
TAG Cyber Law Journal

February 2019
By Kimberly Peretti
These areas are sure to be important in 2019.
CYBERSECURITY IS AN ENTERPRISE ISSUE. Clients, consumers, employees, politicians and regulators have rapidly shifting expectations about it. Companies would be wise to do more than simply confirm the existence of cybersecurity policies, procedures and controls. They should periodically evaluate the adequacy of their programs in light of the evolving cyber risk landscape, and consider taking steps to confirm internal compliance and effective implementation. In-house counsel play an important role in these efforts and should stay informed and ahead of the curve on threat intelligence. The following areas highlight what general counsel need to focus on.

1. Cyber fraud. In recent years, we have seen an uptick in criminals using spoofed or compromised email accounts to pass off fraudulent payment instructions as legitimate, leading businesses to transfer money to the criminals’ accounts. We expect 2019 to be no different. Known as business email compromise (and reported by the FBI as causing billions of dollars in losses), this type of fraud is one of the most prevalent. Law departments should consider taking steps to verify that policies and internal controls governing their companies’ wire transfers and change of payment instructions are effective and are being followed, including through review with company accounting and invoicing teams.

2. Proactive threat hunting. With six U.S. Department of Justice indictments of Iranian, North Korean, Chinese and Russian state-sponsored hackers in 2018, companies need to be mindful of the ongoing risk of sophisticated, persistent and long-term intrusions. In-house lawyers should consider working with their company’s information security team to verify that intrusion detection and other controls are fine-tuned and updated for current threats (based on the most recent resources available). They should also consider proactive threat hunting to verify that criminals are not already in their environment.

3. Secure accounts. Criminals continue to devise methods to compromise online accounts, whether through spear-phishing or other attacks, such as credential stuffing. Consider any such accounts that allow access to data with merely a username and a password to be at risk of compromise. Law departments should consider reviewing password policies to ensure that they have appropriate role-based and access-based restrictions, and discuss with information security whether multi-factor authentication is feasible and appropriate for these accounts.

4. Incident response planning. Companies that have well-defined and tested procedures for responding to, and escalating, cybersecurity incidents are significantly better situated to effectively handle an actual incident. The law department should consider reviewing escalation procedures that define when legal and non-IT business executives are informed of cybersecurity incidents and engaged in a response to a cybersecurity incident. Some questions to consider: Are these roles being informed at the appropriate time, in a structured manner and with the necessary detail? Legal should consider taking steps, such as reviewing actual response measures taken in recent incidents based on severity, to verify that the procedures are known and understood by relevant stakeholders—and are being followed.

5. Vulnerability and patch management programs. Hackers will always find ways to identify and exploit known vulnerabilities in company systems. Vulnerability and patch management programs help mitigate this risk. Legal teams are advised to work with information security teams to understand the company’s vulnerability and patch management program and review the procedures and time frames for patching identified vulnerabilities, based on risk, to ensure this is aligned with the company’s cyber risk appetite and regulatory expectations.

6. Employee training—beyond the phish. Social engineering techniques have become more sophisticated. Criminals are combining spear phishing emails with phone calls (before or after) to lend a veneer of legitimacy to their phishing attempts. Legal teams are advised to review employee training and awareness programs and consider whether they are flexible and adaptive to the ever-evolving social engineering techniques.

7. Data inventories and data retention. Data security incidents often involve “old” data or data that the company was unaware was being collected or stored in a particular location. Remember that you can’t secure your data if you don’t know where it is, and criminals can’t steal data that you don’t have. Legal teams should consider reviewing strategies on identifying data repositories and updating data inventories, as appropriate. Legal may also consider not only reviewing data retention policies, but taking steps to verify that they’re being implemented effectively.

Kimberly Peretti is a partner and co-chair of Alston & Bird’s Cybersecurity Preparedness & Response Team and National Security & Digital Crimes Team. She is the former director of PwC’s cyber forensic services group and a former senior litigator for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section. She draws on her background as both an information security professional and a lawyer in managing technical cyber investigations, assisting clients in responding to data security-related regulator inquiries, and advising boards and senior executives in matters of cybersecurity and risk. Peretti is a Certified Information Systems Security Professional (CISSP).