. The firm’s cyber security controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm’s periodic audits of compliance with its information security policies. The firm should retain copies of any related written materials, along with the dates, topics, and groups of employees that participated in each training event. By recording this data, a firm is able to demonstrate to the SEC that it has taken measures to minimize the risk of a security breach caused by human error.
  6. The firm should have a written data destruction policy and a cyber security incident response policy (“IRP”). The IRP should include a description of an IRP team, which could include the managing member of the firm, the information security officer, and general counsel. The firm will also need to record when the IRP was most recently updated and demonstrate that it conducts tests or exercises to assess its IRP. The firm must also record when, and by whom, the last such test or assessment was conducted.
  7. The firm should be able to disclose to the SEC details around the security of customers’ online accounts, including the firm’s policies for addressing responsibility for losses associated with attacks or intrusions impacting customers. Where online access is provided, the firm may also be required to disclose to the SEC details around any third parties managing the service, the functionality of the firm’s electronic platform, the authentication process, and the software deployed to detect irregular customer requests. The firm may also be required to disclose the methods it employs to protect customers’ PINs. If a firm offers guaranties to customers against attacks, then best practice requires that copies of these guaranties be provided to the SEC.
  8. The firm’s procedures for assessing cyber security risks posed by third-party contractors, including the firm’s cyber security risk assessments of vendors and business partners with access to the firm’s networks, customer data, or other sensitive information. In addition, the firm should be prepared to provide the SEC with copies of vendor or third-party contractors’ information security plans, copies of contracts with outside parties in which the firm included language dealing with appropriate security measures for a cyber security breach, and any training materials related to information security procedures and practices.
  9. The firm’s practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm’s defensive measures. The firm should be able to demonstrate that it has restricted its users’ access solely to the network resources necessary for their own business functions. It should also be able to produce copies of the policies and procedures for these control measures to the SEC upon request. Where the firm permits BYOD, it should be prepared to demonstrate to the SEC that it has adopted technology, procedures, and practices to monitor and detect any type of unauthorized activity on mobile devices.

While the nine points above are a mixture of policies, systems, and practices, at the end of the day a lawyer must sign off. Therefore, it is critical that the firm employ a lawyer who is a cyber security expert and has the requisite technical, legal, and business acumen. Otherwise, the firm exposes itself to unnecessary risks and costs.

Firms that fall under these guidelines should carefully evaluate their existing cyber security policies and practices in light of the SEC’s extensive sample requests and make any necessary adjustments and improvements. At a high level, firms should consider undertaking the following steps: (1) conduct periodic risk assessments, (2) evaluate third-party vendor risks, and (3) develop and test an incident response plan. Given the current and rapidly evolving importance of cyber security, it is only a matter of time before the SEC will, in the context of supervising and verifying the disclosure of material risks, expand its examinations beyond these few firms to include all publicly listed companies.

SEC’s New Cyber Inspection and Examination and the Effects on Broker-Dealers and Law Firms (Part 1 of 2)

Based on recent announcements made by the SEC, publicly traded companies doing business in the United States need to begin focusing on cyber security. On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations issued an alert entitled “OCIE Cyber Security Initiative” (the Risk Alert). The Risk Alert is the latest in a series of public announcements made in 2014 on cyber security by the SEC and other financial markets regulators.

In January, FINRA sent sweep letters to broker-dealers to notify them about upcoming assessments of firms’ approaches to managing cyber security threats. In the Risk Alert, OCIE indicated that it will conduct an initial set of examinations of more than fifty registered broker-dealers and registered investment advisers to collect information about the industry’s recent experiences with certain cyber security threats and the level of the industry’s cyber security preparedness.

The examinations will focus specifically on the following areas:

  • Cyber security governance and identification
  • Assessment of cyber security risks
  • Protection of networks and information
  • Risks associated with remote customer access and funds transfer requests
  • Risks associated with vendors and other third parties
  • Detection of unauthorized activity
  • Experiences with specific cyber security threats

The scope of the SEC cyber security assessment will require broker-dealers and registered investment advisers to provide the following information upon request:

  1. The firm’s information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated.
  2. The firm’s cyber security risk assessment process and any findings from recent assessments.
  3. The firm’s cyber security roles and responsibilities, including whether the firm has a chief information security officer or equivalent position.
  4. The firm’s insurance for cyber security incidents.
  5. The firm’s cyber security controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm’s periodic audits of compliance with its information security policies.
  6. The firm’s written data destruction policy and cyber security incident response policy (“IRP”).
  7. Details around the security of customers’ online accounts, including the firm’s policies for addressing responsibility for losses associated with attacks or intrusions impacting customers.
  8. The firm’s procedures for assessing cyber security risks posed by third-party contractors, including the firm’s cyber security risk assessments of vendors and business partners with access to the firm’s networks, customer data, or other sensitive information.
  9. The firm’s practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm’s defensive measures.

The second part of this series takes a closer look at these nine pieces of information that must be provided upon request and their implications for firms.