By Christopher L. Garcia and David P. Byeff, Weil, Gotshal & Manges LLP
(Christopher L. Garcia is a Litigation partner and a member of the Securities Litigation and White Collar Defense and Investigations practices at Weil, Gotshal & Manges LLP. Prior to joining Weil, he was Chief of the Securities and Commodities Fraud Task Force in the US Attorney’s Office for the Southern District of New York. David Byeff is a Securities Litigation associate at Weil, Gotshal & Manges LLP. His practice focuses on the representation of entities and individuals in connection with regulatory investigations, class actions under federal and state securities laws, and corporate governance and derivative litigation.)
The Southern District of New York and the Samuel and Ronnie Heyman Center for Corporate Governance at the Benjamin N. Cardozo School of Law co-sponsored a Symposium on the Cyber-Threat to Corporate America. The symposium featured two panel discussions on internet security that included as participants Robert Khuzami, the Director of Enforcement for the U.S. Securities and Exchange Commission (SEC); Paul Cappuccio, General Counsel for Time Warner; Robert Greifeld, CEO and President of NASDAQ; A.T. Smith, Deputy Director of the United States Secret Service; former White House advisor Richard Clarke; Joseph Demarest, Assistant Director in Charge of the FBI’s Cyber Division; Louise Parent, General Counsel of American Express; and Edward Stroz, founder and co-president of Stroz Friedberg, a cyber-security firm.
In his opening remarks, Preet Bharara, the United States Attorney for the Southern District of New York, noted the dramatic rise in the number of incidents of cyber-crime over the past decade and the Justice Department’s increased focus on prosecuting such crimes. Mr. Bharara observed that recent cyber-attacks show that hackers are increasingly interested in stealing trade secrets and committing corporate espionage for hire. Moreover, Mr. Bharara explained that cyber-attacks are increasingly being committed by state actors seeking to undermine the United States’ national security, infrastructure, government secrets, and public safety. Mr. Bharara emphasized that, in contrast to traditional crime, corporations have been slow to report cyber-crime to law enforcement. He called for corporate America to end this reluctance and to adopt a “culture of disclosure.”
PANEL DISCUSSION ONE: WHAT TO DO IF YOU’VE BEEN HACKED
The first panel discussion considered a hypothetical scenario in which a company gradually discovers an increasingly severe series of breaches of its network security, including a distributed denial of service (DDoS) attack, the theft of customer information and trade secrets, and the insertion of “backdoors” allowing hackers unfettered access to the company’s network even after the company corrected the vulnerability through which hackers originally gained access.
Responding to “Routine” Cyber-Attacks
The panelists explained that large corporations can experience over 5,000 DDoS attacks per day, but that most such attacks are easily thwarted and thus do not merit being reported to law enforcement.
Responding to More Serious Cyber-Attacks
In the case of more serious cyber-attacks resulting in the theft of customer information or of trade secrets, or the insertion of “backdoors” allowing hackers access to companies’ networks even after the original exploits have been patched, panelists suggested involving law enforcement as soon as possible. At a minimum, panelists emphasized the importance of having a plan that ensures that material cyber-threats are elevated to management and the board of directors. Panelists also recommended notifying joint venture partners and third parties whose confidential data may have been compromised, as well as sending letters to competitors explaining that any stolen data remains subject to trade secret protection.
SEC Disclosure Obligations
When asked about the potential public reporting consequences of network security breaches, SEC Enforcement Director Robert Khuzami was reluctant to offer any definitive guidance, acknowledging that the SEC does not have specific rules governing the disclosure of breaches of network security.1 Instead, Mr. Khuzami suggested that the SEC’s traditional disclosure rules – that companies must disclose events with a material impact on their business – apply to cyber-crime, and that more serious security breaches (including those involving the theft of customer information) typically are material enough to warrant disclosure. Other panelists pointed out that public companies often are confronted with difficult considerations regarding the timing of disclosure, including in instances where law enforcement requests that companies not publicly report a breach so that investigators can continue to build a case against a suspected perpetrator.
PANEL DISCUSSION TWO: CREATING A CULTURE OF SECURITY IN BUSINESS
The second panel discussion considered how companies can improve their corporate culture – including corporate governance – regarding cyber-security.
Pervasiveness and Scope of Cyber-Crime
Messrs. Demarest and Clarke emphasized that cyber-crime represents a substantial threat to the U.S. economy, in particular financial services and intellectual property. They provided numerous examples of how widespread and costly cyber-attacks can be, including that:
• At least 300,000 incidents of cyber-crime (amounting to $500 million in losses) were reported in 2011 (the cost of cyber-crime was likely many times that amount if unreported incidents were factored in);
• In one incident, within a matter of minutes, hackers in China stole from a US company 10 years of research and development work product that cost $1.3 billion to develop;
• The hacking group “Anonymous” posted 60,000 stolen credit card numbers online, which were then used to make more than $1,000,000 in fraudulent purchases; and
• According to a Verizon survey, two-thirds of hacked companies surveyed were unaware of any security issues until they were informed by law enforcement.
All panel members agreed that cyber-security is no longer simply an information technology issue – or even a Chief Information Officer issue – and that proper reporting lines must exist between companies’ IT personnel and senior management and boards of directors, including audit and risk committees. Panelists emphasized the importance of “tone at the top” and forming relationships between IT personnel and upper management to demystify technical issues. Mr. Clarke recommended having management engage in exercises simulating the company’s response to a cyber-attack so that roles and responsibilities are clear in the event of an actual emergency.
The panel members also agreed that many significant improvements to network security were inexpensive or practically cost-free. For example, numerous panel members emphasized that a focus on the physical security of a company’s premises tended to greatly increase network security. Another panel member suggested that simply reconfiguring networks to reduce connectivity to the most sensitive information greatly increased security, as did closely monitoring the access rights users receive by default.
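The two low-cost measures mentioned above, limiting which network segments can reach sensitive systems and checking the access that users receive by default, are both things a security team can audit mechanically. The following Python script is an added illustration and is not part of the symposium materials or the authors’ text; the network segments, firewall flows, users, groups and shares in it are constructed sample data, and the “approved” lists stand in for whatever a company’s own data classification says is legitimate. It computes transitive reachability to the sensitive segment and the effective share access each user inherits from default group membership, and flags anything outside the approved set.

```python
"""Least-privilege audit over a constructed network model and a constructed
group/share model. Added example; the data below is invented for illustration."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample: which segments may initiate traffic to which (firewall allow rules).
FLOWS: Dict[str, Set[str]] = {
    "guest-wifi": {"corp-lan"},
    "corp-lan": {"file-servers", "research-db", "internet"},
    "file-servers": {"research-db"},
    "research-db": set(),
    "internet": set(),
}
SENSITIVE_SEGMENTS = {"research-db"}
APPROVED_SOURCES = {"file-servers"}  # assumed: the only segment that needs the data

# Constructed sample: users, the groups they hold by default, and what each group can read.
USERS: Dict[str, Set[str]] = {
    "alice": {"Domain Users", "R&D"},
    "bob": {"Domain Users"},
    "carol": {"Domain Users", "Contractors"},
}
GROUP_SHARES: Dict[str, Set[str]] = {
    "Domain Users": {"public", "rd-archive"},   # a default group that quietly grants too much
    "R&D": {"rd-archive", "rd-current"},
    "Contractors": {"public"},
}
SENSITIVE_SHARES = {"rd-archive", "rd-current"}
APPROVED_USERS: Dict[str, Set[str]] = {"rd-archive": {"alice"}, "rd-current": {"alice"}}


def reachable(graph: Dict[str, Set[str]], start: str) -> Set[str]:
    """Breadth-first search: every segment reachable from `start` through allowed flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def excess_network_paths(graph, sensitive, approved) -> List[Tuple[str, str]]:
    """(segment, sensitive_target) pairs for segments that can reach sensitive data
    without being on the approved list. Transitive paths count: guest-wifi reaching
    research-db via corp-lan is just as much a finding as a direct rule."""
    findings = []
    for seg in graph:
        if seg in sensitive or seg in approved:
            continue
        for target in sorted(reachable(graph, seg) & sensitive):
            findings.append((seg, target))
    return sorted(findings)


def effective_access(users, group_shares) -> Dict[str, Set[str]]:
    """Union of the shares granted by every group a user holds."""
    return {u: set().union(*(group_shares.get(g, set()) for g in groups))
            for u, groups in users.items()}


def excess_default_access(users, group_shares, sensitive, approved):
    """(user, share, granting_groups) for users who inherit a sensitive share they
    are not approved for. The granting groups tell you what to fix."""
    findings = []
    for user, shares in effective_access(users, group_shares).items():
        for share in sorted(shares & sensitive):
            if user in approved.get(share, set()):
                continue
            via = tuple(sorted(g for g in users[user] if share in group_shares.get(g, ())))
            findings.append((user, share, via))
    return sorted(findings)


if __name__ == "__main__":
    for seg, target in excess_network_paths(FLOWS, SENSITIVE_SEGMENTS, APPROVED_SOURCES):
        print(f"network: {seg} can reach {target} but is not approved")
    for user, share, via in excess_default_access(USERS, GROUP_SHARES, SENSITIVE_SHARES, APPROVED_USERS):
        print(f"access: {user} reads {share} via {', '.join(via)} without approval")
```

On the constructed data the network check reports both corp-lan and guest-wifi (the latter only transitively, through corp-lan), and the access check reports bob and carol, each of whom reaches rd-archive solely through the default Domain Users group; removing that share from the default group is the whole fix. Running the same two checks against real firewall rules and directory group membership is the kind of inexpensive, repeatable control the panelists had in mind.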
FOSTERING RELATIONSHIPS WITH LAW ENFORCEMENT
Both the private industry and government representatives on the panels agreed that corporate America should forge relationships with law enforcement on “sunny days” when they are not in the midst of a cyber-attack-related crisis. Mr. Demarest expressed hope that more open and collaborative relationships between corporations and law enforcement will aid the flow of information and lead to better law enforcement, increased network security, and fewer successful cyber-attacks.
Mr. Bharara stated that he has “come to worry about few things as much as the gathering cyber-threat,” and the U.S. Attorney’s Office for the Southern District of New York has made no secret of its intent to aggressively prosecute cyber-crime. To this end, the Department of Justice is openly seeking cooperation from private industry in identifying specific cyber-attacks and building general intelligence regarding cyber-criminals. We believe that the success of this initiative will depend on the extent to which corporate America is willing to adopt a “culture of disclosure,” which in turn will depend on the extent to which law enforcement will accommodate corporations’ demands for sensitivity towards their commercial data. Though the threats of cyber-sabotage and corporate espionage are real, substantial questions remain about the “best practices” for engaging in voluntary, informal contact with the government.
1 The SEC released guidance on the disclosure of cyber-security risks in October 2011. See http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.