Kim Peretti, partner at Alston & Bird
One trap that companies often fall into is looking at a business risk and thinking, “that can’t happen to us.” It’s an attitude that many have taken in relation to cyber attacks and data breaches, but a string of high profile disasters have brought the matter into clear focus for every business, and many are now playing catch-up in terms of devising a plan to deal with this growing threat.
“The biggest concern for companies, their boards and senior executives, is that being the victim of a cybersecurity event will make headlines for months or years,” says Kim Peretti, partner at Alston & Bird LLP. “There’s broad exposure for companies, board members may lose jobs. It’s now no longer a matter of if a company will be breached, but when, and in some cases, it’s not the breach itself but rather a company’s response that can land on the front page of the news.”
What it boils down to, Peretti explains, is a matter of risk, and companies need to ensure that they have a plan to mitigate that risk. To do so, they need to implement an enterprise security system, which is benchmarked, and perform security risk assessments from a legal and IT perspective, plus ensure there is a plan in place regarding a business and public relations response in the event that a breach does take place.
But which departments need to be involved in creating this plan? “It’s not just IT, though that’s a core component,” says Peretti. “Legal, compliance, human resources, specific lines of business and media relations are all part of it, as are senior executives.” All of these core groups need to come together in areas of both preparation and response.
In today’s business world, many of the most critical company assets are digital, the systems are networked together and subject to any number of attacks from rogue states, hacktivists or even disgruntled employees. Attackers have more points of entry on a network than ever before and more sophisticated techniques to find and exploit those weaknesses for their benefit.
“From a legal standpoint, the risk exposure for a cyber-attack has continued to rapidly increase,” Peretti explains. “The risk profile presented by cyber-security incidents is increasingly more likely to result in financial losses, enforcement actions and lawsuits.” Regulators, from the Federal Trade Commission to the Securities and Exchange Commission to the Federal Communications Commission, the Food and Drug Administration, the Department of the Treasury and state attorneys general all have a growing interest in cybersecurity. This can be challenging for companies, working with officials that have different agendas and focus on specific aspects of risk.
Peretti emphasizes the fact that senior executives and members of the board have an important role to play in cybersecurity. “Boards are responsible for risk management and assessment, so they play an oversight role,” she says. “Senior management should know it’s not just an IT issue, it’s enterprise risk and needs to be handled as all other enterprise risks. The board and senior executives should be involved in a company strategy before and after a breach in an oversight role.”
Before a breach, the board should be informed and engaged, asking probing questions and getting basic knowledge to familiarize themselves with technical matters, asking questions and getting informed. One topic that senior execs should be aware of is cyber insurance, which could be a way to transfer risk. After a breach, in the midst of a crisis, both the board and executives should get engaged and involved in directing the response and working on a mediation plan.
There are also specific roles for a general counsel to play as well. “The GC must settle into a central role, proactively addressing cybersecurity and responding to breaches,” Peretti explains. “The GC should assume a central role in responding, but proactively, regulators could become involved in evaluating cybersecurity… the GC should be aware of what is expected and what is developing from a legal perspective.”
In September, Peretti will be bringing her expertise on cybersecurity risk to the Women, Influence & Power in Law Conference in Washington, DC, where she will lead a panel on enterprise risk management. She attended the event in 2013, and enjoyed both the networking aspect of the event as well as the insightful conversations he had on a number of topics. “In cybercrime, women are outnumbered by men, though more and more are entering the field,” she says. “I like to interact with senior women, sharing insights on everything from the law to sports to the challenge of raising kids while working full time. It was a remarkable event last year, like no other event I know, it really brings everything together.
For more information in the event, click here.
The Women, Influence & Power in Law conference offers an opportunity for unprecedented exchange with women inside and outside counsel. The event runs from Sept. 17-19 and is being held at the Capital Hilton in Washington, D.C.