The #CyberAvengers are: Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma & Christophe Veltsos
The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.
In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100
per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors, such as:
1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for
2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid
3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems
WannaCry had all these factors, and more. First, even though WannaCry was thought to be a zero-day exploit, it was not truly unknown. It had been disclosed in March 2017 as part of a broader announcement of related exploits allegedly stolen from a US government agency. At that time, the software company involved (Microsoft) announced an emergency or ‘critical’ patch designed to fix the vulnerability that was ultimately exploited by WannaCry. A fix had been available for many systems in March 2017. Were all affected systems patched on time? Were all affected systems patched at all? We do not know for sure. The effectiveness of the WannaCry attack, however, gives a strong indication as to the answer.
“Cyber risk must now be viewed as an integral part of the overall enterprise risk management (ERM) framework for a board of directors and must be evaluated, documented and addressed/mitigated, according to the risk profile and economic realities of the company”
Secondly, and much worse for the companies and hospitals involved, this was not the first ransomware attack of 2017 (or 2016) or cyberattack on hospitals. A Michigan State University report examined US Department of Health and Human Services data and noted that almost 1,800 cyberattacks occurred in hospitals across the US over a seven-year period. Ransomware, in fact, has established itself as the bane of corporations. According to the FBI, ransomware is reported to have caused losses in 2016 of close to $1billion. This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us) settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware. No prudent, risk management-conscious executive or director could have been surprised by these broadly recommended best practices, nor by the more specific need for companies to have properly segmented back-up tapes, media or hard drives.
Despite this, WannaCry surprised people across a myriad of roles and responsibilities. People were surprised that a simple patch existed that would have enabled companies to avoid the whole issue. Unfortunately, many were caught without back-up media. Serving on the front lines of the cybersecurity battlefield, we were not surprised, but were in fact saddened that WannaCry was so effective, unnecessarily. WannaCry could have been much, much worse.
How to tackle cyber threats
The purpose of this article is not to shame or call out any one particular company or hospital that was affected by WannaCry. The organisations that are bravely dealing with the aftermath of WannaCry have enough on their plates already.
Rather, we write from a different point of view, i.e. that of a board of directors or board of managers of a company that is charged generally with a fiduciary duty of overseeing the cybersecurity posture of a company or organisation. This duty is part and parcel of their duty to oversee the entire enterprise risk management as a whole. As board members, the duty of the directors is not to ‘plug into the computer network’ but to:
- Ask questions designed to bring out potential improvements
- Engage directly with cybersecurity resources inside the company
- Continuously review and improve cybersecurity policies and procedures within the company
This article provides ‘the questions’ that boards should ask regarding the prevention and mitigation of ransomware, as well as provide our suggested ‘right’ answers to those questions. We will leave it to the board members to exercise their fiduciary duty accordingly.
Rather than having a ‘direct’ role in the information technology affairs of a company,
a board has an ‘oversight’ duty. That means directors have a duty to (1) become reasonably informed about the company’s cybersecurity posture, policies and procedures implemented by the company’s senior executives, (2) ask questions of relevant personnel in the company (IT and executives) concerning the cybersecurity posture to see if those policies and procedures are being properly and effectively implemented, and (3) make suggestions or pose thoughts and ideas about how to improve this posture and the cyber risk culture of the company.
In a speech at the New York Stock Exchange on 10 June 2014, former Securities and Exchange Commissioner Luis Aguilar stated: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols. Boards of directors are already responsible for overseeing the management of all types of risk, including credit risk, liquidity risk, and operational risk and there can be little doubt that cyber risk also must be considered as part of boards’ overall risk oversight. The recent announcement that a prominent proxy advisory firm is urging the ouster of most of the Target Corporation directors because of the perceived ‘failure…to ensure appropriate management of [the] risks’ as to Target’s December 2013 cyberattack is another driver that should put directors on notice to proactively address the risks associated with cyberattacks.”
Cyber risk must now be viewed as an integral part of the overall enterprise risk management (ERM) framework for a board of directors and must be evaluated, documented and addressed/mitigated, according to the risk profile and economic realities of the company. Each company will have different economic constraints and a unique risk appetite. The exercise of evaluating the risk for the entity and coming to a decision about mitigation within an ERM framework is an essential part of the board’s fiduciary duty.
This fiduciary duty is extremely important (in the age of WannaCry and others). Cyberattacks not only cause costs and business disruptions, but also can cause negative publicity, reputational harm, litigation and regulatory proceedings, each of which negatively impacts the company or organisation involved. Examples of such high-profile cases in the United States are Target Corp, The Home Depot, and Wyndham Hotels. Though there is little case law in the area, courts in the US generally note the duty of a board member is ‘reasonable’ oversight. Not perfect oversight. Not flawless oversight. Just reasonable oversight.
The risk of cyber vulnerability
So, what is reasonable oversight? What questions should be asked to get the board there, especially in cybersecurity, where there is often no right answer (just multiple ‘less wrong’ answers)? The courts will ultimately decide what constitutes reasonable oversight. But in our view, here is how an effective board director might be able to get to the right place and demonstrate his or her oversight was reasonable:
1. Get the cybersecurity policies and procedures of your company. All of them. Including training manuals. Read them thoroughly and become acquainted with them. Remember, if something goes wrong and your company gets hacked, some third party might say those policies were ill-advised, not enough, or just plain wrong.
2. Understand how your company or organisation is regulated and by which regulatory body. No two regulators are alike. There are material differences, especially between US and UK and EU regulators. Remember, regulators generally get involved when something bad happens and then look at things through a 20/20 hindsight view (which might not show a pretty picture). It is best to be proactive when it comes to cybersecurity.
3. Does your company perform employee training on a semi-regular basis (at least twice a year or more)? Does this training address email policies and social media sites that employees might visit? If your company does not, or performs training only when it is convenient, this area alone could be a ‘red flag’ to regulators.
4. Does your company have in place some sort of email ‘filtering’ system in order to reject any emails that might appear normal, but are actually sent from a spoofed or copycat address? In general, a company email address should be the only address used by company employees (and board members). Filters catch things which change the .com email address of a company in subtle ways to make it appear to be a legitimate email, when it is in fact very illegitimate.
5. When are critical patches and updates made to the network? Once a week, once a month? How quickly are critical or emergency patches made? 48 hours, 72 hours, two weeks, or longer? In general, critical patches should be made in 72 hours or less (e.g. WannaCry patch). Waiting too many days to make a patch effective could be your worst nightmare. Waiting months to make a critical patch effective might spell doomsday to your company.
6. Does your company have enough IT staff to handle not just security alerts that need to be investigated, but also handle patching, applications, the Cloud, and a host of other daily jobs that need to be performed? The lack of skilled cybersecurity workers in the US and UK is critical at this moment, and many companies are simply unable to hire as many people as they need, or as many skilled IT executives they need at a reasonable price. Now is not the time to have an understaffed IT department and there is nothing worse than having an understaffed IT department in a company that gets hacked. There are solutions for this, like managed service providers, and machine-learning driven cybersecurity orchestration and automation solutions. But you need to find the staffing answer first. Then, seek out the help of professionals if necessary.
7. What is your company’s password policy? Is it complex enough, with both letters and numbers and symbols, or can a password, such as ‘password’ or ‘0123456’ be held as sufficient? The answer to this question will be self-explanatory. Complex is good. 0123456 is bad. And ‘P@$$w0rd2017’ is almost as bad as ‘0123456’ as it will be one of the top 100 passwords tested by attackers.
8. Finally, what is your company’s back-up procedure and what back-up media are used by your IT department? This is a more complex question, but the generally rule is ‘back it up’ daily in at least three places: on site, off-site, and in the Cloud. Back-up solutions (which are relatively inexpensive and plentiful for both networks and desktops) should be enacted on a segmented basis, meaning that following the back-up they should be taken off-line and disconnected from the network so an encryption exploit cannot get to them. Remember, this is not like the old days where back-ups were few and difficult to employ. Major companies, such as Amazon (for the Cloud) and Carbonite (for smaller organisations) exist and can train your IT employees to become not only proficient, but fanatical about your company’s back-up policies and procedures.
Everyone is a target
Several factors existed in WannaCry that made us sad and all factors relate to the above questions we are asking you to consider: (1) improper or insufficient patching, (2) aging network architecture which was susceptible to ‘not’ being patched or not having patches readily available, and (3) insufficient back-ups. Unfortunately, each of these factors were and are, for the most part, entirely preventable or fixable at a reasonable cost. Yet they were not.
Why? We don’t know. Is cybersecurity ‘an enigma shrouded in mystery’? Is cybersecurity too hard to understand by most people? Are companies not investing enough in cybersecurity? Do companies think they are simply too small and thus ‘not a target’? We don’t know, but each of these questions begs the following answer: if your company has data that is valuable or computer hardware that is critical to running its business, it is a target. And, even if your company simply sends a lot of email and has employees, it is still a target. Simply put, everyone and every company is a target.
About the Authors:
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them. Mr. Ferrillo regularly counsels clients on cyber-governance best practices (using as a base the NIST cybersecurity framework), third-party vendor due diligence issues, cybersecurity regulatory compliance issues for private equity, hedge funds, and financial institutions that have been promulgated by the SEC, FINRA, the FTC, and the FDIC/OCC, the preparation and practicing of cybersecurity incident response plans, as well as evaluating and procuring cyber-liability insurance to protect against losses suffered by companies as a result of the theft of consumer or personally identifiable information, or as a result of the destruction of servers and corporate infrastructure.
Chuck Brooks is Vice President of Government Relations & Marketing for Sutherland Government Solutions. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year by the Cybersecurity Excellence Awards. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 500 million members. Chuck’s professional industry affiliations include being the Chairman of CompTIA’s New and Emerging Technology Committee, and as a member of The AFCEA Cybersecurity Committee. In government, Chuck has served at The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues on Capitol Hill.
Driven by an intense passion for technology and innovation, Kenneth Holley launched Information Systems Integration (ISI), a Washington, DC-based information technology (IT) services and consulting firm in 1993. Serving as ISI President and CEO for the past 23 years, Kenneth has provided IT consulting services to firms across the United States, with a particular focus on infrastructure security and data analytics. In recent years Kenneth has assisted many clients, including foreign sovereigns, ensure brand and profile security as well as building engaged communities within the social media realm.
For over 15 years George Platsis has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs. Professionally, he has worked on projects related to business development, risk/crisis management, resilience, cyber and information security, and cultural relations. He also creates custom-designed educational products and workshops, has been published, is a regular commentator, and public speaker. Currently, his professional efforts focus on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas. Some of the issues he tackles include: business continuity, resilience strategies, social engineering, insider threats, psychological warfare, data manipulation and integrity and information dominance. He is a team member of SDI Cyber, based in Washington, DC.
George Thomas is President of Three Hill Shoals, a firm that provides strategic advisory services to firms with a particular focus on addressing cybersecurity as a corporate governance issue. Over his twenty-five year professional career, Mr. Thomas has held a series of positions in banking, trading, asset management and auditing at a broad range of the financial services firms including General Electric, Citigroup, State Street Global Advisors, Instinet, and Nomura Securities International in New York, Boston and Tokyo, Japan. George currently splits time between New York, Boston and Bermuda, the risk capital of the world, and has a keen interest in real world implementations of next generation technologies including: blockchain, quantum computing, machine learning and artificial intelligence.
Shawn Tuma is passionate about serving his clients. He honors the trust they place in him by working hard to achieve their objectives as effectively and efficiently as possible. His integrity, intensity, and drive for excellence have helped him become an internationally recognized attorney and thought-leader in cybersecurity, computer fraud, and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Scheef & Stone, LLP and General Counsel and Director for the Cyber Future Foundation. Shawn frequently assists clients with cybersecurity and data breach related incidents, both as cyber insurance panel counsel and direct engagements. For proactive companies, an ideal role for him is to serve as a member of their team as outside cybersecurity counsel to help them prepare for and minimize the risks of doing business in today’s cyber risk-laden business world. Then, if a problem does arise, he is there to guide them through resolving those issues as well. He has worked his entire career as both a cyber lawyer and a complex business trial lawyer, a combination of experience that equips him with unique skills for helping businesses assess, avoid, and resolve problems in a very expeditious manner.
Chris Veltsos, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs to set and communicate strategic security priorities, or advising board members on effective governance of cyber risks, Chris enjoys working with business leaders to improve their organization’s cyber risk posture. As a faculty member at Minnesota State University, Mankato, Chris is Graduate Program Director for the Professional Science Masters degree in Information Security and Risk Management (ISRM PSM) launched in Fall 2015. Chris has written over 45 articles for IBM’s SecurityIntelligence.com blog on cyber topics such as the relationship between CISOs and board directors, effective security awareness, cyber resilience, and the communication and governance of cyber risks